1

I'm writing a Chrome extension and I need to verify a file that I'll download through HTTP to make sure it hasn't been tampered with. I don't mind if the message is intercepted and decrypted; I just need my extension to be sure the message came from me. HTTPS isn't an option for the file download, but I figure this is just as good. The extension ships with the public key.

In JavaScript I would like to verify the file made with the openssl command below.

openssl rsautl -sign -inkey mykey.pem -out secret.txt.rsa -in secret.txt

Basically I want the JavaScript to do the same thing as

openssl rsautl -verify -inkey pubkey.pem -in secret.txt.rsa -pubin

If that's not possible, are there any good alternatives?

UPDATE: jsrsasign library worked perfectly. I ended up verifying a sha512 hash which is just as good.

Josh
  • Right. It works fine with those two openssl commands. I'm just wondering if there's a JavaScript library that can do the same – Josh Nov 07 '13 at 06:20

2 Answers

0

https isn't an option for the file download

Could you elaborate? I can't think of a scenario where http is an available option and https isn't (short of not being able to acquire a certificate).

With that in mind, I can approve of your at least not trying to do a roll-your-own encryption. CryptoJS implements some popular cryptographic algorithms. If you seek OpenSSL interoperability, this is what your code would look like when decrypting with CryptoJS:

<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js"></script>
<script>
    var decrypted = CryptoJS.AES.decrypt(openSSLEncrypted, "Secret Passphrase");
</script>

Update: searching Stack Overflow revealed a question about using JSBN for public/private keypair encryption. Perhaps that's something to look into if https is truly not an option?

Oleg
  • As far as I know, AES is only for symmetric cryptography so it wouldn't help me verify anything. But I'm glad there are crypto libraries in JS – Josh Nov 07 '13 at 06:24
  • I'm reading through crypto-js. It seems like it's all symmetric encryption – Josh Nov 07 '13 at 06:25
  • "Could you elaborate?" Downloading files from dynamic IPs – Josh Nov 07 '13 at 06:29
  • @user2465313: SSL certificates are associated with a domain name *not* an IP address. I'm oversimplifying, but basically if you have a domain name that directs users to your server (dynamic dns?), then you should still be able to acquire a valid SSL certificate. That is probably not a Stack Overflow, but a Server Fault question though. – Oleg Nov 07 '13 at 06:34
  • Thanks for the advice. Normally you'd be right but due to circumstances that aren't really relevant to the question, https will not be possible – Josh Nov 07 '13 at 06:39
0

There is the jsrsasign library, whose RSAKey class has methods to verify RSA encrypted stuff. You'd probably have to read the file using the relevant HTML5 APIs (which I don't know any way to do without user interaction).

It is far from a straightforward solution (and I don't think you'll find one using JS) and maybe not worth the trouble, but if you badly need that functionality, give it a try.

If it is OK to have to install a separate app along with the extension, you can look into Native Messaging. Basically, you have a small native app that executes the appropriate openssl command and you can "talk" to it from your Chrome Extension. (But again, determining the location and name of the downloaded file will (afaik) require user interaction.)

gkalpak
  • This is the closest thing to what I need I've found. From here it's up to my own programming skills. Thank you. – Josh Nov 07 '13 at 16:26
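
An added example, not part of the original thread and not jsrsasign code: the same kind of check (a signature over a SHA-512 hash, as in the question's update) done with the WebCrypto API instead of a library. It assumes the file is signed with `openssl dgst -sha512 -sign mykey.pem -out secret.txt.sig secret.txt` rather than `rsautl -sign`, because WebCrypto only verifies hash-based PKCS#1 v1.5 signatures; the `.sig` file name, the function names, the throwaway key pair and the file contents are constructed for the demo.

```javascript
// WebCrypto is a global in extensions and recent Node; the fallback covers older Node.
const webCrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const subtle = webCrypto.subtle;
const ALG = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-512' };

// Decode a "-----BEGIN PUBLIC KEY-----" (SPKI) PEM into DER bytes.
function pemToDer(pem) {
  const b64 = pem.replace(/-----(BEGIN|END) PUBLIC KEY-----/g, '').replace(/\s+/g, '');
  return Uint8Array.from(atob(b64), c => c.charCodeAt(0));
}

// Import the public key shipped with the extension: verify-only, non-extractable.
function importPublicKey(pem) {
  return subtle.importKey('spki', pemToDer(pem), ALG, false, ['verify']);
}

// Return the file bytes only if the detached signature matches; throw otherwise,
// so unverified content can never reach the caller by accident.
async function verifyDownload(publicKey, fileBytes, signatureBytes) {
  const ok = await subtle.verify(ALG, publicKey, signatureBytes, fileBytes);
  if (!ok) throw new Error('signature check failed: discarding download');
  return fileBytes;
}

// Constructed demo: a throwaway key pair stands in for mykey.pem / pubkey.pem.
async function demo() {
  const pair = await subtle.generateKey(
    { ...ALG, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    true, ['sign', 'verify']);
  const spki = new Uint8Array(await subtle.exportKey('spki', pair.publicKey));
  const pem = '-----BEGIN PUBLIC KEY-----\n' +
    btoa(String.fromCharCode(...spki)).replace(/(.{64})/g, '$1\n') +
    '\n-----END PUBLIC KEY-----\n';
  const file = new TextEncoder().encode('constructed file contents\n');
  const sig = await subtle.sign(ALG, pair.privateKey, file);   // publisher side

  const shipped = await importPublicKey(pem);                   // extension side
  const accepted = await verifyDownload(shipped, file, sig);
  const tampered = Uint8Array.from(file);
  tampered[0] ^= 1;                                             // one flipped bit
  const rejected = await verifyDownload(shipped, tampered, sig)
    .then(() => false, () => true);
  return { acceptedLength: accepted.length, rejected };
}
```

In an extension, `fileBytes` and `signatureBytes` would be the `ArrayBuffer`s from two `fetch` responses, and nothing from the file should be parsed or used before `verifyDownload` resolves.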