X.509数字签名/加密工作流程/库建议？ [英] X.509 Digital Signatures/Encryption workflow/library recommendations?

问题描述

我的特定使用案例是，我必须访问存储在客户端上的数字证书，并使用它们在客户端和服务器端执行签名，验证，加密和解密任务。对于后一部分，有许多解决方案。关键是访问客户端上存储的证书的能力。

请注意，我所说的存储在客户端上的证书是刻意模糊的。我不想限制对系统存储，用户存储，浏览器存储，加密令牌，java密钥存储，任何地方的想法。

多年来，我使用以下方法。沿着每一边我给了利弊。

1. CAPICOM / ActiveX。虽然这是最简单的工作，它限制用户在Windows上的IE。更糟糕的是，现在已弃用，只能在32位上运行。


2. Java小程序。这是跨平台和跨浏览器，但是在浏览器中的java不像一个人想要的那样普遍，并且很快就消失了（显然苹果最近删除了它）。因此，让用户下载和安装JRE的增加了麻烦。此外，用户必须执行设置无限强度加密扩展以使签名人工作的相对技术任务。

我听说过的事/想到，但我还没有进步。

1. 大部分javascript解决方案。他们实现RSA算法，但他们没有办法访问客户端证书存储上的数字证书。大多数会生成新的密钥对。


2. Flash / Flex。 Flash / flex似乎是最普遍的客户端技术。他们可以访问客户端硬件，如摄像头和麦克风。如果他们可以访问证书库，那将是可爱的。


3. Microsoft的网站上提供的CAPICOM的替代品。它规定了CAPICOM的替代方法，它们大多数是使用.NET框架的事情。这对于桌面客户端非常有用。但对于脚本，他们在一个重要的注释中非常清楚地说，你必须编写自己的activex控件。




我想要的是一种解决/解决获取访问权限的主要问题的方法。到客户端上的证书存储。我不是在寻找RSA算法的讨论，或为什么PKI是愚蠢的或一些替代非对称加密或使用架构除了Web应用程序或在苹果。

解决方案

我最好的赌注仍然是一个applet，因为这可能是最跨平台的事情。
或者，我可以开发自己的activeX并限制我的覆盖面。





请记住，客户端证书访问是大安全的事。




My particular use case is that I have to access digital certificates stored on the client, and use them to perform tasks of signing, verifying, encryption and decryption on the client side and the server side. For the latter part, there are many many solutions. The sticking point is the ability to access certificates stored on the client.

Note that I am saying "certificates stored on the client" which is deliberately vague. I dont want to restrict thoughts to system store, user store, browser store, cryptographic token, java key store, where ever.

Over the years, I used the following ways. Along side each of them I give the pros and cons.

1. CAPICOM/ActiveX. While this was the easiest to work with, it restricts the user to IE on Windows. What is worse, it is now deprecated and works only on 32bit.
2. Java applet. This is cross platform and cross browser, but java in the browser is not as common as one would like it to be and is quickly fading away (apparently Apple recently removed it). So there is the added hassle of getting the user to download and install the JRE. Additionally users have to perform the relatively technical task of setting the unlimited strength cryptography extensions for the signer to work.

Things I have heard of/thought of but I have not progressed far

1. Most javascript solutions. They implement the RSA algorithm but they dont have a way to access digital certificates on the client certificate store. Most of them generate a new key pair.
2. Flash/Flex. Flash/flex seem to be the most ubiquitous client side technology. They can already access client hardware like cameras and microphones. It would be lovely if they could access certificate stores.
3. Alternatives to CAPICOM as given on the microsoft website. It prescribes alternatives to CAPICOM which are mostly do things using the .NET framework. This is great for desktop clients. But for "scripts" they say very clearly in an "important note" that you have to write your own activex controls. Which takes us back to square one.

What I am looking for is a way to get over/around the primary problem of getting access to certificates stores on the client. I am not looking for a discussion of the RSA algorithm or why PKI is stupid or some alternative to asymmetric encryption or use of architectures other than web applications, or on Apple.

解决方案

My best bet would still be an applet since that's possibly the most cross-platform thing. Alternately, I can develop my own activeX and limiting my reach.

Remember that client side certificate access is big security thing.

这篇关于X.509数字签名/加密工作流程/库建议？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！