
Digital Signature Solution Using Web Sockets

This document proposes a digital signature solution using web sockets that eliminates dependency on Java and browsers. The solution includes a web socket server that runs on a local machine and client script integrated into web applications. When the submit button is clicked, the client script establishes a web socket connection and sends signing requests to the server, which returns the digital signature. It aims to provide a reliable alternative to existing Java applet-based signature solutions.

Uploaded by

Yogesh Kute

Digital Signature Solution using Web Sockets

Abstract
This document proposes a new approach for performing digital signatures in a web browser
using web socket technology. The main purpose of this approach is to eliminate the dependency on
the Java runtime at the client side, and the browser dependency, to provide a reliable alternative solution.

Introduction
We currently use a Java applet based Web signer service component to perform digital
signing in our various products. Though this approach is reliable, we have to look for an alternative
solution for the following reasons:

• As a security measure, most browsers are planning to drop Java applet support
• Dependency on the Java runtime
• Applet invocation may cause browser instability

Web Sockets
Web Socket is a protocol providing full-duplex communication channels over a single TCP
connection. All HTML5-compliant web browsers support the web socket client interface natively
(Please refer here for browser compatibility list).

Proposed Solution
A WebSocket based solution is considered more reliable and easy to implement in all kinds of
browsers. So we have developed a solution based on web sockets to provide digital signature
functionality to any web socket compatible web browser. This solution comprises two parts:

1. Web Socket server
2. Client Script

Web Socket server


It is a web socket server over the TCP protocol. It listens on a designated port number on the local IP
address and receives web socket connections from the browser. Based on the type of service
request from the browser, it performs different operations and returns the result.

1 | eMudhra Limited
Client Script
It is a JavaScript code snippet that creates a web socket client object and connects to the local
web socket server to request different services.

How it works?
Step 1 - Integration
1. The web socket component is installed on the client machine and invoked to run on the designated
port number.
2. The client script code is integrated into the web application wherever digital signing is
required.

Step 2 - Working
1. The client script sends a web socket request to digitally sign the to-be-signed (TBS) data using the
certificate chosen.
2. The web socket server computes the signature and returns the base64 encoded signature data
as the response.
3. On reception of the signature data, the web application can send the signature for verification.

Pre-requisites:
1. An installer will be shared with the user, who needs to install it on their machine.
2. The installer will contain the WebSocket client (AICTESigner.exe), JRE 1.7 32-bit
and other required library files.
3. Once installed, a shortcut to AICTESigner.exe will be placed on the Desktop.
4. The user needs to run the AICTESigner.exe shortcut with “Run as administrator”
the first time (mandatory), and the root certificate “127.0.0.1” will be added to the
browser store for making the handshake with the server.
5. If AICTESigner.exe is not bundled with the JRE, the user's machine should have
JRE 1.7 (32-bit) or above installed.

Restriction/Limitation:

Web Sockets will not run if a proxy is enabled on the client machine. Disable the proxy and start
the AICTESigner server. The proxy server must be capable of handling Web Socket communication.

[Figure: The web socket client in the browser running on the local machine sends two requests to the web socket server's token services: a request for token certificate details, answered with the list of certificates stored in the token, and a request for signing of TBS data, answered with the digital signature.]

Security Implementation
• The web socket server listens on the localhost IP address, hence the services can’t be accessed
from another machine in the same network.
• The web socket server accepts connections only from the host machine where the web socket
server is installed.
• The web socket server always checks the “Origin” header in the request and accepts connections only
from allowed web sites.
• The server doesn’t cache the token password, which needs to be entered by the user whenever a signature
is being created.
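
The loopback and Origin checks listed above, sketched as an added example in JavaScript to match the page's client script (this is not eMudhra's server code). The allowed origin `https://portal.example.org`, the function names and the sample handshake requests are constructed for illustration.

```javascript
// Added example: handshake admission check for a loopback signing server.
// ALLOWED_ORIGINS and the sample requests are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['https://portal.example.org']);

// True only for loopback peers, including the IPv4-mapped IPv6 form that
// dual-stack listeners report.
function isLoopback(remoteAddress) {
  const addr = (remoteAddress || '').replace(/^::ffff:/i, '');
  return addr === '::1' || /^127(\.\d{1,3}){3}$/.test(addr);
}

// Canonicalise an Origin header to scheme://host[:port]; returns null for
// a missing, opaque ("null") or malformed value.
function canonicalOrigin(header) {
  if (typeof header !== 'string' || header === 'null') return null;
  try {
    const u = new URL(header);
    // An Origin carries no path, query, fragment or credentials.
    if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
    return u.origin; // lower-cases the host and drops a default port
  } catch (_) {
    return null;
  }
}

// Decide whether to complete the web socket upgrade. The match is exact on
// the canonical origin: substring or prefix tests accept look-alike hosts.
function admitHandshake(req, allowed = ALLOWED_ORIGINS) {
  if (!isLoopback(req.remoteAddress)) return { ok: false, reason: 'not-loopback' };
  const origin = canonicalOrigin(req.headers.origin);
  if (origin === null) return { ok: false, reason: 'no-origin' };
  if (!allowed.has(origin)) return { ok: false, reason: 'origin-not-allowed' };
  return { ok: true, reason: 'allowed' };
}

// Constructed handshake requests (Node lower-cases header names).
const samples = [
  { remoteAddress: '127.0.0.1', headers: { origin: 'https://portal.example.org' } },
  { remoteAddress: '::ffff:127.0.0.1', headers: { origin: 'https://PORTAL.example.org:443' } },
  { remoteAddress: '127.0.0.1', headers: { origin: 'https://portal.example.org.other.test' } },
  { remoteAddress: '127.0.0.1', headers: {} },
  { remoteAddress: '192.168.1.20', headers: { origin: 'https://portal.example.org' } },
];
for (const s of samples) console.log(s.remoteAddress, s.headers.origin, admitHandshake(s).reason);
```

A request without an Origin header comes from a non-browser client on the same machine; rejecting it keeps the allowlist meaningful for every caller, not only for pages loaded in a browser.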

Steps to install & run WebSocket:

• Install the given AICTESigner.msi installer on the system.
• The default installation location will be "C:\AICTESigner". The user can install it in any location on
the system.
• An AICTESigner shortcut will be created on the Desktop.
• Run the AICTESigner shortcut with "Run as Administrator" the first time (this will add the
127.0.0.1 root certificate to the browser store for establishing a handshake).
• The AICTESigner UI will be minimized in the taskbar tray, where the status of the connection can be checked.
• The property file includes the input parameters to be passed to WebSocket with the action to be
performed, and the sample html file contains the script to call the methods.

Browser Compatibility
Browser               Supported Version
Internet Explorer     10.0 and above
Firefox               6.0 and above
Chrome                16.0 and above
Safari (MAC OS)       6.0 and above

Operating System
• Windows [XP, 7, 8, 10], Linux, Mac

Integration Aspect:
To embed the Web Socket client into web pages, use the script below. When the submit button is
clicked on the web page, the JavaScript function call(id, inputRequest) is called, which invokes the Signer
applet window for the signing process. WebSocket('wss://127.0.0.1:portNo') establishes the web
socket connection.

<script type="text/javascript">
    // Connect to the signer's web socket server on the loopback address.
    var connection = new WebSocket('wss://127.0.0.1:2129');

    connection.onopen = function () {
        console.log('Connection Opened');
    };
    connection.onerror = function (error) {
        alert('Please check the server connection: ' + error);
        document.getElementById("signData").value = error;
    };
    connection.onmessage = function (e) {
        // Messages that contain "subProtocol" are not shown to the user.
        if (e.data.indexOf("subProtocol") == -1)
            alert(e.data);
    };

    var bufLength = 16300;  // maximum number of characters sent per message
    var splitData = [];     // the request, split into chunks
    var j = 0;              // index of the next chunk to send
    var actualData = '';    // full request, kept for the 'sendmore' callback
    var textId = '';        // id of the field that receives the result

    // Entry point: split the request if needed and send the first chunk.
    function setData(txf1, msg) {
        actualData = msg;
        textId = txf1;
        // Reset the chunk state so that a second request starts from chunk 0.
        splitData = [];
        j = 0;
        console.log('completeData length ' + msg.length);
        if (msg.length < bufLength) {
            console.log('not splitting');
            splitData[0] = msg;
        } else {
            console.log('splitting');
            for (var t = 0; t < msg.length; t += bufLength) {
                splitData.push(msg.substring(t, t + bufLength));
            }
        }
        call(txf1, msg);
    }

    // Send the next chunk and handle the server's reply.
    function call(txf1, msg) {
        var data = "";
        if (j >= splitData.length) {
            return; // nothing left to send
        }
        // The last (or only) chunk carries the 'completed' marker.
        if (j == splitData.length - 1) {
            connection.send(splitData[j] + 'completed');
        } else {
            connection.send(splitData[j]);
        }
        j++;
        connection.onmessage = function (e) {
            if (e.data.indexOf("subProtocol") == -1) {
                if (e.data == 'sendmore') {
                    // The server asks for the next chunk.
                    call(textId, actualData);
                } else {
                    // Accumulate the response until it contains 'completed'.
                    data = data + e.data;
                    if (data.indexOf('completed') != -1) {
                        document.getElementById(txf1).value = data;
                    }
                }
            }
        };
    }
</script>

Input Parameters for Signing:

// Data signing
Action = signdoc
Datatosign = test
Signaction = sign
Filepath =
signType=
PanNumberParam =
Expirycheck = true/false
Issuername =
Certclass = 2
Certtype = DSC

// Parameter Description:

action = signdoc (form signing)
datatosign = input data for signing
signaction = sign (attached: original data with signature; detached: display only signature without original data)
filePath = path of the file (not mandatory)
signType=
panNumber = PAN number of the certificate for validation
filterIssuerName = filters certificates based on issuer name (not mandatory)
expirycheck = filters expired certificates, if true expired certificates will not be displayed
certificateType = type of certificate, where DSC - Signature certificate, EN - Encryption certificate, ALL - both Signature & Encryption
certificateClass = 0 - All class of certificates, 1 - Class 1, 2 - Class 2, 3 - Class 3

Input Parameters for PDF Signing:

action=signpdf
datatosign=D:/Damodar/Correct/emu6.pdf
signaction=1
outputpath=D:/Damodar/Output/emu6.pdf
signtype=sign
expirycheck=true

coordinate=400,100,500,150
issuername=
certtype=ALL
certclass=0
pageno=All
coSign=true

// Parameter Description:

action = action to perform (signpdf – for pdf signing)
datatosign = input pdf data for signing
signaction = 1 - pdf file path, 3 - Base64encoded data
outputPath = output path of the file (not mandatory)
signtype = sign
coordinate = coordinates for embedding signature to pdf
expirycheck = filters expired certificates, if true expired certificates will not be displayed
issuername = filters certificates based on certificate issuer name (not mandatory)
certtype = type of certificate, where DSC - Signature certificate, EN - Encryption certificate, ALL - both Signature & Encryption
certclass = 0 - All class of certificates, 1 - Class 1, 2 - Class 2, 3 - Class 3
pageno = first, last, even, odd, all
coSign=true (Multiple signing is allowed)
coSign=false (Multiple signing is not allowed)

Note: For signing multiple PDFs, pass "pdfData1##pdfData2##pdfData3" in the "datatosign"
parameter and set "signaction=3".

(*Note: Except for the non-mandatory fields, all other parameters must contain the required values for signing.)
