Digital signature with Javascript

6
votes

So I'm stuck with this problem:

IE Edge no longer allow applets, activeX, etc. ,

and I have this applet that is used for digital signature,

the idea is to extract the private key from the KEY file in the client side, in that way the private key never leaves the client's computer, that is a requirement for security, it can't be avoid :(

I'm looking for APIs or frameworks, but I can't found a way to solve this,

with jsrsasign the examples uses a PEM file but my users have .CER + .KEY + password, in java I can do it, but I need to do it in javascript or in something on the client side.

and, reading the Web Cryptography API and some examples I found, they generate NEW private and public keys to sign BUT they never READ an existing CERTIFICATE

does anybody have this problem or know a framework I could use? please heeeelp!

3
javascriptinternet-explorerappletdigital-signaturemicrosoft-edge
so, if I understood it correctly, you have an applet that already works in IE BUT doesn't work on Edge which is why you're trying to replicate the same process using the new API (or any API available for that matter)?securecodeninja
stackoverflow.com/a/32536332/2104560Baurzhan
yes, that's the problem @RomanCanlasAlfredo M
another question - is your web app public facing or just within your organization?securecodeninja
mainly, is for a private intranets @RomanCanlasAlfredo M

3 Answers

3
votes

So the answer was to use JSRSASIGN (http://kjur.github.io/jsrsasign/) in the examples posted in github it uses PEM files, I build an example to use CER+ KEY + PASSWORD >> https://github.com/alfredomova/firmaJs-with-jsrsasign-example,

for that specific example i used sparkMD5(https://github.com/satazor/SparkMD5) to calculate the file's hash.

1
votes

Modern browsers no more supports ActiveX, applets. WebCrypto API generates and uses keys dynamically but does not have capability to access Certificates from Certificate Store.

The accepted answer provided by Alfredo M, who has also asked question, points to JavaScript to handle cryptography in browser which does not talk about accessing local Certificate Store. Recently Certificates are not being generated/issued as pfx (or PEM) files but on Cryptographic device like USB Token or smart card.

Thus we need to use Browser Extensions for modern browsers where application running behind the Browser can access Certificate Store and sign the hash. One such browser extension is provided free by my Company. You just need couple of lines of JavaScript code to call methods provided by any Browser Extension to achieve Digital Signing from modern Browser. If you just want to sign files or eReturns, you don't need any server side component. If you want to sign pdf, you may need pdf component on server side.

0
votes

You don't necessarily need to force your web app to work in Edge since it no longer support the legacy technologies that your web app is using.

"Use Enterprise Mode with Microsoft Edge to open Internet Explorer 11 for your business’s sites that require IE’s proprietary technologies."

Include your site on the Enterprise Mode Site List so it will open in IE11 automatically:

Once Edge detects that your web app is using propietary technologies, it will tell you to open your site in IE11.

The steps and the details can be found in this blog post by the Microsoft Edge team and check the user experience section of the blog so you'll get the idea of the UX it will bring to your users once implemented:

http://blogs.windows.com/msedgedev/2015/08/26/how-microsoft-edge-and-internet-explorer-11-on-windows-10-work-better-together-in-the-enterprise/