我正在Internet Explorer 11中使用Certenroll创建PKCS10证书签名请求,以发送给证书颁发机构。
我需要将ChallengePassword属性(OID 1.2.840.113549.1.9.7)添加到生成的CSR中,而我正在努力确定确切的代码来做到这一点。
我尝试创建X509Enrollment.CX509Extension并将其添加到CSR,但是在尝试将值分配给扩展名时代码失败:
objX509ExtensionChallenge.Initialize(objObjectIdChallenge, 16, "Test"); // XCN_CRYPT_STRING_TEXT = 16
,出现以下错误:
CertEnroll::CX509Extension::Initialize: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)"
A,我没有被告知三个参数中的哪个无效,或者是什么导致该参数不正确。
代码如下:
var objCSP = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformation");
var objCSPs = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformations");
var objPrivateKey = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509PrivateKey");
var objRequest = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
var objObjectIds = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectIds");
var objObjectId = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
var objX509ExtensionEnhancedKeyUsage = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
var objExtensionTemplate = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionTemplateName")
var objDn = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName")
var objObjectIdChallenge = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
var objX509ExtensionChallenge = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Extension");
var objEnroll = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
/* initialize the CSP using the desired Cryptograhic Service Provider */
objCSP.InitializeFromName("Microsoft Enhanced RSA and AES Cryptographic Provider");
/* add this CSP to the CSP collection */
objCSPs.Add(objCSP);
/* provide key container name, key length and key spec to the private key object */
//objPrivateKey.ContainerName = $('#name').val();
objPrivateKey.Length = $('#keylength').val();
objPrivateKey.KeySpec = 1; // AT_KEYEXCHANGE = 1
objPrivateKey.ProviderType = '24'; // XCN_PROV_RSA_AES = 24
/* provide the CSP collection object (in this case containing only 1 CSP object) */
/* to the private key object */
objPrivateKey.CspInformations = objCSPs;
/* initialize P10 based on private key */
objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // context user = 1
/* 1.3.6.1.5.5.7.3.2 Oid - extension */
objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
objObjectIds.Add(objObjectId);
objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
objRequest.X509Extensions.Add(objX509ExtensionEnhancedKeyUsage);
/* 1.3.6.1.5.5.7.3.3 Oid - extension */
//objExtensionTemplate.InitializeEncode("1.3.6.1.5.5.7.3.3");
//objRequest.X509Extensions.Add(objExtensionTemplate);
/* DN related stuff */
objDn.Encode("CN=" + $('#name').val(), 0); // XCN_CERT_NAME_STR_NONE = 0
objRequest.Subject = objDn;
//objChallengeObjectId.InitializeFromName(CERTENROLL_OBJECTID.XCN_OID_RSA_challengePwd);
//objChallengeObjectId.InitializeFromValue("1.2.840.113549.1.9.7");
objObjectIdChallenge.InitializeFromValue("1.2.840.113549.1.9.7");
// ----- we fail here -----vvvv
objX509ExtensionChallenge.Initialize(objObjectIdChallenge, 16, "Test"); // XCN_CRYPT_STRING_TEXT = 16
objRequest.X509Extensions.Add(objX509ExtensionChallenge);
/* enroll */
objEnroll.InitializeFromRequest(objRequest);
$("#pkcs10").val(objEnroll.CreateRequest(3)); // XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3
有人可以在objX509ExtensionChallenge.Initialize()调用中确认我做错了什么吗?
编辑1:
按如下所示更改代码可以避免无效的参数错误,但是结果CSR中没有1.2.840.113549.1.9.7 OID:
objObjectIdChallenge.InitializeFromValue("1.2.840.113549.1.9.7");
objX509ExtensionChallenge.Initialize(objObjectIdChallenge, 6, window.btoa('Hello, world')); // XCN_CRYPT_STRING_BASE64_ANY = 6
objRequest.X509Extensions.Add(objX509ExtensionChallenge);
生成的证书请求如下:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=Test1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b6:c3:95:a4:89:81:97:1c:5c:6c:9c:e6:53:a8:
11:37:7e:0e:b7:1b:f9:a7:25:54:5b:1d:c9:15:38:
6c:81:1e:1a:11:8f:34:e8:65:ac:8e:e5:76:e3:9b:
ff:d1:ab:af:1d:31:66:a3:71:db:04:5b:88:c6:b0:
1f:84:8e:88:9d:63:25:e9:cb:b7:3a:3d:35:08:5a:
b1:d1:1e:f7:ba:08:1f:42:d9:b6:73:12:47:99:5f:
56:55:9c:fa:cd:ba:ba:fb:ca:9e:57:a3:79:d2:96:
e8:ac:cc:0e:05:ab:04:bf:91:c2:9a:7d:59:b6:33:
0e:e0:ea:89:c5:b8:83:19:cd
Exponent: 65537 (0x10001)
Attributes:
1.3.6.1.4.1.311.13.2.3 :10.0.17134.2
1.3.6.1.4.1.311.21.20 :unable to print attribute
1.3.6.1.4.1.311.13.2.2 :unable to print attribute
Requested Extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Key Identifier:
C8:CC:FE:D9:28:AB:DD:CD:EE:70:88:AB:33:8B:58:22:51:AA:63:C3
X509v3 Key Usage: critical
Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
74:29:c8:79:74:1d:64:be:2a:ce:c6:0c:91:f1:36:70:c5:42:
15:c0:60:13:ba:64:ff:e3:f1:fc:fa:8d:55:5e:7a:0a:6e:96:
2d:bf:6b:69:6e:1b:57:cb:55:cb:f9:c7:63:de:85:be:51:d0:
32:94:88:05:49:44:72:6c:81:ba:28:35:b3:4a:55:db:1d:06:
5d:1a:5d:88:cf:48:0c:5e:91:22:ae:9f:76:5c:b6:9c:00:7b:
4d:f5:60:06:c3:5c:59:b5:43:27:d8:76:ff:85:c3:09:46:c7:
a4:0a:6a:09:ca:45:37:f7:bd:07:4b:22:bb:33:e7:bd:25:23:
13:82
答案 0 :(得分:0)
请检查CX509ExtensionClass.Initialize(CObjectId, EncodingType, String) Method:
public virtual void Initialize (Microsoft.Hpc.Scheduler.Store.CObjectId pObjectId, Microsoft.Hpc.Scheduler.Store.EncodingType Encoding, string strEncodedData);
从本文中,我们可以看到EncodingType不包含“ XCN_CRYPT_STRING_TEXT”,您可以尝试使用“ XCN_CRYPT_STRING_ANY”。此外,请检查第三个参数,它是一个编码的字符串数据。
这里是related thread,您可以参考它。
答案 1 :(得分:0)
根据以下链接,ChallengePassword不包含在PKCS10的受支持属性和扩展中:
https://docs.microsoft.com/en-us/windows/desktop/seccertenroll/supported-attributes https://docs.microsoft.com/en-us/windows/desktop/seccertenroll/supported-extensions
此OID不会出现在如下示例请求中:
https://docs.microsoft.com/en-us/windows/desktop/seccertenroll/pkcs--10-request
答案 2 :(得分:0)
您可以在certenroll.dll中尝试IX509CertificateRequestPkcs10V3 interface。
我相信您的特定问题是'challengePassword'不是作为X509扩展属性添加的,而是作为PKCS#10结构的直接属性添加的。 X509证书扩展是PKCS#10证书请求的特定“ extensionRequest”属性。因此,您可以尝试使用IX509Attribute接口来代替IX509Extension接口。
抱歉,但是我不知道从IE11中的Javascript访问这些接口的详细信息。