I want to sign the PDF using client certificate. It only work when I got the file is stored in my PC. Since I want to sign my PDF by using the certificate stored inside a USB token, what should I do to achieve that.
I tried to search from the internet, but all I got are mostly using JAVA. Is there anyway to achieve the same goal using PHP? If not, can anyone provide an alternative way to sign my PDF.
Are you talking about a PHP application that's running on a web server, and the USB token being attached to your client machine? Then forget it; it won't work because you cannot access the client's USB port from your web server via the client's browser without further plugins.
The java apps you're talking about are running in the client's browser and thus may have access to the usb port.
The task is tricky but doable. You need to create a client-side module, then calculate the hash of the document on the server, send it along with the client module to the web browser (by including it into the web page) and have the client-side module sign the hash. Then send the hash back to the server.
Our SecureBlackbox product does this, but it's not currently available for PHP on the server side (we plan to release library edition with PHP binding somewhere next year).
Related
Requirements
I'm currently working on a PHP portal for a machine-seller. His machines are capable of communicating over the internet with an integrated SBC with LAN port. The consumers who bought a machine can configure it online after they logged in to the machine-sellers-portal.
After they configured it online, they can download the configuration file via the HMI (touch display at the machine itself) to the machine. The configuration file contains valuable and private information.
The HMI is not browser based. It's a binary application that has, for example, a button "Load config". The rest has to be done in bash/php-scripts in the backround.
Solution for authentication?
I'm in a very early state of conception, but I'm wondering about some processes. I've never had a machine thats needs access to my services, only humans. What is the way to do this actually?
I have three approaches:
1. Access with "API-Key"
Means: In the OS of the SBC lies a file containing a sequence like 8asd7d7d. When I receive a GET-request to portal.company.com/getConfig/8asd7d7d I know from which machine it comes and that it is allowed to receive this config.
Disadvantage: The buyer has access to the SBCs file system. He could destroy the file by accident. He could find out the generating scheme and download configuration files from other buyers.
2. Generating one-time UUID-URL
Means: The consumer creates his configuration online. After that, he gets displayed a one-time URL like portal.company.com/getConfig/d8ac2292ea1fec3fe5c65e6ef573 which he can enter in the HMI and load the file.
Disadvantage: The consumer has to type a long URL into the display of the HMI.
3. Simulating the human authentication process
Means: The machine sends a valid post-request to portal.company.com/login with the login-data of its human owner. It gets a session-cookie (is that even possible in a non-browser environment like pure PHP-scripts?!) and the portal logic knows which URLs are accessible and which not (like for a human visitor).
Any other/better ideas?
I tend to use solution 2 as it's relatively easy to implement and hopefully secure (lets pretend a sha512-string as URL-parameter). Do you have any better suggestions? Mind, that the other way round is not possible, the portal can not actively push data to the machine (as it has no fixed IP, no webserver, ...)
If the device supports cryptographic functions, PKI can be used. Encrypt the data using the device public key. Only the device knowing the private key can decrypt the config file. PKI supports authentication also. here the device connects to a login portal that requests client certificate and after authentication of client, the config file is send to the device encrypted in device public key.
cons: each device requires a client certifcate.
I have an application that retrieves some info and give them to user from a certain public website. However, i am not sure whether i should let my app immediately connect to the target website or it should get the info through my web server using a simple PHP script (JSON).
Actually I am using Jsoup to get the information and I tried both and they worked perfectly ( immediate and PHP) using Jsoup. However, I have not published my app yet due to the confusion aforementioned.
Use the web service. If your client has logic to parse the HTML, it can break when the web page changes. The web service can absorb this change and make corrections, but your client cannot. Not unless you release another version of your app, and that can be a pain.
This is more general design kind of question. My major project is to create native app for Firefox OS. Which therefor means JavaScript, jQuery, HTML5 and css. This application should have several functions. But as a general design goes I need local html,css,js application running under firefox OS with ability to access server php scripts and mysql db, but because application is running on client side, I have a major problem with communication between application and server. Which technology, language, API or JS functions could I use for Login check, registration, messaging. How can I access server from local (on PC or Mobile Device) files. There is possibility that I'm missing some point or that my whole understanding of the problem is wrong, but is this possible and how?
Apps are built using standard Web technologies with additional metadata that allows the User Agent to discover, install, launch, and grant them additional privileges.
So says MDN.
The usual way to interact with remote, shared databases is to place a RESTful HTTP front end in front of them and access that with JavaScript/XMLHttpRequest.
XHR, WebSocket or TCPSocket.
FYR:
https://developer.mozilla.org/en-US/docs/DOM/XMLHttpRequest
https://developer.mozilla.org/en/docs/WebSockets
There is no TCPSocket document on MDN, but you can study gaia email app.
https://raw.github.com/mozilla-b2g/gaia/master/apps/email/js/ext/gaia-email-opt.js
I am building an internal system for a small business and one of the requested features was to be able to go in to different apps by clicking a button on a web page.
So for example when you click on the icon for Coda it will open and be useable.
This does not need to work for Windows, only on Mac OS Mountain Lion!
How could this be done? or can it not be done?
Two options:
If the app can be opened using a registered URL schema, you can use that. For instance, an ftp://... link opens the default FTP application, a news://... link the default news reader. You can make up your own URL schemas. An application typically needs to register itself for a certain schema for this to work.
If that is not an option, you pretty much have to install a plugin in the client's browser that can do this via any mechanism it wants.
The problem that you face here, is the way binaries and the web works. Compiled applications like cocoa apps will only work if at least their starting binaries are there. But this basically means that the user already has downloaded the binary.
Furthermore, these apps will create their own application preferences - so a downloaded version of Coda will have no license.
And if the user has downloaded you binaries, what will stop them from using your software forever? (Just apart form license problems with the authors of said software).
So, the only thing that you could do, is to present them with some kind of VNC like client that will grant them limited access to an environment that you have under control. But writing that is way out of scope for this site.
(I assume, that the application are not already installed locally, but be usable from the server).
I'm developing a project using Javascript, PHP and OpenLayers. A lot of maps are loaded using and HTTPS connection against an external OGC server.
When I try to load the map using HTTPS, they doesn't load (instead of, they show me an "Error loading the map, try again later").
I think that the problem is because of Digital Certificate. If I load directly from the server (using a WMS call) like this (look the last parameter):
https://serverurl/ogc/wms?service=WMS&version=1.1.0&request=GetMap&layers=ms1:lp_anual_250&styles=&bbox=205125.0,3150125.0,234875.0,3199875.0&width=306&height=512&srs=EPSG:4326&format=application/openlayers
The browser ask me for my authorization to see it. If i accept the Digital Certificate, I can see the map. After that, and because of my browser now accepts the certificate, I can see my own map from my own application.
So, the question is: Is there any way to ask for the Digital Certificate mannually when the user access to my web?
Thanks in advance!
PS: solutions using PHP are welcome too because I'm using CodeIgniter to load views
You could try opening the WMS URL in a div or perhaps a hidden iframe - that may cause the browser to pop up its 'Unknown cert' dialogue.
Im going to quote another user (geographika) from gis.stackexchange. I hope can help to someone with my issue:
You can use a proxy on your server so
all client requests are made to your
server, which deals with the
certificate, gets the request and
passes it back to the client. For PHP
have a look at
http://tr.php.net/manual/en/function.openssl-verify.php
If you are also using WMS software
(MapServer, GeoServer) you could
implement the same technique using a
cascading WMS server.
For details on how to do this in
MapServer see
http://geographika.co.uk/setting-up-a-secure-cascading-wms-on-mapserver