I need to create a digital signature of some XML data with a client certificate (smart card) using a web browser. Usually I used to do it with a Java applet executing on the clie
I did the same research a few weeks ago, and the first option for me is to migrate to Firefox (at least for now).
An alternative could be to migrate the applets to a JNLP Java client application (maybe with some WebSocket/RESTful synchronization between Java client/server/web page).
I think the options that you mentioned have less support among browsers than Java applets.
I want to revive an answer previously deleted for lack of information. My answer does not provide complete info but since I had the same problem and stumbled upon this question, I'd like to share my findings.
I also have an additional requirement so that the browser signature works on "older" (IE9) browsers.
There is a web API at https://www.4identity.eu/ distributed by the Italian smart card manufacturer Bit4id.
The 4identity API, however, is not really a full "web API" that relies on plain JavaScript, as it still requires downloading a Windows-only client (sic!). The client, as far as I could understand, responds on a custom keychain URL protocol (I had a past OAuth 2 related question on how to handle desktop applications....) which is not standard according to my findings. The client has access to the key store, so it can upload the signed file to the remote web service, which is being polled by the Ajax page.
I need to do some paperwork to get full API access, and I have no information about pricing. Still, I deem it worth a detailed look.
Supporting a real digital signature from the browser requires browser vendors and the W3C, which oversees web standards, to put in a lot of effort, maybe just the same effort they put into standardizing DRM solutions in HTML5 for the sake of multimedia companies (criticism mode on). Currently there is the WebCrypto standard, but according to research it is not available in "mainstream browsers".
Digitally signing a remote file with a smart card requires access to the key store and the implementation of cryptography libraries. An open source implementation of PAdES/CAdES can be expected from the community, but without a final implementation of a standard way to access the key store, the smart card cannot be accessed.
See also this answer.
This additional part of the answer does not apply to my case as I require this to work on older browsers.
Disclaimer: I am not affiliated with Bit4id, but I know them since I had the opportunity to integrate their work in my apps. One of our customers is a Bit4id partner.