
I want a web application to sign XML documents with a private key that is inside a smart card. If the private key could somehow be sent to the server, I could sign them in Java by having java.security access the Windows certificate store and javax.xml.crypto to transform the XML document to the XML signing standard, but the private key can't be exported from the smart card.

Even though I could either use Java Applets or create a Java application running on the client machine (using Java Web Start), first, I would prefer that the user didn't have to install Java, a browser add-on or any Java application on their machines, and second, both Java Applets and Java Web Start are deprecated. Oracle is telling people to search for other solutions.

The obvious choice would be to go with JavaScript, but it either requires access to the private key (which we don't have, since the private key can't be exported from the smart card), or it requires additional software to be installed for the browser to communicate with a smart card reader (with some kind of native code).

I have Java code that allows me to sign XML documents with the private key of a smart card by accessing the Windows certificate store and making use of several abstractions to sign with it. Right now I'm inclined to have the user install an add-on that allows the client machine to run that code, but I'd rather use JavaScript so the user doesn't have to install anything.

So my questions are: Is there any way for me to sign XML documents with a smart card's private key using JavaScript? Is there any other way for me to do so without having to install additional software on the client's machine?
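The Java path the question sketches (java.security reaching the Windows certificate store, javax.xml.crypto producing the XMLDSig) looks like the following. This is an added example, not the asker's code. It assumes a Windows JVM with the SunMSCAPI provider, which exposes the CurrentUser\My store as the `Windows-MY` KeyStore; the alias `my-smartcard-cert`, the sample document and the choice of rsa-sha256 with exclusive canonicalization are assumptions. With a smart card behind the certificate, the `PrivateKey` the KeyStore hands back is only a handle to the card's CSP key: the `sign()` call is forwarded to the card (which prompts for the PIN) and the key bytes never enter the JVM. That is also why this code has to run on the machine the card is plugged into, never on the server.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;

import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;

public class SmartCardXmlSigner {

    /** Enveloped XMLDSig over the whole document, using the key behind the named certificate in Windows-MY. */
    public static String sign(String xml, String certAlias) throws Exception {
        // SunMSCAPI: the "password" is ignored; the PrivateKey is a handle to the CSP key on the card.
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);
        PrivateKey key = (PrivateKey) ks.getKey(certAlias, null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(certAlias);
        if (key == null || cert == null) {
            throw new IllegalArgumentException("no key/certificate under alias " + certAlias);
        }

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                                   // required by XMLDSig
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DTD, so no XXE
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI "" + enveloped transform: digest covers the entire document minus the Signature element itself.
        Reference ref = fac.newReference(
                "",
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));

        // Embed the certificate so the verifier can build the chain without a side channel.
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        X509Data x509 = kif.newX509Data(Collections.singletonList(cert));
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(x509));

        DOMSignContext ctx = new DOMSignContext(key, doc.getDocumentElement());
        fac.newXMLSignature(si, ki).sign(ctx);   // the card computes the RSA signature and prompts for the PIN

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString(StandardCharsets.UTF_8.name());
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "my-smartcard-cert";   // assumed alias (certificate friendly name)
        String sample = "<invoice><amount>100</amount></invoice>";         // constructed sample input
        System.out.println(sign(sample, alias));
    }
}
```

The alias is the certificate's friendly name as SunMSCAPI reports it; iterate `ks.aliases()` if unsure. Older JDKs' SunMSCAPI only reaches CSP (CryptoAPI) keys, so a card whose minidriver is CNG-only needs a newer JDK. Whatever produces the signature on the client, the server must still verify it with javax.xml.crypto and validate the embedded certificate against its own trust anchors before accepting the document.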

  • _Is there anyway for me to sign xml documents with a smart card's private key using JavaScript?_ --> **No** _Is there any other way for me to do so without having to install additional software on the client's machine?_ --> **No** See https://stackoverflow.com/a/50208561/6371459 – pedrofb May 23 '19 at 17:51
  • No, it's not possible to access Certificate Store without installing local software. You may find part of this answer https://stackoverflow.com/a/55692742/9659885 useful. – Bharat Vasant May 24 '19 at 00:16
  • Thank you. Yeah, from what I could tell from all the things I read this past week, everything pointed to what you told me. – osnofa May 24 '19 at 09:04
  • Possible duplicate of [How to implement digital signature with my existing web project](https://stackoverflow.com/questions/50138232/how-to-implement-digital-signature-with-my-existing-web-project) – Michael Roland May 28 '19 at 18:20
  • Just an update on my approach, for anyone that has a similar problem. I ended up going with browser extensions with _native messaging_. Basically, the extension works as a communication channel between the browser and a native Java application. For more information, check [https://developer.chrome.com/extensions/nativeMessaging](https://developer.chrome.com/extensions/nativeMessaging). – osnofa May 31 '19 at 10:04
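The native side of the arrangement described in the last comment, as an added example and not the asker's or Chrome's code: the browser launches the host process and exchanges JSON messages over its stdin/stdout, each prefixed with a 4-byte length in native byte order (little-endian on x86/x64 Windows). The request/response shape (`{"xml": "<base64>"}` in, `{"signedXml": "<base64>"}` or `{"error": "..."}` out) and the regex-based field extraction are assumptions chosen so the host needs no JSON library; base64 keeps the XML out of JSON string escaping. The `signXml` hook is where the javax.xml.crypto code from the question plugs in; it is the identity here so the framing can be exercised without a card.

```java
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Native messaging host: started by the browser, exchanges length-prefixed JSON on stdin/stdout. */
public class SigningHost {

    private static final int MAX_MESSAGE = 1024 * 1024;   // Chrome caps host-to-browser messages at 1 MB

    // Assumed request shape: {"xml":"<base64>"}; the base64 alphabet contains no JSON-special characters.
    private static final Pattern XML_FIELD = Pattern.compile("\"xml\"\\s*:\\s*\"([A-Za-z0-9+/=]*)\"");

    /** Reads one framed message; returns null on a clean EOF (the browser closed the port). */
    static String readMessage(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        byte[] header = new byte[4];
        try {
            din.readFully(header);
        } catch (EOFException eof) {
            return null;
        }
        int len = ByteBuffer.wrap(header).order(ByteOrder.LITTLE_ENDIAN).getInt();
        if (len < 0 || len > MAX_MESSAGE) {
            throw new IOException("bad message length " + len);
        }
        byte[] body = new byte[len];
        din.readFully(body);   // a single read() may return short; readFully loops until all len bytes arrive
        return new String(body, StandardCharsets.UTF_8);
    }

    /** Writes one framed message and flushes; stdout is block-buffered, so without flush the browser hangs. */
    static void writeMessage(OutputStream out, String json) throws IOException {
        byte[] body = json.getBytes(StandardCharsets.UTF_8);
        if (body.length > MAX_MESSAGE) {
            throw new IOException("response too large");
        }
        out.write(ByteBuffer.allocate(4).order(ByteOrder.LITTLE_ENDIAN).putInt(body.length).array());
        out.write(body);
        out.flush();
    }

    /** Decodes the request, signs, and re-encodes; errors come back as a fixed string, never a stack trace. */
    static String handle(String requestJson, UnaryOperator<String> signXml) {
        Matcher m = XML_FIELD.matcher(requestJson);
        if (!m.find()) {
            return "{\"error\":\"missing xml field\"}";
        }
        try {
            String xml = new String(Base64.getDecoder().decode(m.group(1)), StandardCharsets.UTF_8);
            String signed = signXml.apply(xml);
            String b64 = Base64.getEncoder().encodeToString(signed.getBytes(StandardCharsets.UTF_8));
            return "{\"signedXml\":\"" + b64 + "\"}";
        } catch (RuntimeException e) {
            // Web content must not learn internals of the signing stack; log locally if diagnostics are needed.
            return "{\"error\":\"signing failed\"}";
        }
    }

    public static void main(String[] args) throws IOException {
        // Replace with the javax.xml.crypto + Windows-MY signing routine; identity keeps this runnable without a card.
        UnaryOperator<String> signXml = xml -> xml;
        String request;
        while ((request = readMessage(System.in)) != null) {
            writeMessage(System.out, handle(request, signXml));
        }
    }
}
```

On the browser side the extension calls `chrome.runtime.sendNativeMessage(hostName, {xml: ...}, callback)`, where `hostName` matches the host manifest the installer registers (Chrome on Windows looks it up via the registry); the manifest's `allowed_origins` lists the extension IDs allowed to launch the host. The part to get right is who may reach that channel: any page that can talk to the extension can ask the card to sign, so the extension should accept requests only from the application's own origin (a content script scoped to that origin, or an `externally_connectable` match list), leaving the card's PIN prompt as the user's consent step rather than the only defence.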
