Java插件替换数字签名 [英] Java plugin replacement for digital signatures

问题描述

我们有一个自定义Java小程序，可以执行某些任务，例如从本地文件系统中加载PDF，使用系统KeyStore/智能卡中的证书对它进行签名等.在常规HTML/JavaScript中无法执行此类操作.既然跨浏览器已弃用Java，我们正在寻找替换applet功能的可能性.

We have a custom Java applet that performs certain tasks, like loading a PDF from local filesystem, signing it with certificates from system KeyStore/smart card etc. Such actions are not possible in regular HTML/JavaScript. Now that Java is being deprecated across browsers, we are looking for possibilities to replace the applet functionality.

有 Web密码API ，但不幸的是，该规范并未涵盖使用系统密钥库.还有另一种规范， Web加密密钥发现，但我不这样做.认为当前没有任何浏览器支持它.

There is this Web Cryptography API, but unfortunately the spec does not cover using system keystore. There is another spec for this, WebCrypto Key Discovery, but I don't think it is currently supported by any browser.

Mozilla具有 API 可能正是我们需要，但不幸的是现在不推荐使用.

Mozilla had an API that might be exactly what we need, but unfortunately it is deprecated now.

因此，看来我们唯一的选择是:

So it looks like our only options are:

• 编写自定义桌面GUI应用
• 编写自定义浏览器插件

还是有更好的解决方案?你有什么建议?我不在乎该解决方案是否仅适用于Internet Explorer，因为我们的大多数用户都在使用.

Or is there some better solution? What do you suggest? I don't care if the solution would be only for Internet Explorer since most of our users use.

推荐答案

由于浏览器的Java限制，通常无法使用OS本机密钥库.您仍然可以在IE和Firefox的旧版本中使用Java，但是Oracle宣布将停止为浏览器提供JRE插件，并且Firefox决定在2017年放弃对Java的支持，因此不推荐

Due to Java restrictions on browsers is not possible in general to use the OS native Key Store. You still can use Java in old versions of IE and Firefox, but Oracle has announced that will discontinue JRE plugin for browser, and Firefox decided to drop java support in 2017, so it is not recommended

无法编写浏览器插件，因为浏览器不允许访问多种操作系统功能.特别是Chrome插件API仅允许访问Chrome操作系统中的用户证书，而不能访问Windows或Linux中的用户证书.对于Edge，我认为该插件界面尚不可用.

Write a browser plugin is not possible because browsers do not allow access to several OS functions. In particular Chrome plugin API only allow access to user certificates in Chrome OS, not in Windows or Linux. For Edge, I think the plugin interface is not available yet.

还有其他选择

• 使用 WebCryptographyApi 加载软件证书.请参阅如何加载PKCS#12数字证书使用Javascript WebCrypto API

• Use WebCryptographyApi to load a software certificate. See How to load a PKCS#12 Digital Certificate with Javascript WebCrypto API

使用 chrome消息传递API (爱沙尼亚解决方案).参见 https://stackoverflow.com/a/29806091/6371459

Use chrome messaging api (Estonian solution). See https://stackoverflow.com/a/29806091/6371459

使用通过JavaScript连接的本地应用程序(西班牙语解决方案)，请参见 https://stackoverflow .com/a/38658414/6371459

Use a local application connected through javascript (Spanish solution) See https://stackoverflow.com/a/38658414/6371459

我亲自测试了第一个和最后一个选项.对于爱沙尼亚解决方案，我建议与团队联系.我认为目前仅支持某些智能卡

I personally have tested the first and the last options. For Estonian solution, I suggest to contact with the team. I think the currently support only some smartcards

这篇关于Java插件替换数字签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！