Digitally sign data in browser using smart card or

I need to create digital signature of some XML data with a client certificate(smart card) using web browser. Usually I used to do it with a java applet executing on the client side. The benefit being multiplatform in terms of OS and browsers.

However this option is getting increasingly harder and harder to implement and support in the long term. Virtually all browsers require some sort of action in order to execute such applet, code signing with a trusted certificate is almost mandatory nowadays, new manifest attributes and so on. Well there is nothing wrong with some extra layer of security and I am ok with that.

However Google Chrome as of April 2015 has stopped support for Java applets (and other plugins as well) - there is a configuration switch but it won't be available for much longer as stated here.
Mozilla Firefox does not have end of support date for NPAPI but they call it "legacy technology".
As for IE - it does not support plugins in Modern UI.

So with Java applets no longer really a universal option what are my choices?
What I have investigated so far:

ActiveX - IE only
Silverlight - no access to certificates at all and as a plugin faces the same limitations as Java
Browser specific extensions; For example Firefox up until version 33 used to have window.crypto.signText but not anymore
local applications installed on the client - not easy to install, support, develop and update for several OS and their different versions.
Web Cryptography - "only basic cryptographic functions", no certificates support

I ran out of ideas. All suggestions are welcome and appreciated.

标签： browser digital-signature

2条回答

Bombasti

2楼-- · 2019-02-01 23:22

I did same research few weeks ago, and the first option for me is migrate to firefox (at least for now).

An alternative, could be migrate applets to JNLP java client application (maybe with some websocket/restful synchronization between java client/server/web page).

I think the options that you mentioned have less support among browsers than java applet.

0人赞添加讨论(0) 举报

Fickle 薄情

3楼-- · 2019-02-01 23:42

Proprietary API available

I want to revive an answer previously deleted for lack of information. My answer does not provide complete info but since I had the same problem and stumbled upon this question, I'd like to share my findings.

I also have an additional requirement so that the browser signature works on "older" (IE9) browsers.

There is a web API at https://www.4identity.eu/ distributed by Italian smart card manufacturer Bit4id.

The 4identity API, however, is not really a full "web API" that relies on plain Javascript, as it still requires to download a Windows-only client (sic!). The client, as far as I could understand, responds on a custom keychain URL protocol (I had a past Oauth-2 related question on how to handle desktop applications....) which is not standard according to my findings. The client has access to the key store so it can upload the signed file to the remote web service who is being polled by the Ajax page.

I need to do some paperwork to get full API access, and I have no information about pricing. Still, I deem worth to give a detailed look.

Part 2 of the question

Supporting a real digital signature from browser requires browser vendors and W3C, who oversees web standards, to do a lot of effort, maybe just the same effort they did for standardizing DRM solutions in HTML5 for sake of multimedia companies (criticism mode on). Currently there is WebCrypto standard but according to research it is not available in "mainstream browsers"

Digital signing a remote file with a smart card requires access to the key store and the implementation of cryptography libraries. An open source implementation of PaDES/CaDES is expectable by the community, but without a final implementation of a standard way to access the key store the smart card cannot be accessed.