bug 964: Completely reimplement the IE key generation
authorMichael Tänzer <neo@nhng.de>
Mon, 23 Jul 2012 16:36:20 +0000 (18:36 +0200)
committerMichael Tänzer <neo@nhng.de>
Mon, 23 Jul 2012 16:36:20 +0000 (18:36 +0200)
Signed-off-by: Michael Tänzer <neo@nhng.de>
includes/keygen.php
locale/Makefile
www/keygenIE.js [new file with mode: 0644]

index fcbc48c..414b087 100644 (file)
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */ 
 
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */ 
 
-if (array_key_exists('HTTP_USER_AGENT',$_SERVER) && 
-        strstr($_SERVER['HTTP_USER_AGENT'], "MSIE")) { ?>
-    <object
-        classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"
-        codebase="/xenroll.cab#Version=5,131,3659,0"
-        id="cec"
-    >
-        <?=_("You must enable ActiveX for this to work. On Vista you have to add this website to the list of trusted sites in the internet-settings.")?>
-        <?=_("Go to Extras->Internet Options->Security->Trusted Websites, click on Custom Level, check ActiveX control elements that are not marked as safe initialized on start in scripts")?>
-    </object>
-    
-    <form method="post" action="account.php" name="CertReqForm">
-        <p><input type="hidden" name="session" value="UsedXenroll">
-        <?=_("Key Strength:")?> <select name="CspProvider"></select></p>
-        
-        <p>Select Keysize: <select name="keySize" id="keySize">
-            <option value="2048" selected="selected">2048</option>
-            <option value="3072">3072</option>
-            <option value="4096">4096</option>
-        </select></p>
-        
-        <input type="hidden" name="oldid" value="<?=$id?>">
-        <INPUT TYPE=HIDDEN NAME="CSR">
-        <input type="hidden" name="keytype" value="MS">
-        <p><input type="submit" name="GenReq" value="Create Certificate"></p>
-    </form>
-    
-    <script type="text/vbscript" language="vbscript">
-<!--
-Function GetProviderList()
-    Dim CspList, cspIndex, ProviderName
-    On Error Resume Next
-    
-    count = 0
-    base = 0
-    enhanced = 0
-    CspList = ""
-    ProviderName = ""
-    
-    // Vista:
-    Set csps = CreateObject("X509Enrollment.CCspInformations")
-    If IsObject(csps) Then
-        csps.AddAvailableCsps()
-        Document.CertReqForm.keytype.value="VI"
-        For j = 0 to csps.Count-1
-            Set oOption = document.createElement("OPTION")
-            oOption.text = csps.ItemByIndex(j).Name
-            oOption.value = j
-            Document.CertReqForm.CspProvider.add(oOption)
-        Next
-    
-    Else
-        
-        // 2000,XP:
-        
-        For ProvType = 0 to 13
-            cspIndex = 0
-            cec.ProviderType = ProvType
-            ProviderName = cec.enumProviders(cspIndex,0)
-            
-            while ProviderName <> ""
-                Set oOption = document.createElement("OPTION")
-                oOption.text = ProviderName
-                oOption.value = ProvType
-                Document.CertReqForm.CspProvider.add(oOption)
-                if ProviderName = "Microsoft Base Cryptographic Provider v1.0" Then
-                    base = count
-                end if
-                if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
-                    enhanced = count
-                end if
-                cspIndex = cspIndex +1
-                ProviderName = ""
-                ProviderName = cec.enumProviders(cspIndex,0)
-                count = count + 1
-            wend
-        Next
-        Document.CertReqForm.CspProvider.selectedIndex = base
-        if enhanced then
-            Document.CertReqForm.CspProvider.selectedIndex = enhanced
-        end if
-    End If
-End Function
-
-Function CSR(keyflags)
-    CSR = ""
-    szName  = ""
-    
-    
-    // Vista
-    if Document.CertReqForm.keytype.value="VI" Then
-        Dim g_objClassFactory
-        Dim obj
-        Dim objPrivateKey
-        Dim g_objRequest
-        Dim g_objRequestCMC
-        
-        Set g_objClassFactory = CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")
-        Set obj = g_objClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
