我正在尝试使用 javascript 在客户端为 PKCS#10 证书请求创建签名的 PKCS#7 消息。
PKCS#10 上有很好的例子:http: //blogs.msdn.com/b/alejacma/archive/2009/01/28/how-to-create-a-certificate-request-with-certenroll-javascript.aspx
但我需要创建 PKCS#7 并且无法弄清楚如何去做。CertEnroll 的官方文档中缺少示例(实际上根本没有):http: //msdn.microsoft.com/en-us/library/windows/desktop/aa374850 (v=vs.85).aspx
我最终得到了这段代码:
var XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3;
var XCN_CERT_NAME_STR_NONE = 0;
var _certEnrollClassFactory = new ActiveXObject("X509Enrollment.CX509EnrollmentWebClassFactory");
ComposePKCS10Request: function (containerName, subject)
{
// PKCS #10 certificate request
var objRequest = _certEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
var objCSP = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformation");
var objCSPs = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformations");
// Initialize the csp object using the desired Cryptograhic Service Provider (CSP)
objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");
// Add this CSP object to the CSP collection object
objCSPs.Add(objCSP);
// asymmetric private key that can be used for encryption, signing, and key agreement.
var objPrivateKey = _certEnrollClassFactory.CreateObject("X509Enrollment.CX509PrivateKey");
// Provide key container name, key length and key spec to the private key object
objPrivateKey.ContainerName = containerName;
//objPrivateKey.Length = 1024;
objPrivateKey.KeySpec = 1; // AT_KEYEXCHANGE = 1
// Provide the CSP collection object (in this case containing only 1 CSP object)
// to the private key object
objPrivateKey.CspInformations = objCSPs;
// Initialize P10 based on private key
objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // context user = 1
// X.500 distinguished name (DN)
// The DN consists of a sequence of relative distinguished names (RDNs). Each RDN consists of a set of attributes,
// and each attribute consists of an object identifier (OID) and a value. The data type of the value is identified
// by the DirectoryString structure.
var objDn = _certEnrollClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName");
// DN related stuff
objDn.Encode(subject, XCN_CERT_NAME_STR_NONE);
objRequest.Subject = objDn;
return objRequest;
}
CreatePKCS7: function (containerName, subject)
{
// PKCS #7 certificate request
var objPKCS7Request = _certEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs7");
// initialize PKCS #7 certificate request by PKCS #10 certificate request
objPKCS7Request.InitializeFromInnerRequest(this.ComposePKCS10Request(containerName, subject));
var objSignerCert = _certEnrollClassFactory.CreateObject("X509Enrollment.CSignerCertificate");
var verifyType = 4; /* VerifyAllowUI, see typedef enum X509PrivateKeyVerify */
var encodingType = 0x3; /* see typedef enum EncodingType */
/**********************************************************************/
/* I have to provide certificate here??? How can I obtain it from UI? */
/**********************************************************************/
var strCertificate = '?????????????????????';
objSignerCert.Initialize(false, verifyType, encodingType, strCertificate);
/*****************************************************************************/
/* Also I'm not shure that SignerCertificate can be accessed via javascript. */
/*****************************************************************************/
objPKCS7Request.SignerCertificate = objSignerCert;
// represents the top level object and enables you to enroll in a certificate hierarchy and install a certificate response
var objEnroll = _certEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment");
// Enroll
objEnroll.InitializeFromRequest(objPKCS7Request);
var pkcs7;
try
{
pkcs7 = objEnroll.CreateRequest(XCN_CRYPT_STRING_BASE64REQUESTHEADER);
}
catch (e)
{
...
}
return pkcs7;
}
有没有办法用 javascript 创建 PKCS#7 消息?
更新:我已经收到了 PKCS#10 证书请求(请参阅代码示例中的第一个函数)并且需要为其创建 PKCS#7 签名消息。好的,我解释一下我的问题。如何使用 javascript 创建签名的 PKCS#7 消息?(理想情况下,它应该允许使用 UI 指定适当的证书。)
至于 javascript,我知道这不是方便的方式,但很合适,因为我必须在客户端(在浏览器中)处理它。此外,cert注册IX509CertificateRequestPkcs7接口有标记为[WebEnabled]的方法,所以我相信一定有办法做到我所说的。