How to implement digital signature with my existing web project

Sree picture Sree · May 2, 2018 · Viewed 7.7k times · Source

I'm working on the project where the user needs to do a digital signature on a document. I checked in the google and know about sinadura which is a desktop application but I need to invoke this into my web application.

I installed alfresco community edition on Linux server (https://www.alfresco.com/thank-you/thank-you-downloading-alfresco-community-edition) and followed the instruction as below GitHub link.

https://github.com/zylklab/alfresco-sinadura

I've implemented successfully with above instructions. But Alfresco is the big project and given several other features too. But I don't need that and I just need to implement digital signature part into my own web application similar to alfresco

How to implement the digital signature part in my existing project? Can anyone please give a suggestion

Answer

pedrofb picture pedrofb · May 7, 2018

The security restrictions of browsers do not allow javascript access to the system certificate keystore or smart cards. Formerly java applets could be used, but with the latest browser updates it is no longer possible.

Current solutions for digital signature in browsers require the installation of a desktop software on the user's computer. The operating process is as follows:

Installation: The user installs the desktop software on his computer. The software installs a self-signed certificate and includes an embedded browser that listens on a computer port and runs it as a service

  1. The web application requests a signature to the local software using a secure web connection. For example https://localhost:1234/sign?doc=xxxx. The browser waits for the result

  2. The local application receives the document, asks the user to select the certificate or enter the card and make the signature. As it is a local application, there are no security restrictions

  3. The web application receives the result. It can query the local application through a REST service or open a websocket.

The concept is simple (a web application that requests the signature to a local application), but the construction of an application of this type is quite complex because you have to take into account many other factors:

  • Software installation and distribution

  • Security and Encryption

  • Digital signature formats: XAdES, CAdES, PAdES etc. They can be implemented in the application or use a signature service in 3 phases, where the documents are on the server and a single hash is signed locally

So I recommend using an existing solution:

  • @firma + Autofirma: Open-source solution promoted and used by the public administration in Spain

  • SD-DSS + nexU(lowina): Open-source solution promoted by the European Commision. Check the demo here

  • chrome token signing: Chrome and Firefox extension for signing with your eID on the web developed for the Estonian government

Sinadura is also an open-source initiative, and from what I've seen it works in a similar way, but I do not know if it has important references and I have not found the API