Digital Certificate A3, e-CPF, how to access information with JavaScript

8

I'm having to develop an application which, for security purposes, requires the use of an e-CPF by users when they log in. I just need to check whether the e-CPF number matches the CPF of the registered user who is trying to log in. Can I recover my certificate data using JavaScript? I looked at the "window" object to try to access it, but I was not successful. Any ideas?

    
asked by anonymous 07.07.2016 / 22:30

4 answers

4

The form performed by the Certisign Login button is very limited, only JAVA and .NET are supported. Websites that use this technology are bound to have many problems, as it depends on client configuration, which is the advantage of having web systems.

Serasa for example, in the method that tests the digital certificate, in its code it declares a "javascript" pointing to this PHP, which generates a code dynamically, which does nothing more than declare a variable like this, allowing reading via javascript:

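    // Variable emitted by the server-generated script; the keys are in Portuguese.
    var requestOk = {
        'data': '04/04/2017 às 10:58',            // date
        'titular': '[email protected]',         // holder
        'tipo': '0',                              // type
        'validade': '09/09/2016 até 09/12/2019',  // validity
        'renovar': '0',                           // renew
        'dias': '979',                            // days
        'serasa': '0',
        'empresa': 'StartCom Class 1 Client CA'   // company
    };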

Their page that does this work is this: link

Note: Only if you have a valid certificate on the machine can you view this answer. You can download and install these LacunaSoftware test certificates: link. This company has a solution that says it is cross-browser, but I never tested it because the cost (R$ 0.50 / requisition) makes it impossible for certain projects.

So, the only way to do this validation is in the backend. But it is not so simple: you cannot do this with PHP, because the certificate negotiation still happens at the network layer, when you are opening a connection on the web server, before PHP is even processed. What is done is as follows:

  • A configuration is enabled on the Web server that checks the client's certificate.
  • The Browser understands this and opens this dialog box for the client to allow access and select the certificate, as shown:
  • After the client selects, the connection to the server follows normally, and the variables are exported as environment variables that can be easily read in $_SERVER, in the keys starting with "SSL"

Each web server has a way to accomplish this. Here's how it's set up in Lighttpd: link. And here is an article that shows how it is done in PHP using Apache: link

So the answer "Not possible with Chrome and other browsers" is not true, the difficulty is great but it is not impossible.

Using Certisign Login is just a simpler palliative, but works only for national sites and depends on JAVA installed on clients and/or ActiveX for .NET. However you are limited to language and a complex installation on the clients. Chrome itself deleted the possibility of JAVA Applets with only Firefox and IE (with ActiveX) which makes this method very restrictive.

About getting the CPF / CNPJ from the certificate: the ones I have for testing are from "SOLUTI", and they contain in the CN, after the name, the character ":" which separates the numeric sequence of the CPF or CNPJ; it can be extracted in this way.

If you work with other certifiers, please leave a comment on this answer if it also expresses the CPF or CNPJ number.

There is still this difficulty of native support in browsers, but I believe that in the future the tendency is that it will be simpler and safer to obtain certificate of the certificate without any obvious alternative programming resources, empowering purely web applications to obtain this information with the permission of the user.

    
04.04.2017 / 16:22
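
The backend check this answer describes, as an added example (not code from the answer or from any vendor): it reads the variables a TLS-terminating web server exports after verifying the client certificate and compares the CPF in the CN with the registered user's CPF. It assumes Apache mod_ssl's variable names `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN` and the `NAME:CPF` CN layout mentioned above; the function names and sample values are constructed.

```javascript
// Added example: server-side CPF check from client-certificate variables.
// Assumptions: mod_ssl variable names, and a CN of the form "NAME:CPF".

// Validate the two CPF check digits (mod-11 scheme); reject 11 equal digits.
function isValidCpf(cpf) {
  if (!/^\d{11}$/.test(cpf) || /^(\d)\1{10}$/.test(cpf)) return false;
  const digit = (len) => {
    let sum = 0;
    for (let i = 0; i < len; i++) sum += Number(cpf[i]) * (len + 1 - i);
    return ((sum * 10) % 11) % 10; // a remainder of 10 maps to 0
  };
  return digit(9) === Number(cpf[9]) && digit(10) === Number(cpf[10]);
}

// Extract the CPF from a CN such as "FULANO DE TAL:11144477735".
// A 14-digit CNPJ or a malformed CN yields null.
function cpfFromCn(cn) {
  const m = /^[^:]+:(\d{11})$/.exec(String(cn || '').trim());
  return m && isValidCpf(m[1]) ? m[1] : null;
}

// env: the SSL_* variables the web server exported for this request.
// registeredCpf: the CPF stored for the account, with or without punctuation.
function checkCertificateLogin(env, registeredCpf) {
  // The web server must have validated the chain; anything but SUCCESS fails.
  if (env.SSL_CLIENT_VERIFY !== 'SUCCESS') {
    return { ok: false, reason: 'certificate not verified' };
  }
  const certCpf = cpfFromCn(env.SSL_CLIENT_S_DN_CN);
  if (!certCpf) return { ok: false, reason: 'no CPF in certificate CN' };
  const expected = String(registeredCpf).replace(/\D/g, '');
  if (certCpf !== expected) return { ok: false, reason: 'CPF mismatch' };
  return { ok: true, cpf: certCpf };
}

// Constructed sample values (the CPF is a synthetic test number).
const sampleEnv = {
  SSL_CLIENT_VERIFY: 'SUCCESS',
  SSL_CLIENT_S_DN_CN: 'FULANO DE TAL:11144477735',
};
console.log(checkCertificateLogin(sampleEnv, '111.444.777-35'));
```

These variables can be trusted only when the TLS-terminating server sets them itself; if they reach the application as forwarded headers, the proxy has to strip any client-supplied copies first.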
2

One way to implement authentication with a digital certificate is through HTTPS with mutual authentication, as is done in the eCAC. The browser is responsible for listing the certificates and displaying them to the user. However, this method has several problems, including:

  • Difficulty in configuration, since HTTPS with mutual authentication needs to be enabled on the HTTP server
  • Bad usability for the user (e.g., if you choose the wrong certificate, you have to close the entire browser)
  • Impossibility to implement digital signatures (works only for login)

In the past, you solved this issue with Java Applets. However, browsers no longer accept this type of add-on, and currently this technology no longer works in Chrome or Firefox.

A good alternative is Web PKI, which is a native extension for browsers that provides access to the certificates on the user's machine from the page's JavaScript. This demo shows exactly what you mentioned: you get the CPF for each certificate, among other information (as Leonan Carvalho said, you can get test certificates here).

It is important to mention that it is not enough to obtain the CPF from the user's certificate; it is necessary to perform a certificate authentication process in order to make sure that the user does in fact possess the key pair associated with the certificate that he claims to hold, as explained in the article Login with digital certificate from the maker of Web PKI itself, Lacuna Software.

Disclaimer: I am a developer at Lacuna Software

    
21.06.2018 / 16:46
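
The proof-of-possession step this answer calls for, as an added example (not Web PKI's API and not code from the answer): the server issues a single-use nonce, the client signs it with the certificate's private key, and the server verifies the signature with the certificate's public key. All function names are hypothetical, and throwaway RSA key pairs generated with Node's built-in `crypto` stand in for the certificate and the token.

```javascript
// Added example: nonce challenge so that showing a certificate is not enough;
// the client must also sign with the matching private key.
const nodeCrypto = require('crypto');

const pending = new Map(); // nonce (hex) -> expiry timestamp in ms

// Server: issue a random, single-use challenge.
function issueChallenge(now = Date.now(), ttlMs = 60000) {
  const nonce = nodeCrypto.randomBytes(32).toString('hex');
  pending.set(nonce, now + ttlMs);
  return nonce;
}

// Server: verify the signature with the public key taken from the certificate.
function verifyResponse(nonce, signatureB64, certPublicKey, now = Date.now()) {
  const expiry = pending.get(nonce);
  pending.delete(nonce); // single use: a replayed nonce is never accepted
  if (expiry === undefined || now > expiry) return false;
  return nodeCrypto.verify('sha256', Buffer.from(nonce, 'hex'), certPublicKey,
                           Buffer.from(signatureB64, 'base64'));
}

// Client stand-in: in production the signature is produced on the token or card.
function signChallenge(nonce, privateKey) {
  return nodeCrypto.sign('sha256', Buffer.from(nonce, 'hex'), privateKey)
                   .toString('base64');
}

// Constructed demo: one key pair plays the holder, the other an impostor who
// presents the holder's certificate without owning its private key.
function demo() {
  const holder = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const impostor = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const n1 = issueChallenge();
  const sig = signChallenge(n1, holder.privateKey);
  const genuine = verifyResponse(n1, sig, holder.publicKey);
  const replayed = verifyResponse(n1, sig, holder.publicKey);
  const n2 = issueChallenge();
  const forged = verifyResponse(n2, signChallenge(n2, impostor.privateKey),
                                holder.publicKey);
  const n3 = issueChallenge(0, 1000); // issued at t=0, checked at t=5000
  const expired = verifyResponse(n3, signChallenge(n3, holder.privateKey),
                                 holder.publicKey, 5000);
  return { genuine, replayed, forged, expired };
}
console.log(demo());
```

Before trusting the public key, the server still has to validate the certificate itself (chain, validity period, revocation); the signature check only proves that the client holds the matching private key.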
1

Not possible with Chrome and other browsers, but there is a possibility that you can perform the verification through Firefox. Searching in Google for a while, the most I could find were two articles and one question on Stack Overflow.

The article you can access by clicking here, and the question here.

Regarding Chromium, there is Chromium Issue #49469, which talks about the possibility of obtaining information related to SSL certificates. It's in English but it's easy to read.

    
13.07.2016 / 21:41
1

You can use the Certisign Login, which is used to validate any digital certificate from ICP-Brasil: link

    
13.07.2016 / 22:01