How do I add a challengePassword to a PKCS10 certificate request using IE11 and certenroll?

0

I am using Certenroll in Internet Explorer 11 to create a PKCS10 certificate signing request to send to a certificate authority.

I need to add the challengePassword attribute (OID 1.2.840.113549.1.9.7) to the generated CSR, and I am struggling to nail down the exact code to do this.

I have tried to create an X509Enrollment.CX509Extension and add this to the CSR, but the code fails when trying to assign the value to the extension:

        objX509ExtensionChallenge.Initialize(objObjectIdChallenge, 16, "Test"); // XCN_CRYPT_STRING_TEXT = 16

with the following error:

CertEnroll::CX509Extension::Initialize: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

Alas, I'm not told which of the three parameters is invalid, or what makes the parameter incorrect.

The code is as follows:

        // objCertEnrollClassFactory is created earlier (not shown here), e.g.
        //   var objCertEnrollClassFactory = new ActiveXObject("X509Enrollment.CX509EnrollmentWebClassFactory");
        var objCSP = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformation");
        var objCSPs = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformations");
        var objPrivateKey = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509PrivateKey");
        var objRequest = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
        var objObjectIds = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectIds");
        var objObjectId = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
        var objX509ExtensionEnhancedKeyUsage = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
        var objExtensionTemplate = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionTemplateName");
        var objDn = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName");
        var objObjectIdChallenge = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
        var objX509ExtensionChallenge = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Extension");
        var objEnroll = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment");

        /* initialize the CSP using the desired Cryptographic Service Provider */
        objCSP.InitializeFromName("Microsoft Enhanced RSA and AES Cryptographic Provider");

        /* add this CSP to the CSP collection */
        objCSPs.Add(objCSP);

        /* provide key container name, key length and key spec to the private key object */
        //objPrivateKey.ContainerName = $('#name').val();
        objPrivateKey.Length = $('#keylength').val();
        objPrivateKey.KeySpec = 1; // AT_KEYEXCHANGE = 1
        objPrivateKey.ProviderType = '24'; // XCN_PROV_RSA_AES = 24

        /* provide the CSP collection object (in this case containing only 1 CSP object) */
        /* to the private key object */
        objPrivateKey.CspInformations = objCSPs;

        /* initialize P10 based on private key */
        objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // context user = 1

        /* 1.3.6.1.5.5.7.3.2 Oid - extension */
        objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        objObjectIds.Add(objObjectId);
        objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
        objRequest.X509Extensions.Add(objX509ExtensionEnhancedKeyUsage);

        /* 1.3.6.1.5.5.7.3.3 Oid - extension */
        //objExtensionTemplate.InitializeEncode("1.3.6.1.5.5.7.3.3");
        //objRequest.X509Extensions.Add(objExtensionTemplate);

        /* DN related stuff */
        objDn.Encode("CN=" + $('#name').val(), 0); // XCN_CERT_NAME_STR_NONE = 0
        objRequest.Subject = objDn;

        //objChallengeObjectId.InitializeFromName(CERTENROLL_OBJECTID.XCN_OID_RSA_challengePwd);
        //objChallengeObjectId.InitializeFromValue("1.2.840.113549.1.9.7");

        objObjectIdChallenge.InitializeFromValue("1.2.840.113549.1.9.7");
        // ----- we fail here -----vvvv
        objX509ExtensionChallenge.Initialize(objObjectIdChallenge, 16, "Test"); // XCN_CRYPT_STRING_TEXT = 16
        objRequest.X509Extensions.Add(objX509ExtensionChallenge);

        /* enroll */
        objEnroll.InitializeFromRequest(objRequest);
        $("#pkcs10").val(objEnroll.CreateRequest(3)); // XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3

Can someone confirm what I am doing wrong in the objX509ExtensionChallenge.Initialize() call that would make this fail?

Edit 1:

Changing the code as follows avoids the invalid parameter error, but there is no 1.2.840.113549.1.9.7 OID in the resulting CSR:

        objObjectIdChallenge.InitializeFromValue("1.2.840.113549.1.9.7");
        objX509ExtensionChallenge.Initialize(objObjectIdChallenge, 6, window.btoa('Hello, world')); // XCN_CRYPT_STRING_BASE64_ANY = 6
        objRequest.X509Extensions.Add(objX509ExtensionChallenge);

The resulting certificate request is as follows:

Certificate Request:
Data:
    Version: 0 (0x0)
    Subject: CN=Test1
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (1024 bit)
            Modulus:
                00:b6:c3:95:a4:89:81:97:1c:5c:6c:9c:e6:53:a8:
                11:37:7e:0e:b7:1b:f9:a7:25:54:5b:1d:c9:15:38:
                6c:81:1e:1a:11:8f:34:e8:65:ac:8e:e5:76:e3:9b:
                ff:d1:ab:af:1d:31:66:a3:71:db:04:5b:88:c6:b0:
                1f:84:8e:88:9d:63:25:e9:cb:b7:3a:3d:35:08:5a:
                b1:d1:1e:f7:ba:08:1f:42:d9:b6:73:12:47:99:5f:
                56:55:9c:fa:cd:ba:ba:fb:ca:9e:57:a3:79:d2:96:
                e8:ac:cc:0e:05:ab:04:bf:91:c2:9a:7d:59:b6:33:
                0e:e0:ea:89:c5:b8:83:19:cd
            Exponent: 65537 (0x10001)
    Attributes:
        1.3.6.1.4.1.311.13.2.3   :10.0.17134.2
        1.3.6.1.4.1.311.21.20    :unable to print attribute
        1.3.6.1.4.1.311.13.2.2   :unable to print attribute
    Requested Extensions:
        X509v3 Extended Key Usage: 
            TLS Web Client Authentication
        X509v3 Subject Key Identifier: 
            C8:CC:FE:D9:28:AB:DD:CD:EE:70:88:AB:33:8B:58:22:51:AA:63:C3
        X509v3 Key Usage: critical
            Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
     74:29:c8:79:74:1d:64:be:2a:ce:c6:0c:91:f1:36:70:c5:42:
     15:c0:60:13:ba:64:ff:e3:f1:fc:fa:8d:55:5e:7a:0a:6e:96:
     2d:bf:6b:69:6e:1b:57:cb:55:cb:f9:c7:63:de:85:be:51:d0:
     32:94:88:05:49:44:72:6c:81:ba:28:35:b3:4a:55:db:1d:06:
     5d:1a:5d:88:cf:48:0c:5e:91:22:ae:9f:76:5c:b6:9c:00:7b:
     4d:f5:60:06:c3:5c:59:b5:43:27:d8:76:ff:85:c3:09:46:c7:
     a4:0a:6a:09:ca:45:37:f7:bd:07:4b:22:bb:33:e7:bd:25:23:
     13:82
javascript
internet-explorer
certenroll
asked on Stack Overflow Apr 3, 2019 by Graham Leggett • edited Apr 4, 2019 by Graham Leggett

3 Answers

0

Please check the CX509ExtensionClass.Initialize(CObjectId, EncodingType, String) Method:

public virtual void Initialize (Microsoft.Hpc.Scheduler.Store.CObjectId pObjectId, Microsoft.Hpc.Scheduler.Store.EncodingType Encoding, string strEncodedData);

From this article, we can see the EncodingType doesn't contain "XCN_CRYPT_STRING_TEXT", you could try to use "XCN_CRYPT_STRING_ANY". Besides, please check the third parameter, it is an encoded string data.

Here is a related thread; you could refer to it.

answered on Stack Overflow Apr 4, 2019 by Zhi Lv - MSFT
0

According to the links below, the ChallengePassword is not included in the supported attributes and extensions of PKCS10:

https://docs.microsoft.com/en-us/windows/desktop/seccertenroll/supported-attributes https://docs.microsoft.com/en-us/windows/desktop/seccertenroll/supported-extensions

And this OID doesn't appear in the sample request shown below:

https://docs.microsoft.com/en-us/windows/desktop/seccertenroll/pkcs--10-request

answered on Stack Overflow Apr 8, 2019 by DevPreSupport_MSFT
0

You could try the IX509CertificateRequestPkcs10V3 interface in certenroll.dll.

I believe your specific problem is that the 'challengePassword' is not added as an X509 extension attribute but rather as a direct attribute to the PKCS#10 structure. X509 certificate extensions are a specific 'extensionRequest' attribute of a PKCS#10 certificate request. So instead of the IX509Extension interface, you could try the IX509Attribute interface.

I apologize, but I don't know the details of accessing these interfaces from JavaScript in IE11.

answered on Stack Overflow Sep 3, 2019 by Andy Schmidt
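The structural point made in this answer, and the "encoded string data" point made in the first answer, can be seen directly in DER. The following is an added example, not code from the question or any of the answers: it encodes the challengePassword attribute (OID 1.2.840.113549.1.9.7) as a top-level PKCS#10 Attribute, encodes an extensionRequest attribute (OID 1.2.840.113549.1.9.14) for contrast, since that is the attribute inside which "X.509 extensions" such as the EKU from the question actually travel, and decodes the result back. It is plain Node.js and touches no CertEnroll object; the CertEnroll wiring in the trailing comment (CX509Attribute, CryptAttributes, XCN_CRYPT_STRING_BASE64 = 1) is my assumption about how the base64 would be handed over in IE11 and is not confirmed by the page.

```javascript
// Added example (not from the question or the answers): PKCS#10 Attribute DER
// for challengePassword versus extensionRequest, encoded and decoded in Node.js.
const CHALLENGE_PASSWORD_OID = '1.2.840.113549.1.9.7';
const EXTENSION_REQUEST_OID = '1.2.840.113549.1.9.14';
const EXT_KEY_USAGE_OID = '2.5.29.37';
const CLIENT_AUTH_OID = '1.3.6.1.5.5.7.3.2';

// --- minimal DER encoder ----------------------------------------------------
function derLength(n) {                       // short or long length form
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  while (n > 0) { bytes.unshift(n & 0xff); n >>>= 8; }
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}
function derTlv(tag, content) {
  return Buffer.concat([Buffer.from([tag]), derLength(content.length), content]);
}
function derOid(oid) {                        // base-128 arc encoding
  const arcs = oid.split('.').map(Number);
  const body = [arcs[0] * 40 + arcs[1]];
  for (const arc of arcs.slice(2)) {
    const group = [arc & 0x7f];
    for (let v = arc >>> 7; v > 0; v >>>= 7) group.unshift(0x80 | (v & 0x7f));
    body.push(...group);
  }
  return derTlv(0x06, Buffer.from(body));
}

// challengePassword value is a DirectoryString (PKCS#9): PrintableString when
// the character set allows it, UTF8String otherwise.
function challengePasswordValue(password) {
  const printable = /^[A-Za-z0-9 '()+,\-./:=?]*$/.test(password);
  return derTlv(printable ? 0x13 : 0x0c, Buffer.from(password, 'utf8'));
}

// Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }
function encodeAttribute(oid, valueDer) {
  return derTlv(0x30, Buffer.concat([derOid(oid), derTlv(0x31, valueDer)]));
}
function encodeChallengePasswordAttribute(password) {
  return encodeAttribute(CHALLENGE_PASSWORD_OID, challengePasswordValue(password));
}
// extensionRequest carries Extensions ::= SEQUENCE OF Extension, where
// Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
function encodeExtensionRequestAttribute(extensions) {
  const exts = extensions.map((e) => derTlv(0x30, Buffer.concat([
    derOid(e.oid),
    ...(e.critical ? [Buffer.from([0x01, 0x01, 0xff])] : []),
    derTlv(0x04, e.valueDer),
  ])));
  return encodeAttribute(EXTENSION_REQUEST_OID, derTlv(0x30, Buffer.concat(exts)));
}

// --- minimal DER reader, enough to inspect an Attribute ----------------------
function readTlv(buf, offset) {
  const tag = buf[offset];
  let len = buf[offset + 1];
  let pos = offset + 2;
  if (len & 0x80) {                           // long length form
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[pos++];
  }
  return { tag, content: buf.subarray(pos, pos + len), next: pos + len };
}
function decodeOid(content) {
  const arcs = [Math.floor(content[0] / 40), content[0] % 40];
  let v = 0;
  for (let i = 1; i < content.length; i++) {
    v = (v << 7) | (content[i] & 0x7f);
    if (!(content[i] & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join('.');
}
function decodeAttribute(der) {
  const seq = readTlv(der, 0);
  if (seq.tag !== 0x30) throw new Error('Attribute must be a SEQUENCE');
  const oidTlv = readTlv(seq.content, 0);
  const setTlv = readTlv(seq.content, oidTlv.next);
  if (setTlv.tag !== 0x31) throw new Error('attribute values must be a SET OF');
  const values = [];
  for (let pos = 0; pos < setTlv.content.length;) {
    const v = readTlv(setTlv.content, pos);
    values.push({ tag: v.tag, text: v.content.toString('utf8') });
    pos = v.next;
  }
  return { oid: decodeOid(oidTlv.content), values };
}

// Demo: both attributes as they would sit side by side in CertificationRequestInfo.attributes.
const cpAttr = encodeChallengePasswordAttribute('Test');
const erAttr = encodeExtensionRequestAttribute([
  { oid: EXT_KEY_USAGE_OID, critical: false, valueDer: derTlv(0x30, derOid(CLIENT_AUTH_OID)) },
]);
console.log('challengePassword attribute:', cpAttr.toString('hex'), decodeAttribute(cpAttr));
console.log('extensionRequest attribute: ', erAttr.toString('hex'), decodeAttribute(erAttr));
// Assumed IE11 hand-over (not verified on the page; XCN_CRYPT_STRING_BASE64 = 1):
//   var objAttr = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Attribute");
//   objAttr.Initialize(objObjectIdChallenge, 1, challengePasswordValue("Test").toString('base64'));
//   objRequest.CryptAttributes.Add(objAttr);
```

Two things to take from the output. First, the openssl dump in the question already shows the split this answer describes: the 1.3.6.1.4.1.311.* entries are listed under "Attributes", while the EKU appears under "Requested Extensions" because it lives inside the 1.2.840.113549.1.9.14 attribute; a challengePassword belongs in the first group, which is why adding it through X509Extensions can never produce it. Second, an "encoded" parameter means base64 of a DER value, so window.btoa('Hello, world') in Edit 1 hands CertEnroll base64 of raw text rather than of a PrintableString, which is consistent with the OID silently not appearing. Whether CX509Attribute.Initialize wants the bare value or the SET OF wrapper is not settled by the page; both are available from the functions above.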

User contributions licensed under CC BY-SA 3.0