Electronic Signatures Using The Browser

Sometimes, especially in government or enterprise context, you need to sign a document in the browser using a smartcard (some may call it “crypto token”). It’s rare, but many people have asked me, in private messages and emails, how to do it. Maybe they’ve seen some of my articles from several years ago, but failed to make it work. And my articles show the evolution (or devolution) of in-browser electronic signing.

First it was possible with javascript, then I even created a library to make things easier. Then CAPICOM and window.crypto were deprecated, so the only option was to use a Java applet. Then Java applets were deprecated and we were out of options. We got the web crytpo API, but it explicitly didn’t support hardware tokens.

For that reason, I wrote a “plea” for smartcard support in browsers, but it hasn’t happened yet and probably won’t in the near future. So what can we do now, that all previous options are deprecated?

A good approach is to have a one-time installation of some custom software (it could be a Java Web Start application or a Java-independent application), which runs a local service that listens to a particular port, and then a javascript library that sends the data to be signed to http://localhost:1234/sign and gets the response. There are such solutions available, notably NexU (thanks to efforts put in the DSS package). There are other attempts, such as this one, using Java Web Start (it’s currently not in English). Another one is Fortify.

You can try NexU’s demo here. It’s also included in the dss-demo-webapp project.

It has some tricky bits that have been recently resolved in browsers, namely, that in order to send an XMLHTTPRequest to the local service, it has to run on HTTPS, and therefor you have to package a private key in your applications (which goes against the requirements of many Certificate Authorities). Now, as far as I know, localhost is exempt from that requirement.

I hope I don’t have to write yet another article in two years explaining that this approach is superseded by yet another hacky approach.

4 thoughts on “Electronic Signatures Using The Browser”

  1. Have you looked into whether the new web standards for USB (or Bluetooth or NFC) can be leveraged? (Especially if you could control the range of supported hardware, which seems de rigeur in these settings anyway)

  2. There are people who have built solutions to use WebUSB to do smartcard work but WebUSB support is very poor and its existence exposed a vulnerability in FIDO which resulted in it being disabled for certain device classes.

    Fortify was designed to provide access to smartcard capabilities via the WebCrypto interface making it possible to build applications that work with or without smart cards and/or local certificates from within the web. It works in Linux, Windows, and Mac unlike most solutions, and it is entirely open source.

    This approach, of course, includes the ability to do signing but also includes encryption, and enrollment, unlike the DSS only approach.

Leave a Reply

Your email address will not be published. Required fields are marked *