A3 Digital Certificate, e-CPF, how to access information with Javascript


Viewed 10,007 times

12

I am having to develop an application which, for security purposes, requires users to use an e-CPF when trying to log in. I just need to check whether the e-CPF number matches the social security number of the registered user who is trying to log in. Can I retrieve the certificate data through JavaScript? I searched the "window" object for a way to access it, but I was not successful. Any ideas?

3 answers

10


The approach taken by the Certisign Login button is very limited: only Java and .NET are supported. Sites that use this technology are bound to have many problems, because it depends on the client's configuration, and not depending on that is precisely the advantage of web systems.

Serasa, for example, in the method that tests the digital certificate, declares in its code a "javascript" pointing to this PHP, which dynamically generates code that does nothing more than declare a variable like this, allowing it to be read via JavaScript:

    var requestOk = {
        'data':     '04/04/2017 às 10:58',
        'titular':  '[email protected]',
        'tipo':     '0',
        'validade': '09/09/2016 até 09/12/2019',
        'renovar':  '0',
        'dias':     '979',
        'serasa':   '0',
        'empresa':  'StartCom Class 1 Client CA'
    };

Their page that does this work is this: https://serasa.certificadodigital.com.br/wp-content/themes/serasaLoja/testeRequest1/testeRequest.php

Note: only if you have a valid certificate on the machine will you be able to see this response. You can download and install Lacuna Software's test certificates: https://github.com/LacunaSoftware/RestPkiSamples/blob/master/TestCertificates.md. This company has a solution that claims to be cross-browser, but I never tested it because the cost (R$0,50/request) makes it unviable for certain projects.

Therefore, the only way to perform this validation is in the backend. However, it is not that simple: it is not possible to do this with PHP alone, because the certificate negotiation happens at the network layer, when the connection to the web server is opened, even before PHP is run. What is done is this:

  • A setting is enabled on the web server that checks the client's certificate.
  • The browser understands this and opens a dialog box for the client to allow access and select the certificate, as in the image: [image]
  • After the client selects it, the connection to the server proceeds normally, and the variables are exported as environment variables that can easily be read from $_SERVER, under keys starting with "SSL"

Each web server has its own way of doing this. Here is how it is configured in Lighttpd: https://redmine.lighttpd.net/boards/2/topics/5157?r=7273#message-7273. And here (in English) is an article showing how it is done in PHP with Apache: https://cweiske.de/tagebuch/ssl-client-certificates.htm

So the answer saying "Not possible with Chrome and other browsers" is not true; the difficulty is great, but it is not impossible.

Using Certisign Login is just a simpler stopgap, but it only works for national websites and depends on Java being installed on the clients and/or ActiveX being enabled for .NET. So you are limited by language and by a complex client installation. Chrome itself removed support for Java applets, leaving only Firefox and IE (with ActiveX), which makes this method very restrictive.

Regarding obtaining the CPF/CNPJ from the certificate: the ones I have for testing are from "SOLUTI". In the CN, after the name, the character ":" separates the numeric sequence of the CPF or CNPJ, and it can be extracted this way.

[image]

If you work with other certifiers, please say in a comment on this answer whether they also express the CPF or CNPJ number in this way.

There is still, today, this lack of native support in browsers, but I believe that in the future the tendency is for obtaining the certificate to become simpler and safer, without convoluted alternative programming tricks, allowing purely web applications to obtain this information with the user's permission.

  • The new address of the Serasa test is this: https://serasa.certificadodigital.com.br/test/ and, strangely, it didn't work on my Mac but it worked on my Windows, but I don't know whether this limitation really exists

  • 1

    On Mac there are other security mechanisms; you need to allow the browser to access the OS certificate repository.

  • 1

    Not every certificate has the CPF in the CN field (example - see section 7.1.4), although for e-CPF you always will; but anyway, the right place to get this information is the Subject Alternative Names extension (see section 7.1.2.3 of the linked document)

  • https://answall.com/questions/171093/como-funciona-a-autentica%C3%A7%C3%a3o-com-certificado-digital/198803#198803
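The server-side flow described in the answer above (the web server asks for the client certificate, then the application reads the subject and compares the CPF after the ":" in the CN with the registered user), written as an added example for Node.js, which is the server a later comment mentions via its requestCert option. This code is not from the answer, from SOLUTI or from any product on the page: the certificate object is constructed, the key/cert/ca material is left to the caller, and the CN layout follows only what the answer reports for SOLUTI certificates (the comment above notes that the Subject Alternative Names extension is the normative place for the CPF; parsing that is outside this example).

```javascript
// Added example (not from the original answer): server-side check of a
// client certificate presented over mutual TLS in Node.js, following the
// answer's observation that SOLUTI e-CPF/e-CNPJ certificates carry
// "<NAME>:<digits>" in the CN. The certificate object below is constructed.

// Options for https.createServer(): asks the browser for a client certificate
// (the dialog the answer shows) and rejects handshakes whose certificate does
// not chain to `ca`. `ca` must hold the issuing chain (ICP-Brasil ACs for
// e-CPF); key/cert/ca are placeholders supplied by the caller.
function mtlsServerOptions({ key, cert, ca }) {
  return { key, cert, ca, requestCert: true, rejectUnauthorized: true };
}

// Extract the 11-digit CPF or 14-digit CNPJ that follows the last ':' in the CN.
function extractIdFromCn(cn) {
  if (typeof cn !== 'string') return null;
  const idx = cn.lastIndexOf(':');
  if (idx < 0) return null;
  const digits = cn.slice(idx + 1).replace(/\D/g, '');
  if (digits.length === 11) return { kind: 'CPF', value: digits };
  if (digits.length === 14) return { kind: 'CNPJ', value: digits };
  return null;
}

// CPF check digits (two mod-11 digits); also rejects the all-same-digit values
// that pass the arithmetic but are never issued.
function isValidCpf(cpf) {
  if (!/^\d{11}$/.test(cpf) || /^(\d)\1{10}$/.test(cpf)) return false;
  const checkDigit = (len) => {
    let sum = 0;
    for (let i = 0; i < len; i++) sum += Number(cpf[i]) * (len + 1 - i);
    const r = (sum * 10) % 11;
    return r === 10 ? 0 : r;
  };
  return checkDigit(9) === Number(cpf[9]) && checkDigit(10) === Number(cpf[10]);
}

// Decide whether the presented certificate belongs to the registered user.
// `authorized` is the TLS socket's .authorized flag (true only when the chain
// verified against `ca`); `peerCert` is the object from socket.getPeerCertificate().
function authenticateClient(authorized, peerCert, registeredCpf) {
  if (!authorized) return { ok: false, reason: 'certificate chain not verified' };
  const id = extractIdFromCn(peerCert && peerCert.subject && peerCert.subject.CN);
  if (!id || id.kind !== 'CPF') return { ok: false, reason: 'no CPF found in certificate CN' };
  if (!isValidCpf(id.value)) return { ok: false, reason: 'CPF check digits invalid' };
  if (id.value !== registeredCpf) return { ok: false, reason: 'CPF does not match registered user' };
  return { ok: true, cpf: id.value };
}

// Request handler for https.createServer(mtlsServerOptions(opts), makeHandler(lookup)).
// `lookup(req)` returns the CPF stored for the account that is trying to log in.
function makeHandler(lookup) {
  return (req, res) => {
    const sock = req.socket;
    const result = authenticateClient(sock.authorized, sock.getPeerCertificate(), lookup(req));
    res.writeHead(result.ok ? 200 : 403, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(result));
  };
}

// Constructed sample of what getPeerCertificate() returns for such a certificate.
const SAMPLE_PEER_CERT = {
  subject: { C: 'BR', O: 'ICP-Brasil', CN: 'FULANO DE TAL:52998224725' }, // constructed
  valid_to: 'Dec  9 23:59:59 2019 GMT',
};

// Stand-alone run against a fake request; a real deployment wires makeHandler
// into https.createServer(mtlsServerOptions({ key, cert, ca }), makeHandler(lookup)).
const fakeReq = { socket: { authorized: true, getPeerCertificate: () => SAMPLE_PEER_CERT } };
const fakeRes = { writeHead(code) { this.code = code; }, end(body) { this.body = body; } };
makeHandler(() => '52998224725')(fakeReq, fakeRes);
console.log(fakeRes.code, fakeRes.body); // 200 {"ok":true,"cpf":"52998224725"}
```

Two details matter for security here: `rejectUnauthorized: true` makes the TLS layer refuse any certificate that does not chain to the configured CA set, so the application never sees a self-signed certificate with a forged CN; and the handler still checks `socket.authorized` rather than trusting the mere presence of a certificate object, which protects a deployment that later relaxes the TLS option for diagnostics.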

4

One way to implement authentication with a digital certificate is through HTTPS with mutual authentication, as done on eCAC. The browser is in charge of listing the certificates and showing them to the user. However, this method has several problems, among them:

  • Difficult to set up, as HTTPS with mutual authentication needs to be enabled on the HTTP server
  • Poor usability for the user (e.g., if you choose the wrong certificate, you have to close the entire browser)
  • Impossible to implement digital signatures (works only for login)

In the past, this issue was solved with Java Applets. However, browsers no longer accept this type of add-on, and currently this technology no longer works in Chrome or Firefox.

A good alternative is Web PKI, a native browser extension that enables access to the certificates on the user's machine from page JavaScript. This demonstration shows exactly what you described: getting the CPF from each certificate, among other information (as Leonancarvalho said, you can get test certificates here).

It is important to mention that it is not enough to obtain the CPF from the user's certificate; it is necessary to perform a certificate-based authentication process in order to be sure that the user actually holds the key pair associated with the certificate they claim to hold, as explained in the article Login with digital certificate from the Web PKI manufacturer itself, Lacuna Software.

Disclaimer: I am the developer of Lacuna Software

  • We evaluated this solution at the time, and the need to install a third component to validate the certificate was the main flaw preventing its adoption. In addition, certificate login on mobile devices was also a requirement, and the native handshake solution then required using a combination of SSO login on a specific subdomain to have effective authentication on all devices on the market.

3

It is not possible with Chrome and other browsers, but there is a possibility that you can perform the scan through Firefox. Googling for a while, the most I could find were two articles and a question on Stack Overflow.

The article you can access by clicking here, and the question here.

Regarding Chromium, there is Chromium Issue #49469, which discusses the possibility of getting information related to SSL certificates. It is in English but is easy to read.

  • Not true, you can get the client's certificate through the SSL handshake. And it works on any current browser.

  • 1

    @Leonancarvalho please show us where we can learn and apply this technique and we will be grateful.

  • You need to configure the option on the server. In Node.js, pass the requestCert option
