Sign XML using pure Javascript in the browser - javascript

Is it possible to use pure JavaScript to sign XML documents in the browser?
I believe there are hard security restrictions here, but maybe there is some way of doing that.

Here is a solution based on Web Crypto - https://github.com/PeculiarVentures/xadesjs

If you mean the XmlDSig which involves accessing the local cert store then I am afraid that currently there is no way to have a reliable Javascript code that could access the cert store at the client side and use the private key of the certificate.
Hundreds of developers would die for such technology, however, the Web Crypto API is still a draft and is not implemented by web browsers.
To sign documents at the client side you still need an OS bridge
a browser plugin - possibly a most difficult route as writing plugins for all possible browsers for all possible systems could be an overkill
a Java applet - considering Chrome has just dropped the support for NPAPI (plugin API), this seems to be obsolete. Mozzila will drop the support soon, too.
a ClickOnce application that is run by a client .NET platform - that still works, however is limited to OSes that support .NET/ClickOnce
If you need more references, Google for "javascript access certificate store". Example SO threads:
How to access windows certificate store in javascript?
Access browser certificate store using javascript
(these and other threads also support the argument that this is currently not possible)

I am looking for the same functionality.
As of now I found https://github.com/yaronn/xml-crypto
but did not tried yet.
For just signing (not XML) with x509 certificate I sucessfully used https://github.com/digitalbazaar/forge

If you need signature in a browser, maybe you need a specialized solution?
For example, this: https://www.cryptopro.ru/products/cades/plugin
(Use google translate).

Related

Cannot find a code to read USB Tokens in Javascript [duplicate]

I would like to ask if is still impossible, using JavaScript, to get key from USB token or from certificate stored in Browser. I was reading many articles which said WebCryptoApi doesn't enable to do that.
Is any option to get key from token? Maybe something was changed?
It is not possible for now. The WebCryptoApi does not support using keys stored in external keystores like smartcards, Mozilla keystore or Windows KeyStore (used by Chrome and Explorer), and reading the comments of the last conferences, it is not a current priority.
There is another Javascript API specification of W3C to be used with Web Cryptography Api. See WebCrypto Key Discovery
This note describes a JavaScript API for discovering named, origin-specific pre-provisioned cryptographic keys for use with the Web Cryptography API.
Unfortunately is still a working group under development.
I think that with the Chrome Native Messaging implementations its possible.
The native messaging implemented into Firefox and Edge too.
Check this:
https://github.com/open-eid/chrome-token-signing

Javascript - key / certificate from USB Token

I would like to ask if is still impossible, using JavaScript, to get key from USB token or from certificate stored in Browser. I was reading many articles which said WebCryptoApi doesn't enable to do that.
Is any option to get key from token? Maybe something was changed?
It is not possible for now. The WebCryptoApi does not support using keys stored in external keystores like smartcards, Mozilla keystore or Windows KeyStore (used by Chrome and Explorer), and reading the comments of the last conferences, it is not a current priority.
There is another Javascript API specification of W3C to be used with Web Cryptography Api. See WebCrypto Key Discovery
This note describes a JavaScript API for discovering named, origin-specific pre-provisioned cryptographic keys for use with the Web Cryptography API.
Unfortunately is still a working group under development.
I think that with the Chrome Native Messaging implementations its possible.
The native messaging implemented into Firefox and Edge too.
Check this:
https://github.com/open-eid/chrome-token-signing

How to change registry settings on a system through web browser

I am trying to develop a web page that will allow user to edit registry settings in windows system. Can i achieve it with client side scripting language.? If yes please suggest me language to do.
Can we do it with jQuery or any other type of library.
Due to obvious security concerns, this is only possible in Internet Explorer(!). This is not a jQuery library, but an activeX control; so it's quite unpleasant to use.
You have been warned, so here is the documentation :
http://technet.microsoft.com/en-us/library/ee156602.aspx
Fortunately is impossible to access the registry from a web app: the only way you have is through an ActiveX control but I would not go down this road.
have a look at the below
Access registry from a web aplication
Far from ideal but ...
If you serve up a ".hta" file (HTml Application) from your web server, Windows will run it as a program outside of IE and give it the privileges of the PC user. It will be in a separate window and there won't be any browser features (Back/Refresh/Address bar etc).
Even then, modern versions of Windows will prompt the user with security warnings if a HTA is launched from anywhere other than a local drive.
I know this thread is old, but I am not sure I like any answers for this problem. Instead of trying to access the Registry directly through Javascript, try writing a Java Applet and talk to the java applet using Javascript. Then in the JavaApplet you can write some JNI code to write a native dll to do what you need. It isn't a direct solution to your problem, but it will allow you to do what you need across multiple browsers. The downside is that you can't use it on browsers that do not support running a Java Applet, such as a mobile platform.
This method will also require you to sign your Java Applet. This is how you get around the security issues. The user will have to accept the applet the first time to give the security access.

POP3/IMAP direct implementation in Javascript

Is there any way, how to communicate with POP3/IMAP server.
For example for build a pure-JavaScript e-mail notifier?
I've found this:
ftp://ftp.activexperts-labs.com/samples/aemail/HTML/POP3/index.htm
Unfortunately it uses the ActiveX objects, which really doesn't work in many modern browsers.
It would be nice to have ability to send a packet through any protocol (= not only HTTP/S) in HTML5.
It is not possible with purely browser-based Javascript: there are is no direct socket connection support in browser Javascript. You can use special extensions in things like Firefox's Extension environment to do pure socket connections, but not in a standard browser JS file.
My guess would be that the Same Origin Policy implemented in all recent browsers would slap you in the face for this. I'd simply add a server-side layer to mediate between JSON/AJAX and POP3/IMAP - roughly what gmail does.

Detecting the autoproxy details in Javascript

Is it possible to detect and get proxy server name and port in javascript?
No. The browser proxy settings are not available from JavaScript running in a web page.
Maybe. The browser proxy settings may be available (in some web browsers) from JavaScript running with elevated permissions (for example, a Firefox add-on).
For what it's worth: While you're asking about JavaScript, getting access to the browser proxy settings even from any kind of browser plug-in such as a Flash or Java applet is also not possible, or at the very least not in any reliable or compliant way.
I mention this only because sometimes such plug-ins provide viable workarounds when JavaScript can't do something ... but here I think you are S.O.L.
Perhaps you could tell us a little bit more about what you are trying to accomplish? Maybe there's another way to address your needs.

Categories