使用 X509 证书 + 智能卡的 Web 签名

Question

我正在尝试向我的网络应用程序添加签名功能。

签名必须使用智能卡进行。因此，在搜索了很多地方之后，我发现了webcrypto-socket(https://peculiarventures.github.io/webcrypto-local/docs/) - Webcrypto套接字模块实现了Crypto接口(interface)并使用Fortify应用程序进行加密实现。 p>

然后，我可以登录我的应用程序，但它生成的签名不是有效的 PKCS 签名，它仅返回签名哈希值，而没有公共(public)证书。

我的代码基于以下示例:https://peculiarventures.github.io/fortify-examples/example5.html

此外，欢迎对 webcrypto-socket 和 fortify 发表评论!

我正在做这样的事情，其中​​提供者和证书按照 fortify 的建议填写:

function sign() {
    var provider;
    var cert;
    Promise.resolve()
        .then(function () {
            var providerID = document.getElementById("providers").value;
            return ws.getCrypto(providerID)
        })
        .then(function (crypto) {
            provider = crypto;

          setEngine('subtle', crypto, 

    new CryptoEngine({ name: 'subtle', crypto: crypto, subtle: crypto.subtle }));

            return GetCertificate(provider,
                document.getElementById("certificates").value);
        })
        .then(function (certificate) {
            cert = certificate;
            return GetCertificateKey("private", provider,
                document.getElementById("certificates").value);
        })
        .then(function (key) {
            if (!key) {
                throw new Error("Certificate doesn't have private key");
            }

            var textToSignElement = document.getElementById("textToSign");
            var signatureResultElement = 
                document.getElementById("signatureResult");
            signDataElement(textToSignElement, signatureResultElement, 
                cert, key, provider);

        })
}

function signDataElement(textToSignElement, signatureResultElement, 
    key, cert, provider) {
    var message = pvtsutils.Convert.FromBase64(hashElement.value);
    var hashAlg = key.algorithm.hash.name;
    var sequence = Promise.resolve();
    sequence = sequence.then(() => provider.subtle.digest({ name: hashAlg },
        new Uint8Array(message)));
    var cmsSignedSimpl = null;
    var messHex = null;
    var certRaw = null;

    sequence = sequence.then(function (res) {
        messHex = res;
        return GetCertificateAsPEM(provider, cert);
    });

    //region Combine all signed extensions
    sequence = sequence.then(result => {
        certRaw = result;
        var signedAttr = [];

        signedAttr.push(new Attribute({
            type: "1.2.840.113549.1.9.3",
            values: [new ObjectIdentifier({ value: "1.2.840.113549.1.7.1" })]
        })); // contentType

        signedAttr.push(new Attribute({
            type: "1.2.840.113549.1.9.5",
            values: [new UTCTime({ valueDate: new Date() })]
        })); // signingTime

        signedAttr.push(new Attribute({
            type: "1.2.840.113549.1.9.4",
            values: [new OctetString({ valueHex: messHex})]
        })); // messageDigest

        return signedAttr;
    });

    sequence = sequence.then(signedAttr => {
        var asn1 = fromBER(PemToDer(certRaw));
        var newCert = new Certificate({ schema: asn1.result });

        newCert.issuer.typesAndValues.push(new AttributeTypeAndValue({
            type: "2.5.4.3", // Common name
            value: new BmpString({ value: cert.issuerName })
        }));
        cmsSignedSimpl = new SignedData({
            version: 1,
            encapContentInfo: new EncapsulatedContentInfo({
                eContentType: "1.2.840.113549.1.7.1" // "data" content type
            }),
            signerInfos: [new SignerInfo({
                version: 1,
                sid: new IssuerAndSerialNumber({
                    issuer: newCert.issuer,
                    serialNumber: newCert.serialNumber
                }),
                signedAttrs: new SignedAndUnsignedAttributes({
                    type: 0,
                    attributes: signedAttr
                })
            })],
            certificates: [newCert]
        });
        return cmsSignedSimpl.sign(key, 0, hashAlg, message)
    });

    sequence = sequence.then(() => {
        var cmsSignedSchema = cmsSignedSimpl.toSchema(true);

        var cmsContentSimp = new ContentInfo({
            contentType: "1.2.840.113549.1.7.2",
            content: cmsSignedSchema
        });

        var _cmsSignedSchema = cmsContentSimp.toSchema();

        //region Make length of some elements in "indefinite form"
        _cmsSignedSchema.lenBlock.isIndefiniteForm = true;

        var block1 = _cmsSignedSchema.valueBlock.value[1];
        block1.lenBlock.isIndefiniteForm = true;

        var block2 = block1.valueBlock.value[0];
        block2.lenBlock.isIndefiniteForm = true;

        //endregion

       return _cmsSignedSchema.toBER(false);
    }, error => Promise.reject(`Erorr during signing of CMS Signed Data: ${error}`));

    sequence.then((certificateBuffer) => {
        var certSimplString = String.fromCharCode.apply(null, 
            new Uint8Array(certificateBuffer));

        signatureElement.value = formatPEM(window.btoa(certSimplString));

        alert("Certificate created successfully!");
    })

    return sequence;
}

function GetCertificate(provider, certID) {
    var certID;
    return provider.certStorage.getItem(certID)
        .then(function (cert) {
            return cert;
        });
}

function GetCertificateAsPEM(provider, cert) {
    return provider.certStorage.exportCert('PEM', cert);
}

signDataElement基于https://pkijs.org/examples/CMSSigned_complex_example.html

Answer 1

我们将 Hancock ( https://fortifyapp.com ) 中的 Fortify ( https://hancock.ink ) 与 PKIjs ( https://pkijs.org ) 和 CAdESjs ( https://github.com/PeculiarVentures/CAdES.js ) 结合使用来创建 CMS 签名。

您可以在此处查看基于 PKIjs 的 JS 基本 CMS 示例:https://pkijs.org/examples/CMSSigned_complex_example.html

您需要向我们提供您正在做的事情的示例，我们可以告诉您需要采取哪些不同的做法。

瑞恩