-        Set objPrivateKey = g_objClassFactory.CreateObject("X509Enrollment.CX509PrivateKey")
-        Set objRequest = g_objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
-        //Msgbox     exit function
-        objPrivateKey.ProviderName = Document.CertReqForm.CspProvider(Document.CertReqForm.CspProvider.selectedIndex).text
-        // "Microsoft Enhanced RSA and AES Cryptographic Provider"
-        objPrivateKey.ProviderType = "24"
-        objPrivateKey.KeySpec = "1"
-        objPrivateKey.ExportPolicy = 1
-        select case Document.CertReqForm.keySize
-            case "3072"
-                objPrivateKey.Length = &h0C000000
-            case "4096"
-                objPrivateKey.Length = &h10000000
-            case else
-                objPrivateKey.Length = &h08000000
-        end select
-        objRequest.InitializeFromPrivateKey 1, objPrivateKey, ""
-        Set objDN = g_objClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName")
-        objDN.Encode("CN=CAcertRequest")
-        objRequest.Subject = objDN
-        
-        //  obj.Initialize(1)
-        obj.InitializeFromRequest(objRequest)
-        obj.CertificateDescription = "Description"
-        obj.CertificateFriendlyName = "FriendlyName"
-        CSR = obj.CreateRequest(1)
-        If len(CSR)<>0 Then Exit Function
-        Msgbox "<?=_("Error while generating the certificate-request. Please make sure that you have added this website to the list of trusted sites in the Internet-Options menu!")?>"
-        
-    else
-        // XP
-        Dim lngAltKeyFlag 
-        
-        cec.HashAlgorithm = "MD5"
-        err.clear
-        On Error Resume Next
-        set options = document.all.CspProvider.options
-        index = options.selectedIndex
-        cec.providerName = options(index).text
-        tmpProviderType = options(index).value
-        cec.providerType = tmpProviderType
-        cec.KeySpec = 2
-        if tmpProviderType < 2 Then
-            cec.KeySpec = 1
-        end if
-        
-        select case Document.CertReqForm.keySize
-            case "3072"
-                cec.GenKeyFlags = &h0C000001
-                lngAltKeyFLag = &h0C000000
-            case "4096"
-                cec.GenKeyFlags = &h10000001
-                lngAltKeyFLag = &h10000000
-            case else
-                cec.GenKeyFlags = &h08000001
-                lngAltKeyFLag = &h08000000
-        end select
-        CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-        if len(CSR)<>0 then Exit Function
-        cec.GenKeyFlags = lngAltKeyFLag
-        CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-        if len(CSR)<>0 then Exit Function
-        if cec.providerName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
-            if MsgBox("<?=_("The high encryption key generation failed. Would you like to try 512 instead?")?>", vbOkCancel)=vbOk Then
-                cec.providerName = "Microsoft Base Cryptographic Provider v1.0"
-            else
-                Exit Function
-            end if
-        end if
-        cec.GenKeyFlags = 1 OR keyflags
-        CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-        if len(CSR)<>0 then Exit Function
-        cec.GenKeyFlags = keyflags
-        CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-        if len(CSR)<>0 then Exit Function
-        cec.GenKeyFlags = 0
-        CSR = cec.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-    End if
-End Function
-
-Sub GenReq_OnClick
-    Dim TheForm
-    Set TheForm = Document.CertReqForm
-    err.clear
-    result = CSR(2)
-    if len(result)=0 Then
-        result = MsgBox("Unable to generate PKCS#10.", 0, "Alert")
-        Exit Sub
-    end if
-    TheForm.CSR.Value = result
-    TheForm.Submit
-    Exit Sub
-End Sub
+if (array_key_exists('HTTP_USER_AGENT',$_SERVER) &&
+               strstr($_SERVER['HTTP_USER_AGENT'], "MSIE")) { ?>
+       
+       <noscript>
+               <p><?=_('You have to enable JavaScript to generate certificates in '.
+                               'the browser.')?></p>
+               <p><?=_('If you don\'t want to do that for any reason, you can use '.
