I need an applet sample code that allows the user to sign a text
displayed in the web browser (Internet Explorer and Mozilla/Netscape)
using his/her digital certificate (X.509) private key. The signature
process may involve hashing the displayed text field with a timestamp,
e.g. H=SHA-1(text, timestamp) and then sign (S=RSAencryption(PrivKey,
H)). In summary, the answer must include:

1)	Applet/script source code. If possible, use the same Java applet
for IE and Mozilla/NS, if not at least a version for IE (java?) and
other for Mozilla;
2)	The applet must be able to hash, using SHA-1 or MD5 one or more of
the form fields displayed in the current page;
3)	The applet must be able to sign (RSA encryption with the user?s
private key) the result of the hash or any of the form fields in the
current page.
4) The applet must be downloaded/run with the browser session (e.g
java applet or javascript) without installing any client software at
the user's computer.

If you?re using fragments of code of any existing open source
application please include the links/references in your response.
Thank you.

---

Clarification of Question by kerberos-ga on 17 Jul 2004 22:23 PDT

Hi crythias-ga, I hope this can help:

The user has a client digital certificate (X.509v3 certificate) and
the correspondent private key stored in the browser certificate
storage (e.g. windows certificate storage for IE or Mozilla?s Internal
PKCS#11 Module) or in an external PkCS#11 device as a smartcard.

If the cert/private key is stored ?in the browser? this means the
client?s browser generated the public and private key pair and the
public key was sent as a Certificate Signing Request (CSR, usually in
PKCS#10 format), which was signed by a Certificate Authority (CA, e.g.
Verisign or Thawte) and returned to the browser as a PKCS#7 packet
with the certificate. When the certificate is stored ?in the
smartcard? the process is pretty much the same, the only difference is
the private key is generated by the smartcard and never is exposed
(i.e., the computer cannot read it).
From a programmatic point of view, both browser and smartcard
certificate storages are PKCS#11 certificate storages and can be
accessed via Java or MS CryptoAPI (IE).

---

Clarification of Question by kerberos-ga on 18 Jul 2004 21:06 PDT

Hi crythias-ga,
The xmlsec looks interesting, but I'm not sure if it can do what I
need, since it is a library and must be installed at the client (this
at least breaks the requirement #4). Thank you.

Does it have to be x.509? 
How does the end user generate his own key? Java won't work as an
applet, because (IIRC) Java APPLETS don't allow save to disk.

Unless you can be able to know exactly where the key is stored on the
User's side, or the User knows where his key is stored, there is a
problem.

1) The user must have a key. 
  a) if the user doesn't generate the key, then you generate the key on your side.
  b) if you generate the key, then the user doesn't own the security of the key. 
    i) if you generate the key and hold the key on your servers, using
SSL encryption, you msy/must still ask for the user to password accept
the key to sign.
    ii) if you do that, then it's all about server side key handling. 

Since the server holds the keys, then the person who is logged in can
use his key password through SSL to unlock the key for signing, and
send. Except... this is essentially what SSL is for, anyway, isn't it?
Secure transactions, and this is who you say you are.

I as a user know I've made a transaction securely... I see the lock at
the bottom of the browser, you've told me it's all secure, and by
making my transaction, it's not signature enough? If I'm logged in,
and you need it, give me a button to click that "I agree. Sign it" and
you sign it with my key that you store on your server. I don't need
overhead on my side.

If you want me to sign with *MY* key that *I* own privately, I need to
generate the key, store the key, protect the key, not forget the key
or the pwd, not delete the key, present the key, unlock the key, use
the key, submit the signed entry. :) Make it easy on me :).

Does this help any?
http://www.aleksey.com/xmlsec/api/xmlsec-notes-sign.html

How about this: http://www.ubizen.com/c_products_services/3_ubizen_dmzshield/c3324.html

or this:
http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html#Intro

Hi crythias-ga,
Looks like you're now closer to the solution for my request. From
which I could see, I need something similar to the Ubizen solution,
and sounds like this can be done using the Java API, but looking back
to my question, I need a working source code for the applet
(requirement #1). I'll consider this question answered if THE PROVIDED
SCRIPT AT LEAST WORKS WITH MS INTERNET EXPLORER (If it also works with
Netscape/Mozilla I'll will consider as a plus and give an extra tip).
Thank you.

kerberos-ga :


Does this meet your needs?

http://developer.netscape.com/tech/security/formsign/formsign.html

(also pointed from http://www.mozilla.org/projects/security/pki/nss/tools/
, with bug fix in mozilla
http://bugzilla.mozilla.org/show_bug.cgi?id=29152 )

The elock formseal product appears to satisfy the needs (except for
non-MS OS machines, the user needs to execute a script) - but not
"free."
http://www.elock.com/Default.asp

athena4-ga,
Can you make an working example using the information described in the
links? As I mentioned before, I need at least a working script for MS
IE. Thank you!

PS.: Sorry for the delay in answering your comment, I've been
traveling for a while...

Sorry I was gone a while as well.  In any case, no, I don't have a
working example, since I am not a professional programmer.  If you
have professional programmers you have access to, perhaps then can do
that, given the information sources.