A3 Digital Certificate, e-CPF, how to access information with Javascript

The form performed by the Certisign Login button is very limited, only JAVA and . NET are supported. Sites that use this technology are bound to have many problems, because it depends on customer configuration, which is precisely the advantage of having web systems.

Serasa for example, in the method that tests the digital certificate, in its code it declares a "javascript" pointing to this PHP, which generates a code dynamically, that does nothing more than declares a variable like this, allowing the reading via javascript:

var requestOk = {
            'data':'04/04/2017 às 10:58',
            'titular':'[email protected]',
            'tipo':'0',
            'validade':'09/09/2016 até 09/12/2019',
            'renovar':'0',
            'dias':'979',
            'serasa':'0',
            'empresa':'StartCom Class 1 Client CA'
    };

Their page that does this work is this: https://serasa.certificadodigital.com.br/wp-content/themes/serasaLoja/testeRequest1/testeRequest.php

Observing: Only if you have a valid certificate on the machine will you be able to view this response. You can download and install this Lacunasoftware test certificates: https://github.com/LacunaSoftware/RestPkiSamples/blob/master/TestCertificates.md. This company has a solution that claims to be cross-browser, but never tested because the cost (R$0,50/request) makes it unviable for certain projects.

Therefore, the only way to perform this validation is in the backend. However, it is not that simple, it is not possible to do this only with PHP, because the certificate negotiation happens even at the network layer, when you are opening a connection on the web server, even before PHP is processed. What is done is this:

• A configuration is activated on the WEB server that Checks the client’s certificate.
• The Navigator understands this and opens this dialog box for the client to allow access and select the certificate, according to the image:
• After the client selects the connection to the server follows normally, and the variables are exported as environment variables that can be easily read on $SERVER, keys starting with "SSL"

Each web server has a way to accomplish this. Here is how it is configured in Lighttpd: https://redmine.lighttpd.net/boards/2/topics/5157?r=7273#message-7273. And here (in English) an article that shows how it is done in PHP using Apache https://cweiske.de/tagebuch/ssl-client-certificates.htm

So the answer that "Not possible with Chrome and other browsers" is not true, the difficulty is great but not impossible.

Using Certisign Login is just a simpler stopgap, but it only works for national websites and depends on the JAVA installed on the clients and/or active ex for .NET. However, you are limited to language and complex client installation. Chrome itself eliminated the possibility of JAVA applets leaving only Firefox and IE (with activex) which makes this method very restrictive.

About obtaining the certificate CPF/CNPJ, the ones I have for testing are from "SOLUTI", they contain in CN after the name the character : separates the numerical sequence from the CPF or CNPJ and can be extracted in this way.

If you work with other certifiers please leave in the comment of this reply if it also expresses in this way the number of the CPF or CNPJ.

There is still today this difficulty of native support in the browsers, but I believe that in the future the tendency is that it is simpler and safer to obtain certificate certificate without mirabolantes alternative resources of programming, empowering purely web applications to obtain this information with the user’s permission.

One way to implement digital-certified authentication is through HTTPS with mutual authentication, as done on eCAC. The browser is in charge of listing the certificates and showing them to the user. However, this method has several problems, among them:

• Difficult to set up, as HTTPS with mutual authentication needs to be enabled on the HTTP server
• Bad usability for the user (e.g., if you choose the wrong certificate, you have to close the entire browser)
• Impossible to implement digital signatures (works only for login)

In the past, this issue was solved with Java Applets. However, browsers no longer accept this type of add-on, and currently this technology no longer works in Chrome or Firefox.

A good alternative is the Web PKI, which is a native extension for browsers that enables access to user machine certificates from page Javascript. This demonstration shows exactly what you quoted: get the CPF of each certificate, among other information (as Leonancarvalho said, you can get certificates for testing here).

It is important to mention that it is not enough to obtain the CPF of the user certificate, it is necessary to perform an authentication process by certificate in order to be sure that the user actually has the key pair associated with the certificate that he claims to be the holder, as explained in Article Login with digital certificate from the Web PKI manufacturer itself, the Lacuna Software.

Disclaimer: I am the developer of Lacuna Software

It is not possible with Chrome and other browsers, but there is a possibility that you can perform the scan through Firefox. Googling for a while, the most I could find were two articles and a question in Stack Overflow.

The article you can access by clicking here, and the question here.

Regarding the Chromium, there is a Chromium Issue #49469 which says about the possibility of getting information related to ssl certificates. It is in English but is easy to read.