通过webSoket通讯，该解决方案可以安全地访问Web上的用户私人证书吗？ [英] This solution is safe to access to user's private certificate on a web with a webSoket communication?

问题描述

我们正在开发一个使用https协议（两种方式）的网页。

We are developing a web page that use https protocol (two way).

我们需要访问用户的私人证书，因为我们需要签署文件

We need to access to the private certificates of the user, because we need sign documents by the user's certificate, so we developed a Java application that communicate with the web by a websoket.

此应用程序将自Web以来通过协议调用进行调用（即您可以通过浏览器在Acrobat Reader上打开pdf。）

This application will call with a protocol call since the web (same that when you open a pdf on Acrobat Reader from a browser).

因此，我们必须确保我们的网站正在调用本机应用程序（仅我们的网站）。我们希望开发一个系统来确保这一点。我们的想法：

So we have to be sure that our web is calling to the native application(only our web). We want develop a system to be sure of that. Our idea:

1. 向服务器发送一个公钥，一个由服务器的私有证书签名的令牌以及一个对称密钥（用于加密网络套接字通信）。


2. 接下来，我们将使用服务器上的Web服务，在本机应用程序中检查令牌是否正常。


3. 之后，我们将不得不打开本机应用程序和Web之间的websocket，并通过这种方式通过本机应用程序发送已签名的文档。


4. 然后将文档发送到服务器。

1. Send a public key, a signed token by the server's private certificate and a symmetric key (to encrypt websocket communications) to the native application.
2. Next, we will Check in the native application that the token it is OK with a web service to the server.
3. After, we will have to open the websocket between the native app and the web, and send the signed document by the native app by this way.
4. Then sent document to the server.

此实现安全吗？我们会在中间有一个男人吗？

Is this implementation safe? We will be safe of a man in the middle?

关于此解决方案的任何建议都会很受欢迎，因为我看不到任何弱点，但我不是专家安全。

Any suggestion about this solution will be wellcome, because I don't see any weakness but I am not an expert on security.

我知道其他解决方案，例如applet，JavaFX或Chrome上的本机消息，但我只想知道这些解决方案是否安全。

I know other solutions for this problem, like applets, JavaFX or native messages on Chrome, but I only want to know if these solution is safe.

在此先感谢所有，如果英语不是我最好的英语，对不起：P，

Thanks to all in advance and sorry if my english isn't the best :P,

推荐答案

我看到以下问题

1. 通过服务器的发送公共密钥和签名令牌

您正在按协议调用本地应用程序。例如 mylocalapp：// sign？securitytoken = ... 。您无法控制本地PC上安装了哪个应用程序来响应 mylocalapp：// 。浏览器显示一个难看的警告，因为您要离开安全环境。攻击者可能已经替换了默认应用程序，模拟了流程并获得了所有签名的文档。

You are calling a local app by protocol. For example mylocalapp://sign?securitytoken=.... You do not control which application is installed on local PC to respond to mylocalapp://. The browser shows an ugly warning because you are leaving the secure environment. An attacker could have replaced the default app, simulate the flow and get all signed documents.

2。接下来，我们将在本机应用程序中通过服务器上的Web服务检查令牌是否正常。

2.Next, we will Check in the native application that the token it is OK with a web service to the server.

要验证服务器的身份并避免ManInTheMiddel附加，还需要使用服务器证书为应用程序设置一个托管区

To verify identity of server and avoid a ManInTheMiddel attach you need also to set a trustore for your application with the server certificate

您的服务器还需要验证客户端的身份。您是否还打算以两种方式使用TLS？

Your server needs also to verify identity of client. Are you planning to use TLS two ways also?

1. 之后，我们将不得不打开本机应用程序和网络之间的网络套接字，并通过这种方式发送本机应用程序签名的文档。

您不需要网络套接字。只需使用URL连接就可以下载和上传文档。

You do not need a websocket. Simply use a URL connection to download and upload the documents.

西班牙经济部在Chrome决定采用此解决方案时减少NPAPI支持，签名小程序开始失败。现在，他们以这种方式重建了系统

This solution was used by Spanish ministry of economy when chrome decided to cut the NPAPI support and signature applets began to fail. Now, they have rebuilt the system in this way

1. 在用户的PC上安装本地Java应用程序。应用程序在端口上侦听，例如5678

1. Install a local Java application on the user's PC. The application listens on a port as, for example 5678

在您的页面中，javascript以 http://127.0.0.1:5678/sign 并将数据发送给sign。

In your page, javascript connects to the application in the form http://127.0.0.1:5678/sign and sends the data to sign.

该应用程序是本地的，使用操作系统密钥库（包括驱动程序PKCS＃11）没有问题。执行数字签名并将结果发送到服务器

The application is local and has no trouble using the operating system keystore, which includes drivers PKCS#11. Perform digital signature and sends the result to the server

页面的javascript会定期查询结果并在准备就绪时进行检索

The javascript of the page periodically query the result and retrieves it when ready

安全性问题基本相同，但是在本地主机上安装服务器比替换本地默认应用程序难。

The security problem is basically the same, but install a server in localhost is harder than replace the local default app.

该解决方案称为@firma，我想您可能知道。它是开源的，您可以使用它

The solution is called @firma, I guess you probably know it. It is opensource, you can use it

这篇关于通过webSoket通讯，该解决方案可以安全地访问Web上的用户私人证书吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！