Question
I would like to know JavaScript code for user authentication from browser with digital signature on client's USB Token or Smart Card. But I don't understand how to digitally sign login request, say authtoken, or UserID and Password from browser using USB Token. I need a popup on browser to select certificate from USB Token. My users have USB tokens of various makes and respective driver installed on their PC.
I need a solution where the user doesn't have to select the token driver.
Answer 1:
Methods like Java applets, ActiveX, etc. are being phased out from the new modern browser offerings. Recently much is being talked about WebCrypto API, but as of now, WebCrypto API does not provide access to (Windows) or any other key stores or local crypto USB/smartcard device.
For authentication from browser using digital signature, one such free Chrome extension available is the Signer.Digital Chrome extension. Local system (host running behind the Chrome browser on Windows) setup may be downloaded from https://signer.digital/downloads/Signer.Digital.Chrome.Host.Setup.zip. Installing this host and restarting Chrome will automatically add the Signer.Digital Chrome Extension.
The actual working of this extension is illustrated here
Testing Steps:
1. Install Device Drivers for your USB Token or Smart Card - This should make your Certificate in Windows Certificate Store
2. Install setup indicated above.
3. Restart Chrome Browser.
4. Open this link
5. Put UserID & Password and click Register button – this will ask to select Digital Signature and register it on server (For this session only – not permanent).
6. Then again put same UserID and Password and select same Certificate and click Login. Selecting different certificate will not allow login.
Javascript to call method from extension:
To Register Certificate on Server:
    // Get Selected Certificate Information
    SignerDigital.getSelectedCertificate()
        .then(
            function (CertInfo) {
                // Success returns Certificate Subject and Thumbprint
            },
            function (errmsg) {
                // Send errmsg to server or display the result in browser.
            }
        );
To authenticate or Login using Digital Signature:
    SignerDigital.signAuthToken(authToken, "SHA-256") // or "SHA256"
        .then(
            function (SignData) {
                // Success returns Signed Auth Token
            },
            function (errmsg) {
                // Send errmsg to server or display the result in browser.
            }
        );
To sign PDF:
    // Calculate Sign for the Hash by Calling function from Extension SignerDigital
    SignerDigital.signPdfHash(hash, $("#CertThumbPrint").val(), "SHA-256") // or "SHA256"
        .then(
            function (signDataResp) {
                // Send signDataResp to Server
            },
            function (errmsg) {
                // Send errmsg to server or display the result in browser.
            }
        );
If Failed: returns error msg starting with "SDHost Error:"
User Authentication from Browser
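The register-then-login flow described in Answer 1 only authenticates anyone if the server issues the auth token itself and verifies the returned signature against the registered certificate. The following Node.js sketch is an added example, not part of the original answer and not Signer.Digital's code: the function names are hypothetical, a software RSA key stands in for the USB token, and the signature format (base64 RSA PKCS#1 v1.5 with SHA-256 over the UTF-8 token) is an assumption, since the page does not state what the extension returns.

```javascript
const crypto = require("crypto");

const registered = new Map(); // userId -> public key PEM taken from the registered certificate
const pending = new Map();    // userId -> { token, expires } for the outstanding challenge

function registerKey(userId, publicKeyPem) {
  registered.set(userId, publicKeyPem);
}

// Issue a random, short-lived token; this is the value the browser asks the token to sign.
function issueAuthToken(userId, ttlMs = 60_000) {
  const token = crypto.randomBytes(32).toString("base64");
  pending.set(userId, { token, expires: Date.now() + ttlMs });
  return token;
}

// Verify the signature over the exact token issued. The challenge is consumed on
// every attempt, so a captured signature cannot be replayed.
function verifyLogin(userId, signatureB64, now = Date.now()) {
  const challenge = pending.get(userId);
  pending.delete(userId);
  const publicKeyPem = registered.get(userId);
  if (!challenge || !publicKeyPem || now > challenge.expires) return false;
  return crypto.verify("sha256", Buffer.from(challenge.token, "utf8"),
    publicKeyPem, Buffer.from(signatureB64, "base64"));
}

// Constructed stand-in for the hardware token: a software RSA key pair.
function makeSoftToken() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    sign: (token) => crypto.sign("sha256", Buffer.from(token, "utf8"), privateKey).toString("base64"),
  };
}

function demo() {
  const alice = makeSoftToken(), other = makeSoftToken();
  registerKey("alice", alice.publicKeyPem);
  const sig = alice.sign(issueAuthToken("alice"));
  const ok = verifyLogin("alice", sig);      // correct certificate, fresh token
  const replay = verifyLogin("alice", sig);  // same signature again: token already consumed
  const wrongCert = verifyLogin("alice", other.sign(issueAuthToken("alice")));
  const expired = verifyLogin("alice", alice.sign(issueAuthToken("alice")), Date.now() + 120_000);
  return { ok, replay, wrongCert, expired };
}
console.log(demo());
```

A production server would additionally validate the certificate chain and revocation status at registration, which this sketch leaves out.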
Answer 2:
You can also check out https://fortifyapp.com, which has a client that, once installed, enables web applications to utilize smart cards without having the user do more than insert the smart card.
Upon insert, it inspects the card and then tries the appropriate driver, and once loaded, the web application, via a WebCrypto polyfill, can interact with the token/smart card.
You can read more about how it works here: https://unmitigatedrisk.com/?p=620
Source: https://stackoverflow.com/questions/55757258/user-authentication-from-browser-using-digital-signature-certificate-on-usb-toke