Cryptoapplet - a Java Applet that provides cryptography to Javascript

Cryptoapplet is a small (20 kB) and fast, invisible Java Applet that makes it possible to use functions provided by Java Cryptography Architecture in your Javascript code on a web page.

This applet enables Javascript programmers to use the reliable implementation of common cryptographic algorithms provided by Java, which includes password based encryption, public key cryptography and message signing, creation of new RSA key pairs, and hash functions like MD5 and SHA-1.

The applet is being developed and tested with Java 1.5 and Java 1.6 and has no external dependencies. In its default configuration the algorithms used don't require the "unlimited" Sun JCA policy files, which are often missing in default Java installations on Windows computers. New releases are tested with the latest versions of Firefox, Internet Explorer, Opera and Konqeuror.

Javascript API

General functions

• prepare() - call this method before any other methods
• getVersion() - return an integer indicating the version of the applet
• checkUnlimitedPolicy() - return true if the Java installation supports unlimited cryprography policy
• getLastException() - return the last exception caught by the Java code
• clearKeys() - unset all keys
• setPersistentString(name, str) - use the setStream() AppletContext method to persist a string for the duration of the session until the user closes the browser. Only this applet will be able to access the data. The total size limit is approx. 32 kB per applet. This works in Firefox and IE, but doesn't in Opera and Konqueror. More info here. This can with some care be used to store decrypted keys or passwords while the user's session is active, even when a web page is reloaded or changed. The implementation should internally keep the data in memory.
• getPersistentString(name) - use getStream() to read back the string stored by setPersistentString()

Password based encryption

The default algorithm is PBE with SHA-1 and DESede.

• encrypt(str, password) - encrypt str using password and return it hex encoded
• decrypt(hexStr, password) - decrypt hex encoded str using password

Hash functions

• md5(str) - return 32 bytes of hex encoded MD5 hash of str
• sha1(str) - return 40 bytes of hex encoded SHA-1 hash of str

Public key cryptography - message signing and encryption

The default algorithm is SHA-1 with RSA and 128-bit AES.

• setPrivateKey(hexKey, passPhrase) - use this hex encoded private key for further actions, passPhrase can be null
• encryptAndSign(str, hexRecipientPublicKey) - encrypt str using hexRecipientPublicKey, sign it using the current private key and return it hex encoded
• decryptAndCheckSignature(hexStr, hexSenderPublicKey) - check signature against hexSenderPublicKey and decrypt it using the current private key
• getSignature() - return the signature created by encryptAndSign() hex encoded
• setSignature(hexSig) - set hex encoded signature for decryptAndCheckSignature()

Key based message signatures

The default algorithm is SHA-1 with RSA.

• sign(msg) - return hex encoded RSA signature of msg, created with the current private key
• verify(msg, hexSig, hexPublicKey) - return boolean indicating the validity of signature hexSig

Public key generator

The keys are returned in the hex format expected by setPrivateKey() key. It is possible to protect the private key with a passphrase.

• generateKeys(size) - create a new RSA key pair with the specified key size
• getPublicKey() - return the new public key in the hex format
• getPrivateKey(passPhrase) - return the new private key in the hex format, passPhrase may be null

Notes

All data is passed around as Javascript Strings, which are then converted to Java Strings and finally to individual bytes using Java's String.getBytes("UTF-8") method. This means that passwords and passphrases that contain non-ASCII characters might not be portable if your web pages don't use utf-8. It's recommended that you use the utf-8 encoding on all your web pages that use this applet.

The functions report errors by returning either null or false.

Using the applet

The parameters are the default settings and can be omitted.

<applet name="crypto" code="name.styblo.cryptoapplet.CryptoApplet" 
        archive="cryptoapplet.jar" mayscript="true"
        width="0" height="0" >
<param name="debug" value="false" />
<param name="raiseExceptions" value="false" />
<param name="passwordCipher" value="PBEWithSHA1AndDESede" />
<param name="symCipherKeySize" value="128" />
     Required Java installation was not found, this Crypto Applet won't work.
</applet>
    
<script type="text/javascript">
<!--

alert(document.crypto.getVersion());
alert(document.crypto.md5("Hello World"));

// -->
</script>

Working example applications

These example forms do not send out any information and don't use any server backend, all the processing is performed on the client by the applet.

• hash.html - MD5 and SHA-1 hash functions
• crypt.html - password based encryption
• keygen.html - RSA key pair generator
• sign.html - RSA key signatures
• pubkey.html - public key cryptography

Download

• binary archive
• source archive

Author and license

This applet is free software available under the terms of the GNU GPL license.

Copyright 2009 Tomas Styblo