CAPICOM is dead! Long live…um…not being able to sign in the browser!
Microsoft has had CAPICOM marked as deprecated for a while now: it is only implemented as a 32-bit control, with no plans to roll out a 64-bit version. Microsoft’s official recommendation for replacing CAPICOM is to “use the .NET Framework to implement security features”. This is a fine solution for desktop applications, server-side code, web services, and a whole host of other applications. However, there doesn’t seem to be any equivalent support for the functionality the CAPICOM ActiveX control provides within a browser.
The client platform Microsoft wants you to use to run client code in the browser is Silverlight, a browser add-on similar to Flash or ActiveX. Silverlight uses many of the .NET APIs; however, its support for the System.Security.Cryptography.X509Certificates namespace does not include the X509Store class (i.e., the class you would use to enumerate the user’s digital certificates). Nor is there any support for the System.Security.Cryptography.Pkcs namespace, which would allow PKCS#7 signatures and encryption to be performed within the browser. Both of these are available in the full .NET libraries, just not within Silverlight.
ActiveX as a technology is still alive and kicking, so it seems like the only way around this deprecation (and the corresponding corporate aversion to using CAPICOM) is to roll your own ActiveX control that replicates the functionality you need, using CryptoAPI calls. While not particularly difficult to do, home-grown code is far more likely to introduce bugs and security holes into your application than something as tried and tested as CAPICOM.
Now, there’s a possibility that I’ve missed something here, and there is still a way to enumerate certificate stores and perform signatures within the browser while not using CAPICOM. If so, please tell me what it is.
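For reference, this is what the full-.NET route Microsoft recommends looks like outside the browser: an added example (not code from the original post) that enumerates the user’s store with X509Store and produces and verifies a detached PKCS#7 signature with SignedCms, the two pieces Silverlight lacks. It assumes a certificate with a private key is present in the current user’s “My” store; the subject name "CN=Example Signer" is a placeholder.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example: full-.NET equivalents of CAPICOM's Store and SignedData objects.
// Assumes a certificate with a private key in the current user's "My" store;
// the subject name "CN=Example Signer" is a placeholder.
static class PkcsSigningDemo
{
    // Enumerate the user's certificates as CAPICOM's Store object would,
    // keeping only those valid today and backed by a private key.
    static X509Certificate2 FindSigningCert(string subjectName)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            return store.Certificates
                .Find(X509FindType.FindBySubjectDistinguishedName, subjectName, validOnly: true)
                .Cast<X509Certificate2>()
                .FirstOrDefault(c => c.HasPrivateKey);
        }
    }

    // Detached PKCS#7/CMS signature, the counterpart of CAPICOM SignedData.Sign.
    static byte[] SignDetached(byte[] data, X509Certificate2 signer)
    {
        var cms = new SignedCms(new ContentInfo(data), detached: true);
        var cmsSigner = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signer)
        {
            IncludeOption = X509IncludeOption.EndCertOnly
        };
        cms.ComputeSignature(cmsSigner);
        return cms.Encode();
    }

    // Verify the signature AND the signer's certificate chain against the original bytes;
    // verifySignatureOnly: false is what makes the chain check happen.
    static bool VerifyDetached(byte[] data, byte[] signature)
    {
        var cms = new SignedCms(new ContentInfo(data), detached: true);
        cms.Decode(signature);
        try { cms.CheckSignature(verifySignatureOnly: false); return true; }
        catch (CryptographicException) { return false; }
    }
}
```

Sign with `SignDetached(bytes, FindSigningCert("CN=Example Signer"))` and check with `VerifyDetached(bytes, sig)`; flipping any byte of the data afterwards makes CheckSignature throw, which VerifyDetached reports as false.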

June 4th, 2010 at 8:38 am
What about Bouncy Castle (http://www.bouncycastle.org/csharp/)? Any possibility it could provide a suitable replacement?
June 4th, 2010 at 9:51 am
Bouncy Castle is a reasonable choice for a desktop or server-based application, but using it in a browser would still require writing your own ActiveX or other sort of control to wrap it.
June 4th, 2010 at 9:58 am
You could probably use BC in a Java Applet, but BC only really provides cipher support. The big problem is key management – unless you want users to select p12 files when signing, you’re still stuck with the crappy Java CAPI wrapper for Windows (whose problems are a whole other ball of wax), or the PKCS11 capabilities of the JRE which require specific knowledge of where the P11 implementation libraries are on the user system. I’m not sure if the P11 support even works in Applets.
June 4th, 2010 at 2:53 pm
Well, if you’re going to go down the Java road, you might as well just make full use of its crypto capabilities, leveraging key store (or whatever it’s called these days), and so on. At which point one probably starts to feel like it’s a mass migration…
A friend also suggested/thought-out-loud:
“One more thought…if you write a silverlight app and flag it as a trusted app it has access to the AutomationFactory, which lets you [do] a variety of things outside of the normal Silverlight sandbox.
http://msdn.microsoft.com/en-us/library/system.runtime.interopservices.automation.automationfactory(v=VS.95).aspx
“Not sure if you can access the keystore via System automation or not though.”
fwiw. No idea if that’s helpful or not.
June 11th, 2010 at 5:24 pm
Another thought (similar to the Trusted Silverlight thought by Ben): write it as an XBAP application. This would give you access to all the WPF functionality as well.
http://msdn.microsoft.com/en-us/library/aa970060.aspx
Hope that helps too… in the end, it looks like there are options.
What did you learn in Redmond at DII this week?
June 11th, 2010 at 5:35 pm
The sessions on Office 2010’s support of XAdES were probably the most informative (for me) of the bunch. The higher level policy-type stuff is a little out of my wheelhouse, but was pretty useful. There was some talk of cloud-based PKI, which was somewhat interesting, but I’m still skeptical that it’s as provably secure as traditional smartcard-based architectures.
Overall, it was a pretty good event, though sparsely attended.
October 5th, 2010 at 11:45 am
Thanks for the article. I actually just finished writing an ActiveX control (really a .Net application masquerading as a COM Object) to do PKCS signing/encryption in the browser. I finally got it working; however, the control needs to be installed on all client machines before it can work in their browser. Do you know of a way to prompt the user (with that IE yellow drop-down bar) to install the control through his browser and not have to explicitly link to the installer?
October 5th, 2010 at 11:54 am
If it’s a desktop application that has an ActiveX front-end that calls it, I’m not sure if that’s possible.
Either way, even if you want it to be installed from the browser, on Vista/7 the user needs Administrator privileges to install it, which can be problematic.