+                               'manually created certificate requests instead.')?></p>
+       </noscript>
+       
+       <div id="noActiveX" style="color:red">
+               <p><?=_('Could not initialize ActiveX object required for certificate '.
+                               'generation.')?></p>
+               <p><?=_('You have to enable ActiveX for this to work. On Windows '.
+                               'Vista, Windows 7 and later versions you have to add this '.
+                               'website to the list of trusted sites in the internet '.
+                               'settings.')?></p>
+               <p><?php
+                       printf(_('Go to "Extras -> Internet Options -> Security -> Trusted '.
+                               'Websites", click on "Custom Level", set "ActiveX control '.
+                               'elements that are not marked as safe initialized on start in '.
+                               'scripts" to "Confirm" and click "OK". Now click "Sites", add '.
+                               '"%s" and "%s" to your list of trusted sites and make the '.
+                               'changes come into effect by clicking "Close" and "OK".'),
+                               'https://'.$_SESSION['_config']['normalhostname'],
+                               'https://'.$_SESSION['_config']['securehostname'])?>
+               </p>
+       </div>
+       
+       <form method="post" style="display:none" action="account.php"
+                       id="CertReqForm">
+               <input type="hidden" name="oldid" value="<?=$id?>" />
+               <input type="hidden" id="CSR" name="CSR" />
+               <input type="hidden" name="keytype" value="MS" />
 
 
-GetProviderList()
--->
-    </script>
+               <p><?=_('Security level')?>:
+                       <select id="SecurityLevel">
+                               <option value="high" selected="selected"><?=_('High')?></option>
+                               <option value="medium"><?=_('Medium')?></option>
+                               <option value="custom"><?=_('Custom')?>&hellip;</option>
+                       </select>
+               </p>
+               
+               <fieldset id="customSettings" style="display:none">
+                       <legend><?=_('Custom Parameters')?></legend>
+                       
+                       <p><?=_('Cryptography Provider')?>:
+                               <select id="CspProvider"></select>
+                       </p>
+                       <p><?=_('Algorithm')?>: <select id="algorithm"></select></p>
+                       <p><?=_('Keysize')?>:
+                               <input id="keySize" type="number" />
+                               <?=_('Minimum Size')?>: <span id="keySizeMin"></span>,
+                               <?=_('Maximum Size')?>: <span id="keySizeMax"></span>,
+                               <?php
+                               // TRANSLATORS: this specifies the step between two valid key
+                               // sizes. E.g. if the step is 512 and the minimum is 1024 and
+                               // the maximum is 2048, then only 1024, 1536 and 2048 bits may
+                               // be specified as key size.
+                               _('Step')?>: <span id="keySizeStep"></span></p>
+                       <p style="color:red"><?php
+                               printf(_('Please note that RSA key sizes smaller than %d bit '.
+                                               'will not be accepted by CAcert.'),
+                                               1024)?>
+                       </p>
+               </fieldset>
+               
+               <p><input type="submit" id="GenReq" name="GenReq"
+                               value="<?=_('Create Certificate')?>" /></p>
+               <p id="generatingKeyNotice" style="display:none">
+                       <?=_('Generating your key. Please wait')?>&hellip;</p>
+       </form>
+       
+               
+       <!-- Error messages used in the JavaScript. Defined here so they can be
+       translated without passing the JavaScript code through PHP -->
+       <p id="createRequestErrorChooseAlgorithm" style="display:none">
+               <?=_('Could not generate certificate request. Probably you need to '.
+                               'choose a different algorithm.')?>
+       </p>
+       <p id="createRequestError" style="display:none">
+               <?=_('Could not generate certificate request.')?>
+       </p>
+       <p id="invalidKeySizeError" style="display:none">
+               <?=_('You have specified an invalid key size')?>
+       </p>
+       <p id="unsupportedPlatformError" style="display:none">
+               <?=_('Could not initialize the cryptographic module for your '.
+                               'platform. Currently we support Microsoft Windows XP, Vista '.
+                               'and 7. If you\'re using one of these platforms and see this '.
