js signature on chrome with OS keystore

Published 2020-03-05 03:24

Question:

W3C is working on a http://www.w3.org/TR/WebCryptoAPI/ to define a way to generate digital signatures, encryption and so on from JavaScript. Basically it defines a new object crypto inside the window object in the DOM which must provide JavaScript with signature and encryption features. Chrome has started to implement this object, which is currently available in its JavaScript engine (I think in beta stage). I made some tries to generate some signatures with it and it seems to work correctly; however, I think the most useful way to generate digital signatures with this new object is using the private keys in the OS keystore instead of autogenerated key material, but this access is not covered in this working draft.

I've worked for years with a signature applet to deal with OS keystores (MS, Firefox KS, Mac OS X), but I want to do it directly in JavaScript if possible, to avoid all the problems which applets have produced lately... new Oracle security requirements, new MANIFEST.MF attributes, browsers blocking plugins and so on, which are a real pain!

So I'm looking for a JavaScript way to do so, and it seems that all the major browsers take their own way:

  • In Internet Explorer there is an ActiveXObject to access the Windows keystore:

    // CAPICOM enumeration values (CAPICOM_STORE_LOCATION and
    // CAPICOM_STORE_OPEN_MODE); the ActiveX object does not define
    // these names for script, so they must be declared here
    var CAPICOM_CURRENT_USER_STORE = 2;
    var CAPICOM_STORE_OPEN_READ_ONLY = 0;
    // instantiate the CAPICOM objects
    var store = new ActiveXObject("CAPICOM.Store");
    // open the current user's personal ("My") store read-only
    store.Open(CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY);
    ...
    
  • To access the Firefox keystore, it seems that Firefox adds a signText method in window.crypto (more info about the Firefox WebCryptoAPI implementation here and about the proprietary implementation here):

    window.crypto.signText("textToSign", "ask");

EDIT: This Firefox method has been deprecated since version 34 because it's not a standard: https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto

However, on Chrome it seems that currently nothing exists to do the same.

So does anyone know how to achieve this in Chrome? Does anyone know a common JS way to do so in all browsers? Any advice to point me in the right direction will be appreciated.

Thanks!

Answer 1:

You need to write an active component that will access the MS Crypto Store and perform the cryptographic operation. It can be either a Java applet or a Chrome browser extension utilizing the NativeClient SDK. A Java applet will run in MSIE, Firefox, Chrome and most other browsers but requires a JRE (Java runtime environment) installed on the client computer.