General J2EE: Integrating Digital Signatures into J2EE Web App

  1. I have a requirement to add digital signature functionality to a J2EE web application. Our customers would like to press a “sign” button on a web page, be prompted to connect their hardware security token (e.g. USB device or smart card), and the signatures stored inside our system for later verification (e.g. in court). The main issue I can see is that when using hardware-based tokens the private key can never leave the device, so the device itself does the signing. Whereas our J2EE Web Application has all the code on the app server tier, and the data is located on the database (and in our architecture cannot be exported to client PCs for security reasons). Does anyone know of any solutions to this kind of requirement? Any vendor toolkits that allow this? From what I’ve read from researching this subject the pieces are all there but most web-based security solutions only implement application login authentication of one sort or another.
  2. Hi There is a solution, you can use SSL with two way athentication(client authentication) and PKCS11 interface to access your hardware token (on client side - see example). So with ssl you will get cilent's certificate on the server side (eg. in session context) and you can be sure that this certificate is trusted one (see SSL reference). Finally you have to have a global repository (LDAP) with users and their certificates and that's it. Good luck.
  3. Hi, thanks for your reply. I'm not sure how client authentication helps with implementing digital signatures? That merely tells us that the client has a certificate with a CA the HTTP server accepts. Yes, the hardware token has PKCS11 support, however this only makes the private key available on the client PC. Programmatically, I think all we'd have access to on the server side via J2EE APIs would be the authentication type of the HTTP request (via request.getAuthType() - is there anything else?), not the actual certificate itself. And even if we did have access to the certificate, it is merely the user's public key, so can only be used for verifying a signature not creating one.