+                               'error message anyway you might have to enable ActiveX as '.
+                               'described in the red explanation text and accept loading of '.
+                               'the module.')?>
+       </p>
+       
+       <script type="text/javascript" src="keygenIE.js"></script>
+       
 <? } else { ?>
     <p>
     <form method="post" action="account.php">
 <? } else { ?>
     <p>
     <form method="post" action="account.php">
index 1517066..4215a4f 100644 (file)
@@ -176,7 +176,8 @@ upload.clean: template.clean
 messages.pot: $(GETTEXT_FILES)
        xgettext --output - --sort-by-file --copyright-holder "CAcert Inc." \
                --package-name "CAcert" --package-version "$(VERSION)" \
 messages.pot: $(GETTEXT_FILES)
        xgettext --output - --sort-by-file --copyright-holder "CAcert Inc." \
                --package-name "CAcert" --package-version "$(VERSION)" \
-               --msgid-bugs-address "translations-admin@cacert.org" $^ | \
+               --msgid-bugs-address "translations-admin@cacert.org" \
+               --add-comments=TRANSLATORS $^ | \
                # replace place holders in the lines before the first msgid\
                sed '1,/^msgid/ { s/SOME DESCRIPTIVE TITLE/$(DESCRITPION)/; s/YEAR/$(COPYRIGHT_YEAR)/; s/PACKAGE/$(PACKAGE)/ }' \
                > $@
                # replace place holders in the lines before the first msgid\
                sed '1,/^msgid/ { s/SOME DESCRIPTIVE TITLE/$(DESCRITPION)/; s/YEAR/$(COPYRIGHT_YEAR)/; s/PACKAGE/$(PACKAGE)/ }' \
                > $@
diff --git a/www/keygenIE.js b/www/keygenIE.js
new file mode 100644 (file)
index 0000000..fa4bce6
--- /dev/null
@@ -0,0 +1,603 @@
+var CAcert_keygen_IE = function () {
+       
+       /// Makes a new DOM text node
+       var textnode = function (text) {
+               return document.createTextNode(text);
+       }
+       
+       
+       /// makes a new <p> element
+       var paragraph = function (text) {
+               var paragraph = document.createElement("p");
+               paragraph.appendChild(textnode(text));
+               return paragraph;
+       }
+       
+       
+       /// makes a new <pre> elemtent
+       var pre = function (text) {
+               var pre = document.createElement("pre");
+               pre.appendChild(textnode(text));
+               return pre;
+       }
+       
+       
+       /// makes a new <option> element
+       var option = function (text, value) {
+               var option = document.createElement("option");
+               if (value !== undefined) {
+                       option.setAttribute("value", value);
+               }
+               option.appendChild(textnode(text));
+               return option;
+       }
+       
+       
+       /// Removes all child nodes from the element
+       var removeChildren = function (element) {
+               element.innerHTML = "";
+       }
+       
+       
+       // Get important elements from the DOM
+       var form = document.getElementById("CertReqForm");
+       var securityLevel = document.getElementById("SecurityLevel");
+       var customSettings = document.getElementById("customSettings");
+       var provider = document.getElementById("CspProvider");
+       var algorithm = document.getElementById("algorithm");
+       var algorithmParagraph = document.getElementById("algorithmParagraph");
+       var keySize = document.getElementById("keySize");
+       var keySizeMin = document.getElementById("keySizeMin");
+       var keySizeMax = document.getElementById("keySizeMax");
+       var keySizeStep = document.getElementById("keySizeStep");
+       var genReq = document.getElementById("GenReq");
+       var csr = document.getElementById("CSR");
+       var noActiveX = document.getElementById("noActiveX");
+       var generatingKeyNotice = document.getElementById("generatingKeyNotice");
+       var createRequestErrorChooseAlgorithm = document.getElementById("createRequestErrorChooseAlgorithm");
+       var createRequestError = document.getElementById("createRequestError");
+       var invalidKeySizeError = document.getElementById("invalidKeySizeError");
+       var unsupportedPlatformError = document.getElementById("unsupportedPlatformError");
+       
+       
+       /// Initialise the CertEnroll code (Vista and higher)
+       /// returns false if initialisation fails
+       var initCertEnroll = function () {
+               var factory = null;
+               var providerList = null;
+               var cspStats = null;
+               
+               // Try to initialise the ActiveX element. Requires permissions by the user
+               try {
+                       factory = new ActiveXObject(
+                               "X509Enrollment.CX509EnrollmentWebClassFactory");
+                       if (!factory) {
+                               throw {
+                                       name: "NoObjectError",
+                                       message: "Got null at object creation"
+                               };
+                       }
+                       
+                       // also try to create a useless object here so the library gets
+                       // initialised and we don't need to check everytime later
+                       factory.CreateObject("X509Enrollment.CObjectId");
+                       
+                       form.style.display = "";
+                       noActiveX.style.display = "none";
+               } catch (e) {
+                       return false;
