Add support for EC keys #3

Merged
lauri merged 6 commits from ec-key-support into master 2021-08-19 16:59:21 +00:00
2 changed files with 23 additions and 17 deletions
Showing only changes of commit 613da4d0b5 - Show all commits

View File

@ -16,6 +16,7 @@ import { pkcs12chain } from "./pkcs12chain.js";
import { import {
pkijsToPem, pkijsToPem,
pkijsToBase64, pkijsToBase64,
pemToBase64,
} from "./util.js" } from "./util.js"
const DEVICE_KEYWORDS = ["Android", "iPhone", "iPad", "Windows", "Ubuntu", "Fedora", "Mac", "Linux"]; const DEVICE_KEYWORDS = ["Android", "iPhone", "iPad", "Windows", "Ubuntu", "Fedora", "Mac", "Linux"];
@ -102,14 +103,14 @@ function onKeyGen() {
let algorithm; let algorithm;
if (authority.certificate.algorithm == "rsa") { if (authority.certificate.algorithm == "rsa") {
algorithm = getAlgorithmParameters( algorithm = getAlgorithmParameters(
window.authority.rsa_sign_alg, "generatekey"); window.authority.certificate.key_type_specific, "generatekey");
} }
if (authority.certificate.algorithm == "ec") { if (authority.certificate.algorithm == "ec") {
algorithm = getAlgorithmParameters( algorithm = getAlgorithmParameters(
window.authority.ec_sign_alg, "generatekey"); window.authority.certificate.curve, "generatekey");
} }
if ("hash" in algorithm.algorithm) if ("hash" in algorithm.algorithm)
algorithm.algorithm.hash.name = window.authority.hash_alg; algorithm.algorithm.hash.name = window.authority.certificate.hash_algorithm;
const keyPair = await window.cryptoEngine.generateKey( const keyPair = await window.cryptoEngine.generateKey(
algorithm.algorithm, true, algorithm.usages); algorithm.algorithm, true, algorithm.usages);
@ -118,7 +119,7 @@ function onKeyGen() {
const privateKey = keyPair.privateKey; const privateKey = keyPair.privateKey;
await pkcs10.subjectPublicKeyInfo.importKey(publicKey); await pkcs10.subjectPublicKeyInfo.importKey(publicKey);
await pkcs10.sign(privateKey, window.authority.hash_alg); await pkcs10.sign(privateKey, window.authority.certificate.hash_algorithm);
window.csr = pkcs10; window.csr = pkcs10;
console.info("Certification request created"); console.info("Certification request created");
@ -184,23 +185,21 @@ function onEnroll(encoding) {
xhr.open('GET', "/api/certificate/"); xhr.open('GET', "/api/certificate/");
xhr.onload = async function() { xhr.onload = async function() {
if (xhr.status === 200) { if (xhr.status === 200) {
const caBase64 = xhr.responseText.replace( const caBase64 = pemToBase64(xhr.responseText);
/(-----(BEGIN|END) CERTIFICATE-----|\n)/g, "");
var xhr2 = new XMLHttpRequest(); var xhr2 = new XMLHttpRequest();
xhr2.open("PUT", "/api/token/?token=" + query.token ); xhr2.open("PUT", "/api/token/?token=" + query.token );
xhr2.onload = async function() { xhr2.onload = async function() {
if (xhr2.status === 200) { if (xhr2.status === 200) {
var a = document.createElement("a"); var a = document.createElement("a");
const certBase64 = xhr.responseText.replace( const certBase64 = pemToBase64(xhr.responseText);
/(-----(BEGIN|END) CERTIFICATE-----|\n)/g, "");
// Private key to base64 (for pkcs12chain) // Private key to base64 (for pkcs12chain)
let privKeyBase64 = await pkijsToBase64(keys.privateKey); let privKeyBase64 = await pkijsToBase64(keys.privateKey);
switch(encoding) { switch(encoding) {
case 'p12': case 'p12':
var p12 = await pkcs12chain(privKeyBase64, [certBase64, caBase64], "", window.authority.hash_alg); var p12 = await pkcs12chain(privKeyBase64, [certBase64, caBase64], "", window.authority.certificate.hash_algorithm);
var buf = arrayBufferToString(p12.toSchema().toBER(false)); var buf = arrayBufferToString(p12.toSchema().toBER(false));
var mimetype = "application/x-pkcs12" var mimetype = "application/x-pkcs12"
@ -208,7 +207,7 @@ function onEnroll(encoding) {
break break
case 'sswan': case 'sswan':
var p12 = arrayBufferToString( var p12 = arrayBufferToString(
(await pkcs12chain(privKeyBase64, [certBase64, caBase64], "", window.authority.hash_alg)).toSchema().toBER(false)); (await pkcs12chain(privKeyBase64, [certBase64, caBase64], "", window.authority.certificate.hash_algorithm)).toSchema().toBER(false));
var buf = JSON.stringify({ var buf = JSON.stringify({
uuid: await blobToUuid(authority.namespace), uuid: await blobToUuid(authority.namespace),
@ -247,7 +246,7 @@ function onEnroll(encoding) {
var p12 = arrayBufferToString( var p12 = arrayBufferToString(
(await pkcs12chain( (await pkcs12chain(
privKeyBase64, [certBase64, caBase64], privKeyBase64, [certBase64, caBase64],
"1234", window.authority.hash_alg)) "1234", window.authority.certificate.hash_algorithm))
.toSchema().toBER(false)); .toSchema().toBER(false));
var buf = nunjucks.render('snippets/ios.mobileconfig', { var buf = nunjucks.render('snippets/ios.mobileconfig', {
@ -312,9 +311,12 @@ async function onHashChanged() {
}, },
success: async function(authority) { success: async function(authority) {
window.authority = authority window.authority = authority
window.authority.hash_alg = "SHA-384";
window.authority.rsa_sign_alg = "RSASSA-PKCS1-v1_5"; // convert "sha512" to "SHA-512"
window.authority.ec_sign_alg = "ECDSA"; window.authority.certificate.hash_algorithm =
(window.authority.certificate.hash_algorithm.slice(0,3) +
"-" + window.authority.certificate.hash_algorithm.slice(3))
.toUpperCase();
var prefix = "unknown"; var prefix = "unknown";
for (i in DEVICE_KEYWORDS) { for (i in DEVICE_KEYWORDS) {
@ -770,10 +772,10 @@ function loadAuthority(query) {
$("#enroll").click(async function() { $("#enroll").click(async function() {
var keys = await window.cryptoEngine.generateKey( var keys = await window.cryptoEngine.generateKey(
{ {
name: "RSASSA-PKCS1-v1_5", name: window.authority.certificate.key_type_specific,
modulusLength: 1024, modulusLength: window.authority.certificate.key_size,
publicExponent: new Uint8Array([1, 0, 1]), publicExponent: new Uint8Array([1, 0, 1]),
hash: "SHA-256", hash: window.authority.certificate.hash_algorithm,
}, },
true, true,
["encrypt", "decrypt"]); ["encrypt", "decrypt"]);

View File

@ -48,3 +48,7 @@ export function pkijsToPem(pkijsObj) {
} }
}); });
} }
export function pemToBase64(pem) {
return pem.replace(/(-----(BEGIN|END) CERTIFICATE-----|\n)/g, "");
}