How to sign the document with a certificate's private key from the browser (CAPICOM alternative)?

Submitted by 冷暖自知 on 2019-12-11 03:48:44

Question

So, till Windows 7 there was a Microsoft ActiveX component: CAPICOM, which one could call from Javascript and then show the contents of the certificate storage on the client's machine. The client then could choose the appropriate certificate and sign some document with the certificate's private key. That's how the access to the certificate storage looked in Javascript:

// CAPICOM enumeration values (the snippet relies on these being defined elsewhere)
var CAPICOM_CURRENT_USER_STORE = 2;
var CAPICOM_STORE_OPEN_READ_ONLY = 0;
var MyStore = new ActiveXObject("CAPICOM.Store");
var oCertificates = new ActiveXObject("CAPICOM.Certificates");
// attempt to open the personal ("My") certificate store of the current user, read-only
MyStore.Open(CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY);

What’s the alternative to using CAPICOM nowadays? I want the client to be able to sign some piece of text with his private key in the browser and then send the signed text with the public key to the server. Is it still possible?

Maybe I could use Java or Silverlight instead of pure JavaScript? What about PKI.js and similar?


Answer 1:

In general, it is currently not possible, due to browsers' lack of support for Java or Silverlight.

Chrome has dropped support for NPAPI plugins. Firefox has announced it will discontinue it in 2017, and Edge has no support. Microsoft has deprecated Silverlight and Oracle has also announced the deprecation of the Java browser plug-in. Only old versions of IE could be used.

JavaScript cryptographic libraries such as PKI.js, forge or the built-in WebCryptographyApi can be used to perform digital signatures, but they do not have access to the operating system key store, so you cannot access the installed certificates.

Alternatives (not very encouraging):

  • Use WebCryptographyApi, loading the certificates in the browser (not for smartcards)
  • Launch a local application installed on your device and invoke it via a protocol, using an embedded HTTP server or the Chrome messaging API
  • Wait patiently for the Key Discovery API, which will provide WebCrypto with access to the OS keystore



Answer 2:

In fact I've created a .NET ActiveX object and used the X509Certificate2UI class and others from the same namespace to show information about the certificates and to sign some data.

Pros: no need to use CAPICOM.

Cons: it's still an ActiveX component and so it's available in Internet Explorer only.

But that was ok for my client so I took this path.

Source: https://stackoverflow.com/questions/40497439/how-to-sign-the-document-with-a-certificates-private-key-from-the-browser-capi
