Accessing signing/encryption in a browser's Keystore using JavaScript - sample code? (WebCryptoAPI)

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/24567858/

Time: 2020-10-28 03:03:38  Source: igfitidea

javascript digital-signature pki webcrypto-api

Asked by stwissel

I have a web server that allows access only using X509 authentication. Works like a charm. Now I want to extend the use of the X509 certificates (which are stored in the user's browser keystore) to

  • Sign data before it is sent to the server (using JavaScript and HTTPPost)
  • Decrypt data read from the server (where it gets encrypted using the user's public key stored there)

I found this example doing RSA Signature which is pretty close... only it does take the key from an HTML textarea. I want to read it from the key store. Now crypto is quite in flux:

I'm looking for some working examples for signature and encryption (I have some in Java, but not browser based JavaScript).

Help is very much appreciated

Answered by albciff

At the moment the W3C's WebCrypto standard is specifying a javascript object crypto inside window to perform encryption, digital-signatures, generate keys and so on with javascript. However, a standard way to access the local keystore to perform operations like signatures with client keys is not defined. So nowadays there isn't a common way to do so in javascript; each browser has its own way. In IE you can do it with ActiveXObject("CAPICOM.Store");, with firefox using window.crypto.signText("textToSign", "ask"); (seems that now it's deprecated, take a look here, actual api seems that doesn't support it: more info here), for chrome I'm not sure, however using NativeSDK Client could be a possible way.

Another possibility is also using Java applets, with all the problems this technology has these days.

There is also a project on github which encapsulates in javascript the behavior to sign (only with IE and firefox) using a common object which has both implementations. I tried it months ago and it worked correctly with IE/Firefox; now with firefox it doesn't work because the api options are deprecated. If you're curious take a look at: Glamdring/js-signer

You can also check my question where I asked a similar question: js signature on chrome with OS keystore

Hope this helps,

Answered by rmhrisk

It is not possible to access the "local keystore" within the browser. Browsers are slowly removing access to things that break the Same Origin Policy enforced by browsers. This includes things like plug-ins, the keygen tag, etc.

PKIjs was built with Same Origin Policy PKI in mind, here is a post I did on that topic - https://unmitigatedrisk.com/?p=503
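
The two operations from the question (sign before sending, decrypt data the server encrypted to the user's public key), shown with the WebCrypto `crypto.subtle` object the answers mention; this is an added example, not part of the original question or answers. It uses key pairs generated by the page itself rather than certificates from the browser keystore, which the answers say script cannot reach; the names `getSubtle` and `demo` and the sample payload are constructed for illustration.

```javascript
// Added example: origin-scoped WebCrypto keys, not keys from the OS/browser certificate store.
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  const { webcrypto } = await import("node:crypto"); // fallback when run under older Node.js
  return webcrypto.subtle;
}

async function demo() {
  const subtle = await getSubtle();
  const rsa = { modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" };

  // extractable=false applies to the private keys; public keys stay exportable.
  const signKeys = await subtle.generateKey(
    { name: "RSASSA-PKCS1-v1_5", ...rsa }, false, ["sign", "verify"]);
  // Separate pair for encryption: one key, one purpose.
  const encKeys = await subtle.generateKey(
    { name: "RSA-OAEP", ...rsa }, false, ["encrypt", "decrypt"]);

  const data = new TextEncoder().encode("constructed sample payload");
  const altered = new TextEncoder().encode("constructed sample payloaD");

  // 1. Sign before sending; the server verifies with the registered public key.
  const sig = await subtle.sign("RSASSA-PKCS1-v1_5", signKeys.privateKey, data);
  const verified = await subtle.verify("RSASSA-PKCS1-v1_5", signKeys.publicKey, sig, data);
  const tampered = await subtle.verify("RSASSA-PKCS1-v1_5", signKeys.publicKey, sig, altered);

  // 2. The server would encrypt to the public key; the page decrypts.
  const ct = await subtle.encrypt({ name: "RSA-OAEP" }, encKeys.publicKey, data);
  const pt = new TextDecoder().decode(
    await subtle.decrypt({ name: "RSA-OAEP" }, encKeys.privateKey, ct));

  // Public key export (SPKI) is what gets registered with the server.
  const spki = await subtle.exportKey("spki", signKeys.publicKey);

  // Script can use the private key but cannot read it out.
  let privateKeyExportBlocked = false;
  try {
    await subtle.exportKey("pkcs8", signKeys.privateKey);
  } catch (e) {
    privateKeyExportBlocked = true;
  }
  return { verified, tampered, pt, sigBytes: sig.byteLength,
           spkiBytes: spki.byteLength, privateKeyExportBlocked };
}
```

In a browser, a non-extractable CryptoKey can be kept across sessions by storing the object in IndexedDB, which is scoped to the origin.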

Answered by Kevin Hakanson

GlobalSign/PKI.js has support for X.509 certificates.

Public Key Infrastructure (PKI) is the basis of how identity and key management is performed on the web today. PKIjs is a pure JavaScript library implementing the formats that are used in PKI applications. It is built on WebCrypto (Web Cryptography API) and aspires to make it possible to build native web applications that utilize X.509 and the related formats on the web without plug-ins.
