PSM/Korean Financial Transactions

From MozillaWiki
Jump to: navigation, search

Today

Open Questions & Action Items

  • What is KISA's recommendation for what we should do?
  • What are the current regulations? Are the current regulations still mandating SEED? (bsmith heard that these regulations were being relaxed in order to support smartphones and other novel computing devices.)
  • Besides the KISA security ActiveX control, are these sites using other ActiveX controls? If so, for what purpose?
  • Who develops the ActiveX control? The Korean government?
  • Who distributes the ActiveX control? Do websites make it available to users? Is it pre-installed on Korean computers? Does the government offer it for download?
  • What API does the ActiveX control implement?
  • Can we develop a NPAPI plugin that is implemented in terms of the ActiveX control?
  • What is the license for the ActiveX control? Could we bundle it with Firefox? Is the Korean government willing to open-source the ActiveX control?
  • If we develop an alternative implementation of the ActiveX control's functionality, to emulate it, would we need to have that implementation certified by some government organization? If so, what is the process?
  • Does the ActiveX control require the KISA government root CA certificates to be installed in the Windows certificate store?
  • Is our current SEED support in PSM/NSS sufficient? Do we need to expand it? (This is easy to do.) Do we need to have it certified by KISA?
  • Do we need to start trusting the KISA root CA certificates to enable this functionality? Are the KISA roots acceptable according to our root CA policy? If not, can/should we need to limit how we trust the cert and distribute it anyway? See also Bug:335197.
  • How widely distributed is the ActiveX control? That is, how many sites rely on it?
  • Of the sites that rely on this functionality, how many of them would otherwise work (partially or completely) in Firefox? That is, are these sites all so IE-centric that they would need major changes to work in Gecko?
  • We need to have a user of a Korean banking site walk through the process of installing the ActiveX control and logging in/out of affected sites and making transactions in IE, so that bsmith and kaie can understand what is happening.

References

Hints at ActiveX control's API

Kookmin Bank uses an ActiveX encryption system. The control appears to be "XecureWeb", vendor SoftForum. The ActiveX control is exposed to web script through the following interface 

 nsIXecurePluginInstance.BlockDec( xgate_addr, cipher));
 nsIXecurePluginInstance.BlockEnc ( xgate_addr, path,  "", "POST" );
 nsIXecurePluginInstance.BlockEnc ( xgate_addr, path,  escape(posting_data), "POST" );
 nsIXecurePluginInstance.BlockEnc(xgate_addr, "/", "", "GET");
 nsIXecurePluginInstance.BlockEnc(xgate_addr, path, escape(qs),"GET");
 nsIXecurePluginInstance.BlockEnc(xgate_addr,"/",plain,"GET");
 nsIXecurePluginInstance.BlockEnc(xgate_addr,PATH,, "GET");
 nsIXecurePluginInstance.DeleteCertificate ( escape(dn));
 nsIXecurePluginInstance.EndSession( xgate_addr );
 nsIXecurePluginInstance.GenerateCertReq( 1024 );
 nsIXecurePluginInstance.InstallCertificate(cert_type, cert );
 nsIXecurePluginInstance.LastErrCode();
 nsIXecurePluginInstance.LastErrMsg());
 nsIXecurePluginInstance.LastErrMsg();
 nsIXecurePluginInstance.PutBigBannerUrl( xgate_addr, bannerUrl);
 nsIXecurePluginInstance.RenewCertificate2( ca_port, ca_ip, ca_type + 256 , pwd_fail );
 nsIXecurePluginInstance.RenewCertificate2( crosscert_ca_port, crosscert_ca_ip, crosscert_ca_type + 256 , pwd_fail );
 nsIXecurePluginInstance.RenewCertificate2( koscom_ca_port, koscom_ca_ip, koscom_ca_type + 256 , pwd_fail );
 nsIXecurePluginInstance.RequestCertificate2 ( crosscert_ca_port, crosscert_ca_ip, ref_code, auth_code, crosscert_ca_type + 256 );
 nsIXecurePluginInstance.RequestCertificate2 ( koscom_ca_port, koscom_ca_ip, ref_code, auth_code, koscom_ca_type + 256 );
 nsIXecurePluginInstance.RequestCertificateEx2 ( ca_port, ca_ip, ref_code, auth_code,1 + 256 ,0,"","",1);
 nsIXecurePluginInstance.ShowCertManager();
 nsIXecurePluginInstance.SignData (xgate_addr,escape(accept_cert),escape(plain),show_plain,escape(sign_desc) );
 nsIXecurePluginInstance.SignData (xgate_addr,escape(yes_accept_cert),escape(plain),show_plain,escape(sign_desc) );
 nsIXecurePluginInstance.SignData (xgate_addr,escape(yes_accept_cert_bill),escape(plain),show_plain,escape(sign_desc) );
 nsIXecurePluginInstance.SignData (xgate_addr,escape(yes_accept_cert_sERP),escape(plain),show_plain,escape(sign_desc) );
 nsIXecurePluginInstance.SignData2 (xgate_addr,escape(accept_cert),escape(plain),option,escape(sign_desc),pwd_fail);

(The above is actually the interface of an NPAPI control; the ActiveX control has the same interface.) The XecureWeb installation includes the following DLLs 

$ ls /C/Program\ Files/SoftForum/XecureWeb/ActiveX
ClientSM.exe
Download
MiraePKIX_v4.dll
RestartIE.exe
Unzip32.dll
XCrSvr.exe
XWSmartCard.dll
XWebCLT.dll
XWebCMP.dll
XWebCS.dll
XWebCertMng.dll
XWebFileCLT.dll
XWebFileRD.dll
XWebSSL.dll
XWebUI.dll
XWebUpdate.dll
XWebUtil.dll
XecureASN_v20.dll
XecureCMP_v20.dll
XecureCRL_v20.dll
XecureCSP_v20.dll
XecureCTL_v20.dll
XecureCodec_v20.dll
XecureCrypto_v20.dll
XecureFreeze.dll
XecureIO_v20.dll
XecureLDAP_v20.dll
XecureNEAT_v20.dll
XecureOCSP_v20.dll
XecurePKCS12_v20.dll
XecurePKCS5_v20.dll
XecurePKCS7_v20.dll
XecurePKCS8_v20.dll
XecurePKC_v20.dll
XecurePVD_v20.dll
XecureST_v20.dll
XecureTSP_v20.dll
Zip32.dll
conf
log
npxwebplugin.dll
npxwebplugin_file.dll
nsldap32v50.dll
temp
xwUACUpdatectl.dll
xwUACWrapper.dll
xwUACctl.dll

XWebCLT.dll implements the ActiveX entry points. npxwebplugin.dll implements the NPAPI entry points.

Retrieved from "https://wiki.mozilla.org/index.php?title=PSM/Korean_Financial_Transactions&oldid=305298"