2

W3C is working on the Web Cryptography API (http://www.w3.org/TR/WebCryptoAPI/) to define a way to generate digital signatures, encryption and so on from JavaScript. Basically it defines a new object, crypto, inside the window object in the DOM, which must provide JavaScript with signature and encryption features. Chrome has started to implement this object, which is currently available in its JavaScript engine (I think in beta stage). I made some attempts to generate signatures with it and it seems to work correctly; however, I think the most useful way to generate digital signatures with this new object is to use the private keys in the OS keystore instead of autogenerated key material, but this access is not covered in this working draft.

I have worked for years with a signature applet to deal with the OS keystores (MS, Firefox KS, Mac OS X), but I want to do it directly in JavaScript if possible, to avoid all the problems that applets have produced lately: new Oracle security requirements, new MANIFEST.MF attributes, browsers blocking plugins and so on, which are a real pain!

So I'm looking for a JavaScript way to do so, and it seems that every major browser takes its own way:

  • In Internet Explorer there is an ActiveXObject to access the Windows keystore:

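    // CAPICOM enumeration values; script code must define these constants itself
    var CAPICOM_CURRENT_USER_STORE = 2;
    var CAPICOM_STORE_OPEN_READ_ONLY = 0;
    // instantiate the CAPICOM objects
    var store = new ActiveXObject("CAPICOM.Store");
    store.Open(CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY);
    // ...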
    
  • To access the Firefox keystore, it seems that Firefox adds a signText method to window.crypto (more info about the Firefox WebCryptoAPI implementation here and about the proprietary implementation here):

    window.crypto.signText("textToSign", "ask");

EDIT: This Firefox method has been deprecated since version 34 because it's not a standard: https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto

However, in Chrome it seems that currently nothing exists to do the same.

So, does anyone know how I can achieve this in Chrome? Does anyone know a common JS way to do so in all browsers? Any advice pointing me in the right direction will be appreciated.

Thanks!

albciff
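The kind of test the question describes (signing with key material that WebCrypto generates itself), as an added example that is not part of the original post. It uses only standard `crypto.subtle` calls; the function name and the returned field names are illustrative. The key pair lives only in the page's origin, and the API has no call that enumerates certificates or private keys held in the OS keystore.

```javascript
// Added example: sign and verify with a key pair generated by WebCrypto itself.
// signWithGeneratedKey and its result fields are illustrative names.
async function signWithGeneratedKey(message) {
  // Browsers expose crypto.subtle in secure contexts (HTTPS);
  // the dynamic import is only a fallback for older Node.js versions.
  const subtle = globalThis.crypto?.subtle ??
    (await import('node:crypto')).webcrypto.subtle;

  // extractable = false: script may use the private key but never read it.
  const keyPair = await subtle.generateKey(
    { name: 'ECDSA', namedCurve: 'P-256' }, false, ['sign', 'verify']);

  const alg = { name: 'ECDSA', hash: 'SHA-256' };
  const data = new TextEncoder().encode(message);
  const signature = await subtle.sign(alg, keyPair.privateKey, data);

  // A relying party needs the public key; the public half stays exportable.
  const publicJwk = await subtle.exportKey('jwk', keyPair.publicKey);

  const verified = await subtle.verify(alg, keyPair.publicKey, signature, data);
  const tamperedVerified = await subtle.verify(
    alg, keyPair.publicKey, signature, new TextEncoder().encode(message + '!'));

  // Exporting the non-extractable private key must be rejected.
  let privateKeyExportable = true;
  try {
    await subtle.exportKey('pkcs8', keyPair.privateKey);
  } catch (err) {
    privateKeyExportable = false;
  }

  return {
    signatureLength: signature.byteLength, // raw r||s encoding for P-256
    publicJwk,
    verified,
    tamperedVerified,
    privateKeyExportable,
  };
}

// Constructed sample input, same string as the signText call in the question.
signWithGeneratedKey('textToSign').then((result) => console.log(result));
```

Because the key is generated per origin and has no certificate attached, a signature made this way proves nothing about the user's identity unless the public key is enrolled with the relying party separately.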

1 Answer

1

You need to write an active component that will access the MS Crypto Store and perform the cryptographic operation. It can be either a Java applet or a Chrome browser extension utilizing the NativeClient SDK. A Java applet will run in MSIE, Firefox, Chrome and most other browsers but requires a JRE (Java runtime environment) installed on the client computer.

jariq
  • Thanks for your answer. I have worked for years with applets and each day it's harder to deal with the problems they produce: bugs, new security requirements and so on. For the moment I'll take a look at the NativeClient SDK as you mention. +1. Thanks. – albciff Sep 05 '14 at 13:20
  • @albciff My experience with Java applets is **exactly the same** but I don't really know of any other multiplatform technology that can extend a browser with advanced digital signature capabilities. BTW I've just explored the NativeClient SDK more closely and it seems to provide only very limited functionality: you cannot access the filesystem nor load the 3rd party libraries required for MS Crypto Store access. See [this thread in native-client-discuss mailing list](https://groups.google.com/forum/#!topic/native-client-discuss/C9nR--vt-Ug) for more details. – jariq Sep 05 '14 at 19:44
  • So we probably have the same problem... I have dealt with applets for a long time and lately I've had more problems than ever (the Java mantra "write once, run everywhere" doesn't apply to applets when dealing with OS keystores). I think that JavaScript is possibly a good way to do so, but for the time being, as you said, not all browsers offer this feature and each browser that does has its own implementation. Thanks again. – albciff Sep 08 '14 at 08:03
  • @jariq do you know if there is a way to access the keystore of the browser, even if each browser has a different implementation? I want to avoid java applets! – Giox Dec 14 '18 at 16:09
  • For modern browsers, as Jariq pointed out, refer to [SO Answer](https://stackoverflow.com/a/63173083/9659885), which lists the JavaScript APIs available in a free browser extension – Bharat Vasant Oct 02 '20 at 01:14