I would like to ask if it is still impossible, using JavaScript, to get a key from a USB token or from a certificate stored in the browser. I was reading many articles which said the WebCryptoApi doesn't enable that.
Is there any option to get a key from a token? Maybe something has changed?
It is not possible for now. The WebCryptoApi does not support using keys stored in external keystores like smartcards, the Mozilla keystore or the Windows KeyStore (used by Chrome and Explorer), and reading the comments from the last conferences, it is not a current priority.
There is another JavaScript API specification from the W3C to be used with the Web Cryptography API. See WebCrypto Key Discovery:
This note describes a JavaScript API for discovering named, origin-specific pre-provisioned cryptographic keys for use with the Web Cryptography API.
Unfortunately it is still under development by the working group.
I think that with the Chrome Native Messaging implementations it's possible.
Native messaging is implemented in Firefox and Edge too.
Check this:
https://github.com/open-eid/chrome-token-signing
Related
Google Cast provides sample GitHub links which use the default Cast extension to cast data after registering from the developer console, but how can this sender/receiver application be used without the Chrome extension, by auto-detecting the device and casting the data? Are there any specific tutorials to follow?
I've been working on a project that uses a similar approach to the one you're asking about, and I came across a couple of repos on GitHub that helped me along the way, but there isn't much on the internet about it.
Basically you can communicate with the Google Cast device without relying on the Google extension in two steps.
Discover the device on the local network by using a service discovery protocol such as Bonjour or mDNS; here's a sample repo on GitHub that uses a pure JavaScript implementation.
Communicate with the Google Cast device over the network by using Google's CASTV2 protocol over TLS; one of the most popular implementations can be found on this GitHub repo, and here's a high-level implementation of the same library. These libraries are also written in JavaScript.
This is really embarrassing.
On virtually any site on the internet, window.crypto.subtle returns
SubtleCrypto {}
__proto__: SubtleCrypto
in the Chrome console (v61 (Official Build) (64-bit)), except for my webpage and blank.org, where window.crypto.subtle returns
undefined
According to https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle it's a read-only property that should always return a SubtleCrypto object.
What could I have done, or what has blank.org done, that it could possibly not?
PS: in Firefox it seems to work as intended on both my site and blank.org.
According to the spec (via GitHub issues), à la this Google page for WebCrypto: crypto.subtle is supposed to be undefined in insecure contexts.
Check your URLs. If it is
https://localhost:PORT
or 0.0.0.0:port
or 127.0.0.0:port
change it to a proper hostname URL, something like
http://localhost:PORT
worked for me! Thanks #Zmart
It would appear you have to use sites with https://...... and not vanilla http://....
From the spec - easy to miss (and linked by Zmart, above):
Access to the WebCrypto API is restricted to secure origins (which is to say https:// pages).
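A guard that applies the rule quoted above, added here as an example (it is not code from any of the answers): it classifies the page URL the way the W3C Secure Contexts spec does (https://, plus localhost and loopback addresses over http://) and reports why crypto.subtle is missing instead of failing later with an undefined reference. The names isPotentiallyTrustworthyOrigin and getSubtle are chosen here; the window-like argument is passed in so the functions can also be exercised outside a browser.

```javascript
// Added example: decide whether a page URL is a "potentially trustworthy origin"
// (W3C Secure Contexts), which is the rule that leaves window.crypto.subtle
// undefined on plain http:// pages.
function isPotentiallyTrustworthyOrigin(urlString) {
  const u = new URL(urlString); // WHATWG URL, available in browsers and Node
  // Schemes that are trustworthy regardless of host.
  if (u.protocol === "https:" || u.protocol === "wss:" || u.protocol === "file:") {
    return true;
  }
  if (u.protocol !== "http:" && u.protocol !== "ws:") return false;
  // Loopback hosts are trustworthy per the spec. "localhost" is the form the
  // answer above reports as working, so prefer it for development servers.
  const host = u.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === "[::1]") return true;
  // Anything else over http:// (a LAN IP, 0.0.0.0, a real hostname) is insecure.
  return false;
}

// Return crypto.subtle from a window-like object, or throw with the reason.
function getSubtle(win) {
  const subtle = win && win.crypto && win.crypto.subtle;
  if (subtle) return subtle;
  const href = win && win.location && win.location.href;
  if (href && !isPotentiallyTrustworthyOrigin(href)) {
    throw new Error(
      `crypto.subtle is undefined because ${href} is not a secure context; ` +
      "serve the page over https:// or from http://localhost during development"
    );
  }
  throw new Error("crypto.subtle is undefined: this browser lacks Web Crypto");
}

// In a page's devtools console this prints the diagnosis for the current URL.
if (typeof window !== "undefined") {
  try {
    getSubtle(window);
    console.log("crypto.subtle is available on", window.location.href);
  } catch (e) {
    console.log(e.message);
  }
}
```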
If you don't run your website over SSL with https, the answer is: you can't use window.crypto.subtle. You have to configure SSL for your webserver. Look in the MDN docs about Crypto.subtle; it has a big warning at the top of the page saying "Secure context", which means it is only available on https.
BUT there is an alternative solution if you still need support for http only. It does not involve using window.crypto.subtle but another open-source third-party library instead. Here is how:
You can use Forge, which is a crypto library that has the same functionality as window.crypto.subtle. It has all the crypto algorithms for your needs.
You can use forge instead of window.crypto when you run your services over http.
Be aware that the APIs are very different and you need to write different code for cryptography using forge than using window.crypto.
You need to read the forge docs to make a specific cryptography method work for your use case.
You CAN NOT use the same code that works with window.crypto.subtle when using forge; you need to find your own way to use forge for encryption.
For your reference, to see how forge and window.crypto.subtle code differ, read below.
Links to original window.crypto.subtle based darkwire.io code and translated darkwire.io code that is using forge instead of window.crypto.subtle:
original code using window.crypto.subtle:
here
code translated to use forge, can run on http without SSL:
here
I had translated darkwire.io to use forge for my own project, which runs on http and needs an encrypted communication method between clients.
I want to develop a simple Chrome extension that will handle the communication with my smartcard.
After installing a driver (as described at Smartcard Reader and ChromeApp) I can get some information about my device, like this:
device #0: {
"device":0,
"manufacturerName":"OMNIKEY AG",
"productId":12322,
"productName":"Smart Card Reader USB",
"serialNumber":"",
"vendorId":1899,
"version":516
}
How can I continue?
I now need to get the ATR and send/receive data, and I have no idea how to do it...
(We did it using some programming languages, like Java, Python, C++, but I don't know where the relevant API for JS/Chrome is.)
Looks like you're trying to use the bare chrome.usb API for writing your extension.
Basically, you would have to write a driver for smart card readers according to the CCID specification (here is the link to its revision 1.1). This is entirely possible, but is definitely not the easiest task.
The alternative solution would be to utilize the Smart Card Connector App that was recently released by Google. This app already bundles a generic CCID driver and implements the more high-level PC/SC API. With this API, such operations as obtaining the ATR or sending/receiving data to the card can be performed with relatively simple requests.
P.S. I would like to emphasize that operating USB devices from Chrome Apps works well and stably only under Chrome OS. With other OSes, there are a lot of possible pitfalls (generally speaking, when something in the system may prevent Chrome from accessing the USB device).
Is it possible to use pure JavaScript to sign XML documents in the browser?
I believe there are hard security restrictions here, but maybe there is some way of doing it.
Here is a solution based on Web Crypto - https://github.com/PeculiarVentures/xadesjs
If you mean XmlDSig, which involves accessing the local cert store, then I am afraid that currently there is no way to have reliable JavaScript code that could access the cert store on the client side and use the private key of the certificate.
Hundreds of developers would die for such technology; however, the Web Crypto API is still a draft and is not implemented by web browsers.
To sign documents at the client side you still need an OS bridge:
a browser plugin - possibly the most difficult route, as writing plugins for all possible browsers for all possible systems could be overkill
a Java applet - considering Chrome has just dropped support for NPAPI (the plugin API), this seems to be obsolete. Mozilla will drop support soon, too.
a ClickOnce application that is run by a client .NET platform - that still works, however it is limited to OSes that support .NET/ClickOnce
If you need more references, Google for "javascript access certificate store". Example SO threads:
How to access windows certificate store in javascript?
Access browser certificate store using javascript
(these and other threads also support the argument that this is currently not possible)
I am looking for the same functionality.
As of now I found https://github.com/yaronn/xml-crypto
but have not tried it yet.
For just signing (not XML) with an X.509 certificate I successfully used https://github.com/digitalbazaar/forge
If you need a signature in a browser, maybe you need a specialized solution?
For example, this: https://www.cryptopro.ru/products/cades/plugin
(Use Google Translate.)