
Re: ExplorerKeygen - keygen element for IE

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 6 Dec 2011 10:42:16 +0100
Message-Id: <D2C7730D-D212-46BF-984A-BAD4EFA6A600@bblfish.net>
To: bergi <bergi@axolotlfarm.org>, WebID XG <public-xg-webid@w3.org>
Great work Bergi!

Were you able to create a certificate with this from Internet Explorer and then
log into fcns.eu? Peter Williams declared this was impossible to do last week.

I think you should definitely copy and paste this e-mail into a wiki page
linked to from our new HOWTO page. This looks like the place to do it from

http://www.w3.org/2005/Incubator/webid/wiki/Creating_Certificates



On 6 Dec 2011, at 00:04, bergi wrote:

> Internet Explorer doesn't support the keygen element out of the box. The
> only way to generate certificate request in the browser is the
> X509Enrollment ActiveX component. I've written some JavaScript code
> which brings nearly full keygen compatibility to IE. It's based on
> IEKeygen.js Bruno Harbulot wrote for Clerezza, but it's a little bit
> more generic.

very nice.

> 
> What must be changed:
> It should require just a conditional include on the client side:
> <!--[if IE]>
>  <script type="text/javascript" src="explorer-keygen.js"></script>
> <![endif]-->
> On the server side PKCS10 support must be added, which is in our case
> more or less just a different packaging of the public key. I'm using
> OpenSSL in my PHP code. If you look at the function
> buildCertificateSpkac and buildCertificatePkcs10 in
> OpenSslCertificateBuilder.php you will see it's nearly the same code.
> 
> The drawback of this solution:
> Microsoft doesn't trust its own ActiveX components. This means the
> page must be in the trusted zone or the user has to change
> initialization of untrusted ActiveX components settings from disabled to
> ask.

I think this is the case for Windows 7 only. I think I tried this a
year ago on some other Windows and it did not ask me for all this.
It will be interesting to have people try this out themselves, and 
send us feedback.

> 
> A little bit more in detail what the JavaScript code does:
> On page load it searches for a keygen element and adds a combobox for
> the key length selection after the keygen element to the DOM. The key
> length will be written to the keylength attribute in the keygen element.

I suppose that is to imitate the way keygen works. I did not check but
does keygen really send the key length in the form to the server, or is
it not just used to create the public key?

> Also the action attribute in the form element gets renamed to ekaction
> to avoid submitting the form. The submit button is replaced with another
> button that calls some JavaScript code. If the newly created button is
> pressed, the JavaScript code will call the ActiveX component and create
> a new certificate signing request. For the CSR a new hidden input field
> will be created. The jQuery .serialize() function is used to get the
> form data in www-form-urlencoded format and Ajax is used to send the
> data to the server. Then the response is forwarded to the ActiveX
> component. And finally the certificate is installed in the Windows Keystore.

very nice!


> 
> The JavaScript code is MIT licensed, the PHP code GPL 3.



> 
> Link to the SVN repo:
> https://www.axolotlfarm.org/svn/bergi/bergnet/php/certbuilder/trunk/
> 

Social Web Architect
http://bblfish.net/
Received on Tuesday, 6 December 2011 09:42:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 6 December 2011 09:43:00 GMT