Digital signature with Javascript

2019-06-28 08:15发布

问题:

So I'm stuck with this problem:

IE Edge no longer allow applets, activeX, etc. ,

and I have this applet that is used for digital signature,

the idea is to extract the private key from the KEY file in the client side, in that way the private key never leaves the client's computer, that is a requirement for security, it can't be avoid :(

I'm looking for APIs or frameworks, but I can't found a way to solve this,

with jsrsasign the examples uses a PEM file but my users have .CER + .KEY + password, in java I can do it, but I need to do it in javascript or in something on the client side.

and, reading the Web Cryptography API and some examples I found, they generate NEW private and public keys to sign BUT they never READ an existing CERTIFICATE

does anybody have this problem or know a framework I could use? please heeeelp!

回答1:

So the answer was to use JSRSASIGN (http://kjur.github.io/jsrsasign/) in the examples posted in github it uses PEM files, I build an example to use CER+ KEY + PASSWORD >> https://github.com/alfredomova/firmaJs-with-jsrsasign-example,

for that specific example i used sparkMD5(https://github.com/satazor/SparkMD5) to calculate the file's hash.



回答2:

You don't necessarily need to force your web app to work in Edge since it no longer support the legacy technologies that your web app is using.

"Use Enterprise Mode with Microsoft Edge to open Internet Explorer 11 for your business’s sites that require IE’s proprietary technologies."

Include your site on the Enterprise Mode Site List so it will open in IE11 automatically:

Once Edge detects that your web app is using propietary technologies, it will tell you to open your site in IE11.

The steps and the details can be found in this blog post by the Microsoft Edge team and check the user experience section of the blog so you'll get the idea of the UX it will bring to your users once implemented:

http://blogs.windows.com/msedgedev/2015/08/26/how-microsoft-edge-and-internet-explorer-11-on-windows-10-work-better-together-in-the-enterprise/



回答3:

Modern browsers no more supports ActiveX, applets. WebCrypto API generates and uses keys dynamically but does not have capability to access Certificates from Certificate Store.

The accepted answer provided by Alfredo M, who has also asked question, points to JavaScript to handle cryptography in browser which does not talk about accessing local Certificate Store. Recently Certificates are not being generated/issued as pfx (or PEM) files but on Cryptographic device like USB Token or smart card.

Thus we need to use Browser Extensions for modern browsers where application running behind the Browser can access Certificate Store and sign the hash. One such browser extension is provided free by my Company. You just need couple of lines of JavaScript code to call methods provided by any Browser Extension to achieve Digital Signing from modern Browser. If you just want to sign files or eReturns, you don't need any server side component. If you want to sign pdf, you may need pdf component on server side.