8

Is it possible to use pure JavaScript to sign XML documents in the browser?

I believe there are hard security restrictions here, but maybe there is some way of doing that.

Ricardo Acras

4 Answers

3

Here is a solution based on Web Crypto - https://github.com/PeculiarVentures/xadesjs

rmhrisk
  • Whilst this may theoretically answer the question, [it would be preferable](//meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Enamul Hassan May 03 '16 at 00:42
  • Manetus, the question is "is it possible to use pure JavaScript to sign XML documents in the browser?" and the link goes to a page that does exactly that, not sure how more specific you can get short of copying and pasting the page contents here. – rmhrisk May 07 '16 at 21:17
2

If you mean the XmlDSig which involves accessing the local cert store, then I am afraid that currently there is no way to have reliable JavaScript code that could access the cert store at the client side and use the private key of the certificate.

Hundreds of developers would die for such technology, however, the Web Crypto API is still a draft and is not implemented by web browsers.

To sign documents at the client side you still need an OS bridge:

  • a browser plugin - possibly the most difficult route, as writing plugins for all possible browsers for all possible systems could be overkill
  • a Java applet - considering Chrome has just dropped support for NPAPI (plugin API), this seems to be obsolete. Mozilla will drop support soon, too.
  • a ClickOnce application that is run by a client .NET platform - that still works, however it is limited to OSes that support .NET/ClickOnce

If you need more references, Google for "javascript access certificate store". Example SO threads:

How to access windows certificate store in javascript?

Access browser certificate store using javascript

(these and other threads also support the argument that this is currently not possible)

Wiktor Zychla
1

I am looking for the same functionality.

As of now I have found https://github.com/yaronn/xml-crypto but have not tried it yet.

For just signing (not XML) with an x509 certificate I successfully used https://github.com/digitalbazaar/forge

acero
  • Yes xml-crypto is server side, I am trying to do it with https://github.com/digitalbazaar/forge and I am getting correct DigestValue but am struggling with SignatureValue. To get canonical XML I use https://github.com/deoxxa/xml-c14n – acero Apr 18 '15 at 11:05
  • Have you found a way to reliably access the cert store at the client side from the browser's Javascript? Because as far as I know this is still not possible. – Wiktor Zychla Apr 18 '15 at 12:19
  • I went with a different strategy: I pulled the cert file from the server over https to local storage and access it from there. The user will have to type in the cert password, although I am not sure about all the security implications here. Someone might get the cert from localstorage but will not know the password. – acero Apr 18 '15 at 15:15
  • You transmit the certificate from the client to the server and use it at the server? That's a serious security hole, plus some certificates can't be taken out of the cert store WITH the password. – Wiktor Zychla Apr 18 '15 at 19:13
  • @acero, did you use browserify or requirejs in order to make the deoxxa canonizer browser compatible? I used browserify but saw the error message - c14n is not defined after running `var canonicaliser = c14n.createCanonicaliser("http://www.w3.org/2001/10/xml-exc-c14n#WithComments");` –  Apr 30 '15 at 12:25
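
For reference on the DigestValue and SignatureValue discussed in the comments above, here is an added example (not code from any poster or from the linked libraries) showing which bytes each value covers, for runtimes that expose `crypto.subtle`. It assumes a key pair generated in the page rather than one taken from a certificate store, and constructed XML strings that are already in canonical form.

```javascript
// Added example, not from the thread. Assumption: the XML strings are constructed
// and already in exclusive-c14n form; a real signer must canonicalise first.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder();
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
const RSA = { name: 'RSASSA-PKCS1-v1_5' };
const DS = 'http://www.w3.org/2000/09/xmldsig#';
const C14N = 'http://www.w3.org/2001/10/xml-exc-c14n#';
const el = (name, alg) => `<ds:${name} Algorithm="${alg}"></ds:${name}>`;

// DigestValue = base64(SHA-256(canonical bytes of the referenced element)).
async function digestValue(canonicalXml) {
  return b64(await subtle.digest('SHA-256', enc.encode(canonicalXml)));
}

// SignedInfo in canonical form: empty elements written as start/end tag pairs.
function buildSignedInfo(refUri, digest) {
  return `<ds:SignedInfo xmlns:ds="${DS}">` +
    el('CanonicalizationMethod', C14N) +
    el('SignatureMethod', 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256') +
    `<ds:Reference URI="${refUri}">` +
    `<ds:Transforms>${el('Transform', C14N)}</ds:Transforms>` +
    el('DigestMethod', 'http://www.w3.org/2001/04/xmlenc#sha256') +
    `<ds:DigestValue>${digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>`;
}

// SignatureValue = base64(RSA signature over canonical SignedInfo), not the document.
async function signatureValue(privateKey, bytesToSign) {
  return b64(await subtle.sign(RSA, privateKey, enc.encode(bytesToSign)));
}
// Verifier: signature must cover SignedInfo, and SignedInfo must carry the digest.
async function verify(publicKey, canonicalXml, signedInfo, sig) {
  const expected = `<ds:DigestValue>${await digestValue(canonicalXml)}</ds:DigestValue>`;
  const sigOk = await subtle.verify(RSA, publicKey, unb64(sig), enc.encode(signedInfo));
  return sigOk && signedInfo.includes(expected);
}

async function demo() {
  const keys = await subtle.generateKey({ ...RSA, modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    false, ['sign', 'verify']); // extractable=false: script cannot export the private key
  const doc = '<invoice Id="doc"><total>42.00</total></invoice>'; // constructed sample
  const signedInfo = buildSignedInfo('#doc', await digestValue(doc));
  const sig = await signatureValue(keys.privateKey, signedInfo);
  const sigOverDoc = await signatureValue(keys.privateKey, doc); // signs the wrong bytes
  return { valid: await verify(keys.publicKey, doc, signedInfo, sig),
    tampered: await verify(keys.publicKey, doc.replace('42.00', '99.00'), signedInfo, sig),
    wrongInput: await verify(keys.publicKey, doc, signedInfo, sigOverDoc) };
}
```

`demo()` resolves to an object whose `valid` field is true, while `tampered` (document changed after signing) and `wrongInput` (signature computed over the document instead of SignedInfo) are both false.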
0

If you need a signature in a browser, maybe you need a specialized solution? For example, this: https://www.cryptopro.ru/products/cades/plugin (use Google Translate).

Pavel Patrin