Accessing ePass2003 Auto token through browser

by

Disclosure: I work for CISPL

To access ePass2003 or any Smartcard or Cryptographic USB Token, you need to use Browser Extension. As far as I know, browsers may use the keys from crypto device for TLS handshake. My company provides such extension Signer.Digital Browser Extension. Chrome and Firefox

Windows Host may be downloaded from https://signer.digital/downloads/Signer.Digital.Browser.Extension.Setup.msi

On windows, we don’t need PKCS#11 but we use Windows CSP. Thus, USB token driver must be installed on Windows client device for this to work from web browser. lib**.so file is not for Windows but it’s for Linux.

Linux host uses this .so file and PKCS#11 to accomplish the task but this is transparent to ePass2003 users and Host application takes care of this.

My requirement is to access the keystore for signing, encryption and decryption i.e public and private key for cryptographic operation on them. May i request guidance on javascript API for doing above cryptographic operation.

I am listing the javascript API (Signer.Digital Version 1.8.0) provides below promises:

  1. Select Certificate: This will open popup window to select certificate. certThumbPrint paramater may be provided to select certificate silently.

SignerDigital.getSelectedCertificate(certThumbPrint = "", showExpired = false, keyUsageFilter = 128)

keyUsageFilter values would be as per System.Security.Cryptography.X509Certificates.X509KeyUsageFlags Enum and multiple values may be added (summed).

  1. Sign Hash:

SignerDigital.signHash(hash, certAlgorithm, certThumbPrint = "")

  1. Sign Authtoken / Data: calculate hash of data and then sign hash.

SignerDigital.signAuthToken(authtoken, certAlgorithm, certThumbPrint = "", showExpired = false)

certAlgorithm is hasing algorithm to be used. ex: “SHA256” or “SHA-256”

showExpired flag may be used here to allow user just login with expired certificate and provide only access to area where user can upload his new certificate.

  1. Sign PDF: – Returns PKCS7 signature container

SignerDigital.signPdfHash(hash, certThumbPrint, certAlgorithm)

Working of PDF Signing and Digital Signature based Authentication may be tested at https://web.signer.digital/

  1. Sign XML:

SignerDigital.signXML(xmlDoc, xmlSignParms, certThumbPrint)

xmlSignParms has wider range of parameters and we provide support for integration on efforts basis.

  1. RSA Encrypt: (Using private key of user)

SignerDigital.encryptB64Data(b64Data, useOAEPPadding, certThumbPrint = "", showExpired = false, keyUsageFilter = 32)

Example:

var strToEnc = "Clear Text String to Encrypt.";
var strB64Data = btoa(strToEnc);
console.log("Base64 String of Clear Text String: " + strB64Data);

//Do not provide last parm - certThumbPrint to open dialog to select certificate.
SignerDigital.encryptB64Data(strB64Data, false, "224D7F695ABF0E22EA8D314497F5B56AEFA96FFE") //false for PKCS1 padding, true for OAEP padding
  .then(
    function(EncryptedB64String) { //Success returns xmlSign
      console.log("Encrypted Base64 String: " + EncryptedB64String);
      console.log("Encrypted String: " + atob(EncryptedB64String));
    },
    function(ErrMsg) {
      console.log(ErrMsg);
    }
  )
  1. RSA Decrypt: (Using private key of user)

SignerDigital.decryptB64Data(b64Data, useOAEPPadding, certThumbPrint = "", showExpired = false, keyUsageFilter = 32)

Example:

console.log("Encrypted B64 string from server: " + EncB64String);
SignerDigital.decryptB64Data(EncB64String, false, "224D7F695ABF0E22EA8D314497F5B56AEFA96FFE")
  .then(
    function(DecryptedB64String) { //Success returns xmlSign
      console.log("Decrypted Base64 String: " + DecryptedB64String);
      console.log("Decrypted String: " + atob(DecryptedB64String));
    },
    function(ErrMsg) {
      console.log(ErrMsg);
    }
  )
},
error: function(msg) {
  console.debug(msg);
}
  1. Sign IT/eTDS Return: (Sign Indian Income Tax/eTDS Return – Same as signHash method, except additional optional param: PAN)

SignerDigital.signITHash(hash, PAN, certThumbPrint = "")

Pass PAN blank to open Select Certificate Dialog. If PAN is nonempty, and certificate for PAN is present, will silently select certerficate.

