I have a requirement to add digital signature functionality to a J2EE web application. Our customers would like to press a �sign� button on a web page, be prompted to connect their hardware security token (e.g. USB device or smart card), and the signatures stored inside our system for later verification (e.g. in court).
The main issue I can see is that when using hardware-based tokens the private key can never leave the device, so the device itself does the signing. Whereas our J2EE Web Application has all the code on the app server tier, and the data is located on the database (and in our architecture cannot be exported to client PCs for security reasons).
Does anyone know of any solutions to this kind of requirement? Any vendor toolkits that allow this? From what I�ve read from researching this subject the pieces are all there but most web-based security solutions only implement application login authentication of one sort or another.
Does the certificate have to be read off the device every time? I'm asking because web browsers know how to deal with certificates, and if the certificate was imported to the browser, it would be sent to the server automatically, where it could be processed further.
Any interaction of a web page with a hardware device would have to happen through some kind of native code, e.g. ActiveX. Maybe the manufaturer has something like that available.
Joined: Aug 04, 2005
Yes, the private key has to be read every time for two reasons:
1. The electronic signature proves that a particular officer must have been present at the time.
2. The private key must never leave the hardware token.
You want your web app to create and store signature?
Unless the hardware itself has built-in software to create the signature and submit it, it's going to be a difficult task. Like Ulf said, maybe there's a native API from the manufacturer that may allow you to access such services [ April 03, 2007: Message edited by: Hung Tang ]