+               }
+               
+               
+               /// Get the selected provider
+               var getProvider = function () {
+                       var providerIndex = provider.options[provider.selectedIndex].value;
+                       return providerList.ItemByIndex(providerIndex);
+               }
+               
+               
+               /// Get the selected algorithm
+               var getAlgorithm = function () {
+                       var algorithmIndex = algorithm.options[algorithm.selectedIndex].value;
+                       return alg = cspStats.ItemByIndex(algorithmIndex).CspAlgorithm;
+               }
+               
+               
+               /// Get the selected key size
+               var getKeySize = function () {
+                       var alg = getAlgorithm();
+                       
+                       var bits = parseInt(keySize.value, 10);
+                       if ( bits < alg.MinLength || bits > alg.MaxLength ||
+                                       (alg.IncrementLength &&
+                                               (bits - alg.MinLength) % alg.IncrementLength !== 0)
+                               )
+                       {
+                               return false;
+                       }
+                       
+                       return bits;
+               }
+               
+               
+               /// Fill the key size list
+               var getKeySizeList = function () {
+                       if (!cspStats) {
+                               return false;
+                       }
+                       
+                       var alg = getAlgorithm();
+                       
+                       // HTML5 attributes
+                       keySize.setAttribute("min", alg.MinLength);
+                       keySize.setAttribute("max", alg.MaxLength);
+                       keySize.setAttribute("step", alg.IncrementLength);
+                       keySize.setAttribute("value", alg.DefaultLength);
+                       keySize.value = ""+alg.DefaultLength;
+                       
+                       // ugly, but buggy otherwise if done with text nodes
+                       keySizeMin.innerHTML = alg.MinLength;
+                       keySizeMax.innerHTML = alg.MaxLength;
+                       keySizeStep.innerHTML = alg.IncrementLength;
+                       
+                       return true;
+               }
+               
+               
+               /// Fill the algorithm list
+               var getAlgorithmList = function () {
+                       var i;
+                       
+                       if (!providerList) {
+                               return false;
+                       }
+                       
+                       var csp = getProvider();
+                       
+                       cspStats = providerList.GetCspStatusesFromOperations(
+                                       0x1c, //XCN_NCRYPT_ANY_ASYMMETRIC_OPERATION
+                                       //0x10, //XCN_NCRYPT_SIGNATURE_OPERATION
+                                       //0x8, //XCN_NCRYPT_SECRET_AGREEMENT_OPERATION
+                                       //0x4, //XCN_NCRYPT_ASYMMETRIC_ENCRYPTION_OPERATION
+                                       csp
+                               );
+                       
+                       removeChildren(algorithm);
+                       for (i = 0; i < cspStats.Count; i++) {
+                               var alg = cspStats.ItemByIndex(i).CspAlgorithm;
+                               algorithm.appendChild(option(alg.Name, i));
+                       }
+                       
+                       return getKeySizeList();
+               }
+               
+               
+               /// Fill the crypto provider list
+               var getProviderList = function () {
+                       var i;
+                       
+                       var csps = factory.CreateObject("X509Enrollment.CCspInformations");
+                       
+                       // Get provider information
+                       csps.AddAvailableCsps();
+                       
+                       removeChildren(provider);
+                       
+                       for (i = 0; i < csps.Count; i++) {
+                               var csp = csps.ItemByIndex(i);
+                               provider.appendChild(option(csp.Name, i));
+                       }
+                       
+                       providerList = csps;
+                       
+                       return getAlgorithmList();
+               }
+               
+               
+               /// Generate a key and create and submit the actual CSR
+               var createCSR = function () {
+                       var providerName, algorithmOid, bits;
+                       
+                       var level = securityLevel.options[securityLevel.selectedIndex];
+                       if (level.value === "custom") {
+                               providerName = getProvider().Name;
+                               var alg = getAlgorithm();
+                               algorithmOid = alg.GetAlgorithmOid(0, 0)
+                               bits = getKeySize();
+                               if (!bits) {
+                                       window.alert(invalidKeySizeError.innerHTML);
+                                       return false;
+                               }
