My goal is to provide an XPCOM-based API for XML Digital Signature processing using the Mozilla NSS crypto API. The Java-based API for XMLDSIG is not easy to use with a browser when the signing certificate has to be selected from the browser's certificate DB.
I am using the Apache XML Security C++ libraries because they support the Mozilla NSS crypto API and include an XML canonicalization API that complies with the W3C spec.
This tool automatically selects the user certificates that can be used to sign XML documents (from the browser's certificate DB, based on the ObjectSigner key-usage criterion) and presents them as a menu list. The XML file to be signed is picked using the file browser. The signature parameters are chosen from a set of form fields.
The Apache XML Security for C++ library uses the Apache XML project's Xerces-C++ XML parser and Xalan-C XSLT processor. The latter is used for processing XPath and XSLT transforms. This add-on does not support Xalan-based transforms. The XPI file for this add-on includes the Mozilla NSS-enabled Apache XML Security libraries for C++, but it does not include the required DLL or shared library for Xerces-C++. You have to download and install the Apache Xerces library for C++ before you install this add-on. The directory containing the Xerces shared libraries or DLLs must be in LD_LIBRARY_PATH (for Unix) or PATH (for Windows).
You have to install and configure the Apache Xerces C++ libraries before you can use the add-on. Please follow the instructions below for your platform.
Download, install and configure the Apache XML libraries before installing the add-on:
Apache XML libraries installation and configuration instructions for Firefox 5.0+:
- For x86 Windows (32-bit only)
- For x86 Linux - 32 bit (no longer supported)
- For x86_64 Linux
- For x86_64 Mac OSX
  - A binary build of Xerces-C++ for the Mac OSX x86_64 platform is not available from the Apache Xerces-C++ download site.
  - You have to download the source package and build it for the Mac OSX x86_64 platform. After you build and install the compiled binary from the source, add the installed Xerces-C++ lib directory to your DYLD_LIBRARY_PATH environment variable. For more information on installation, go to the Xerces-C XML Parser project page.
  - export DYLD_LIBRARY_PATH=<XERCES-INSTALL-DIR>/lib:$DYLD_LIBRARY_PATH
Finally, restart the browser and then install the add-on from this page.
- This add-on may not work with the Firefox builds distributed with some Linux platforms. In that case, download Firefox from the Mozilla site.
- This tool has been tested only on Fedora Linux (x86_64), Mac OSX 10.7.5 and Windows XP-SP3. It may or may not work on other Linux x86 OSes. Note: This version does not support 32-bit Linux.
- If signing does not work, re-install the add-on: uninstall it, then install it again. Do not install over the existing add-on.
- Also, check that the DLLs (shared libraries) from Apache Xerces-C++ are in a directory listed in your PATH (LD_LIBRARY_PATH) environment variable.
- Please make sure that the "ObjectSigner" key-usage is 'true' for the signing certificate; otherwise the certificate associated with the signing key won't be displayed in the list of signing certificates.
- If you need a tool to generate keys/self-signed certs for signing XML documents, you can try our KeyManager Add-on for Firefox: https://addons.mozilla.org/en-US/firefox/addon/key-manager/
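A way to run the library-path check from the notes above before starting the browser, as an added example that is not part of the add-on. The function name `audit_lib_path` and the default file pattern `libxerces-c*` (the usual Unix name of the Xerces-C++ shared library) are assumptions. It also reports empty entries, which the `export` line above produces when the variable was previously unset and which glibc's loader reads as the current directory.

```shell
#!/bin/sh
# Added example (not the add-on's code): audit a colon-separated library
# search path such as LD_LIBRARY_PATH or DYLD_LIBRARY_PATH.
#
# audit_lib_path LIST [GLOB]
#   LIST  the value of the search-path variable
#   GLOB  file pattern of the Xerces-C++ library (assumed default below)
# Prints one finding per line: UNSET, EMPTY, RELATIVE, MISSING, WRITABLE, FOUND.
audit_lib_path() (
    [ -n "$1" ] || { echo "UNSET"; exit 0; }
    glob=${2:-libxerces-c*}

    # Terminate the list with ':' so a trailing empty entry survives splitting.
    list=$1:
    oldifs=$IFS; IFS=:; set -f
    set -- $list
    set +f; IFS=$oldifs

    for dir in "$@"; do
        if [ -z "$dir" ]; then
            # glibc's ld.so treats a zero-length entry as the current directory.
            echo "EMPTY"
            continue
        fi
        case $dir in
            /*) ;;
            *) echo "RELATIVE $dir" ;;   # resolved against the process's cwd
        esac
        [ -d "$dir" ] || { echo "MISSING $dir"; continue; }
        # Ninth character of the mode string is the "other" write bit.
        case $(ls -ldL "$dir") in
            d???????w*) echo "WRITABLE $dir" ;;
        esac
        for f in "$dir"/$glob; do
            if [ -e "$f" ]; then
                echo "FOUND $f"
                break
            fi
        done
    done
)

# Report on the current environment when the variable is set.
if [ -n "${LD_LIBRARY_PATH:-}" ]; then audit_lib_path "$LD_LIBRARY_PATH"; fi
```

A clean result is a single FOUND line for an absolute directory; EMPTY, RELATIVE or WRITABLE entries let a library of the same name in another location be loaded into the browser process.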
Enabling HTML document signing and signature validation:
The HTML document signing tool and HTML signature validation are disabled by default. Use the Preferences window to enable them as follows:
- "Tools --> Add-on --> Select XML Digital Signature Processing Tool --> Preferences/Options"
- Select the "HTML Signature Tool" tab
- Check "Enable HTML Digital Signature Tool" to display the menu item under the Tools menu
- Check "Enable HTML Digital Signature Validation" if you want to validate the HTML signature embedded in an HTML document as it is being displayed by the browser
- Check "Override proxy restriction" if you want to do signature validation in HTML pages that are accessed through an HTTP proxy. If you are behind a firewall, overriding the proxy restriction will hang your browser until the request times out with no response.
If HTML signature validation is enabled, a small icon appears on the status bar of the browser when the page contains an HTML signature. This status icon displays information about the signature and the results of the signature validation.