Accessing signing/encryption in a browser's Ke

2020-02-08 15:43发布

I have a web server that allows access only using X509 authentication. Works like a charm. Now I want to extend the use of the X509 certificates (which are stored in the user's browser keystore) to

  • Sign data before it is sent to the server (using JavaScript and HTTPPost)
  • Decrypt data read from the server (where it gets encrypted using the user's public key stored there)

I found this example doing RSA Signature which is pretty close.... only it does take the key from a HTML textarea. I want to read it from the key store. Now crypto is quite in flux:

I'm looking for some working examples for signature and encryption (I have some in Java, but not browser based JavaScript).

Help is very much appreciated

3条回答
放荡不羁爱自由
2楼-- · 2020-02-08 16:28

It is not possible to access the "local keystore" within the browser. Browsers slowly removing access to things that break the Same Origin Policy enforced by browsers. This includes things like plug-ins, the keygen tag, etc.

PKIjs was built with Same Origin Policy PKI in mind, here is a post I did on that topic - https://unmitigatedrisk.com/?p=503

查看更多
够拽才男人
3楼-- · 2020-02-08 16:28

GlobalSign/PKI.js has support for X.509 certificates.

Public Key Infrastructure (PKI) is the basis of how identity and key management is performed on the web today. PKIjs is a pure JavaScript library implementing the formats that are used in PKI applications. It is built on WebCrypto (Web Cryptography API) and aspires to make it possible to build native web applications that utilize X.509 and the related formats on the web without plug-ins.

查看更多
孤傲高冷的网名
4楼-- · 2020-02-08 16:33

By the moment the W3C's WebCrypto standard is specifying a javascript object crypto inside window to perform encryption, digital-signatures, generate keys and so on with javascript. However a standard way to access the local keystore to perform operations like signatures with client keys it's not defined. So nowadays there isn't a common way to do so in javascript, each browsers has it's own way; In IE you can do it with ActiveXObject("CAPICOM.Store");, with firefox using window.crypto.signText("textToSign", "ask"); (seems that now its deprecated, take a look here, actual api seems that doesn't support it: more info here), for chrome I'm not sure however using NativeSDK Client could be a possible way.

Other possibility is also using java applets with all problems this technology has these days.

There is also a project on github which encapsulates in javascript the behavior to sign (only with IE and firefox) using a common object which has the both implementations, I try it months before and work correctly with IE/Firefox, now with firefox doesn't work because the api options are deprecated, if you're curious take a look at: Glamdring/js-signer

You can also check my question where I asked similar question: js signature on chrome with OS keystore

Hope this helps,

查看更多
登录 后发表回答