Electronic Signatures Using The Browser
Sometimes, especially in government or enterprise context, you need to sign a document in the browser using a smartcard (some may call it “crypto token”). It’s rare, but many people have asked me, in private messages and emails, how to do it. Maybe they’ve seen some of my articles from several years ago, but failed to make it work. And my articles show the evolution (or devolution) of in-browser electronic signing.
First it was possible with JavaScript, then I even created a library to make things easier. Then CAPICOM and window.crypto were deprecated, so the only option was to use a Java applet. Then Java applets were deprecated and we were out of options. We got the Web Crypto API, but it explicitly didn’t support hardware tokens.
For that reason, I wrote a “plea” for smartcard support in browsers, but it hasn’t happened yet and probably won’t in the near future. So what can we do now, that all previous options are deprecated?
A good approach is to have a one-time installation of some custom software (it could be a Java Web Start application or a Java-independent application), which runs a local service that listens on a particular port, and then a JavaScript library that sends the data to be signed to http://localhost:1234/sign and gets the response. There are such solutions available, notably NexU (thanks to the efforts put into the DSS package). There are other attempts, such as this one, using Java Web Start (it’s currently not in English). Another one is Fortify.
You can try NexU’s demo here. It’s also included in the dss-demo-webapp project.
It has some tricky bits that have only recently been resolved in browsers, namely that in order to send an XMLHttpRequest to the local service from an HTTPS page, the service has to run on HTTPS too, and therefore you have to package a private key in your application (which goes against the requirements of many Certificate Authorities). Now, as far as I know, localhost is exempt from that requirement.
I hope I don’t have to write yet another article in two years explaining that this approach is superseded by yet another hacky approach.
Have you looked into whether the new web standards for USB (or Bluetooth or NFC) can be leveraged? (Especially if you could control the range of supported hardware, which seems de rigueur in these settings anyway)
I haven’t. But I don’t think browsers are into that (yet).
I am using in MS Word but I was amazed after reading your post.
There are people who have built solutions to use WebUSB to do smartcard work but WebUSB support is very poor and its existence exposed a vulnerability in FIDO which resulted in it being disabled for certain device classes.
Fortify was designed to provide access to smartcard capabilities via the WebCrypto interface making it possible to build applications that work with or without smart cards and/or local certificates from within the web. It works in Linux, Windows, and Mac unlike most solutions, and it is entirely open source.
This approach, of course, includes the ability to do signing but also includes encryption, and enrollment, unlike the DSS only approach.
Use Signer.Digital free chrome extension.
For browser based signing scenarios, one such free Chrome extension available is Signer.Digital chrome extension. Windows Setup may be downloaded from https://download.cnet.com/Signer-Digital-Chrome-Extension/3000-33362_4-78042540.html
Installing this host and restarting Chrome will automatically add Signer.Digital Chrome Extension https://chrome.google.com/webstore/detail/signerdigital/glghokcicpikglmflbbelbgeafpijkkf
The actual working of this extension is illustrated at http://web.signer.digital/PdfSigning/Index
For JavaScript code, please refer to the answer at https://stackoverflow.com/a/55676351/9659885
Hi
Thanks for sharing this information, it’s very helpful.
Your code on ActiveX-based digital signatures is excellent. It was 2007 or so?
The browsers have gone from bad to worse since then, and it is upsetting when you say that digital signing in the browser is difficult.
I’ll await your own code to digitally sign documents using the x.509 certificates stored on USB dongles.