问题
So, till Windows 7 there was a Microsoft ActiveX component: CAPICOM, which one could call from Javascript and then show the contents of the certificate storage on the client's machine. The client then could choose the appropriate certificate and sign some document with the certificate's private key. That's how the access to the certificate storage looked in Javascript:
var MyStore = new ActiveXObject("CAPICOM.Store");
var oCertificates = new ActiveXObject("CAPICOM.Certificates");
// attempt to open the personal certificate store
MyStore.Open(CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY);
What’s the alternative to using CAPICOM nowadays? I want the client to be able to sign some piece of text with his private key in the browser and then send the signed text with the public key to the server. Is it still possible?
Maybe I could use Java or Silverlight instead of pure JavaScript? What about PKI.js and similar?
回答1:
In general, currently is not possible due to lack of support of browsers to Java or silverlight.
Chrome has dropped support to NPAPI plugins. Firefox has announced it will discontinue it in 2017, Edge has no support. Microsoft has deprecated Silverlight and Oracle has also announced the deprecation of the Java browser plug-in. Only old versions of IE could be used.
Javascript cryptographic libraries such as PKI.js, forge or the built-in WebCryptographyApi can be used to perform digital signatures, but they do not have access to the Operative System KeyStore, so you can not access to the installed certificates
Alternatives (Not very encouraging):
- Use WebCryptographyApi loading certificates in browser (not for smartcards)
- Launch a local application installed on your device and invoke via protocol, using an embedded http server or with chrome messaging api
- Wait patiently to Key Discovery Api which will provide with access to the OS keystore to WebCrypto
回答2:
In fact I've created a .NET ActiveX object and used X509Certificate2UI class and others from the same namespace to show information about the certificates and to sign some data.
Pros: no need to use CAPICOM.
Cons: it's still an ActiveX component and so it's available in Internet Explorer only.
But that was ok for my client so I took this path.
来源:https://stackoverflow.com/questions/40497439/how-to-sign-the-document-with-a-certificates-private-key-from-the-browser-capi