 

Sign XML using pure Javascript in the browser

Is it possible to use pure JavaScript to sign XML documents in the browser?

I believe there are hard security restrictions here, but maybe there is some way of doing that.

Ricardo Acras asked Apr 15 '15 00:04


3 Answers

Here is a solution based on Web Crypto - https://github.com/PeculiarVentures/xadesjs

rmhrisk answered Oct 17 '22 22:10
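What the Web Crypto primitives in that approach look like, as an added example that is not part of the original answer and is not xadesjs code. It is a simplified XMLDSig-shaped flow (no Transforms or KeyInfo) that assumes the XML is already in canonical form and uses a key pair generated in the page, since Web Crypto does not reach keys in the OS certificate store; the function names and sample document are made up for the illustration.

```javascript
// Added example: XMLDSig-shaped signing with the Web Crypto API (browser or Node).
// Assumption: the XML strings are already canonical; real XMLDSig must
// canonicalize (C14N) before hashing and signing, which a library handles.
// The require() fallback is only reached on older Node without a global crypto.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
const ECDSA = { name: "ECDSA", hash: "SHA-256" };

// SignedInfo binds the document digest; the signature covers SignedInfo only.
async function buildSignedInfo(xml) {
  const digest = b64(await subtle.digest("SHA-256", enc.encode(xml)));
  return '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">' +
    '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>' +
    '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>' +
    '<Reference URI=""><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>' +
    `<DigestValue>${digest}</DigestValue></Reference></SignedInfo>`;
}

async function signXml(xml, privateKey) {
  const signedInfo = await buildSignedInfo(xml);
  // Web Crypto returns ECDSA signatures as raw r||s, the encoding XMLDSig uses.
  const sig = await subtle.sign(ECDSA, privateKey, enc.encode(signedInfo));
  return { signedInfo, signatureValue: b64(sig) };
}

// Verifier side: rebuild SignedInfo from the received document, so a changed
// document yields a different DigestValue and the signature check fails.
async function verifyXml(xml, signatureValue, publicKey) {
  const signedInfo = await buildSignedInfo(xml);
  return subtle.verify(ECDSA, publicKey, unb64(signatureValue), enc.encode(signedInfo));
}

async function demo() {
  // extractable=false: script on the page can use the private key but not export it.
  const keys = await subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-256" }, false, ["sign", "verify"]);
  const doc = '<invoice id="42"><amount>100.00</amount></invoice>'; // constructed sample
  const { signatureValue } = await signXml(doc, keys.privateKey);
  return {
    valid: await verifyXml(doc, signatureValue, keys.publicKey),
    tampered: await verifyXml(doc.replace("100.00", "900.00"), signatureValue, keys.publicKey),
    sigBytes: unb64(signatureValue).length,
  };
}
```
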


If you mean the XmlDSig which involves accessing the local cert store then I am afraid that currently there is no way to have a reliable Javascript code that could access the cert store at the client side and use the private key of the certificate.

Hundreds of developers would die for such technology, however, the Web Crypto API is still a draft and is not implemented by web browsers.

To sign documents at the client side you still need an OS bridge

  • a browser plugin - possibly the most difficult route as writing plugins for all possible browsers for all possible systems could be an overkill
  • a Java applet - considering Chrome has just dropped the support for NPAPI (plugin API), this seems to be obsolete. Mozilla will drop the support soon, too.
  • a ClickOnce application that is run by a client .NET platform - that still works, however is limited to OSes that support .NET/ClickOnce

If you need more references, Google for "javascript access certificate store". Example SO threads:

How to access windows certificate store in javascript?

Access browser certificate store using javascript

(these and other threads also support the argument that this is currently not possible)

Wiktor Zychla answered Oct 17 '22 20:10


I am looking for the same functionality.

As of now I have found https://github.com/yaronn/xml-crypto but have not tried it yet.

For just signing (not XML) with an x509 certificate I successfully used https://github.com/digitalbazaar/forge

acero answered Oct 17 '22 20:10