How to get the private key for digital signature?

Discussion in 'Javascript' started by antonyliu2002, Mar 31, 2007.

  1. Hi,

    My web application does user authentication through X.509 digital
    certificates in combination with user name and password.

    When the user applies for a digital certificate from my certification
    authority (CA), I have a VBScript code that generates a public/private
    key pair with the RSA algorithm, as well as the certificate signing
    request (CSR) in PKCS#10 format. I assume that the key pair should be
    maintained by the browser (my application supports Internet Explorer
    only at this moment). Am I right?

    Now, when the user tries to log into his account, I would like to have
    my web application receive a digitally signed token from the client.
    The token can be the client's username signed with his/her private
    key.

    Since this signing process will happen on the client side, it can only
    be handled by client side script, for example, JavaScript.

    But, how do we get access to the private key with JavaScript? Thanks
    a million.

    AL
     
    antonyliu2002, Mar 31, 2007
    #1

  2. VK Guest

    You can't - or at least you should not be able to. The whole idea of
    the method is that you can decode received data using the open key but you
    cannot forge someone's personality by encoding data with her private
    key.
     
    VK, Apr 1, 2007
    #2


  3. Thanks a lot for your reply. It looks like I did not make the
    situation clear, and hence the confusion. I understand the PKI system
    pretty well.

    OK, let me try explaining it again and see if it is clearer.

    1. When a user applies for a public key certificate from my
    Certification Authority (CA) through Internet Explorer, a pair of keys
    is generated with the RSA algorithm.

    2. The public key and other subject identification info are sent to
    the CA so that the CA can generate the certificate for this user.

    3. The private key (maybe together with the corresponding public key)
    is definitely maintained somewhere on the local machine (either with
    some component of IE, or with the Windows OS system).

    4. I am NOT trying to get the user private key from the server side,
    which I know is not secure (and maybe impossible as well). I am only
    interested in getting the private key in some client side script such
    as VBScript or JavaScript so that the user can do digital signature.

    My objective is to get the user private key, sign some token and send
    it to my web application. My web application can then verify with the
    corresponding public key if the token is sent from the owner of the public
    key who owns the correct private key.

    So, you suggest that a user can't possibly sign anything with his
    private key since you imply that there is no way of accessing his
    private key?
     
    antonyliu2002, Apr 2, 2007
    #3