最后得到了这个工作(以及下一个SCEP相关的头痛!):
原始代码中的问题概述:
收件人必须是签署请求的证书:p7Message.certificates[0]
SCEP定义了一些必须存在的Authenticated属性。其中,必须将原始请求中的transactionID和senderNonce发回(senderNonce以recipientNonce的形式发回)
更新了工作代码:
以下是一些更新和&工作代码(请注意,仍有一些缺失的检查需要实现验证/等。)
function pkiOperationScepOperationHandler(req, reply) {
//
// |req.query.message| should contain a Base64 encoded PKCS#7 package.
// The SignedData portion is PKCS#7 EnvelopedData encrypted with the CA
// public key we gave the client in GetCACert. Once decrypted, we have
// ourselves the client's CSR.
//
if(!req.query.message) {
return reply('The CA could not validate the request').code(403);
}
try {
const msgBuffer = new Buffer(req.query.message, 'base64');
const p7Message = forge.pkcs7.messageFromAsn1(
forge.asn1.fromDer(
forge.util.createBuffer(msgBuffer, 'binary')
)
);
// :TODO: Validate integrity
// :TODO: Validated signing
//
// The outter PKCS#7 signed data must contain authenticated
// attributes for transactionID and senderNonce. We will use these
// in our reply back as part of the SCEP spec.
//
const oids = forge.pki.oids;
let origTransactionId = p7Message.rawCapture.authenticatedAttributes.find( attr => {
const oid = forge.asn1.derToOid(attr.value[0].value);
return ('2.16.840.1.113733.1.9.7' === oid); // transactionID
});
if(!origTransactionId) {
return reply('Invalid request payload').code(403);
}
origTransactionId = origTransactionId.value[1].value[0].value; // PrintableString
let origSenderNonce = p7Message.rawCapture.authenticatedAttributes.find( attr => {
const oid = forge.asn1.derToOid(attr.value[0].value);
return ('2.16.840.1.113733.1.9.5' === oid); // senderNonce
});
if(!origSenderNonce) {
return reply('Invalid request payload').code(403);
}
origSenderNonce = origSenderNonce.value[1].value[0].value; // OctetString
const p7EnvelopedData = forge.pkcs7.messageFromAsn1(
forge.asn1.fromDer(
forge.util.createBuffer(new Buffer(p7Message.rawCapture.content.value[0].value[0].value, 'binary'), 'binary')
)
);
// decrypt using our key
p7EnvelopedData.decrypt(p7EnvelopedData.recipients[0], conf.serverConfig.caPrivateKey);
// p7EnvelopedData should contain a PKCS#10 CSR
const csrDataBuffer = new Buffer(p7EnvelopedData.content.getBytes(), 'binary');
const csr = forge.pki.certificationRequestFromAsn1(
forge.asn1.fromDer(
forge.util.createBuffer(csrDataBuffer, 'binary')
),
true // computeHash
);
//
// Create a new cert based on the CSR and sign it
//
// See https://github.com/digitalbazaar/forge/issues/154
//
const signedCert = forge.pki.createCertificate();
signedCert.serialNumber = Date.now().toString();
signedCert.validity.notBefore = new Date();
signedCert.validity.notAfter = new Date();
// expires one year from now (client should contact us before then to renew)
signedCert.validity.notAfter.setFullYear(signedCert.validity.notBefore.getFullYear() + 1);
signedCert.setSubject(csr.subject.attributes);
signedCert.setIssuer(conf.serverConfig.caCert.subject.attributes);
// :TODO: Really, this should come from requested extensions in the CSR
signedCert.setExtensions([
{
name : 'keyUsage',
digitalSignature : true,
keyEncipherment : true,
critical : true,
}
]);
signedCert.publicKey = csr.publicKey;
signedCert.sign(conf.serverConfig.caPrivateKey);
req.log( ['trace' ], { message : 'Signed CSR certificate', cert : forge.pki.certificateToPem(signedCert) } );
const degenerate = forge.pkcs7.createSignedData();
degenerate.addCertificate(signedCert);
degenerate.sign();
const enveloped = forge.pkcs7.createEnvelopedData();
// Recipient is the original requester cert
enveloped.addRecipient(p7Message.certificates[0]);
enveloped.content = forge.asn1.toDer(degenerate.toAsn1());
enveloped.encryptedContent.algorithm = forge.pki.oids['des-EDE3-CBC']; // We set this in GetCACaps
enveloped.encrypt();
// Package up everything in PKCS#7 signed (by us) data
const signed = forge.pkcs7.createSignedData();
signed.addSigner({
key : conf.serverConfig.caPrivateKey,
certificate : conf.serverConfig.caCert,
digestAlgorithm : forge.pki.oids.sha1,
authenticatedAttributes : [
{
type : forge.pki.oids.contentType,
value : forge.pki.oids.data
},
{
type: forge.pki.oids.messageDigest
},
{
type: forge.pki.oids.signingTime,
},
{
name : 'transactionID',
type : '2.16.840.1.113733.1.9.7',
rawValue : forge.asn1.create(
forge.asn1.Class.UNIVERSAL,
forge.asn1.Type.PRINTABLESTRING,
false,
origTransactionId
),
},
{
name : 'messageType',
type : '2.16.840.1.113733.1.9.2',
rawValue : forge.asn1.create(
forge.asn1.Class.UNIVERSAL,
forge.asn1.Type.PRINTABLESTRING,
false,
'3' // CertRep
),
},
{
name : 'senderNonce',
type : '2.16.840.1.113733.1.9.5',
rawValue : forge.asn1.create(
forge.asn1.Class.UNIVERSAL,
forge.asn1.Type.OCTETSTRING,
false,
forge.util.createBuffer(forge.random.getBytes(16)).bytes()
),
},
{
name : 'recipientNonce',
type : '2.16.840.1.113733.1.9.6',
rawValue : forge.asn1.create(
forge.asn1.Class.UNIVERSAL,
forge.asn1.Type.OCTETSTRING,
false,
origSenderNonce),
},
{
name : 'pkiStatus',
type : '2.16.840.1.113733.1.9.3',
rawValue : forge.asn1.create(
forge.asn1.Class.UNIVERSAL,
forge.asn1.Type.PRINTABLESTRING,
false,
'0' // SUCCESS
),
}
]
});
signed.content = forge.asn1.toDer(enveloped.toAsn1());
signed.sign();
const signedDer = new Buffer(forge.asn1.toDer(signed.toAsn1()).getBytes(), 'binary');
return reply(signedDer).bytes(signedDer.length).type('application/x-pki-message');
} catch(e) {
req.log( ['error' ], { message : e.toString() } );
return reply('The CA could not validate the request').code(403);
}
}
这需要几天才能做对。希望它对某人有帮助!