Implementing Digital Signing in a Java Applet

I am trying to sign some data (a POST form) in a web based application using a Java Applet. The user's x509 certificate would be in a cryptoken/smart card. The signature needs to be in attached pkcs#7 format.

I am using this tutorial/code as a starting point in building the applet - http://www.developer.com/java/other/article.php/3587361/Java-Applet-for-Signing-with-a-Smart-Card.htm

The biggest problem for me here seems to be the fact that the applet asks the user for location of the pkcs#11 implementation library. This is a big no-no for me because my typical user is not going to know the location of his pkcs#11 library.

From Oracle's Java documentation - http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html it seems that Java doesn't come with its own implementation.

Is there a way to do this signing without asking the user for this location? I am OK with a solution which only works with just IE and Firefox on Windows.

With a few smartcards/cryptokens I have used, I have noticed that the moment I insert it, I can see the certificate in IE & Firefox's personal tab of certificates. This probably means that the crypto token registers all the certificates it contains with OS when you insert the card and deregisters it when you remove it. So it must probably be exposing some interface to the OS/Browser when it does it - can this not be used for signing?

user93353 asked Oct 21 '22 03:10
1 Answer

We did the thing you are trying to do now (distributed signing with client-side modules) within the Distributed Cryptography add-on for our SecureBlackbox product, and we offer an ActiveX control for IE and a Java applet for other browsers.

Unfortunately PKCS#11 DLLs are not registered anywhere so you can't avoid asking the user about location of this DLL.

Most hardware devices support both PKCS#11 and CryptoAPI interfaces. Within CryptoAPI interface the CSP DLL exposes hardware-based certificates to CryptoAPI engine and thus to applications. In this case you can use Java classes that work with Windows CryptoAPI.

PKCS#11 is an interface, implemented by hardware vendors, so Java can't implement its own - the JVM is not hardware and doesn't contain certificates (even if it did, that would not solve your problem). I need to note that Firefox has a built-in PKCS#11 driver via which Firefox accesses its own certificates. This was done for uniform support for software- and hardware-stored certificates.

Eugene Mayevski 'Callback answered Nov 01 '22 18:11
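The CryptoAPI route the answer describes, as an added example that is not part of the question, the answer, or the SecureBlackbox product: Java's SunMSCAPI provider exposes the current user's Windows personal certificate store as the "Windows-MY" keystore, so once the card's CSP has registered its certificates there, the applet can sign without ever asking for a PKCS#11 library path. The private key never leaves the card; the CSP prompts for the PIN when the signature is computed. Assumptions: a Windows JRE with SunMSCAPI (Java 7 or later for SHA256withRSA), the first key entry in the store is the one to sign with, and the POST body below is a constructed sample.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example: sign a byte array with a smart-card certificate that the
 * card's CSP has exposed to Windows CryptoAPI. Requires a Windows JRE with
 * the SunMSCAPI provider; no PKCS#11 library path is involved.
 */
public class CryptoApiSigner {

    /** Alias of the first entry in Windows-MY that has a private key (assumed to be the signing cert). */
    static String findSigningAlias(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        throw new IllegalStateException("no certificate with a private key in Windows-MY (card not inserted?)");
    }

    /** Signs data with the card's key and verifies the result against the certificate's public key. */
    public static byte[] sign(byte[] data) throws Exception {
        // "Windows-MY" is the current user's personal certificate store, the one the
        // card's CSP populates while the card is inserted. No file and no password:
        // the store is backed by CryptoAPI, which handles the PIN prompt itself.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);

        String alias = findSigningAlias(ks);
        // The PrivateKey object is only a handle; the key material stays on the card,
        // so the Signature must come from the same provider.
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        Signature signer = Signature.getInstance("SHA256withRSA", "SunMSCAPI");
        signer.initSign(key);
        signer.update(data);
        byte[] signature = signer.sign();

        // Verify locally with the public key before the client ships anything to the
        // server; a wrong card or a CSP error shows up here rather than server-side.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        if (!verifier.verify(signature)) {
            throw new SecurityException("signature did not verify against " + cert.getSubjectX500Principal());
        }
        return signature;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample POST body; in the applet this would be the serialized form.
        byte[] form = "field1=value1&field2=value2".getBytes("UTF-8");
        byte[] signature = sign(form);
        System.out.println("signed " + form.length + " bytes, signature is " + signature.length + " bytes");
    }
}
```

Two things the block deliberately leaves out: access to a keystore provider from an applet requires the applet to be signed and granted permission by the user, and the raw signature above still has to be wrapped into an attached PKCS#7/CMS SignedData structure (with the signer's certificate embedded) by a CMS library before it matches the format the question asks for.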