Hi Ted,

You could use standard SSL support for client certificate authentication. You can configure the web server to require a client certificate. Here's how to do it in Apache:

http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients

You need to find a secure way to send a client certificate to your users, and they need to import the client certificate into the browser. This would be external to OFBiz.

The entire web application, not just form submission, would be encrypted, tamper-proof and authenticated, and that would be transparent to the OFBiz application. Web browsers and operating systems already have certificate stores, and you could just use them without needing to do anything special. Certificate deployment would be an annoyance, but a one-off annoyance.

If you want to do it internal to the application with Javascript, you are in effect rewriting the SSL infrastructure in your own Javascript code. Your code doesn't have a secure key store and is subject to risks of code injection and so on. See the rant on this subject at

http://www.matasano.com/articles/javascript-cryptography/

If you must build something like this in Javascript, these are some libraries that might help:

http://ats.oka.nu/titaniumcore/js/crypto/readme.txt
http://crypto.stanford.edu/sjcl/ (symmetric AES only)
http://www-cs-students.stanford.edu/~tjw/jsbn/

Hope that helps.

Cheers

Paul Foxworthy

Ted Byers wrote
> I need to add use of PKI, with document signing, to OFBiz
>
> What would I need to do to configure OFBiz to require client side
> certificates, and where would I modify the forms sent to the client's
> browser so that it includes a JavaScript file that will support use of
> the client's private key to sign and encrypt the document/data
> submitted when the form's submit button is clicked? I guess this is
> two questions, the first being use/requirement for the client to
> supply a client side certificate, and the second involves modification
> of the interface so that data can be encrypted and signed.
>
> In due course, I may even need to alter the content displayed to the
> client depending on whether or not there is a client side certificate.
>
> Thanks
>
> Ted

-----
--
Coherent Software Australia Pty Ltd
http://www.coherentsoftware.com.au/

Bonsai ERP, the all-inclusive ERP system
http://www.bonsaierp.com.au/
--
View this message in context: http://ofbiz.135035.n4.nabble.com/Improving-OFBiz-security-tp4641462p4641485.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
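
Added example, not part of the original message or of the OFBiz project: a sketch of the Apache front end described in the reply, requiring a client certificate for every request before anything reaches OFBiz. The hostname, file paths and the AJP address of the OFBiz connector are assumptions; adjust them to the actual deployment.

```apache
# Added example. ofbiz.example.com, the /etc/ssl/example/ paths and the
# AJP target 127.0.0.1:8009 are placeholders / assumptions.
<VirtualHost *:443>
    ServerName ofbiz.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Only the CA that issues certificates to your own users belongs here.
    # Pointing this at a public CA bundle would admit any certificate
    # issued by any of those CAs.
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt

    # Refuse the TLS handshake unless the client presents a certificate
    # that chains to the CA above. Depth 1 = issued directly by that CA.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Avoid "optional_no_ca": it accepts certificates that do not verify,
    # so it provides no authentication on its own.

    # Hand authenticated requests to OFBiz (requires mod_proxy and
    # mod_proxy_ajp). OFBiz itself needs no certificate handling.
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>
```

With this in place the OFBiz connector should listen on the loopback interface only, so that the certificate check in Apache cannot be bypassed by connecting to OFBiz directly.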
