Implement Digital Signature in a Java Applet

I am trying to sign some data (a POST form) in a web application using a Java applet. The user's X.509 certificate will be on a crypto token / smart card. The signature must be in attached PKCS#7 format.

I used this tutorial / code as a starting point for creating the applet - http://www.developer.com/java/other/article.php/3587361/Java-Applet-for-Signing-with-a-Smart-Card.htm

The biggest problem for me here is that the applet asks the user for the location of the PKCS#11 implementation library. This is a big no-no for me because my typical user will not know the location of his PKCS#11 library.

From the Oracle Java documentation - http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html - it seems that Java does not have its own implementation.

Is there any way to do this signing without asking the user for this location? I am fine with a solution that only works with IE and Firefox on Windows.

With the few smart cards / crypto tokens that I have used, I noticed that the moment I insert one, I can see the certificate in the Personal tab of the IE and Firefox certificate stores. This probably means that the crypto token registers all the certificates it contains with the OS when you insert the card and unregisters them when you remove it. So perhaps it exposes some interface to the OS / browser when it does this - can that not be used for signing?

+5
2 answers

We did what you are trying to do (distributed signing with client modules) in addition to distributed cryptography for our SecureBlackbox product, and we offer an ActiveX control for IE and Java applets for other browsers.

Unfortunately, PKCS#11 DLLs are not registered anywhere, so you cannot avoid asking the user for the location of this DLL.

Most hardware devices support both PKCS#11 and CryptoAPI. In the CryptoAPI interface, the CSP DLL provides the hardware certificates to the CryptoAPI engine and, therefore, to applications. In this case, you can use the Java classes that work with Windows CryptoAPI.

PKCS#11 is an interface implemented by hardware vendors, so Java cannot implement it on its own. The JVM is not hardware and does not contain certificates (even if it did, that would not solve your problem). I should note that Firefox has a built-in PKCS#11 driver through which Firefox accesses its own certificates. This was done to support software and hardware certificates consistently.

+3
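The CryptoAPI route described in the answer above, as an added example that is not part of the original thread or of SecureBlackbox: it opens the current user's Windows personal certificate store through the SunMSCAPI provider (the `Windows-MY` key store, which is what IE shows under "Personal"), picks a certificate that is valid and marked for signing in its KeyUsage extension, and signs the POST data with the on-card key, without ever asking the user for a PKCS#11 library path. The form data and the class name `CapiSigner` are constructed for the example; the signature algorithm, the key-usage policy and the "first usable entry" selection are my assumptions, not anything the answer prescribes.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example (not from the thread): sign data with a smart-card key that the
 * token's CSP exposes to Windows CryptoAPI, via the SunMSCAPI provider.
 * Requires a Windows JRE; the private key never leaves the card.
 */
public class CapiSigner {

    /** A usable signing key handle and its certificate from the personal store. */
    public static final class SigningIdentity {
        public final PrivateKey key;
        public final X509Certificate cert;
        SigningIdentity(PrivateKey key, X509Certificate cert) {
            this.key = key;
            this.cert = cert;
        }
    }

    /** Open the current user's Windows personal store: no file, no password. */
    public static KeyStore openWindowsMy() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null); // backed by CryptoAPI, nothing to read from disk
        return ks;
    }

    /**
     * Select the first entry that has a private-key handle, is currently valid and
     * whose KeyUsage allows digitalSignature or nonRepudiation (assumed policy).
     * Encryption-only and expired certificates are skipped.
     */
    public static SigningIdentity selectSigningIdentity(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) continue;
            try {
                cert.checkValidity();
            } catch (Exception notValidNow) {
                continue;
            }
            boolean[] ku = cert.getKeyUsage();
            // KeyUsage bit 0 = digitalSignature, bit 1 = nonRepudiation
            if (ku != null && !ku[0] && !ku[1]) continue;
            PrivateKey key = (PrivateKey) ks.getKey(alias, null); // password is ignored by SunMSCAPI
            if (key != null) return new SigningIdentity(key, cert);
        }
        throw new IllegalStateException("no usable signing certificate in Windows-MY");
    }

    /** Sign with the CryptoAPI-backed key; the CSP prompts for the card PIN here. */
    public static byte[] sign(SigningIdentity id, byte[] data) throws Exception {
        // SHA256withRSA is available in SunMSCAPI from Java 7; use what your JRE offers
        Signature sig = Signature.getInstance("SHA256withRSA", "SunMSCAPI");
        sig.initSign(id.key);
        sig.update(data);
        return sig.sign();
    }

    /** Verify with the certificate's public key; any provider will do, no card needed. */
    public static boolean verify(X509Certificate cert, byte[] data, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the canonical form of the POST fields being signed
        byte[] formData = "amount=100&currency=EUR&order=4711".getBytes(StandardCharsets.UTF_8);
        SigningIdentity id = selectSigningIdentity(openWindowsMy());
        byte[] signature = sign(id, formData);
        System.out.println("signed by " + id.cert.getSubjectX500Principal());
        System.out.println("verifies locally: " + verify(id.cert, formData, signature));
    }
}
```

The block produces a raw PKCS#1 signature; wrapping it and the certificate into the attached PKCS#7 structure the question asks for needs a CMS library on top of this (the same `PrivateKey` handle can be passed to it). The server should verify the signature against a certificate it can chain to a trusted CA, not merely against whatever certificate the client sends along, and should sign a canonical encoding of the form fields so that field reordering cannot invalidate or reuse a signature.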

The smart card or token driver library (PKCS#11) has an additional layer called a CSP (Cryptographic Service Provider), which acts as a bridge between the device driver and the OS cryptographic services. The token driver, once installed, also adds this CSP and therefore, when a token or smart card is connected, makes the certificates on it available (they act as a handle to the private key securely stored on the crypto device).

To sign from a browser as a client: applets are no longer supported by modern browsers. You can use a browser extension for this purpose, in which the browser runs its own application to access the certificate store and provides the signing function through the browser using JavaScript. The Signer Digital Browser Extension offers various types of browser signing using JavaScript. Refer to the 3 different SO links on the Browser Digital Signature page to learn about the various operations performed using the web browser extension.

0

Source: https://habr.com/ru/post/1495450/