具有X509证书和智能卡的Web签名

时间:2018-07-03 11:50:46

标签: web x509certificate smartcard fortify

已解决

我正在尝试向我的Web应用程序添加签名功能。

签名必须使用智能卡进行。因此,在很多地方搜索后,我发现了 webcrypto-socket https://peculiarventures.github.io/webcrypto-local/docs/)-Webcrypto套接字模块实现了Crypto接口,并使用 Fortify 应用程序进行了加密实现。

然后,我可以登录我的应用程序,但是它生成的签名不是有效的PKCS签名,它仅返回签名哈希,而没有公共证书。

我的代码基于以下示例:https://peculiarventures.github.io/fortify-examples/example5.html

此外,欢迎对webcrypto-socket和设防发表评论!

我正在做这样的事情,其中​​提供者和证书按照强化建议进行填充:

function sign() {
    var provider;
    var cert;
    Promise.resolve()
        .then(function () {
            var providerID = document.getElementById("providers").value;
            return ws.getCrypto(providerID)
        })
        .then(function (crypto) {
            provider = crypto;

          setEngine('subtle', crypto, 
    new CryptoEngine({ name: 'subtle', crypto: crypto, subtle: crypto.subtle }));

            return GetCertificate(provider,
                document.getElementById("certificates").value);
        })
        .then(function (certificate) {
            cert = certificate;
            return GetCertificateKey("private", provider,
                document.getElementById("certificates").value);
        })
        .then(function (key) {
            if (!key) {
                throw new Error("Certificate doesn't have private key");
            }

            var textToSignElement = document.getElementById("textToSign");
            var signatureResultElement = 
                document.getElementById("signatureResult");
            signDataElement(textToSignElement, signatureResultElement, 
                cert, key, provider);

        })
}

function signDataElement(textToSignElement, signatureResultElement, 
    key, cert, provider) {
    var message = pvtsutils.Convert.FromBase64(hashElement.value);
    var hashAlg = key.algorithm.hash.name;
    var sequence = Promise.resolve();
    sequence = sequence.then(() => provider.subtle.digest({ name: hashAlg },
        new Uint8Array(message)));
    var cmsSignedSimpl = null;
    var messHex = null;
    var certRaw = null;

    sequence = sequence.then(function (res) {
        messHex = res;
        return GetCertificateAsPEM(provider, cert);
    });

    //region Combine all signed extensions
    sequence = sequence.then(result => {
        certRaw = result;
        var signedAttr = [];

        signedAttr.push(new Attribute({
            type: "1.2.840.113549.1.9.3",
            values: [new ObjectIdentifier({ value: "1.2.840.113549.1.7.1" })]
        })); // contentType

        signedAttr.push(new Attribute({
            type: "1.2.840.113549.1.9.5",
            values: [new UTCTime({ valueDate: new Date() })]
        })); // signingTime

        signedAttr.push(new Attribute({
            type: "1.2.840.113549.1.9.4",
            values: [new OctetString({ valueHex: messHex})]
        })); // messageDigest

        return signedAttr;
    });

    sequence = sequence.then(signedAttr => {
        var asn1 = fromBER(PemToDer(certRaw));
        var newCert = new Certificate({ schema: asn1.result });

        newCert.issuer.typesAndValues.push(new AttributeTypeAndValue({
            type: "2.5.4.3", // Common name
            value: new BmpString({ value: cert.issuerName })
        }));
        cmsSignedSimpl = new SignedData({
            version: 1,
            encapContentInfo: new EncapsulatedContentInfo({
                eContentType: "1.2.840.113549.1.7.1" // "data" content type
            }),
            signerInfos: [new SignerInfo({
                version: 1,
                sid: new IssuerAndSerialNumber({
                    issuer: newCert.issuer,
                    serialNumber: newCert.serialNumber
                }),
                signedAttrs: new SignedAndUnsignedAttributes({
                    type: 0,
                    attributes: signedAttr
                })
            })],
            certificates: [newCert]
        });
        return cmsSignedSimpl.sign(key, 0, hashAlg, message)
    });

    sequence = sequence.then(() => {
        var cmsSignedSchema = cmsSignedSimpl.toSchema(true);

        var cmsContentSimp = new ContentInfo({
            contentType: "1.2.840.113549.1.7.2",
            content: cmsSignedSchema
        });

        var _cmsSignedSchema = cmsContentSimp.toSchema();

        //region Make length of some elements in "indefinite form"
        _cmsSignedSchema.lenBlock.isIndefiniteForm = true;

        var block1 = _cmsSignedSchema.valueBlock.value[1];
        block1.lenBlock.isIndefiniteForm = true;

        var block2 = block1.valueBlock.value[0];
        block2.lenBlock.isIndefiniteForm = true;

        //endregion

       return _cmsSignedSchema.toBER(false);
    }, error => Promise.reject(`Erorr during signing of CMS Signed Data: ${error}`));

    sequence.then((certificateBuffer) => {
        var certSimplString = String.fromCharCode.apply(null, 
            new Uint8Array(certificateBuffer));

        signatureElement.value = formatPEM(window.btoa(certSimplString));

        alert("Certificate created successfully!");
    })

    return sequence;
}

function GetCertificate(provider, certID) {
    var certID;
    return provider.certStorage.getItem(certID)
        .then(function (cert) {
            return cert;
        });
}

function GetCertificateAsPEM(provider, cert) {
    return provider.certStorage.exportCert('PEM', cert);
}

signDataElement 基于https://pkijs.org/examples/CMSSigned_complex_example.html

1 个答案:

答案 0 :(得分:2)

我们将汉考克(https://fortifyapp.com)中的Fortify(https://hancock.ink)与PKIjs(https://pkijs.org)和CAdESjs(https://github.com/PeculiarVentures/CAdES.js)结合使用来创建CMS签名。

您可以在https://pkijs.org/examples/CMSSigned_complex_example.html

上看到基于PKIjs的JS基本CMS示例。

您将需要向我们提供您正在做的事的示例,我们可以告诉您您需要做些不同的事情。

瑞安

相关问题
最新问题