Signing over web (X509)


I am developing an ASP.NET application. This application generates hash codes which I need the user to sign with his private key from an X509 certificate stored on a smart card or USB token.
I have seen sites on the net and have read articles about authentication with client certificates. My situation is a bit different. Basically the workflow would be like this:
1. User comes to a page, fills in some fields and presses "next"
2. Server (ASP.NET application) makes some calculations and shows user the resulting hash on a next page
3. When the user presses the "sign" button next to the hash code, the browser pops up a window for selecting a certificate, asks for the password to access the certificate's private data (for signing), signs the hash and sends the signed hash back to the server

In particular, I have no idea how to achieve everything past the user pressing the "sign" button. So the questions are:
1. Is it possible to do this at all?
2. Is it possible to do this without any browser addons/plugins/activex?
3. Any thoughts, links, articles, technology names?


Paranormastic (Cryptographic Engineer) commented:
This should be possible, but would require ActiveX or Java since you would need to access the user's certificate store - keeping in mind that Java maintains its own certificate store. The smart card should be less of an issue - you just need to contact the OS cryptographic API and that will talk to the smart card vendor's middleware, which will talk to the card. Look into MS-CAPI (CryptoAPI) for 2000/XP/2003, and CAPI2 for Vista/2008. Also look into CAPICOM for some calls you can make from VB or C#.

ActiveX plugins are probably the easiest, but Java can be used for a zero-footprint method. Here's a proof of concept for the Java method from Vasco (an industry leader in their tiny niche):

Here is another product that might be more relevant to what you want to do:

You might try searching for 'e-signatures' (but not or 'digital signatures website customer', etc.) and go from there. Look for advertisements - these will probably be your more relevant hits in this area, as there will be a lot of articles saying it's a good idea to use digital signatures without telling you how to go about it.
