From 81fc2d83fa06c11d9f2f07529576dc7f560838ec Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 12 Jan 2016 16:12:50 +1100
Subject: [PATCH] Import certs as DER-encoded X.509 in Chrome

For certificate import, Google Chrome only handles DER-encoded X.509 certificate. We are export DER-encoded PKCS #7 chain by default, which Chrome does not recognise. Update client-side Javascript to append 'importCAChain=false' query param on Chrome only, so that the certificate will be retrieved in a supported format.

Fixes: https://fedorahosted.org/pki/ticket/1245
---
 .../webapps/ca/admin/ca/EnrollSuccess.template | 9 ++++--
 .../webapps/ca/agent/ca/EnrollSuccess.template | 9 ++++--
 .../webapps/ca/agent/ca/displayBySerial.template | 4 +++
 .../ca/agent/ca/displayCertFromRequest.template | 7 ++++-
 .../shared/webapps/ca/ee/ca/EnrollSuccess.template | 21 +++++++++++--
 .../shared/webapps/ca/ee/ca/ProfileSubmit.template | 4 +++
 .../webapps/ca/ee/ca/RenewalSuccess.template | 34 ++++++++++++++++++----
 .../webapps/ca/ee/ca/displayBySerial.template | 4 +++
 .../ca/ee/ca/displayCertFromRequest.template | 7 ++++-
 .../kra/agent/kra/displayBySerial2.template | 4 +++
 10 files changed, 88 insertions(+), 15 deletions(-)

diff --git a/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template b/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template
index d3709831e9f9c1bba686fb5f45adec01a7e82e28..9fdfdd614e8ef62cf5ff35b1b4546bf61338069b 100644
--- a/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template
+++ b/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template
@@ -180,8 +180,13 @@ if (navigator.appName == 'Netscape' && } else if (navigator.appName == 'Netscape' && typeof(crypto.version) == "undefined") { // non Cartman - window.location = result.fixed.scheme + "://" + result.fixed.host + ":" -+ result.fixed.port + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true"; + var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port + + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true"; + if (navigator.userAgent.indexOf("Chrome") != -1) { + // Chrome cannot handle PKCS #7; only DER-encoded X.509 + loc = loc + '&importCAChain=false'; + } + window.location = loc; } diff --git a/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template b/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template index 08bcd5240af0bbdcd01a0af441d83cddc7313db6..b627af22d9a943babc27bc15e46755dd98319db2 100644 --- a/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template +++ b/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template @@ -154,8 +154,13 @@ if (navigator.appName == 'Netscape' && } else if (navigator.appName == 'Netscape' && typeof(crypto.version) == "undefined") { // non Cartman - window.location = result.fixed.scheme + "://" + result.fixed.host + ":" -+ result.fixed.port + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true"; + var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port + + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true"; + if (navigator.userAgent.indexOf("Chrome") != -1) { + // Chrome cannot handle PKCS #7; only DER-encoded X.509 + loc = loc + '&importCAChain=false'; + } + window.location = loc; } diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template index 3b58a47790dd9e99dbcdeb5fc520d5c3dd0eeec6..0ab5b7cb46ef7012459cc96dab1fbe035b137914 100644 
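Review bot: The Chrome detection `navigator.userAgent.indexOf("Chrome") != -1` added under the `// non Cartman` branch is a user-agent substring test, so it also fires for any browser that advertises "Chrome" in its UA string, and the identical block is repeated in the agent EnrollSuccess, displayBySerial, displayCertFromRequest, ee EnrollSuccess and ProfileSubmit hunks. Since there is no feature to probe for the import format, a sniff is acceptable, but the comment should state the consequence of the parameter rather than only Chrome's limitation: judging by its name, `importCAChain=false` presumably drops the issuing chain from the response, so Chrome users receive the end-entity certificate alone. Suggested wording at each site: `// Chrome imports only a bare DER X.509 cert; ask the CA for the cert alone, without the PKCS #7 chain`. The enclosing script block begins before the hunk.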
--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template +++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template @@ -273,6 +273,10 @@ if (navigator.appName == "Netscape") { if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") { loc = loc + '&cmmfResponse=true'; } + else if (navigator.userAgent.indexOf("Chrome") != -1) { + // Chrome cannot handle PKCS #7; only DER-encoded X.509 + loc = loc + '&importCAChain=false'; + } } if (result.header.noCertImport != null && result.header.noCertImport == false) { document.write('
\n'+ diff --git a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template index f1148570c5e1cd3c251ee64008228da2e710b421..eb8451a5eaf1515a93df14ddf641ce06259eb647 100644 --- a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template +++ b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template @@ -133,8 +133,13 @@ function importCertificates(numCerts, requestId) if (navigator.appName == "Netscape") { if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") loc = loc+'&cmmfResponse=true'; - else + else { loc = loc + '&importCert=true'; + if (navigator.userAgent.indexOf("Chrome") != -1) { + // Chrome cannot handle PKCS #7; only DER-encoded X.509 + loc = loc + '&importCAChain=false'; + } + } } document.writeln('
'); diff --git a/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template b/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template index 771c6fb1b8898fe11dc674062da75c5ab5fc9261..4871322b50209641647455dbef96aa51b67500e4 100644 --- a/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template +++ b/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template @@ -140,9 +140,14 @@ if (navigator.appName == 'Netscape' && (navMajorVersion() > 3) && } else { for (var i = 0; i < result.recordSet.length; i++) { if (result.recordSet[i].serialNo != null) { - window.location = result.fixed.scheme + "://" + result.fixed.host + ":" + + var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port + "/ee/getBySerial?serialNumber=" + record.recordSet[i].serialNo + "&importCert=true"; + if (navigator.userAgent.indexOf("Chrome") != -1) { + // Chrome cannot handle PKCS #7; only DER-encoded X.509 + loc = loc + '&importCAChain=false'; + } + window.location = loc; } } if (result.recordSet.length > 0) 
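Review bot: In importCertificates the first arm of the `if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined")` test is still a brace-less single statement while the new `else` arm gained braces and a nested `if`; the asymmetric form is easy to misread when the next statement is added to the first arm. Brace both arms: `if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") {` / `loc = loc + '&cmmfResponse=true';` / `} else {`. importCertificates starts before the hunk and continues past it.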
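Review bot: `var loc` is declared inside the `for` body of the recordSet loop; `var` is function-scoped, so the declaration is hoisted anyway and the per-iteration `window.location = loc` keeps the old behaviour of navigating on every record. Declaring `var loc;` once above the loop and assigning inside makes the scope explicit. The same loop reads `record.recordSet[i].serialNo` on an unchanged line while its guard tested `result.recordSet[i].serialNo`; unless `record` aliases `result` somewhere outside the hunk, the serial number is taken from a different object than the one that was null-checked, which is worth confirming while touching this line. The enclosing `if`/`else` chain begins before the hunk.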
@@ -153,18 +158,28 @@ if (navigator.appName == 'Netscape' && (navMajorVersion() > 3) && // non Cartman for (var i = 0; i < result.recordSet.length; i++) { if (result.recordSet[i].serialNo != null) { - window.location = result.fixed.scheme + "://" + result.fixed.host + ":" + + var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port + "/ee/getBySerial?serialNumber=" + record.recordSet[i].serialNo + "&importCert=true"; + if (navigator.userAgent.indexOf("Chrome") != -1) { + // Chrome cannot handle PKCS #7; only DER-encoded X.509 + loc = loc + '&importCAChain=false'; + } + window.location = loc; } } if (result.recordSet.length > 0) alert("Your cert has been imported into the browser!"); } else { // this must be a RA - window.location = result.fixed.scheme + "://" + result.fixed.host + ":" + + var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port + "/getCertFromRequest?requestId=" + result.fixed.requestId + "&importCert=true"; + if (navigator.userAgent.indexOf("Chrome") != -1) { + // Chrome cannot handle PKCS #7; only DER-encoded X.509 + loc = loc + '&importCAChain=false'; + } + window.location = loc; alert("Your cert has been imported into the browser!"); } } diff --git a/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template b/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template index ce1ec122e726ac4986e79151413e4836ef5021fd..e32dd8f5e58b3ce47dad0e304d3c210adbc3cb89 100644 --- a/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template +++ b/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template @@ -87,6 +87,10 @@ for (var i = 0; i < outputListSet.length; i++) { if (autoImport == 'true') { // only support one certificate import var loc = "getCertFromRequest?requestId="+ requestListSet[i].requestId + "&importCert=true"; + if (navigator.userAgent.indexOf("Chrome") != -1) { + // Chrome cannot handle PKCS #7; only DER-encoded X.509 + loc = loc + '&importCAChain=false'; + } document.write("
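Review bot: This hunk declares `var loc` twice in what appears to be one function scope (inside the `for` over recordSet and again in the `// this must be a RA` else branch), and together with the @@ -140 hunk the same Chrome test and `&importCAChain=false` append now appear three times in this template. A single helper defined once in the template and called at each `window.location =` site keeps the browser rule in one place; the loop bodies and the RA branch then reduce to building the base URL and calling it. The enclosing `if`/`else` chain and its function start before the hunk.
```javascript
// Chrome presumably accepts only a bare DER X.509 cert, so ask the CA
// for the cert without the PKCS #7 chain on that browser.
function certImportUrl(loc) {
  if (navigator.userAgent.indexOf("Chrome") != -1) {
    loc = loc + '&importCAChain=false';
  }
  return loc;
}
// … unchanged: recordSet loop building loc from result.fixed.* …
window.location = certImportUrl(loc);
```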