This repository has been archived by the owner on Aug 12, 2023. It is now read-only.

Create core.pki component #25

Open
2 of 6 tasks
heuels opened this issue Jan 25, 2017 · 2 comments
Comments

@heuels
Member

heuels commented Jan 25, 2017

The [email protected] roadmap states that the system should include support for issuing client certificates. There are a few ways of implementing it. We could use one of the many openssl wrappers available, or we could use one of the pure-JavaScript libraries that provide this kind of feature.

For now I tend to choose the second option.

Pure JavaScript libraries that may be used are forge and jsrsasign. However, forge does not support file signing, which we will later need to sign .mobileconfig configuration profiles (see briskhome-mobileconfig). So jsrsasign it is.

The wiki page for jsrsasign has a few valuable demos that will certainly ease the development of this component:


The core.pki system component should support:

  • Generating public and private keys;
  • Generating Certificate Signing Requests (CSR);
  • Issuing client certificates;
  • Authorizing the issuance of a client certificate by system administrator;
  • Logging the information about the users requesting certificates and authorizing issuance;
  • Storing issued certificates in either LDAP or MongoDB.

Edit (1/31): node-forge is now being tested as the cryptographic tool of choice. Why node-forge? Because it can generate keys asynchronously, without stopping the whole application to think about it.

This issue is to be edited to reflect the latest status of component development.

@heuels heuels added 0.3.0 and removed 0.3.0 labels Jan 25, 2017
@heuels heuels added this to the 0.3.0 milestone Jan 25, 2017
@heuels heuels changed the title Develop core.pki component Create core.pki component Jan 25, 2017
@heuels
Member Author

heuels commented Jan 31, 2017

Signing .mobileconfig files with forge

A slightly modified excerpt from the forge README:

const forge = require('node-forge');

// privateKeyAssociatedWithCert and certOrCertPem are placeholders for the signer's
// private key and its certificate (forge objects or PEM strings).
const p7 = forge.pkcs7.createSignedData();
// The profile plist is embedded as the signed content (not detached).
p7.content = forge.util.createBuffer('<plist>...</plist>', 'utf8');
p7.addSigner({
  key: privateKeyAssociatedWithCert,
  certificate: certOrCertPem,
  digestAlgorithm: forge.pki.oids.sha256,
  authenticatedAttributes: [{
    type: forge.pki.oids.contentType,
    value: forge.pki.oids.data
  }, {
    type: forge.pki.oids.messageDigest
    // value will be auto-populated at signing time
  }, {
    type: forge.pki.oids.signingTime,
    // value can also be auto-populated at signing time
    value: new Date()
  }]
});
p7.sign();
// DER bytes of the SignedData: this is what gets written to the .mobileconfig file.
const signedProfileDer = forge.asn1.toDer(p7.toAsn1()).getBytes();

@heuels heuels closed this as completed Jan 31, 2017
@heuels heuels reopened this Jan 31, 2017
@heuels heuels added the core.pki label Feb 1, 2017
@heuels
Member Author

heuels commented Feb 1, 2017

Creating .p12 containers with forge

const forge = require('node-forge');
// privateKey: forge private key; certificateChain: forge certs, leaf first; 'password' is a placeholder.
const p12Asn1 = forge.pkcs12.toPkcs12Asn1(
    privateKey, certificateChain, 'password',
    {algorithm: '3des'}
);
const p12Der = forge.asn1.toDer(p12Asn1).getBytes();  // DER bytes of the .p12 file

@heuels heuels added the feature label Feb 7, 2017
@heuels heuels self-assigned this Feb 7, 2017
@heuels heuels modified the milestones: Backlog, v0.3.0 May 16, 2017
@heuels heuels added the label Jun 30, 2017
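Added example, not code from briskhome and not part of this issue: the whole core.pki flow from the checklist in the opening post (keys, CSR, administrator-approved client certificate, issuance log), the PKCS#7 profile signing from the Jan 31 comment and the PKCS#12 export from the Feb 1 comment, done with the OpenSSL command line, the first of the two options the issue mentions, so it runs with nothing but `openssl` installed. Everything in it is constructed for the demo: the CA name, the user `alice`, the `profile-signer` identity, the intruder `mallory`, the password `demo-password`, the audit-log format, the tiny plist, and the assumed `PKI_WORK` environment variable that picks the scratch directory. What it adds to the checklist is the separation of roles: the CA key is the administrator's authorization, the extension file (not the CSR) fixes what an issued certificate may do, a certificate nobody approved fails verification, and the profile is signed by a dedicated identity rather than the CA key.

```shell
#!/bin/sh
# Added example, not code from briskhome: the core.pki flow with the OpenSSL CLI.
# Every name, path, password and the audit-log format here is constructed for the demo.
set -eu

WORK="${PKI_WORK:-$(mktemp -d)}"   # scratch dir; PKI_WORK is an assumed override hook
# Minimal req config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"

# Key pair + CSR for a principal. In the component this is the user's request.
pki_make_csr() {             # pki_make_csr <name> [common-name]
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -subj "/CN=${2:-$1}" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# CA: self-signed, explicitly marked CA, key usable for certificate signing only.
pki_make_ca() {
  pki_make_csr ca 'Briskhome Demo CA'
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -sha256 -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Sign a CSR with the CA. The extension lines, not the CSR, fix what the cert may do.
_pki_sign() {                # _pki_sign <name> <extension-lines>
  printf '%b' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 365 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Administrator approval: issue a client-auth-only certificate and record who got it.
pki_issue_client_cert() {    # pki_issue_client_cert <user> <approved-by>
  _pki_sign "$1" 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n'
  printf '%s issued user=%s approved_by=%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" \
    "$(openssl x509 -in "$WORK/$1.crt" -noout -serial)" >> "$WORK/issuance.log"
}

# Exit status 0 only if the cert chains to our CA and is valid for TLS client auth.
pki_verify_client() {        # pki_verify_client <name>
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1
}

# PKCS#12 bundle (key, cert, CA) for installing on a device; cf. forge.pkcs12 above.
pki_export_p12() {           # pki_export_p12 <user> <password>
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" -certfile "$WORK/ca.crt" \
    -name "$1" -passout "pass:$2" -out "$WORK/$1.p12" 2>/dev/null
}

# CMS/PKCS#7 SignedData with the plist embedded, as the forge.pkcs7 snippet builds it.
pki_sign_profile() {         # pki_sign_profile <plist> <signer-name> <out>
  openssl smime -sign -binary -nodetach -in "$1" -signer "$WORK/$2.crt" -inkey "$WORK/$2.key" \
    -certfile "$WORK/ca.crt" -outform DER -out "$3" 2>/dev/null
}
pki_verify_profile() {       # pki_verify_profile <signed> <recovered-plist-out>
  openssl smime -verify -inform DER -in "$1" -CAfile "$WORK/ca.crt" -out "$2" >/dev/null 2>&1
}

pki_demo() {
  pki_make_ca
  pki_make_csr alice
  pki_issue_client_cert alice admin
  pki_export_p12 alice demo-password
  # Profile signing identity: separate from the CA key, signature-only, no EKU.
  pki_make_csr profile-signer
  _pki_sign profile-signer 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n'
  # A key pair nobody approved (self-signed) must not verify against the CA.
  pki_make_csr mallory
  openssl x509 -req -in "$WORK/mallory.csr" -signkey "$WORK/mallory.key" -days 1 \
    -out "$WORK/mallory.crt" 2>/dev/null
  # Constructed minimal profile payload.
  printf '<?xml version="1.0"?>\n<plist version="1.0"><dict><key>PayloadType</key><string>Configuration</string></dict></plist>\n' \
    > "$WORK/demo.mobileconfig"
  pki_sign_profile "$WORK/demo.mobileconfig" profile-signer "$WORK/demo.signed.mobileconfig"
  pki_verify_profile "$WORK/demo.signed.mobileconfig" "$WORK/demo.recovered.plist"
  echo "audit log:"; cat "$WORK/issuance.log"
}
pki_demo
```

The `{algorithm: '3des'}` in the forge snippet above is the legacy PKCS#12 encryption; OpenSSL 3's `pkcs12 -export` defaults to AES-256-CBC with PBKDF2, which is the better choice for new containers. On the device side the profile's signer certificate (or the CA above it) has to be trusted for the installed profile to show as verified, so the signing identity is something the component has to manage, not a throwaway.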