3

Immagine a web application written in python/django in which users authenticate with digital certificates via apache+mod_ssl (and a custom django authentication backend), how can they sign files then? The certificates are released by government approved CAs.

If I'm not wrong, a file needs to be signed with the private key of a certificate, because that is the proof that the file has been really signed by someone (and not someone-else pretending to be someone).

How can a web application have access to the private key of a certificate stored in the browser of the user?

Is this possible without the need of a software running on the user's machine?

EDIT:

So this can be done either with an ActiveX control or a Java applet, right? Does this need to be developed from scratch or does anybody know an open source solution?

nemesisdesign
  • 8,159
  • 12
  • 58
  • 97

3 Answers3

2

You are correct in that the web application requires access to the private key on the user's local computer or PKI store. I developed such a solution for a web application on the USAF network.

Users logon to USAF computer with their CAC Card containing their PKI credentials and private key. In our solution, we needed to digitally sign PDF documents generated by our web application. We built an ActiveX control that would download the PDF document from the web site via a web service, digitally sign the PDF locally, and then transmit the signed PDF document back to the web site.

Since the signature authority of these documents was such a limited audience, we were able to get authorization for the use of the ActiveX control. You are heading down the right path as only a locally authorized application will have access to the user's key store.

tawman
  • 2,478
  • 1
  • 15
  • 24
  • In fact, signed Java applet can be used for client-side signing as well. – Eugene Mayevski 'Callback Oct 31 '11 at 15:10
  • Agreed. Some client side app is required and in our case we went the ActiveX route since our web app was .NET but ActiveX is C++. The AF had the same disdain for java applets as it did for ActiveX. – tawman Oct 31 '11 at 15:13
  • thx for the info, do you know if there are open source solutions out there, like java applets? – nemesisdesign Oct 31 '11 at 15:18
  • i was wondering: is there difference between the document created locally and the one uploaded to the server? – nemesisdesign Nov 04 '11 at 14:31
  • @nemesisdesign In our case, the only action performed locally was the act of digitally signing the PDF document downloaded from the server. Once signed with the user's PKI the PDF was uploaded back to the server. – tawman Nov 04 '11 at 15:17
0

As tawman described in his answer, the right approach is to have a client-side module in the browser, and have this module do actual signing. You can have signed Java applet or signed ActiveX control to do the job.

We offer such solution for distributed signing with ready to use client modules, but server-side part requires either .NET or VCL (no python, sorry). Our solution doesn't need to transfer the document to the client side (unlike tawman's scheme) - only small chunk of data is sent to the client and signed there.

Side note: client-side certificate used for authentication as a client via SSL most likely won't work for signing: these two operations require different key usage extension in the certificate.

Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
0

This sounds like something from EU. Unfortunately there are countless of different existing online signature plugins. Keep in mind that many depend on the client side software as well (if the certificates come from a smart card, smart card middleware usually needs to be present as well). So you better study your target market.

Martin Paljak
  • 4,119
  • 18
  • 20