On Mar 30, 12:53 pm, Anders Rundgren <anders.rundg...@telia.com> wrote:
> It might be interesting to note how this works in MSIE since few
> CAs can completely ignore MSIE even if they wanted to:
>
> "<keygen>" a la Microsoft:
>
> It starts by the poor user trying to get the enroll ActiveX object
> to run *by reducing security until it starts*.
> Most people fail already at this stage.
>
We actually got it to work without the user having to lower the
security. The trick is to push the factory classes with their object
IDs onto the page as objects. So if you declare an object like this:

  <object classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"
          id="classFactory" height="0" width="0"></object>

on your enrollment page, you automagically have a classFactory in
JavaScript without any security level changes.

I'm not claiming that Microsoft's API is nice; atrocities include such
things as

  var hashObjID = classFactory.CreateObject("X509Enrollment.CObjectId");
  hashObjID.InitializeFromName("89");
  objRequest.HashAlgorithm = hashObjID;

to force it into using SHA-1 as the hash algorithm, but at least it
gives you control over almost anything once you have figured out how
to do it (can be painful) and it creates standard PKCS#7 CSRs. Keygen
does neither and generateCRMFRequest just has to use that widely
unsupported format :(

/Thomas

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
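A complete enrollment page built on the approach Thomas describes, added here as an illustration (it is not code from the post or from Microsoft): it assumes the CertEnroll interfaces CX509PrivateKey, CX509CertificateRequestPkcs10, CX500DistinguishedName and CX509Enrollment, a hypothetical form target /submit-csr, and that the page is served to Internet Explorer, where the web class factory loads without zone changes because that control is marked safe for scripting.

```html
<html>
<body>
  <!-- Constructed example. The web class factory CLSID from the post;
       no security-zone change is needed because it is safe for scripting. -->
  <object classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"
          id="classFactory" height="0" width="0"></object>
  <form id="csrForm" method="post" action="/submit-csr"> <!-- hypothetical endpoint -->
    <input type="hidden" name="csr" id="csr">
    <input type="button" value="Generate key and CSR" onclick="makeCsr()">
  </form>
  <script type="text/javascript">
    // CertEnroll enum values used below (from certenroll.h).
    var ContextUser = 1;              // X509CertificateEnrollmentContext
    var XCN_AT_KEYEXCHANGE = 1;       // X509KeySpec
    var XCN_CERT_NAME_STR_NONE = 0;   // X500NameFlags
    var XCN_CRYPT_STRING_BASE64 = 1;  // EncodingType
    function makeCsr() {
      try {
        // 1. Generate a 2048-bit RSA key in the user's key store.
        var key = classFactory.CreateObject("X509Enrollment.CX509PrivateKey");
        key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
        key.KeySpec = XCN_AT_KEYEXCHANGE;
        key.Length = 2048;
        key.Create();
        // 2. Build a PKCS#10 request around that key.
        var req = classFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
        req.InitializeFromPrivateKey(ContextUser, key, "");
        var dn = classFactory.CreateObject("X509Enrollment.CX500DistinguishedName");
        dn.Encode("CN=example user, O=Example Org", XCN_CERT_NAME_STR_NONE);
        req.Subject = dn;
        // 3. Pick the signature hash by OID. The post used InitializeFromName("89")
        //    for SHA-1; SHA-256 is used here because CAs reject SHA-1 CSRs today.
        var hash = classFactory.CreateObject("X509Enrollment.CObjectId");
        hash.InitializeFromValue("2.16.840.1.101.3.4.2.1"); // id-sha256
        req.HashAlgorithm = hash;
        // 4. Self-sign the request and hand the base64 PKCS#10 to the form.
        var enroll = classFactory.CreateObject("X509Enrollment.CX509Enrollment");
        enroll.InitializeFromRequest(req);
        document.getElementById("csr").value = enroll.CreateRequest(XCN_CRYPT_STRING_BASE64);
        document.getElementById("csrForm").submit();
      } catch (e) {
        alert("CSR generation failed: " + e.message);
      }
    }
  </script>
</body>
</html>
```

The private key never leaves the user's key store, so the certificate the CA issues has to be installed on the same machine, via CX509Enrollment.InstallResponse, to pair it with that key.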