Accessing signing/encryption in a browser's Keystore using JavaScript - sample code? (WebCryptoAPI)

stwissel · Jul 4, 2014 · Viewed 12.1k times

I have a web server that allows access only using X509 authentication. Works like a charm. Now I want to extend the use of the X509 certificates (which are stored in the user's browser keystore) to

  • Sign data before it is sent to the server (using JavaScript and HTTPPost)
  • Decrypt data read from the server (where it gets encrypted using the user's public key stored there)

I found this example doing RSA signature, which is pretty close... only it takes the key from an HTML textarea. I want to read it from the key store. Now crypto is quite in flux:

I'm looking for some working examples for signature and encryption (I have some in Java, but not browser based JavaScript).

Help is very much appreciated

Answer

albciff · Nov 4, 2014

At the moment, the W3C's WebCrypto standard is specifying a JavaScript object crypto inside window to perform encryption, digital signatures, key generation and so on with JavaScript. However, a standard way to access the local keystore to perform operations like signatures with client keys is not defined. So nowadays there isn't a common way to do so in JavaScript; each browser has its own way. In IE you can do it with ActiveXObject("CAPICOM.Store");, with Firefox using window.crypto.signText("textToSign", "ask"); (it seems that it is now deprecated, take a look here; the current API doesn't seem to support it: more info here). For Chrome I'm not sure, however using NativeSDK Client could be a possible way.

Another possibility is using Java applets, with all the problems this technology has these days.

There is also a project on GitHub which encapsulates in JavaScript the behavior to sign (only with IE and Firefox) using a common object which has both implementations. I tried it months ago and it worked correctly with IE/Firefox; now it doesn't work with Firefox because the API options are deprecated. If you're curious, take a look at: Glamdring/js-signer

You can also check my question where I asked a similar question: js signature on chrome with OS keystore

Hope this helps,
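
The part WebCrypto does standardize, as an added example that is not part of the original question or answer: signing a payload and decrypting server data with key pairs the page generates itself as non-extractable CryptoKey objects. These are not the X509 client-certificate keys from the browser keystore, which WebCrypto gives no way to reach; the helper names, the sample payload and the in-page simulation of the server side are assumptions.

```javascript
// Added example: WebCrypto sign / verify / decrypt with page-generated keys.
// Falls back to Node's webcrypto so the same code runs outside a browser.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const RSA = { modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" };
const enc = new TextEncoder();

// extractable=false: private keys are usable for operations but cannot be exported.
async function makeKeys() {
  const signing = await subtle.generateKey({ name: "RSASSA-PKCS1-v1_5", ...RSA }, false, ["sign", "verify"]);
  const encryption = await subtle.generateKey({ name: "RSA-OAEP", ...RSA }, false, ["encrypt", "decrypt"]);
  return { signing, encryption };
}

// Client: sign the data before it is POSTed to the server.
const signPayload = (privateKey, text) =>
  subtle.sign("RSASSA-PKCS1-v1_5", privateKey, enc.encode(text));

// Server (simulated here): verify with the user's registered public key.
const verifyPayload = (publicKey, sig, text) =>
  subtle.verify("RSASSA-PKCS1-v1_5", publicKey, sig, enc.encode(text));

// Server (simulated here): encrypt data to the user's public key.
const encryptFor = (publicKey, text) =>
  subtle.encrypt({ name: "RSA-OAEP" }, publicKey, enc.encode(text));

// Client: decrypt data read from the server.
async function decryptWith(privateKey, ciphertext) {
  return new TextDecoder().decode(await subtle.decrypt({ name: "RSA-OAEP" }, privateKey, ciphertext));
}

// Attempting to export a non-extractable private key must be rejected.
async function canExportPrivate(key) {
  try { await subtle.exportKey("pkcs8", key); return true; } catch { return false; }
}

async function demo() {
  const { signing, encryption } = await makeKeys();
  const payload = '{"order":42,"item":"demo"}'; // constructed sample payload
  const sig = await signPayload(signing.privateKey, payload);
  const ct = await encryptFor(encryption.publicKey, "secret from server");
  return {
    verified: await verifyPayload(signing.publicKey, sig, payload),
    tamperedVerified: await verifyPayload(signing.publicKey, sig, payload + " "),
    decrypted: await decryptWith(encryption.privateKey, ct),
    privateExportable: await canExportPrivate(signing.privateKey),
  };
}

demo().then((result) => console.log(result));
```

In a browser, a non-extractable CryptoKey can be kept across sessions by storing the object in IndexedDB, and the public half has to be registered with the server separately from the X509 certificate.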