X.509 Digital Signatures/Encryption workflow/library recommendations?

Question

My particular use case is that I have to access digital certificates stored on the client, and use them to perform tasks of signing, verifying, encryption and decryption on

Answer 1

My best bet would still be an applet since that's possibly the most cross-platform thing. Alternately, I can develop my own activeX and limiting my reach.

Remember that client side certificate access is big security thing.

Answer 2

[Disclosure: I work for CoSign]

A secure alternative to storing the certs on the clients is to store them on a secure, centralized SSCD (Secure Signature Creation Device). A problem with local certs (smart cards, etc) is to use them securely in client/server or web-based applications.

A centralized SSCD takes care of the issue very neatly. The user still needs to authenticate himself to the SSCD, but the SSCD itself holds the certs and does the signing. The authentication step can include 2-factor authentication including One Time Passords (OTP), biometrics, etc. We have customers doing all that.

The idea is to have secure client authentication but keep the secure signing centralized as a service on the network.

See this description. Also available as a cloud-based solution.

ps, This answer covers the slightly more general question of how to securely sign in a web-based application. I agree that it does not cover the specific question of signing by using a user's smart card or client alternative (the OP was deliberately vague).

Answer 3

Our SecureBlackbox library has a distributed cryptography add-on which does what you need. Currently client-side modules do signing but can be extended by the user (we provide complete source code). You will find detailed description of the add-on on our site or in this SO answer.