How to get the private key for digital signature?

[antonyliu2002]

Hi,

My web application does user authentication through X.509 digital
certificates in combination with user name and password.

When the user applies for a digital certificate from my certification
authority (CA), I have a VBScript code that generates a public/private
key pair with the RSA algorithm, as well as the certificate signing
request (CSR) in PKCS#10 format. I assume that the key pair should be
maintained by the browser (my application support Internet Explorer
only at this moment). Am I right?

Now, when the user tries to log into his account, I would like to have
my web application receive a digitally signed token from the client.
The token can be the client's username signed with his/her private
key.

Since this signing process will happen on the client side, it can only
be handled by client side script, for example, JavaScript.

But, how do we get access to the private key with JavaScript? Thanks
a million.

AL

 

[VK]

But, how do we get access to the private key with JavaScript? Thanks
a million.

You can't - or at least you should not be able to. The whole idea of
the method is that you can decode received data using open key but you
cannot forge someone's personality by encoding data with her private
key.

 

[antonyliu2002]

You can't - or at least you should not be able to. The whole idea of
the method is that you can decode received data using openkeybut you
cannot forge someone's personality by encoding data with herprivatekey.

Thanks a lot for your reply. It looks like that I did not make the
situation clear, and hence the confusion. I understand the PKI system
pretty well.

OK, let me try explaining it again and see if it is clearer.

1. When a user applies for a public key certificate from my
Certification Authority (CA) through Internet Explorer, a pair of keys
is generated in the RSA algorithm.

2. The public key and other subject identification info are sent to
the CA so that the CA can generate the certificate for this user.

3. The private key (maybe together with the corresponding public key)
is definitely maintained somewhere on the local machine (either with
some component of IE, or with the Windows OS system).

4. I am NOT trying to get the user private key from the server side,
which I know is not secure ( and maybe impossible as well). I am only
interested in getting the private key in some client side script such
as VBScript or JavaScript so that the user can do digital signature.

My objective is to get the user private key, sign some token and send
it to my web application. My web application can then verify with the
corresponding public key if the token is sent from owner of the public
key who owns the correct private key.

So, you suggest that a user can't possibly sign anything with his
private key since you imply that there is no way of accessing his
private key?