NakovDocumentSigner: A System for Digitally Signing Documents in Web Applications
NakovDocumentSigner is an example of putting the pieces of the puzzle together. NakovDocumentSigner is a freeware, open-source framework for digitally signing documents in Java-based Web applications developed at Sofia University "St. Kliment Ohridski" by Prof. Svetlin Nakov and his team. The framework consists of the following components:
- A signed Java applet that is used to digitally sign files before uploading them to the server.
- A reference Web application that receives the signed files, along with their digital signatures, and verifies whether the calculated signature corresponds to the received file and certificate.
- A simple subsystem for certificate and certification chain verification, implemented as a part of the reference Web application.
The Signed Java Applet
The signed Java applet requires that Java Plug-In version 1.4 or later is installed on the client machine. This is necessary because the applet uses the Java Cryptography Architecture, which is unavailable in earlier versions of the Java Plug-In. The applet does not work with the standard virtual machine distributed with some versions of Internet Explorer. The applet is signed so that it can gain access to the user's local file system and works properly only if allowed to be executed with full rights.
The applet closely follows the signing steps described in the previous part of this paper and is, in effect, a button to be embedded in the HTML form for uploading files. It takes as parameters the name of the field from which the file to be signed is taken and the names of the fields in which the calculated signature, the digital certificate, and the full certification chain should be written.
Obtaining Digital Certificates for Test Purposes
The client is expected to have a digital certificate and a corresponding private key saved in a PFX file, and the password for this file must be the same as the password for the private key in it. Such PFX files can usually be obtained by purchasing a certificate from a certification authority.
For test purposes, trial certificates can be used, such as the ones issued to potential customers by well-known certification authorities such as Thawte, VeriSign, and GlobalSign. By submitting a valid e-mail address, users can, absolutely free, get a certificate for digitally signing e-mails from Thawte. This can be done in just a few minutes at the address: http://www.thawte.com/html/COMMUNITY/personal/index.html. VeriSign issues trial certificates valid for 60 days upon submission of a valid e-mail address at http://www.verisign.com/client/enrollment/index.html. GlobalSign also offers trial certificates upon submission of a valid e-mail address at http://secure.globalsign.net/, but theirs expire after 30 days. All three of these certification authorities issue their certificates through the Internet and, as a result, users get them installed directly in their Web browsers. To use such certificates with NakovDocumentSigner, users have to export them from their Web browsers, along with their associated private keys, to a .PFX or .P12 file.
DigitalSignerApplet—The Source Code
DigitalSignerApplet is available for free download as part of the NakovDocumentSigner framework from its official Web site http://www.nakov.com/documents-signing/. It is available in two forms: as source code and as a compiled and digitally signed .JAR file.
How DigitalSignerApplet Works
The applet extracts the selected file name from the HTML form where the applet is hosted, signs the file with the private key supplied by the user, and stores the calculated signature and user's certificate into the HTML form. This is done in several steps:
Step 1. Obtaining the Name of the File for Signing
A Few Words about the JSObject Class
The most important methods of the JSObject class are:
- getWindow()—a static method that returns an object that corresponds to the browser's window where the Java applet is running. It is used as a starting point for further accessing the browser's window and HTML document displayed in it.
Step 2. Reading the File for Signing
Next, the contents of the file selected for uploading are read. If the file is freely readable, that means that the applet has enough security privileges to do its job.
Step 3. Choosing the Certificate Keystore File (.PFX File)
Next, the user is shown the dialog for choosing a PFX file and entering a password to access it. Later, this password is used twice—once to access the keystore and once to access the user's private key in it.
Step 4. Extracting the Private Key and Certification Chain from the .PFX File
After the PFX file is selected, it is read and the private key and corresponding certification chain are extracted. The chain always begins with the user's certificate, and it may consist of that certificate alone (that is, contain no other certificates). If the extraction of the private key and the certification chain from the PFX file is successful, the certification chain is encoded in text form so that it can be transferred through a text field in the HTML form. Standard PkiPath encoding is used, which represents a series of ASN.1 DER-encoded certificates. The resultant certification chain is additionally encoded with Base64 to be rendered in text form.
Step 5. Signing the File
Afterwards, the signing itself takes place with the private key read from the PFX file. The digital signature thus obtained is encoded in text form with Base64 encoding. Finally, the text value of the certification chain extracted from the PFX file and the digital signature are written to the designated fields in the HTML form.
The names of the HTML form fields accessed during the signing process are taken from parameters passed to the applet. The HTML document containing the signing applet is expected to have exactly one HTML form.
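Steps 4 and 5 can be sketched as a stand-alone Java program; this is an added example, not the DigitalSignerApplet source. It also shows the check the receiving side performs against the first certificate in the chain. Assumptions: the class name, the SHA256withRSA algorithm (the page names none), command-line arguments in place of the applet's form fields, and java.util.Base64, which requires Java 8 or later rather than Plug-In 1.4.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.*;

public class SignWithPfxExample {
    // Assumption: the page names no signature algorithm; this needs an RSA key.
    static final String SIG_ALG = "SHA256withRSA";
    // Usage (hypothetical): java SignWithPfxExample <file> <keystore.pfx> <password>
    public static void main(String[] args) throws Exception {
        byte[] document = Files.readAllBytes(Paths.get(args[0]));
        char[] password = args[2].toCharArray();
        // Step 4: open the PKCS#12 keystore and find the entry that holds a key.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, password);
        }
        String alias = null;
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new KeyStoreException("no private key entry");
        // The one password opens both the keystore and the private key in it.
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        Certificate[] chain = ks.getCertificateChain(alias);
        // Chain -> PkiPath (ASN.1 DER) -> Base64 text for the form field.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(chain));
        String chainB64 = Base64.getEncoder().encodeToString(path.getEncoded("PkiPath"));

        // Step 5: sign the file contents; Base64 text for the form field.
        Signature signer = Signature.getInstance(SIG_ALG);
        signer.initSign(key);
        signer.update(document);
        String sigB64 = Base64.getEncoder().encodeToString(signer.sign());

        // Receiving side: decode both fields, verify with the chain's first certificate.
        byte[] pkiPath = Base64.getDecoder().decode(chainB64);
        CertPath received = cf.generateCertPath(new ByteArrayInputStream(pkiPath), "PkiPath");
        Signature verifier = Signature.getInstance(SIG_ALG);
        verifier.initVerify(received.getCertificates().get(0));
        verifier.update(document);
        boolean ok = verifier.verify(Base64.getDecoder().decode(sigB64));
        System.out.println("chain certificates: " + chain.length + ", signature valid: " + ok);
    }
}
```

A valid signature here shows only that the file matches the supplied certificate; whether that certificate and its chain are trusted is a separate check, handled by the certificate verification subsystem of the reference Web application.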