  1. Sign CMS: (Digitally Sign India GST Return)

SignerDigital.signHashCms(hash, certAlgorithm, certIncludeOptions = 2, certThumbPrint = "")

  1. Sign IceGate Data: (Sign IceGate – Indian Customs Data – Json, text, XML)

SignerDigital.signIceGate(b64Data, certThumbPrint = "")

July 2021 Below APIs added for use by Certifying Authorities (CA needs to be enrolled with Signer.Digital Browser Extension)

  1. Detect connected smartcard: (Autodetect connected Smartcard or USB Token)

SignerDigital.getPCSCReaders(onlyConnected = true) //List PCSC Readers, set parameter to false if you want to list all available readers

  1. Generate CSR: (for Certificate Enrollment in Smartcard or USB Token)

SignerDigital.genCSR(PKCS11Lib, certSubject, certIssuer, keyBits = 2048, hasgAlgorithm = "SHA256", forceUserPinChangeIfDefault = false)

  1. Import / Download Certificate (Import User Certificate and Trust Certificate Chain to Smartcard or USB Token)

SignerDigital.importCer(PKCS11Lib, b64Payload, certIssuer)

For more details, code examples of Auto SmartCard detection, genCSR and importCer refer Answer with flow diagram

Update June 2021

Signer.Digital Browser Extension Host Version 1.7.0 now offers better user control to enhance security by asking user about Allowed Origin (website) which is trying to access certificates/keys. Also this version has Auto Update feature so that user automatically gets any security updates/enhancements after approving update by User Account Control dialog.

Signer.Digital Browser Extension Allowed Origins Dialog

More Related Contents:

  1. Access to file download dialog in Firefox
  2. text-overflow:ellipsis in Firefox 4? (and FF5)
  3. Why doesn’t Firefox support the MP3 file format in
  4. Open new popup window without address bars in firefox & IE
  5. Firefox session cookies
  6. Webdriver Unable to connect to host 127.0.0.1 on port 7055 after 45000 ms
  7. Firefox Links to local or network pages do not work
  8. How does browser know when to prompt user to save password?
  9. Transform origin on SVGs in Firefox
  10. How do I write a Firefox Addon? [closed]
  11. Firefox and Chrome slow on localhost; known fix doesn’t work on Windows 7
  12. HTML5 video (mp4 and ogv) problems in Safari and Firefox – but Chrome is all good
  13. Avoid panel to autoHide in Firefox extension
  14. firefox proxy settings via command line
  15. How to disable Firefox’s untrusted connection warning using Selenium?
  16. How to disable “This Connection is Untrusted” Certificate in FireFox?
  17. X-Frame-Options: ALLOW-FROM in firefox and chrome
  18. favicon not displayed by Firefox
  19. Firefox -moz-border-radius won’t crop out image?
  20. The character encoding of the plain text document was not declared – mootool script
  21. Firefox webdriver opens first run page all the time
  22. Firefox crashes when started by Selenium firefox driver
  23. Firebug toolbar button is always shown deactivated since Firefox 51.0.1
  24. Can Selenium verify text inside a PDF loaded by the browser?
  25. How to prevent content being displayed from Back-Forward cache in Firefox?
  26. Dynamically changing proxy in Firefox with Selenium webdriver
  27. How does Same Origin Policy apply to browser extensions?
  28. Boootstrap glyphicons Firefox issues
  29. Anti-aliasing on rotated div with border image in firefox
  30. Webdriver and proxy server for firefox

Leave a Comment