We have a custom Java applet that performs certain tasks, like loading a PDF from local filesystem, signing it with certificates from system KeyStore/smart card etc. Such actions are not possible in regular HTML/JavaScript. Now that Java is being deprecated across browsers, we are looking for possibilities to replace the applet functionality.
There is this Web Cryptography API, but unfortunately the spec does not cover using system keystore. There is another spec for this, WebCrypto Key Discovery, but I don't think it is currently supported by any browser.
Mozilla had an API that might be exactly what we need, but unfortunately it is deprecated now.
So it looks like our only options are:
Write a custom desktop GUI app
Write a custom browser plugin
Or is there some better solution? What do you suggest? I don't care if the solution would be only for Internet Explorer since most of our users use.
Due to Java restrictions on browsers is not possible in general to use the OS native Key Store. You still can use Java in old versions of IE and Firefox, but Oracle has announced that will discontinue JRE plugin for browser, and Firefox decided to drop java support in 2017, so it is not recommended
Write a browser plugin is not possible because browsers do not allow access to several OS functions. In particular Chrome plugin API only allow access to user certificates in Chrome OS, not in Windows or Linux. For Edge, I think the plugin interface is not available yet.
There are some alternatives
Use WebCryptographyApi to load a software certificate. See How to load a PKCS#12 Digital Certificate with Javascript WebCrypto API
Use chrome messaging api (Estonian solution). See https://stackoverflow.com/a/29806091/6371459
Use a local application connected through javascript (Spanish solution) See https://stackoverflow.com/a/38658414/6371459
I personally have tested the first and the last options. For Estonian solution, I suggest to contact with the team. I think the currently support only some smartcards
Related
I need to create digital signature of some XML data with a client certificate(smart card) using web browser. Usually I used to do it with a java applet executing on the client side. The benefit being multiplatform in terms of OS and browsers.
However this option is getting increasingly harder and harder to implement and support in the long term. Virtually all browsers require some sort of action in order to execute such applet, code signing with a trusted certificate is almost mandatory nowadays, new manifest attributes and so on. Well there is nothing wrong with some extra layer of security and I am ok with that.
However Google Chrome as of April 2015 has stopped support for Java applets (and other plugins as well) - there is a configuration switch but it won't be available for much longer as stated here.
Mozilla Firefox does not have end of support date for NPAPI but they call it "legacy technology".
As for IE - it does not support plugins in Modern UI.
So with Java applets no longer really a universal option what are my choices?
What I have investigated so far:
ActiveX - IE only
Silverlight - no access to certificates at all and as a plugin faces the same limitations as Java
Browser specific extensions; For example Firefox up until version 33 used to have window.crypto.signText but not anymore
local applications installed on the client - not easy to install, support, develop and update for several OS and their different versions.
Web Cryptography - "only basic cryptographic functions", no certificates support
I ran out of ideas. All suggestions are welcome and appreciated.
I did same research few weeks ago, and the first option for me is migrate to firefox (at least for now).
An alternative, could be migrate applets to JNLP java client application (maybe with some websocket/restful synchronization between java client/server/web page).
I think the options that you mentioned have less support among browsers than java applet.
Proprietary API available
I want to revive an answer previously deleted for lack of information. My answer does not provide complete info but since I had the same problem and stumbled upon this question, I'd like to share my findings.
I also have an additional requirement so that the browser signature works on "older" (IE9) browsers.
There is a web API at https://www.4identity.eu/ distributed by Italian smart card manufacturer Bit4id.
The 4identity API, however, is not really a full "web API" that relies on plain Javascript, as it still requires to download a Windows-only client (sic!). The client, as far as I could understand, responds on a custom keychain URL protocol (I had a past Oauth-2 related question on how to handle desktop applications....) which is not standard according to my findings. The client has access to the key store so it can upload the signed file to the remote web service who is being polled by the Ajax page.
I need to do some paperwork to get full API access, and I have no information about pricing. Still, I deem worth to give a detailed look.
Part 2 of the question
Supporting a real digital signature from browser requires browser vendors and W3C, who oversees web standards, to do a lot of effort, maybe just the same effort they did for standardizing DRM solutions in HTML5 for sake of multimedia companies (criticism mode on). Currently there is WebCrypto standard but according to research it is not available in "mainstream browsers"
Digital signing a remote file with a smart card requires access to the key store and the implementation of cryptography libraries. An open source implementation of PaDES/CaDES is expectable by the community, but without a final implementation of a standard way to access the key store the smart card cannot be accessed.
See also this answer.
This additional part of the answer does not apply to my case as I require this to work on older browsers.
Disclaimer: I am not affiliated with Bit4id but I know them since I had the opportunity to integrate their work in my apps. One of our customers is a Bit4id partner
Google has recently announced their intentions to remove client-side Java support from Chrome in the near future. I, a Java developer by nature, have built nearly all of my web-based applications on top of some form of Java.
As such, I am looking for a workaround for Chrome's discontinuation of Java support, without having to rewrite all of my client-side web apps from the ground-up in another language.
