- From: bergi <bergi@axolotlfarm.org>
- Date: Tue, 06 Dec 2011 00:04:56 +0100
- To: WebID XG <public-xg-webid@w3.org>

Internet Explorer doesn't support the keygen element out of the box. The only way to generate a certificate request in the browser is the X509Enrollment ActiveX component. I've written some JavaScript code which brings nearly full keygen compatibility to IE. It's based on IEKeygen.js, which Bruno Harbulot wrote for Clerezza, but it's a little bit more generic.

What must be changed: It should require just a conditional include on the client side:

    <!--[if IE]>
    <script type="text/javascript" src="explorer-keygen.js"></script>
    <![endif]-->

On the server side PKCS10 support must be added, which is in our case more or less just a different packaging of the public key. I'm using OpenSSL in my PHP code. If you look at the functions buildCertificateSpkac and buildCertificatePkcs10 in OpenSslCertificateBuilder.php you will see it's nearly the same code.

The drawback of this solution: Microsoft doesn't trust its own ActiveX components. This means the page must be in the trusted zone or the user has to change the "initialization of untrusted ActiveX components" setting from disabled to ask.

A little bit more in detail what the JavaScript code does: On page load it searches for a keygen element and adds a combobox for the key length selection after the keygen element to the DOM. The key length will be written to the keylength attribute in the keygen element. Also the action attribute in the form element gets renamed to ekaction to avoid submitting the form. The submit button is replaced with another button that calls some JavaScript code. If the newly created button is pressed, the JavaScript code will call the ActiveX component and create a new certificate signing request. For the CSR a new hidden input field will be created. The jQuery .serialize() function is used to get the form data in www-form-urlencoded format and Ajax is used to send the data to the server. Then the response is forwarded to the ActiveX component. And finally the certificate is installed in the Windows Keystore.

The JavaScript code is MIT licensed, the PHP code GPL 3. Link to the SVN repo: https://www.axolotlfarm.org/svn/bergi/bergnet/php/certbuilder/trunk/
Received on Monday, 5 December 2011 23:05:44 UTC
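
The remark in the message that PKCS10 is "more or less just a different packaging of the public key" can be checked on the server side. The following Node.js sketch is an added example, not part of the original message or of the certbuilder code: it pulls the SubjectPublicKeyInfo out of either packaging and verifies the request's self-signature, which shows that the requester holds the private key. Helper names are hypothetical, the sample requests are constructed, and SHA-256 with RSA is assumed.

```javascript
// Added example: helper names are hypothetical and the sample requests are constructed.
const crypto = require('crypto');
// Minimal DER encoder, used only to build the constructed samples.
function der(tag, ...parts) {
  const body = Buffer.concat(parts), n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}
// Content bytes of the DER element at the start of buf; rejects truncated input.
function content(buf) {
  const k = buf[1] > 0x80 ? buf[1] & 0x7f : 0;
  const n = k ? buf.readUIntBE(2, k) : buf[1];
  if (buf.length < 2 || buf[1] === 0x80 || 2 + k + n > buf.length) throw new RangeError('bad DER');
  return buf.subarray(2 + k, 2 + k + n);
}

// Child elements (headers included) of a constructed DER element.
function children(buf) {
  const body = content(buf), out = [];
  for (let off = 0; off < body.length;) {
    const rest = body.subarray(off), c = content(rest);
    const size = c.byteOffset - rest.byteOffset + c.length;
    out.push(rest.subarray(0, size));
    off += size;
  }
  return out;
}

// SPKAC:   SEQUENCE { SEQUENCE { spki, challenge },               sigAlg, signature }
// PKCS#10: SEQUENCE { SEQUENCE { version, subject, spki, attrs }, sigAlg, signature }
// Assumption: SHA-256 with RSA; a real server would take the hash from sigAlg.
function inspectRequest(reqDer, format) {
  const [tbs, , sigBits] = children(reqDer);
  const spki = children(tbs)[format === 'spkac' ? 0 : 2];
  const key = crypto.createPublicKey({ key: spki, format: 'der', type: 'spki' });
  const sig = content(sigBits).subarray(1); // skip the BIT STRING unused-bits octet
  return { spki, signatureOk: crypto.verify('sha256', tbs, key, sig) };
}

// Constructed sample request in either packaging, signed with the given key pair.
function sampleRequest(format, { publicKey, privateKey }) {
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  const tbs = format === 'spkac'
    ? der(0x30, spki, der(0x16, Buffer.from('constructed-challenge')))
    : der(0x30, der(0x02, Buffer.from([0])), der(0x30), spki, der(0xa0));
  const alg = der(0x30, der(0x06, Buffer.from('2a864886f70d01010b', 'hex')), der(0x05));
  const sig = crypto.sign('sha256', tbs, privateKey);
  return der(0x30, tbs, alg, der(0x03, Buffer.from([0]), sig));
}
```

Both packagings built from one key pair yield byte-identical SubjectPublicKeyInfo; only the signed wrapper around it differs.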