14

I have a web server that allows access only using X509 authentication. Works like a charm. Now I want to extend the use of the X509 certificates (which are stored in the user's browser keystore) to

  • Sign data before it is sent to the server (using JavaScript and HTTPPost)
  • Decrypt data read from the server (where it gets encrypted using the user's public key stored there)

I found this example doing RSA Signature which is pretty close.... only it does take the key from a HTML textarea. I want to read it from the key store. Now crypto is quite in flux:

I'm looking for some working examples for signature and encryption (I have some in Java, but not browser based JavaScript).

Help is very much appreciated

stwissel
  • 20,110
  • 6
  • 54
  • 101
  • 1
    Related: I've been following the W3C's WebCrypto for a couple of years now. I think they are just about ready to publish their first standard. Its going to be a bit anemic in some areas, though. For example, it will not have BigIntegers (see [Question on BigInteger operations](http://lists.w3.org/Archives/Public/public-webcrypto-comments/2013Sep/0007.html)). But you should be OK with RSA signatures (see [`SubtleCrypto` sign method](https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#dfn-SubtleCrypto-method-sign)). – jww Jul 05 '14 at 06:55

3 Answers3

15

By the moment the W3C's WebCrypto standard is specifying a javascript object crypto inside window to perform encryption, digital-signatures, generate keys and so on with javascript. However a standard way to access the local keystore to perform operations like signatures with client keys is not defined. So nowadays there isn't a common way to do so in javascript, each browsers has it's own way; In IE you can do it with ActiveXObject("CAPICOM.Store");, with firefox using window.crypto.signText("textToSign", "ask"); (seems that now its deprecated, take a look here, actual api seems that doesn't support it: more info here), for chrome I'm not sure however using NativeSDK Client could be a possible way.

Other possibility is also using java applets with all problems this technology has these days.

There is also a project on github which encapsulates in javascript the behavior to sign (only with IE and firefox) using a common object which has the both implementations, I try it months before and work correctly with IE/Firefox, now with firefox doesn't work because the api options are deprecated, if you're curious take a look at: Glamdring/js-signer

You can also check my question where I asked similar question: js signature on chrome with OS keystore

Hope this helps,

Thiago Arrais
  • 33,360
  • 7
  • 30
  • 34
albciff
  • 18,112
  • 4
  • 64
  • 89
  • If you can provide a working code example for Firefox and/or Chrome the points are yours. Why not IE? My use case has no Windows machines. A link to a project isn't sufficient. Working code! – stwissel Nov 04 '14 at 17:19
  • Nowadays I've a java applet to perform digital signatures, I don't write code to sign with javascript because this features aren't standardized yet and are continuously changing (firefox since version 34 remove this feature because isn't a standard) so if you want a (temporally) working code... write it yourself `:)`. – albciff Nov 05 '14 at 08:01
  • Java doesn't work on mobile. Guess my bounty doesn't get me anywhere – stwissel Nov 05 '14 at 13:24
  • Yes, java plugin doesn't work on mobiles, for mobiles nowadays the solution to generate digital signatures it isn't easy, I know some solutions which are based on native application. This native applications are invoked from the webapp if the digital signature is performed from mobile device. – albciff Nov 06 '14 at 09:58
  • is it something change as of today? I'd like to access the keystore of the browser to decrypt a string using the client certificate – Giox Dec 14 '18 at 16:04
2

It is not possible to access the "local keystore" within the browser. Browsers slowly removing access to things that break the Same Origin Policy enforced by browsers. This includes things like plug-ins, the keygen tag, etc.

PKIjs was built with Same Origin Policy PKI in mind, here is a post I did on that topic - https://unmitigatedrisk.com/?p=503

rmhrisk
  • 1,814
  • 10
  • 16
  • actually.... the WebCrypto API has login() which does access any "local keystore" - file, smartcard, usb token https://www.w3.org/community/webcryptoapi/draft/ – stwissel Mar 15 '16 at 12:06
  • 2
    Actually that is form 2010, this is 2016, it does not - https://www.w3.org/TR/WebCryptoAPI/ – rmhrisk Mar 16 '16 at 16:54
  • True. Sad state of affairs. Wonder how the smart card providers do it – stwissel Mar 17 '16 at 04:14
  • 2
    They do not. The only way to do smart cards today is effectively to do a LPC over localhost to a service that interacts with the smart card. – rmhrisk Mar 18 '16 at 17:26
1

GlobalSign/PKI.js has support for X.509 certificates.

Public Key Infrastructure (PKI) is the basis of how identity and key management is performed on the web today. PKIjs is a pure JavaScript library implementing the formats that are used in PKI applications. It is built on WebCrypto (Web Cryptography API) and aspires to make it possible to build native web applications that utilize X.509 and the related formats on the web without plug-ins.

Kevin Hakanson
  • 41,386
  • 23
  • 126
  • 155
  • Interesting library. However the examples dodge the "access local keystore" topic. So it is either not there or invisible. Also the claim "open source" is contradicted by the copyright which is not an accredited OpenSource license. – stwissel Jun 03 '15 at 17:14