Furthermore, I'm searching for a workaround which does not require Chrome's built-in NPAPI workarounds, as I need basic users to be able to continue to use the applets as they are.
The best option I'm aware of is Java Web Start (tutorial), which doesn't run in browser but does allow users to easily run a Java application you serve from a website. Oracle provides some documentation on how to migrate to JWS, but the gist is to simply replace the <applet> tags with a link to a .jnlp file with the same information the <applet> tag had. You may have to tweak Chrome's application defaults as well.
There is also the Google Web Toolkit, which isn't for applets, but does let you write Java that compiles into JavaScript.
If your applets are more integrated into the browser, unfortunately you may not be able to keep using Java. Chromium does offer some alternatives on their NPAPI deprecation page, but they're not pretty. Options include HTML5/WebGL, WebRTC, NaCL, or Chrome Extensions. The Chrome Experiments site is worth browsing if migrating off of Java becomes your best option.
Oracle's official recommendation, however, is to avoid Chrome. That's pretty heavy-handed, and won't work for most website owners, but it's worth mentioning.
I have developed a Chrome extension and it captures some data in a webpage.
My ultimate goal is to pass this final result to my Java Application.
I have following few options in my mind, but I was not able to find any resources for them yet.
Access the localStorage externally.
Run Chrome browser through the Java app, So I guess we have the control of its data.
If no API found, write the result to a file and access it from the
Java App.
Is there any API to achieve any of the first 2 options? Or any other interface other than the file system?
I checked with berkelium and The Chromium Embedded Framework. But they are just chrome wrappers, and we cannot run a chrome instance from it.
Edit
For the 2nd option I tried with Selenium Webdriver, but I think it hasn't any method to access the localStorage.
It sounds like you are looking for Native Messaging, which allows communication between a Chrome Extension and a native application (e.g. a Java Desktop Application).
There are plenty of question here on SO regarding the implementation of Native Messaging and there is, also, the "official" example.
I suggest the above solution, but if your application will heavily interact with the extension (and you feel like reverse engineering) there is the open-source **[NetBeans Connector Chrome Extension][3]**, which uses a different approach (Sockets or WebSockets - I am not sure).
Take a look at **[this answer][4]** for info on how to get at the sources.
Is there a limitation preventing you from exposing a REST API with your java application?
Is it possible to integrate Java, Python, or Objective C directly with the Firefox browser? In particular to do "real", native tasks such as writing files or connecting to a local database, or better yet, directly calling systems level code ?
Notably, there is a post on native code execution, somewhat slanted towards windows, elsewhere on StackOverflow: Firefox extension: native code execution?
In particular to do "real", native tasks such as writing files or
connecting to a local database, or better yet, directly calling
systems level code ?
You don't need an extra language for that, Firefox extensions can do it already:
Writing files
Connecting to a local SQLite database
Calling system libraries directly
I would recommend against attempting to write the extension in anything other than JavaScript: while there are several possibilities they create a lot more trouble than they are worth. If anything, you could create a native library and call it from your JavaScript code via js-ctypes (see link above).
A "signed" Java applet, given the correct permissions and approved by the user, can run in the browser context and have access to files or databases. However, Java applets in the browser are almost never used today (I've had Java disabled in my browser for years).
Microsoft browsers offer ActiveX, which is a way of running native code in the browser, but I don't know whether anybody uses that today either.
Google's nativeclient is another method of running native code, but only works with Google browsers at this time. Not sure whether that allows direct access to files at all.
PythonExt brings Python support to Firefox:
http://code.google.com/p/pythonext/
I'm not sure how quickly they update it for Firefox's rapid releases, and you do need to install an extension, and then it will only work in a trusted context (i.e. an extension you right yourself)
Alternatively you could build Windows 8 Metro style apps that let you use web technologies and native code together:
http://channel9.msdn.com/posts/Raman-Sharma-Building-Metro-Style-Apps-with-C-and-JavaScript
http://code.msdn.microsoft.com/Hybrid-JavaScript-and-C-e6dc77fa
We're writing a platform for building apps that are able to run on any browser and we were thinking, is there a way to do this with Python? Or should we better go with Java and Java Applets?
I was also wondering, how hard is it to write a custom browser plugin? How long would it take e.g. in man-hours?
Thank you!
The universal API for browser addons is javascript. It is well supported in Firefox, Chromium/Chrome, and Opera at least; it is the only extension API available on the last two. Intersting API subsets are firefox's Fuel, Chromium's trimmed down extension api, and the very portable GreaseMonkey functions.
A second runtime would have its own startup costs, garbage heap, and ffi overhead. It would require special privileges, and would still have to translate its API calls into javascript. That would make it fairly unattractive.
Edit: you were asking about web content with possible plugin or addon support? You also have the option of the NPAPI (also the Pepper project around it). This api is C-level and can render to a rectangular area on its own (using OS APIs), at the cost of very little support from the browser and being a portability nightmare.