In a bureaucracy that, albeit slowly, is increasingly pushing digitization and paperless processes, digital signatures have been in daily use for some years now.
Their best-known incarnation takes the form of files with the extension p7m: a digital container for one or more signed documents.

In fact, given their widespread use, I recently needed to make a utility for opening and verifying p7m files available to all users in a company. How to do this?

The free alternatives available did not fully convince me, for several reasons: some applications that can be installed on PCs require elevated privileges for updates, and online services require the entire file to be uploaded, which can be problematic, especially when sensitive company documents are involved.

So?
Spoiler: WebAssembly and OpenSSL

CreeP7M

CreeP7M is a utility for extracting and verifying p7m files inside your web browser, without sending the file to any third party. If you want the details, go to the next section; otherwise feel free to use it below!


When one thing leads to another

Alright, you've come this far, so you deserve a decent amount of insight; let's say a why and a wherefore.
Right or wrong, the idea of working server-side didn't appeal to me, so I had no choice but to use something client-side. Surely someone had already made a JS library for this?!
Answer: NO!
(I only found out later about the existence of PKI.js)

I then came across this post on quoll.it, where the use of OpenSSL on p7m files is explained very clearly.
BAM! Enlightenment!
I had been hearing about WebAssembly for a long time, and this seemed like the right opportunity to play with it and learn something new, namely by compiling OpenSSL to wasm.

P7M with OpenSSL and WebAssembly = CreeP7M

If we are talking about Certificates, and that is what p7m signatures are based on, OpenSSL is the mother, father, parent N, you name it, of the vast majority of implementations.

So the basic idea is to use OpenSSL for all necessary operations:

  • File extraction
  • Signature data extraction
  • Verification against known Certification Authorities
  • CRL checking

Without getting too technical (you can see the source on GitHub), the result is an OpenSSL.wasm binary of about 2.5 MB.
CreeP7M just drives it like a normal command-line application, so changes and new features are easy to implement as well.
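As an added example (not CreeP7M's own code, nor the commands from the quoll.it post), the script below runs the four operations listed above as plain OpenSSL command-line calls, the same tool CreeP7M drives in its wasm build. The CA, the signer certificate and the document are constructed inside the script so it works offline; the exact flags CreeP7M passes to OpenSSL.wasm are not shown on this page, so the ones used here are an assumption, as are the file names.

```shell
#!/bin/sh
# Added example, not CreeP7M's own code. Assumptions: standard OpenSSL CLI (1.1.1+),
# file names chosen here, and a CA/signer/document CONSTRUCTED for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Constructed test PKI --------------------------------------------------------
# A throwaway root CA (keyUsage added so it counts as a CA even without a config
# file), a signer certificate issued by it, and an unrelated CA for a negative test.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Mario Rossi" \
    -keyout signer.key -out signer.csr 2>/dev/null
openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 30 \
    -out signer.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -keyout other.key -out other.pem 2>/dev/null

# --- Constructed document and its .p7m envelope ----------------------------------
# A .p7m is a DER-encoded CMS SignedData with the content attached (-nodetach).
printf 'Contratto di esempio\n' > documento.txt
openssl cms -sign -binary -nodetach -outform DER -in documento.txt \
    -signer signer.pem -inkey signer.key -out documento.txt.p7m

# 1. File extraction: unwrap the content without trusting any CA (-noverify).
extract_p7m() {   # $1 = .p7m file, $2 = output path
    openssl cms -verify -noverify -binary -inform DER -in "$1" -out "$2" 2>/dev/null
}

# 2. Signature data extraction: pull out the embedded signer certificate and
#    print its subject (no trust decision is made here either).
signer_subject() {   # $1 = .p7m file; prints "subject=..."
    openssl cms -verify -noverify -binary -inform DER -in "$1" \
        -signer firmatario.pem -out /dev/null 2>/dev/null
    openssl x509 -in firmatario.pem -noout -subject
}

# 3. Verification against known CAs: the signer must chain to the given bundle
#    (CreeP7M's bundle is the EU trusted list; here it is the constructed CA).
#    -no-CApath keeps the system store out of the decision.
verify_p7m() {   # $1 = .p7m file, $2 = CA bundle (PEM); exit status is the verdict
    openssl cms -verify -binary -inform DER -in "$1" -CAfile "$2" -no-CApath \
        -out /dev/null 2>/dev/null
}

# 4. CRL checking: -crl_check makes verification fail closed when no CRL for the
#    signer's issuer is available in the bundle, which is why CreeP7M needs
#    reachable CRL/OCSP endpoints for real-world signatures.
verify_p7m_crl() {   # $1 = .p7m file, $2 = bundle with CA certs and their CRLs
    openssl cms -verify -binary -inform DER -in "$1" -CAfile "$2" -no-CApath \
        -crl_check -out /dev/null 2>/dev/null
}

# --- Walk through the four steps on the constructed file -------------------------
extract_p7m documento.txt.p7m estratto.txt
printf 'extracted: %s\n' "$(cat estratto.txt)"
printf 'signed by: %s\n' "$(signer_subject documento.txt.p7m)"
if verify_p7m documento.txt.p7m ca.pem; then echo "chain to trusted CA: OK"
else echo "chain to trusted CA: FAILED"; fi
if verify_p7m documento.txt.p7m other.pem; then echo "chain to unrelated CA: accepted (unexpected)"
else echo "chain to unrelated CA: rejected"; fi
if verify_p7m_crl documento.txt.p7m ca.pem; then echo "with CRL check: OK"
else echo "with CRL check: rejected (no CRL in bundle)"; fi
```

The last check is the interesting one for CreeP7M: the signature is valid and chains to a trusted CA, yet with `-crl_check` OpenSSL refuses it because the issuer's CRL is missing from the bundle. Revocation data therefore has to be fetched from the CA, and in a browser that is exactly where the CORS problem described later comes in.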

But does it really verify p7m files offline?

The answer is unequivocally yes: the contents of the file are never sent to any external service.
For verification, however, third-party “actors” are required: authoritative certification authorities (CAs).

The CAs used are those defined at the European level and are therefore imported by default from the institutional site eidas.ec.europa.eu.

Each CA must expose a static CRL or an OCSP responder for checking the revocation status of the certificates it issues.
Here it gets slightly tricky: none of these services are reachable from our browser unless they return the appropriate CORS headers.
The only solution is to use a CORS proxy service that adds those headers. In fact, if you look, CreeP7M is initialized by passing it (optionally) both the URL from which to download the CAs and the URL of a CORS proxy of our choice (much better if managed by us).

    const CP7M = new CreeP7M(
      'https://eidas.ec.europa.eu/efda/tl-browser/api/v1/browser/tl/IT',
      'https://www.itsbalto.com/f/cors-proxy/?apiurl='
    );

The CAs are saved in the browser cache for 15 days.

Conclusions

As always, the ultimate goal is to make our users' lives easier and digitally secure, so if you have suggestions I will be happy to hear them.
In the meantime I have been initiated into the world of WebAssembly, and I have a hunch that I will soon find new applications to try my hand at. How about you?
Have you had any experiences with WebAssembly? I'm curious to hear about them in the comments.