Alternative for digital signing applet under Chrome


Problem description

At the moment we have developed a system that can digitally sign documents using a Java applet. However, with the ban of applets under Chrome we are looking for an alternative solution for digital signing.

At the moment the signing works the following way:


  1. An HTTP GET is sent to a servlet to fetch the document that is about to be signed;

  2. The applet is started, the digital-signature driver is loaded from the file system and the user enters the PIN;

  3. The applet obtains the certificate chain, checks the CRL/OCSP and signs the document;

  4. The applet sends the signed document to a servlet in a multipart POST.

One alternative solution would be to import the certificate in the browser and use JS to do the signing. But that won't be a user-friendly solution.

Another solution could be to ask the user to download and run a program using JNLP that downloads and signs the document and automatically uploads it using an HTTP multipart POST. The drawback of this approach would be that it requires additional user interaction (the download action) and we lose the browser HTTP session, so we have to authenticate again.

Which is more viable? Can you think of an alternative?

Recommended answer

Everything below assumes RSA-based signing.

You may sign it in pure JavaScript + the Web Crypto API.

Key points: extract the key with the HTML5 <file> tag, use the forge JS library to deal with keys and hashes, canonicalize the XML with deoxxa and use Web Crypto for sign/verify (in addition, forge may also sign/verify, but Web Crypto is faster).

If you are signing XMLs with exclusive canonicalization, use deoxxa (you should browserify it before using it). If you sign XML and need to do inclusive canonicalization, use my fork of deoxxa (hosted on my own GitLab server: http://git.nitec.kz/baurzhansahariev/ESign/blob/webcrypto/content/src/main/webapp/xml/xml-c14n.js). I was too lazy to rename exclusive to inclusive, but my .js file performs inclusive, believe me) Example usage of forge + deoxxa + html5_p12_file_read is in the signJs and verifyJs files.

Also, forge supports signing binary files (CMS, or in the older naming style PKCS#7), but my JSP files don't have such an example. About OCSP and chain tests in JS: I opened an issue in forge, but it seems too difficult to handle the CRL/OCSP and TSP protocols in JS, that's why you may sign in JS, but verification may be split: hash checking is done in JS (forge usage and additional code are shown in my JSP), but smart checks like CRL, chain etc. are done in your web service. You may extract the X509Certificate and send it to your web service and use BouncyCastle or any other cool library to do the smart checks. The X509Certificate is public info anyway, so there is no problem in sending it to the service, but digest checking requires the files and you may not want to send the files to the service, and thus you use forge for checking the digest, which is shown in my verifyJS file.

My JS code is not refactored and not even OOP, and currently I'm not working on that project, but at some stage I had fully working XML RSA signing with P12 keys in the file system.

The latest JSP in my repo uses forge only to parse the P12 file and feeds the keys from it to the Web Crypto API, but my repo history also has pure-JavaScript sign/verify (if you don't like the Web Crypto API). See the branch history of that project.

