The security restrictions of browsers do not allow JavaScript access to the system certificate keystore or smart cards. Formerly Java applets could be used, but with the latest browser updates it is no longer possible.
Current solutions for digital signature in browsers require the installation of desktop software on the user's computer. The operating process is as follows:
Installation: The user installs the desktop software on his computer. The software installs a self-signed certificate and includes an embedded browser that listens on a computer port and runs as a service.
The web application requests a signature from the local software using a secure web connection. For example https://localhost:1234/sign?doc=xxxx.
The browser waits for the result
The local application receives the document, asks the user to select the certificate or insert the card and make the signature. As it is a local application, there are no security restrictions.
The web application receives the result. It can query the local application through a REST service or open a websocket.
The concept is simple (a web application that requests the signature from a local application), but the construction of an application of this type is quite complex because you have to take into account many other factors:
Software installation and distribution
Security and Encryption
Digital signature formats: XAdES, CAdES, PAdES etc. They can be implemented in the application or use a signature service in 3 phases, where the documents are on the server and a single hash is signed locally
So I recommend using an existing solution:
@firma + Autofirma: Open-source solution promoted and used by the public administration in Spain
SD-DSS + nexU(lowina): Open-source solution promoted by the European Commission. Check the demo here
chrome token signing: Chrome and Firefox extension for signing with your eID on the web developed for the Estonian government
Sinadura is also an open-source initiative, and from what I've seen it works in a similar way, but I do not know if it has important references and I have not found the API
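The 3-phase signature service mentioned above (documents stay on the server, a single hash is signed locally), as an added example that is not part of the original answer or of any of the listed projects. It assumes Node.js, a software-generated EC key standing in for the smart card or keystore key, and the hypothetical function names below; it signs the bare digest and omits the XAdES/CAdES/PAdES container around it.

```javascript
// Added example with constructed data; function names are hypothetical.
const nodeCrypto = require('node:crypto');

// Phase 1 (server): the document never leaves the server, only its digest does.
function prepareSignature(documentBytes) {
  return nodeCrypto.createHash('sha256').update(documentBytes).digest();
}

// Phase 2 (local application): sign the digest with the user's private key.
// Refuse anything that is not a SHA-256 digest, so the local signer cannot
// be handed a whole document by mistake.
function signLocally(digest, privateKey) {
  if (!Buffer.isBuffer(digest) || digest.length !== 32) {
    throw new Error('expected a 32-byte SHA-256 digest');
  }
  return nodeCrypto.sign('sha256', digest, privateKey);
}

// Phase 3 (server): recompute the digest from the server's own copy of the
// document and verify the returned signature against it before storing it.
function completeSignature(documentBytes, signature, publicKey) {
  const digest = prepareSignature(documentBytes);
  const valid = nodeCrypto.verify('sha256', digest, publicKey, signature);
  return { valid, signatureB64: signature.toString('base64') };
}

function demo() {
  // Assumption: a generated key pair replaces the certificate on the card.
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
  });
  const doc = Buffer.from('constructed sample contract, version 1');
  const changed = Buffer.from('constructed sample contract, version 2');

  const digest = prepareSignature(doc);               // server
  const signature = signLocally(digest, privateKey);  // local application
  return {
    bytesSentToClient: digest.length,
    original: completeSignature(doc, signature, publicKey).valid,
    modified: completeSignature(changed, signature, publicKey).valid,
  };
}

console.log(demo());
```

The server-side check in phase 3 is what ties the returned signature to the stored document: a signature produced for one digest does not verify against a document that changed in the meantime.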