4

I am developing a Thunderbird extension, which is mostly done in JavaScript. I want to use several functions from Mozilla's NSS (Network Security Services) library in JavaScript. There is one JavaScript wrapper built into Thunderbird, named WeaveCrypto.js, which I currently use. The problem with WeaveCrypto is its age (AES-256-CBC might have been good enough in 2010, but is not recommended today anymore, e.g. through the this. SHA1 is also not really recommended as the prf-Algorithm in PBKDF2 anymore.) and hardcoded values like iterations, algorithms and key lengths.

The JavaScript Crypto already made it to the "Archive of obsolete content", while DOMCrypt is only available in Firefox.

I am currently chatting with Justin Dolske, the developer of WeaveCrypto. His current take is that I could fork WeaveCrypto and if I only add algorithm IDs and change only small pieces of logic (like the hardcoded values to changeable ones) they would likely add my forked version to Thunderbird.

I will do that if I have to, but it sounds a bit strange to me, that the huge NSS library is not completely accessible and useable in JavaScript without extra effort, even though all logic of Firefox and Thunderbird extensions is written in this exact language (or did I miss something?).

Any ideas appreciated :)

Just a student
  • 10,560
  • 2
  • 41
  • 69
BeYonD
  • 41
  • 4
  • 1
    Over 4 years ago, a similar question came up (http://stackoverflow.com/questions/7753130/xpcom-encrypt-decrypt-operation-on-file-in-firefox-extension), but maybe something changed since then. – BeYonD Jan 05 '16 at 12:02

1 Answers1

0

Justin Dolske told me about the WebCryptoAPI which uses the NSS library from JavaScript. It is completely available in Firefox since version 34 (so probably also in Thunderbird since then). Most parts are, however, not supported by the famous Internet Explorer, making it more difficult to use it in browser applications. It seems still perfectly suitable for Firefox and Thunderbird extensions.

Its documentation is incomplete, but not bad. Here is some JavaScript Example Code.

Documentation on common crypto functions is also available.

The Personal Security Manager (PSM) also uses the NSS library, but does not seem to be intended for the usage in JavaScript Extensions.

BUT: The supported algorithms in NSS are not state of the art. There are JavaScript Libraries like the SJCL JavaScript Crypto Lib that contain stronger algorithms. Unfortunately, it is not really recommended to use crypto functions written in JavaScript (Javascript Cryptography Considered Harmful).

Conclusion: That is the reason why the NSS library seems like the way to go, since it is written in C and should therefore be faster and more secure than JavaScript implementations. But it should be updated to the latest security standards. In the NSS 3.3 Plan they already mention "Update the list of encryption technologies" under "Must Have" and "Elliptic Curve Cryptography (ECC)" under "Nice to Have". I cannot see much information about that in the NSS BurnDownList, but I hope there is more to come.

BeYonD
  • 41
  • 4