+                               
+                       } else {
+                               
+                               providerName = "Microsoft Software Key Storage Provider";
+                               
+                               algorithmOid = factory.CreateObject("X509Enrollment.CObjectId");
+                               algorithmOid.InitializeFromValue("1.2.840.113549.1.1.1"); // RSA
+                               //"1.2.840.10040.4.1" == DSA
+                               //"1.2.840.10046.2.1" == DH
+                               
+                               if (level.value === "high") {
+                                       bits = 4096;
+                               } else { // medium
+                                       bits = 2048;
+                               }
+                       }
+                       
+                       
+                       var privateKey = factory.CreateObject("X509Enrollment.CX509PrivateKey");
+                       privateKey.ProviderName = providerName;
+                       privateKey.Algorithm = algorithmOid;
+                       privateKey.Length = bits;
+                       privateKey.KeyUsage = 0xffffff; // XCN_NCRYPT_ALLOW_ALL_USAGES
+                       
+                       var request = factory.CreateObject(
+                               "X509Enrollment.CX509CertificateRequestPkcs10");
+                       request.InitializeFromPrivateKey(
+                                       1, // ContextUser
+                                       privateKey,
+                                       "" // don't use a template
+                               );
+                       
+                       var enroll = factory.CreateObject("X509Enrollment.CX509Enrollment");
+                       enroll.InitializeFromRequest(request);
+                       
+                       generatingKeyNotice.style.display = "";
+                       
+                       
+                       // The request needs to be created after we return so the "please wait"
+                       // message gets rendered
+                       var createCSRHandler = function () {
+                               try {
+                                       csr.value = enroll.CreateRequest(0x1); //XCN_CRYPT_STRING_BASE64
+                                       form.submit();
+                               } catch (e) {
+                                       window.alert(createRequestErrorChooseAlgorithm.innerHTML + "\n\nError: " + e.message);
+                               }
+                               
+                               generatingKeyNotice.style.display = "none";
+                       }
+                       
+                       window.setTimeout(createCSRHandler, 0);
+                       
+                       // Always return false, form is submitted by deferred method
+                       return false;
+               }
+               
+               
+               /// Call if securityLevel has changed
+               var refreshSecurityLevel = function () {
+                       var level = securityLevel.options[securityLevel.selectedIndex];
+                       if (level.value === "custom") {
+                               getProviderList();
+                               customSettings.style.display = "";
+                       } else {
+                               customSettings.style.display = "none";
+                       }
+               }
+               
+               securityLevel.onchange = refreshSecurityLevel;
+               provider.onchange = getAlgorithmList;
+               algorithm.onchange = getKeySizeList;
+               genReq.onclick = createCSR;
+               
+               return true;
+       } // end of initCertEnroll()
+       
+       
+       /// Initialise Xenroll code (XP and lower)
+       /// returns false if initialisation fails
+       var initXEnroll = function () {
+               cenroll = null;
+               
+               providerTypes = Array(
+                                1, //PROV_RSA_FULL
+                                2, //PROV_RSA_SIG
+                                3, //PROV_DSS
+                                4, //PROV_FORTEZZA
+                                5, //PROV_MS_EXCHANGE
+                                6, //PROV_SSL
+                               12, //PROV_RSA_SCHANNEL
+                               13, //PROV_DSS_DH
+                               14, //PROV_EC_ECDSA_SIG
+                               15, //PROV_EC_ECNRA_SIG
+                               16, //PROV_EC_ECDSA_FULL
+                               17, //PROV_EC_ECNRA_FULL
+                               18, //PROV_DH_SCHANNEL
+                               20, //PROV_SPYRUS_LYNKS
+                               21, //PROV_RNG
+                               22, //PROV_INTEL_SEC
+                               23, //PROV_REPLACE_OWF
+                               24  //PROV_RSA_AES
+                       );
+               
+               algClasses = Array(
+                               1 << 13, //ALG_CLASS_SIGNATURE
+                               //2 << 13, //ALG_CLASS_MSG_ENCRYPT
+                               //3 << 13, //ALG_CLASS_DATA_ENCRYPT
+                               //4 << 13, //ALG_CLASS_HASH
+                               5 << 13  //ALG_CLASS_KEY_EXCHANGE
+                       );
+               
+               // Try to initialise the ActiveX element.
