如何使用JavaScript创建签名的PKCS#7消息?
作者:互联网
我正在尝试使用JavaScript在客户端上为PKCS#10认证请求创建签名的PKCS#7消息.
PKCS#10上有很好的示例:http://blogs.msdn.com/b/alejacma/archive/2009/01/28/how-to-create-a-certificate-request-with-certenroll-javascript.aspx
但是我需要创建PKCS#7,但无法弄清楚该怎么做. CertEnroll的官方文档中缺少示例(实际上根本没有示例):http://msdn.microsoft.com/en-us/library/windows/desktop/aa374850(v=vs.85).aspx
我最终得到了以下代码:
var XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3;
var XCN_CERT_NAME_STR_NONE = 0;
var _certEnrollClassFactory = new ActiveXObject("X509Enrollment.CX509EnrollmentWebClassFactory");
ComposePKCS10Request: function (containerName, subject)
{
// PKCS #10 certificate request
var objRequest = _certEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
var objCSP = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformation");
var objCSPs = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformations");
// Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");
// Add this CSP object to the CSP collection object
objCSPs.Add(objCSP);
// asymmetric private key that can be used for encryption, signing, and key agreement.
var objPrivateKey = _certEnrollClassFactory.CreateObject("X509Enrollment.CX509PrivateKey");
// Provide key container name, key length and key spec to the private key object
objPrivateKey.ContainerName = containerName;
//objPrivateKey.Length = 1024;
objPrivateKey.KeySpec = 1; // AT_KEYEXCHANGE = 1
// Provide the CSP collection object (in this case containing only 1 CSP object)
// to the private key object
objPrivateKey.CspInformations = objCSPs;
// Initialize P10 based on private key
objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // context user = 1
// X.500 distinguished name (DN)
// The DN consists of a sequence of relative distinguished names (RDNs). Each RDN consists of a set of attributes,
// and each attribute consists of an object identifier (OID) and a value. The data type of the value is identified
// by the DirectoryString structure.
var objDn = _certEnrollClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName");
// DN related stuff
objDn.Encode(subject, XCN_CERT_NAME_STR_NONE);
objRequest.Subject = objDn;
return objRequest;
}
CreatePKCS7: function (containerName, subject)
{
// PKCS #7 certificate request
var objPKCS7Request = _certEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs7");
// initialize PKCS #7 certificate request by PKCS #10 certificate request
objPKCS7Request.InitializeFromInnerRequest(this.ComposePKCS10Request(containerName, subject));
var objSignerCert = _certEnrollClassFactory.CreateObject("X509Enrollment.CSignerCertificate");
var verifyType = 4; /* VerifyAllowUI, see typedef enum X509PrivateKeyVerify */
var encodingType = 0x3; /* see typedef enum EncodingType */
/**********************************************************************/
/* I have to provide certificate here??? How can I obtain it from UI? */
/**********************************************************************/
var strCertificate = '?????????????????????';
objSignerCert.Initialize(false, verifyType, encodingType, strCertificate);
/*****************************************************************************/
/* Also I'm not shure that SignerCertificate can be accessed via javascript. */
/*****************************************************************************/
objPKCS7Request.SignerCertificate = objSignerCert;
// represents the top level object and enables you to enroll in a certificate hierarchy and install a certificate response
var objEnroll = _certEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment");
// Enroll
objEnroll.InitializeFromRequest(objPKCS7Request);
var pkcs7;
try
{
pkcs7 = objEnroll.CreateRequest(XCN_CRYPT_STRING_BASE64REQUESTHEADER);
}
catch (e)
{
...
}
return pkcs7;
}
有没有办法用javascript创建PKCS#7消息?
更新:我已经有PKCS#10证书请求(请参阅代码示例中的第一个函数),并且需要为其创建PKCS#7签名消息.好吧,我解释我的问题.如何使用JavaScript创建签名的PKCS#7消息? (理想情况下,它应该允许使用UI指定适当的证书.)
至于javascript,我知道这不是方便的方法,但是很合适,因为我必须在客户端(在浏览器中)处理它.此外,证书注册IX509CertificateRequestPkcs7接口具有标记为[WebEnabled]的方法,因此我相信必须有做我声明的方法.
解决方法:
您可以使用Forge在纯JS中执行PKCS#7和PKCS#10(可在浏览器或node.js中使用):
https://github.com/digitalbazaar/forge#pkcs7
https://github.com/digitalbazaar/forge#pkcs10
标签:cryptography,pkcs7,certenroll,javascript 来源: https://codeday.me/bug/20191031/1977346.html