[rs-commit] r317 - in /rs-interop/trunk/src/site: resources/csr/ resources/csr/certenroll.js site.xml xhtml5/csr/ xhtml5/csr/index.xhtml5
Sun Mar 1 13:03:27 CET 2020
Author: minfrin at redwax.eu
Date: Sun Mar 1 13:03:26 2020
New Revision: 317
Log:
Add an interop for mod_csr / Microsoft CertEnroll.
Added:
rs-interop/trunk/src/site/resources/csr/
rs-interop/trunk/src/site/resources/csr/certenroll.js
rs-interop/trunk/src/site/xhtml5/csr/
rs-interop/trunk/src/site/xhtml5/csr/index.xhtml5
Modified:
rs-interop/trunk/src/site/site.xml
Added: rs-interop/trunk/src/site/resources/csr/certenroll.js
==============================================================================
--- rs-interop/trunk/src/site/resources/csr/certenroll.js (added)
+++ rs-interop/trunk/src/site/resources/csr/certenroll.js Sun Mar 1 13:03:26 2020
@@ -0,0 +1,116 @@
+/* make sure we can only submit once */
+document.getElementById('createform').addEventListener("submit", function certenroll(event) {
+
+ document.getElementById('submit').disabled = true;
+
+ try {
+ var objCSP = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformation");
+ var objCSPs = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformations");
+ var objPrivateKey = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509PrivateKey");
+ var objRequest = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
+ var objObjectIds = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectIds");
+ var objObjectId = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
+ var objX509ExtensionEnhancedKeyUsage = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
+ var objExtensionTemplate = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionTemplateName")
+ var objDn = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName")
+ var objObjectIdChallenge = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
+ var objX509ExtensionChallenge = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Extension");
+ var objEnroll = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
+
+ /* initialize the CSP using the desired Cryptograhic Service Provider */
+ objCSP.InitializeFromName("Microsoft Enhanced RSA and AES Cryptographic Provider");
+
+ /* add this CSP to the CSP collection */
+ objCSPs.Add(objCSP);
+
+ /* provide key container name, key length and key spec to the private key object */
+ //objPrivateKey.ContainerName = $('#name').val();
+ objPrivateKey.Length = parseInt($('#select-keysize-1 option:selected').val(),10);
+ objPrivateKey.KeySpec = 1; // AT_KEYEXCHANGE = 1
+ objPrivateKey.ProviderType = '24'; // XCN_PROV_RSA_AES = 24
+
+ /* provide the CSP collection object (in this case containing only 1 CSP object) */
+ /* to the private key object */
+ objPrivateKey.CspInformations = objCSPs;
+
+ /* initialize P10 based on private key */
+ objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // context user = 1
+
+ /* 1.3.6.1.5.5.7.3.2 Oid - extension */
+ objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
+ objObjectIds.Add(objObjectId);
+ objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
+ objRequest.X509Extensions.Add(objX509ExtensionEnhancedKeyUsage);
+
+ /* 1.3.6.1.5.5.7.3.3 Oid - extension */
+ //objExtensionTemplate.InitializeEncode("1.3.6.1.5.5.7.3.3");
+ //objRequest.X509Extensions.Add(objExtensionTemplate);
+
+ /* DN related stuff */
+ objDn.Encode("CN=" + document.getElementById('name').value, 0); // XCN_CERT_NAME_STR_NONE = 0
+ objRequest.Subject = objDn;
+
+ //objChallengeObjectId.InitializeFromName(CERTENROLL_OBJECTID.XCN_OID_RSA_challengePwd);
+ //objChallengeObjectId.InitializeFromValue("1.2.840.113549.1.9.7");
+
+ objObjectIdChallenge.InitializeFromValue("1.2.840.113549.1.9.7");
+ objX509ExtensionChallenge.Initialize(objObjectIdChallenge, 6, window.btoa('Hello, world')); // XCN_CRYPT_STRING_BASE64_ANY = 6
+ objRequest.X509Extensions.Add(objX509ExtensionChallenge);
+
+ /* enroll */
+ objEnroll.InitializeFromRequest(objRequest);
+ $("#pkcs10").val(objEnroll.CreateRequest(3)); // XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3
+
+ /* send the request */
+ var xhr = new XMLHttpRequest();
+
+ xhr.onerror = function() {
+ alert('A network error occcurred trying to contact the certificate authority. Click create to try again.');
+ document.getElementById('submit').disabled = false;
+ }
+
+ xhr.onload = function() {
+ if (xhr.status != 200) {
+ alert('The certificate authority responded with ' + xhr.status + ': ' + xhr.statusText); // e.g. 404: Not Found
+ document.getElementById('submit').disabled = false;
+ } else {
+ try {
+ var allow = 4; // AllowUntrustedRoot
+ objEnroll.InstallResponse(allow, xhr.response, 0, "");
+ }
+ catch (ex) {
+ console.log(ex);
+ }
+ document.getElementById('continue').disabled = false;
+ }
+ };
+
+ xhr.open('POST', window.location.pathname, true);
+ xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
+ xhr.setRequestHeader('Accept', 'application/pkcs7-mime');
+ xhr.responseType = 'text';
+ var formData = document.getElementById('createform').serialize();
+ console.log(formData);
+ xhr.send(formData);
+
+ return false;
+ }
+ catch (ex) {
+ console.log(ex);
+ if (ex instanceof TypeError) {
+ alert('Microsoft CertEnroll is not supported on this browser');
+ }
+ else {
+ alert(ex);
+ }
+
+ document.getElementById('submit').disabled = false;
+
+ event.preventDefault();
+
+ return false;
+ }
+
+ return true;
+});
+
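Review bot: `return false;` at the end of the try block does not cancel the native submit for a handler registered via addEventListener, so on the success path the browser still posts the form to its action while the XMLHttpRequest is in flight and the navigation can abandon the response; move `event.preventDefault();` to the first line of the handler so it covers both paths instead of only the catch branch. On the same path `document.getElementById('createform').serialize()` calls a method HTMLFormElement does not have (serialize() is jQuery's, on a jQuery object), so the TypeError lands in the outer catch and the user is wrongly told CertEnroll is unsupported; `var formData = $(document.getElementById('createform')).serialize();` keeps the jQuery style the file already uses for `$("#pkcs10")`, assuming jQuery is loaded by the site template, which the page does not show. Note that `$("#pkcs10").val(...)` and `$('#select-keysize-1 option:selected').val()` only have an effect if those elements exist in the form, otherwise the serialized body never contains the PKCS#10 and the key length becomes NaN. The `allow = 4` passed to InstallResponse installs a certificate chaining to a root the machine does not trust, which is presumably intended for this demo CA but deserves saying so, e.g. `var allow = 4; // AllowUntrustedRoot: interop demo CA; a real client should use AllowNone (0)`. The same listing is repeated verbatim inside index.xhtml5 in the next file, where all of the above applies equally.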
Modified: rs-interop/trunk/src/site/site.xml
==============================================================================
--- rs-interop/trunk/src/site/site.xml (original)
+++ rs-interop/trunk/src/site/site.xml Sun Mar 1 13:03:26 2020
@@ -23,6 +23,7 @@
<menu name="Demo/Interop">
<item name="About" href="https://interop.redwax.eu/rs/"/>
+ <item name="Certificate Sign Requests / Microsoft CertEnroll" href="https://interop.redwax.eu/rs/csr/"/>
<item name="Simple Certificate Enrollment Protocol" href="https://interop.redwax.eu/rs/scep/"/>
<item name="Time Stamp Protocol" href="https://interop.redwax.eu/rs/timestamp/"/>
</menu>
Added: rs-interop/trunk/src/site/xhtml5/csr/index.xhtml5
==============================================================================
--- rs-interop/trunk/src/site/xhtml5/csr/index.xhtml5 (added)
+++ rs-interop/trunk/src/site/xhtml5/csr/index.xhtml5 Sun Mar 1 13:03:26 2020
@@ -0,0 +1,297 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
+ <head>
+ <title>Certificate Sign Request Demo/Interop</title>
+ <meta name="description" content="Interoperate with the Redwax Certificate Sign Request module."/>
+ <link rel="canonical" href="https://interop.redwax.eu/rs/csr/"/>
+ </head>
+ <body>
+ <section class="spotlight style2 orient-right content-align-left image-position-left">
+ <div class="content null">
+ <h2>Certificate Sign Request Demo/Interop</h2>
+ <p>
+ Interoperate with the <a href="https://redwax.eu/rs/docs/latest/mod/mod_csr.html">Redwax Certificate Sign Request module</a>.
+ </p>
+ <p>
+ We have implemented a <a href="https://tools.ietf.org/html/rfc2986">
+ RFC2986 PKCS10 / Certificate Sign Request</a> endpoint that allows you to test your client
+ implementation against a Redwax Server.
+ </p>
+ <p>
+ This module allows you to work with a Microsoft CertEnroll certificate request
+ as implemented by Internet Explorer 11.
+ </p>
+ <p>
+ The code being run is the most up to date build from trunk/master in source
+ control, and is built and deployed automatically. The Redwax Interop server
+ is for testing purposes only.
+ </p>
+ </div>
+ <div class="image">
+ <img src="../images/candles-green.jpg" alt=""/>
+ </div>
+ </section>
+ <div class="none">
+ <section class="wrapper style1 align-center" id="introduction">
+ <div class="inner">
+ <h2>Certificate Sign Request Demo/Interop Server</h2>
+ <p>
+ When testing your Certificate Sign Request client implementation, use the following
+ details.
+ </p>
+ <div class="index align-left">
+ <section id="summary">
+ <header>
+ <h3>Summary</h3>
+ </header>
+ <div class="content">
+
+ <table>
+ <tbody>
+ <tr>
+ <td>Server URL</td>
+ <td>
+ <code>https://interop.redwax.eu<wbr />/test/csr</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Time Source</td>
+ <td>
+ <code>System Clock</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Serial Numbers</td>
+ <td>
+ <code>Random</code>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+
+ </div>
+ </section>
+ </div>
+ </div>
+ </section>
+ <section class="wrapper style1 align-center" id="integration">
+ <div class="inner">
+ <h2>Redwax Module Configuration</h2>
+ <p>
+ The following configuration is used to implement this
+ CSR endpoint. The configuration below is added to
+ a standard secure virtualhost Apache configuration, as
+ described
+ <a href="https://httpd.apache.org/docs/2.4/vhosts/name-based.html">here</a>.
+ </p>
+ <div class="index align-left">
+ <section>
+ <header>
+ <h3>
+ Configuration
+ </h3>
+ </header>
+ <div class="content">
+ <p>
+ Here we set the csr handler, and set the certificates and
+ keys to be used for signing the certificate.
+ </p>
+ <pre>
+<code><![CDATA[<IfModule !ca_module>
+ LoadModule ca_module /usr/lib64/httpd/modules/mod_ca.so
+</IfModule>
+<IfModule !ca_simple_module>
+ LoadModule ca_simple_module /usr/lib64/httpd/modules/mod_ca_simple.so
+</IfModule>
+<IfModule !csr_module>
+ LoadModule csr_module /usr/lib64/httpd/modules/mod_csr.so
+</IfModule>
+
+<Location /test/simple/csr>
+ Require all granted
+ SetHandler csr
+ CsrParamChallenge challenge
+ CsrSubjectRequest CN
+ CsrSubjectRequest O
+ CsrSubjectRequest C
+ CsrSubjectAltNameRequest rfc822Name
+</Location>
+]]></code>
+ </pre>
+ </div>
+ </section>
+ </div>
+ </div>
+ </section>
+ <section class="wrapper style1 align-center" id="directive-reference">
+ <div class="inner">
+ <h2>CertEnroll with Microsoft Internet Explorer 11</h2>
+ <p>
+ The following example form shows how to generate a request based on the
+ CertEnroll functionality in Internet Explorer 11.
+ </p>
+ <div class="index align-left">
+ <section>
+ <header>
+ <h3>Html Form</h3>
+ </header>
+ <div class="content">
+
+ <p>
+ To request a certificate be generated, submit the form below.
+ </p>
+
+ <form id="createform" method="POST" action="https://interop.redwax.eu/test/simple/csr">
+ <p>
+ <label>Enter a common name:</label>
+ <input type="text" name="subject-CN" id="name" placeholder="Common Name" value="" />
+ </p>
+ <p>
+ <button id="submit" type="submit">Create</button>
+ </p>
+
+ </form>
+
+ </div>
+ </section>
+ <section>
+ <header>
+ <h3>
+ Javascript
+ </h3>
+ </header>
+ <div class="content">
+ <p>
+ The javascript used to trigger the CertEnroll functionality can
+ be downloaded <a href="certenroll.js">here</a>, and is included
+ for reference below.
+ </p>
+ <pre>
+<code><![CDATA[/* make sure we can only submit once */
+document.getElementById('createform').addEventListener("submit", function certenroll(event) {
+
+ document.getElementById('submit').disabled = true;
+
+ try {
+ var objCSP = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformation");
+ var objCSPs = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformations");
+ var objPrivateKey = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509PrivateKey");
+ var objRequest = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
+ var objObjectIds = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectIds");
+ var objObjectId = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
+ var objX509ExtensionEnhancedKeyUsage = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
+ var objExtensionTemplate = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionTemplateName")
+ var objDn = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName")
+ var objObjectIdChallenge = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
+ var objX509ExtensionChallenge = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Extension");
+ var objEnroll = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
+
+ /* initialize the CSP using the desired Cryptograhic Service Provider */
+ objCSP.InitializeFromName("Microsoft Enhanced RSA and AES Cryptographic Provider");
+
+ /* add this CSP to the CSP collection */
+ objCSPs.Add(objCSP);
+
+ /* provide key container name, key length and key spec to the private key object */
+ //objPrivateKey.ContainerName = $('#name').val();
+ objPrivateKey.Length = parseInt($('#select-keysize-1 option:selected').val(),10);
+ objPrivateKey.KeySpec = 1; // AT_KEYEXCHANGE = 1
+ objPrivateKey.ProviderType = '24'; // XCN_PROV_RSA_AES = 24
+
+ /* provide the CSP collection object (in this case containing only 1 CSP object) */
+ /* to the private key object */
+ objPrivateKey.CspInformations = objCSPs;
+
+ /* initialize P10 based on private key */
+ objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // context user = 1
+
+ /* 1.3.6.1.5.5.7.3.2 Oid - extension */
+ objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
+ objObjectIds.Add(objObjectId);
+ objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
+ objRequest.X509Extensions.Add(objX509ExtensionEnhancedKeyUsage);
+
+ /* 1.3.6.1.5.5.7.3.3 Oid - extension */
+ //objExtensionTemplate.InitializeEncode("1.3.6.1.5.5.7.3.3");
+ //objRequest.X509Extensions.Add(objExtensionTemplate);
+
+ /* DN related stuff */
+ objDn.Encode("CN=" + document.getElementById('name').value, 0); // XCN_CERT_NAME_STR_NONE = 0
+ objRequest.Subject = objDn;
+
+ //objChallengeObjectId.InitializeFromName(CERTENROLL_OBJECTID.XCN_OID_RSA_challengePwd);
+ //objChallengeObjectId.InitializeFromValue("1.2.840.113549.1.9.7");
+
+ objObjectIdChallenge.InitializeFromValue("1.2.840.113549.1.9.7");
+ objX509ExtensionChallenge.Initialize(objObjectIdChallenge, 6, window.btoa('Hello, world')); // XCN_CRYPT_STRING_BASE64_ANY = 6
+ objRequest.X509Extensions.Add(objX509ExtensionChallenge);
+
+ /* enroll */
+ objEnroll.InitializeFromRequest(objRequest);
+ $("#pkcs10").val(objEnroll.CreateRequest(3)); // XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3
+
+ /* send the request */
+ var xhr = new XMLHttpRequest();
+
+ xhr.onerror = function() {
+ alert('A network error occcurred trying to contact the certificate authority. Click create to try again.');
+ document.getElementById('submit').disabled = false;
+ }
+
+ xhr.onload = function() {
+ if (xhr.status != 200) {
+ alert('The certificate authority responded with ' + xhr.status + ': ' + xhr.statusText); // e.g. 404: Not Found
+ document.getElementById('submit').disabled = false;
+ } else {
+ try {
+ var allow = 4; // AllowUntrustedRoot
+ objEnroll.InstallResponse(allow, xhr.response, 0, "");
+ }
+ catch (ex) {
+ console.log(ex);
+ }
+ document.getElementById('continue').disabled = false;
+ }
+ };
+
+ xhr.open('POST', window.location.pathname, true);
+ xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
+ xhr.setRequestHeader('Accept', 'application/pkcs7-mime');
+ xhr.responseType = 'text';
+ var formData = document.getElementById('createform').serialize();
+ console.log(formData);
+ xhr.send(formData);
+
+ return false;
+ }
+ catch (ex) {
+ console.log(ex);
+ if (ex instanceof TypeError) {
+ alert('Microsoft CertEnroll is not supported on this browser');
+ }
+ else {
+ alert(ex);
+ }
+
+ document.getElementById('submit').disabled = false;
+
+ event.preventDefault();
+
+ return false;
+ }
+
+ return true;
+});
+
+]]></code>
+ </pre>
+ </div>
+ </section>
+ </div>
+ </div>
+ </section>
+ </div>
+ <script src="certenroll.js"></script>
+ </body>
+</html>
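Review bot: The form on this page does not contain the elements the script it loads expects: there is no `select-keysize-1` select (so the key length read from it is undefined, parsed to NaN), no `pkcs10` field to receive the encoded request, and no `continue` button to enable afterwards, so the submitted body cannot carry the PKCS#10. The summary table states the Server URL as `/test/csr` while the form action and the `<Location>` block both use `/test/simple/csr`; one of the two should be corrected so readers test against the documented endpoint. The configuration declares `CsrParamChallenge challenge` but the form has no `challenge` input, and the script instead hardcodes the challenge password extension from `Hello, world`; a sentence under the form naming the parameters the endpoint actually reads (`subject-CN`, `challenge`) would remove the ambiguity. A short note that CertEnroll requires the ActiveX-capable Internet Explorer 11 and that other browsers will hit the "not supported" alert would also help, since the page only says the demo is "as implemented by Internet Explorer 11".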