
Configure NSS Signtool to work with a Thales HSM?

I have a problem. My organization needs to perform code signing for the XPI file type. The certificates and their private keys MUST be protected by a hardware security module. This is for security reasons.

With the existing NSS Signtool provided by Mozilla, we have not been able to find a way to get that tool to recognize either a Java keystore, a CSP in Windows, or a keychain in Mac. All of the solutions researched point to requiring the key to be copied into a software database that NSS Signtool is configured to use by default.

I need to sign XPI file types, and the reason I am trying to find a solution that works with Java, Windows CSP, or Mac keychain is that my existing HSM technology from Thales has those 3 options as interfaces to communicate with the module.

I saw there was a Java based file called XPISigner, but the solution is no longer supported, and the only version we found for that works with a Luna HSM exclusively, in a way that is not forward compatible with today's Java versions.

Has anyone managed to get an HSM protected key to work with NSS Signtool? Or has there been any mechanism to integrate NSS Signtool with a Java keystore? (The idea with the Java option is that I could then manipulate said solution to work with my HSM.)

Thanks!

I was able to cobble together a solution using nsscapi.dll compiled from a nss-3.13.6 build. I then copied the additional library dependencies to my nss-3.20 build for use in my overall application.

nsscapi.dll, for the purpose of signing a piece of code, is a rudimentary PKCS11 to CAPI module interface for NSS. It apparently has memory leak problems, but since the scope of my use of NSS is to simply sign an XPI file occasionally, I am ok with restarting that module occasionally.

The solution involves: nss-3.20 built out using mozilla-build, and "make nss_build_all" from within the "nss" subfolder of this package.

Visual Studio C++ Redistributable 2015 x86 version (32bit, as 64bit doesn't work for this project).

Thales CAPI interface to Windows (yes, they have a direct PKCS11 module, but for my customized environment only CAPI and Java keystore are options, so I didn't use the Thales PKCS11 module).

The PATH environment variable was modified to point to the bin and lib folders within the NSS build.

nsscapi.dll, located in the nss-3.20\dist\WIN95xxx\lib\ folder, was loaded into the NSS build using "modutil":

modutil -dbdir "c:\apps\certs" -add "capi" -libfile "C:\Apps\nss-3.20\dist\WIN954.0_DBG.OBJ\lib\nsscapi.dll" -mechanisms RSA:DSA:RC2:RANDOM

I already had Thales configured to populate code signing certificates to CAPI, so I had code signing certs in CAPI already.

I had to use the "certificates" snap-in in mmc.exe to view the current user "Personal" certificate store. Then I modified the "friendly" name of the code signing certificate I want to use to something meaningful like "test". This is so that the NSSCAPI module can identify that certificate uniquely in the list that it has visibility to.

After that step of changing the friendly name on one of my test code signing certificates, I used the NSS signtool to display the list of available certificates:

signtool -d "c:\apps\certs" -L

I unzipped a "test.xpi" file into the "test" subfolder of "c:\apps\certs", which is a subfolder name I just made up; you can use what you want.

My list contained an entry:

* Microsoft Certificate Store:test

The * denotes that it is a valid cert that can be used for code signing in NSS.

I then used signtool to sign the code in my test XPI file:

signtool -d "C:\Users\mlawson\AppData\Roaming\Mozilla\Firefox\Profiles\4jnnnb1y.default" -k "Microsoft Certificate Store":"test" test/

With success!

I apologize in advance if my formatting of this answer is off. This is my first time both posting to Stack Overflow and answering a post (even if it was my own). I glossed over some of the high level steps in this post to keep it brief, as some of the bigger "how to" tasks, like building NSS, are documented on Mozilla's site already. Thales-related configurations are documented by Thales; it is not relevant to explain how that is configured, as my use case for their CAPI interface is custom and proprietary. But the overall concept of using nsscapi.dll and this solution applies really to anything that ties into MSCAPI, and being able to use that with NSS is handy. The nsscapi.dll can also be loaded into Firefox "security devices" as a module so that Firefox can use CAPI as well, though I don't know how well exactly...
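The modutil and signtool steps from the answer above, wrapped in a repeatable PowerShell script with a check at each step; this is an added example, not code from the original answer. The database path, DLL path, module name "capi", friendly name "test" and source folder are the answer's sample values, the output file name is made up here, and the parsing of `signtool -L` output assumes valid object-signing certificates are the lines prefixed with `*`, as shown in the listing above.

```powershell
# Added example (not from the original answer): load nsscapi.dll, confirm the CAPI-backed
# certificate is usable for object signing, then sign and verify the XPI.
param(
    [string]$CertDb       = 'c:\apps\certs',                 # NSS database dir (-d / -dbdir), from the answer
    [string]$CapiLib      = 'C:\Apps\nss-3.20\dist\WIN954.0_DBG.OBJ\lib\nsscapi.dll',
    [string]$ModuleName   = 'capi',                          # name passed to modutil -add
    [string]$FriendlyName = 'test',                          # CAPI "friendly name" set in the mmc snap-in
    [string]$SourceDir    = 'test',                          # unzipped XPI contents, relative to $CertDb
    [string]$OutputXpi    = 'test-signed.xpi'                # assumed output name
)

# 1. Load nsscapi.dll into the NSS database unless modutil already lists a module by that name.
#    -force suppresses modutil's interactive confirmation prompt.
$modules = (& modutil -dbdir $CertDb -list) -join "`n"
if ($modules -notmatch [regex]::Escape($ModuleName)) {
    & modutil -dbdir $CertDb -add $ModuleName -libfile $CapiLib -mechanisms RSA:DSA:RC2:RANDOM -force
    if ($LASTEXITCODE -ne 0) { throw "modutil -add failed with exit code $LASTEXITCODE" }
}

# 2. NSS exposes a CAPI certificate under the nickname "Microsoft Certificate Store:<friendly name>".
#    Require exactly one '*'-prefixed (valid for object signing) entry with that nickname.
$nickname = "Microsoft Certificate Store:$FriendlyName"
$listing  = @(& signtool -d $CertDb -L)
$valid    = @($listing | ForEach-Object { if ($_ -match '^\*\s+(.+?)\s*$') { $Matches[1] } })
if (@($valid | Where-Object { $_ -eq $nickname }).Count -ne 1) {
    throw "'$nickname' is not listed as a valid object-signing certificate. signtool -L printed:`n$($listing -join "`n")"
}

# 3. Sign the unpacked directory straight into an XPI (-Z writes the archive), then verify the
#    signatures in the archive before it is distributed.
Push-Location $CertDb
try {
    & signtool -d $CertDb -k $nickname -Z $OutputXpi $SourceDir
    if ($LASTEXITCODE -ne 0) { throw "signing failed with exit code $LASTEXITCODE" }
    & signtool -d $CertDb -v $OutputXpi
    if ($LASTEXITCODE -ne 0) { throw "verification of $OutputXpi failed with exit code $LASTEXITCODE" }
    Write-Host "Signed and verified $OutputXpi with '$nickname'"
} finally {
    Pop-Location
}
```

The private key never leaves the HSM: signtool only sees the CAPI key handle through nsscapi.dll, and step 2 fails loudly if the friendly name is missing or ambiguous instead of silently picking another certificate.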
