[Pki-devel] [PATCH] 0069 Import certs as DER-encoded X.509 in Chrome
Fraser Tweedale
ftweedal at redhat.com
Wed Jan 13 01:37:42 UTC 2016
The attached patch fixes certificate import in Chrome.
https://fedorahosted.org/pki/ticket/1245#comment:5
Thanks,
Fraser
-------------- next part --------------
From 81fc2d83fa06c11d9f2f07529576dc7f560838ec Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 12 Jan 2016 16:12:50 +1100
Subject: [PATCH] Import certs as DER-encoded X.509 in Chrome
For certificate import, Google Chrome only handles DER-encoded X.509
certificates. We export a DER-encoded PKCS #7 chain by default,
which Chrome does not recognise.
Update client-side Javascript to append 'importCAChain=false' query
param on Chrome only, so that the certificate will be retrieved in a
supported format.
Fixes: https://fedorahosted.org/pki/ticket/1245
---
.../webapps/ca/admin/ca/EnrollSuccess.template | 9 ++++--
.../webapps/ca/agent/ca/EnrollSuccess.template | 9 ++++--
.../webapps/ca/agent/ca/displayBySerial.template | 4 +++
.../ca/agent/ca/displayCertFromRequest.template | 7 ++++-
.../shared/webapps/ca/ee/ca/EnrollSuccess.template | 21 +++++++++++--
.../shared/webapps/ca/ee/ca/ProfileSubmit.template | 4 +++
.../webapps/ca/ee/ca/RenewalSuccess.template | 34 ++++++++++++++++++----
.../webapps/ca/ee/ca/displayBySerial.template | 4 +++
.../ca/ee/ca/displayCertFromRequest.template | 7 ++++-
.../kra/agent/kra/displayBySerial2.template | 4 +++
10 files changed, 88 insertions(+), 15 deletions(-)
diff --git a/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template b/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template
index d3709831e9f9c1bba686fb5f45adec01a7e82e28..9fdfdd614e8ef62cf5ff35b1b4546bf61338069b 100644
--- a/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template
+++ b/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template
@@ -180,8 +180,13 @@ if (navigator.appName == 'Netscape' &&
} else if (navigator.appName == 'Netscape' &&
typeof(crypto.version) == "undefined") {
// non Cartman
- window.location = result.fixed.scheme + "://" + result.fixed.host + ":"
-+ result.fixed.port + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+ var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+ + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ window.location = loc;
}
</SCRIPT>
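Review bot: The test `navigator.userAgent.indexOf("Chrome") != -1` is a substring match on the user-agent string, so it is also true for any other browser whose UA contains the token "Chrome"; whether those browsers accept the PKCS #7 chain is not established by the patch, and the comment should say the branch keys on the UA token. The same five added lines are repeated in every hunk of this patch, so a later correction to the detection has to be made in all ten templates; if the templates share a script include (not visible here), one helper such as `function addChromeImportParams(loc) { return navigator.userAgent.indexOf("Chrome") != -1 ? loc + '&importCAChain=false' : loc; }` would keep the rule in one place. Going by the commit message, `importCAChain=false` returns only the DER X.509 certificate instead of the PKCS #7 chain, so the comment could also note that Chrome users do not receive the CA chain through this path. The enclosing if/else chain starts outside the hunk.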
diff --git a/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template b/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template
index 08bcd5240af0bbdcd01a0af441d83cddc7313db6..b627af22d9a943babc27bc15e46755dd98319db2 100644
--- a/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template
+++ b/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template
@@ -154,8 +154,13 @@ if (navigator.appName == 'Netscape' &&
} else if (navigator.appName == 'Netscape' &&
typeof(crypto.version) == "undefined") {
// non Cartman
- window.location = result.fixed.scheme + "://" + result.fixed.host + ":"
-+ result.fixed.port + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+ var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+ + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ window.location = loc;
}
</SCRIPT>
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
index 3b58a47790dd9e99dbcdeb5fc520d5c3dd0eeec6..0ab5b7cb46ef7012459cc96dab1fbe035b137914 100644
--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
+++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
@@ -273,6 +273,10 @@ if (navigator.appName == "Netscape") {
if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") {
loc = loc + '&cmmfResponse=true';
}
+ else if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
}
if (result.header.noCertImport != null && result.header.noCertImport == false) {
document.write('<form>\n'+
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
index f1148570c5e1cd3c251ee64008228da2e710b421..eb8451a5eaf1515a93df14ddf641ce06259eb647 100644
--- a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
+++ b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
@@ -133,8 +133,13 @@ function importCertificates(numCerts, requestId)
if (navigator.appName == "Netscape") {
if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined")
loc = loc+'&cmmfResponse=true';
- else
+ else {
loc = loc + '&importCert=true';
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ }
}
document.writeln('<center>');
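Review bot: After this change the `else` branch is braced while the `if` branch above it (`loc = loc+'&cmmfResponse=true';`) is still an unbraced single statement, which makes the pairing harder to read now that the `else` body contains a nested `if`. Bracing both arms, `if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") {` … `} else {`, would match the braced form used in the displayBySerial templates of this patch. The same applies to the identical hunk in ee/ca/displayCertFromRequest.template. The body of importCertificates starts and ends outside the hunk.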
diff --git a/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template b/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template
index 771c6fb1b8898fe11dc674062da75c5ab5fc9261..4871322b50209641647455dbef96aa51b67500e4 100644
--- a/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template
+++ b/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template
@@ -140,9 +140,14 @@ if (navigator.appName == 'Netscape' && (navMajorVersion() > 3) &&
} else {
for (var i = 0; i < result.recordSet.length; i++) {
if (result.recordSet[i].serialNo != null) {
- window.location = result.fixed.scheme + "://" + result.fixed.host + ":" +
+ var loc = result.fixed.scheme + "://" + result.fixed.host + ":" +
result.fixed.port + "/ee/getBySerial?serialNumber=" +
record.recordSet[i].serialNo + "&importCert=true";
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ window.location = loc;
}
}
if (result.recordSet.length > 0)
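Review bot: The guard tests `result.recordSet[i].serialNo`, but the URL two lines below the new `var loc` is built from `record.recordSet[i].serialNo`; `record` is not defined in the visible lines and the other templates in this patch use it as a single record (`record.serialNo`), so this looks like a typo for `result` that would either throw or put `undefined` into the serial number. Since the commit rewrites these statements anyway, the line could become `result.recordSet[i].serialNo + "&importCert=true";`. The same expression appears in the second hunk of this file, in the "non Cartman" loop. The loop also assigns `window.location` once per record, so presumably only the last navigation takes effect; a one-line comment saying so would help. The enclosing if/else chain starts outside the hunk.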
@@ -153,18 +158,28 @@ if (navigator.appName == 'Netscape' && (navMajorVersion() > 3) &&
// non Cartman
for (var i = 0; i < result.recordSet.length; i++) {
if (result.recordSet[i].serialNo != null) {
- window.location = result.fixed.scheme + "://" + result.fixed.host + ":" +
+ var loc = result.fixed.scheme + "://" + result.fixed.host + ":" +
result.fixed.port + "/ee/getBySerial?serialNumber=" +
record.recordSet[i].serialNo + "&importCert=true";
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ window.location = loc;
}
}
if (result.recordSet.length > 0)
alert("Your cert has been imported into the browser!");
} else {
// this must be a RA
- window.location = result.fixed.scheme + "://" + result.fixed.host + ":" +
+ var loc = result.fixed.scheme + "://" + result.fixed.host + ":" +
result.fixed.port + "/getCertFromRequest?requestId=" +
result.fixed.requestId + "&importCert=true";
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ window.location = loc;
alert("Your cert has been imported into the browser!");
}
}
diff --git a/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template b/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template
index ce1ec122e726ac4986e79151413e4836ef5021fd..e32dd8f5e58b3ce47dad0e304d3c210adbc3cb89 100644
--- a/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template
+++ b/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template
@@ -87,6 +87,10 @@ for (var i = 0; i < outputListSet.length; i++) {
if (autoImport == 'true') {
// only support one certificate import
var loc = "getCertFromRequest?requestId="+ requestListSet[i].requestId + "&importCert=true";
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
document.write("<iframe width='0' height='0' src='"+loc+"' </iframe>");
} else {
document.writeln('<form method=post action="getCertFromRequest">');
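Review bot: The context line right after the added block, `document.write("<iframe width='0' height='0' src='"+loc+"' </iframe>");`, writes an iframe start tag with no closing `>` before `</iframe>`, and it places `loc` inside a single-quoted attribute without any escaping. `loc` carries `requestListSet[i].requestId`, which appears to be server-supplied template data, so a value containing a quote would end the attribute early. Now that `loc` gains another parameter here, I would encode the id when building it, `var loc = "getCertFromRequest?requestId=" + encodeURIComponent(requestListSet[i].requestId) + "&importCert=true";`, and emit well-formed markup with a double-quoted attribute, `document.write('<iframe width="0" height="0" src="' + loc + '"></iframe>');`. The enclosing for loop starts outside the hunk.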
diff --git a/base/ca/shared/webapps/ca/ee/ca/RenewalSuccess.template b/base/ca/shared/webapps/ca/ee/ca/RenewalSuccess.template
index cb840d296bc4b916801e310f547cc7e3383370d4..76685146d46c247509a3ce036f5c48f8926f587a 100644
--- a/base/ca/shared/webapps/ca/ee/ca/RenewalSuccess.template
+++ b/base/ca/shared/webapps/ca/ee/ca/RenewalSuccess.template
@@ -136,22 +136,44 @@ if (navigator.appName == 'Netscape' && (navMajorVersion() > 3) &&
// 'its serial number.');
} else if (result.fixed.authorityName == 'Certificate Manager') {
alert("Success!!");
- window.location = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port + "/getBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+ var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+ + "/getBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ window.location = loc;
} else {
alert("Success!!");
// this must be a RA
- window.location = result.fixed.scheme + "://" + result.fixed.host + ":"
-+ result.fixed.port + "/getCertFromRequest?requestId=" + result.fixed.requestId + "&importCert=true";
+ var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+ + "/getCertFromRequest?requestId=" + result.fixed.requestId + "&importCert=true";
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ window.location = loc;
}
} else if (navigator.appName == 'Netscape' && (navMajorVersion() >= 3)) {
// non Cartman
if (result.fixed.authorityName == 'Certificate Manager') {
// non Cartman
- window.location = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port + "/getBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+ var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+ + "/getBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ window.location = loc;
} else {
// this must be a RA
- window.location = result.fixed.scheme + "://" + result.fixed.host + ":"
-+ result.fixed.port + "/getCertFromRequest?requestId=" + result.fixed.requestId + "&importCert=true";
+ var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+ + "/getCertFromRequest?requestId=" + result.fixed.requestId + "&importCert=true";
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ window.location = loc;
}
}
diff --git a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
index d1e65fa631e0107297cf8b5383197bb9e6f5c160..56cccbec167e7479d20243cc13eded7f81462ed2 100644
--- a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
+++ b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
@@ -193,6 +193,10 @@ if (navigator.appName == "Netscape") {
if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") {
loc = loc + '&cmmfResponse=true';
}
+ else if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
}
document.write('<form>\n'+
'<INPUT TYPE=\"button\" VALUE=\"Import Your Certificate\"'+
diff --git a/base/ca/shared/webapps/ca/ee/ca/displayCertFromRequest.template b/base/ca/shared/webapps/ca/ee/ca/displayCertFromRequest.template
index aafa17aca89305e5a5789dbe43a14e5a4f5a6047..f7987fc692cd7ba913556af494e1458b467a3502 100644
--- a/base/ca/shared/webapps/ca/ee/ca/displayCertFromRequest.template
+++ b/base/ca/shared/webapps/ca/ee/ca/displayCertFromRequest.template
@@ -122,8 +122,13 @@ function importCertificates(numCerts, requestId)
if (navigator.appName == "Netscape") {
if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined")
loc = loc+'&cmmfResponse=true';
- else
+ else {
loc = loc + '&importCert=true';
+ if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
+ }
}
document.writeln('<center>');
document.writeln('<form>\n'+
diff --git a/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template b/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template
index 06bef2f9f1fde319bca4f55cf4af21d273dd2ee5..59cc27c3fc9ee105d290264512fb3f07fcb28a51 100644
--- a/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template
+++ b/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template
@@ -118,6 +118,10 @@ if (navigator.appName == "Netscape") {
if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") {
loc = loc + '&cmmfResponse=true';
}
+ else if (navigator.userAgent.indexOf("Chrome") != -1) {
+ // Chrome cannot handle PKCS #7; only DER-encoded X.509
+ loc = loc + '&importCAChain=false';
+ }
}
document.write('<form>\n'+
'<INPUT TYPE=\"button\" VALUE=\"Download This Certificate\"'+
--
2.5.0