+               try {
+                       cenroll = new ActiveXObject("CEnroll.CEnroll");
+                       
+                       if (!cenroll) {
+                               throw {
+                                       name: "NoObjectError",
+                                       message: "Got null at object creation"
+                               };
+                       }
+                       
+                       form.style.display = "";
+                       //algorithmParagraph.style.display = "none";
+                       algorithm.disabled = true;
+                       noActiveX.style.display = "none";
+               } catch (e) {
+                       return false;
+               }
+               
+               
+               /// Get the name of the selected provider
+               var getProviderName = function () {
+                       return provider.options[provider.selectedIndex].text;
+               }
+               
+               
+               /// Get the type of the selected provider
+               var getProviderType = function () {
+                       return parseInt(provider.options[provider.selectedIndex].value, 10);
+               }
+               
+               
+               var refreshProvider = function () {
+                       cenroll.ProviderName = getProviderName();
+                       cenroll.ProviderType = getProviderType();
+               }
+               
+               
+               /// Get the ID of the selected algorithm
+               var getAlgorithmId = function () {
+                       return parseInt(
+                                       algorithm.options[algorithm.selectedIndex].value, 10);
+               }
+               
+               
+               /// Minimum bit length for exchange keys
+               var getMinExKeyLength = function () {
+                       refreshProvider();
+                       
+                       try {
+                               return cenroll.GetKeyLen(true, true);
+                       } catch (e) {
+                               return false;
+                       }
+               }
+               
+               
+               /// Maximum bit length for exchange keys
+               var getMaxExKeyLength = function () {
+                       refreshProvider();
+                       
+                       try {
+                               return cenroll.GetKeyLen(false, true);
+                       } catch (e) {
+                               return false;
+                       }
+               }
+               
+               
+               /// Step size for exchange keys
+               /// This might not be available on older platforms
+               var getStepExKeyLength = function () {
+                       refreshProvider();
+                       
+                       try {
+                               return cenroll.GetKeyLenEx(3, 1);
+                       } catch (e) {
+                               return false;
+                       }
+               }
+               
+               
+               /// Minimum bit length for signature keys
+               var getMinSigKeyLength = function () {
+                       refreshProvider();
+                       
+                       try {
+                               return cenroll.GetKeyLen(true, false);
+                       } catch (e) {
+                               return false;
+                       }
+               }
+               
+               
+               /// Maximum bit length for signature keys
+               var getMaxSigKeyLength = function () {
+                       refreshProvider();
+                       
+                       try {
+                               return cenroll.GetKeyLen(false, false);
+                       } catch (e) {
+                               return false;
+                       }
+               }
+               
+               
+               /// Step size for signature keys
+               /// This might not be available on older platforms
+               var getStepSigKeyLength = function () {
+                       refreshProvider();
+                       
+                       try {
+                               return cenroll.GetKeyLenEx(3, 2);
+                       } catch (e) {
+                               return false;
+                       }
+               }
+               
+               
+               /// Get the selected key size
+               var getKeySize = function () {
+                       var bits = parseInt(keySize.value, 10);
+                       //TODO: check if the bits are sane
+                       return bits;
+               }
+               
+               
+               var getKeySizeLimits = function () {
+                       // HTML5 attributes
+                       keySize.setAttribute("min", getMinSigKeyLength());
+                       keySize.setAttribute("max", getMaxSigKeyLength());
+                       if (getStepSigKeyLength()) {
+                               keySize.setAttribute("step", getStepSigKeyLength());
+                       }
+                       //keySize.setAttribute("value", alg.DefaultLength);
+                       //keySize.value = ""+alg.DefaultLength;
+                       
+                       // ugly, but buggy otherwise if done with text nodes
+                       keySizeMin.innerHTML = getMinSigKeyLength();
+                       keySizeMax.innerHTML = getMaxSigKeyLength();
+                       keySizeStep.innerHTML = getStepSigKeyLength();
+                       
+                       return true;
+               }
+               
+               
+               /// Fill the algorithm selection box
+               var getAlgorithmList = function () {
+                       var i, j;
+                       
+                       refreshProvider();
+                       
+                       removeChildren(algorithm);
+                       
+                       for (i = 0; i < algClasses.length; ++i) {
+                               for (j = 0; true; ++j) {
+                                       try {
+                                               var algId = cenroll.EnumAlgs(j, algClasses[i]);
+                                               var algName = cenroll.GetAlgName(algId);
+                                               algorithm.appendChild(option(algName, algId));
+                                       } catch (e) {
+                                               break;
+                                       }
+                               }
+                       }
+                       
+                       getKeySizeLimits();
+               }
+               
+               
+               /// Fill the provider selection box
+               var getProviderList = function () {
+                       var i, j;
+                       
+                       removeChildren(provider);
+                       
+                       for (i = 0; i < providerTypes.length; ++i) {
+                               cenroll.providerType = providerTypes[i];
+                               
+                               var providerName = "invalid";
+                               for (j = 0; true; ++j) {
+                                       try {
+                                               providerName = cenroll.enumProviders(j, 0);
+                                               provider.appendChild(
+                                                               option(providerName, providerTypes[i]));
+                                       } catch (e) {
+                                               break;
+                                       }
+                               }
+                       }
+                       
+                       return getAlgorithmList();
+                       //return getKeySizeLimits();
+               }
+               
+               
+               var createCSR = function () {
+                       var providerName, bits;
+                       
+                       var level = securityLevel.options[securityLevel.selectedIndex];
+                       if (level.value === "custom") {
+                               
+                               refreshProvider();
+                               
+                               bits = getKeySize();
+                               if (bits === false) {
+                                       window.alert(invalidKeySizeError.innerHTML);
+                                       return false;
+                               }
+                               
+                       } else {
+                               
+                               cenroll.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
+                               cenroll.ProviderType = 1; //PROV_RSA_FULL
+                               
+                               if (level.value === "high") {
+                                       bits = 4096;
+                               } else { // medium
+                                       bits = 2048;
+                               }
+                       }
+                       
+                       cenroll.GenKeyFlags = bits << 16; // keysize is encoded in the uper 16 bits
+                       //cenroll.GenKeyFlags = cenroll.GenKeyFlags | 0x1; //CRYPT_EXPORTABLE
+                       
+                       generatingKeyNotice.style.display = "";
+                       
+                       
+                       // The request needs to be created after we return so the "please wait"
+                       // message gets rendered
+                       var createCSRHandler = function () {
+                               try {
+                                       csr.value = cenroll.createPKCS10("", "1.3.6.1.5.5.7.3.2");
+                                       form.submit();
+                               } catch (e) {
+                                       window.alert(createRequestError.innerHTML + "\n\nError: " + e.message + " (" + e.number + ")");
+                               }
+                               
+                               generatingKeyNotice.style.display = "none";
+                               cenroll.Reset();
+                       }
+                       
+                       window.setTimeout(createCSRHandler, 0);
+                       
+                       // Always return false, form is submitted by deferred method
+                       return false;
+               }
+               
+               
+               /// Call if securityLevel has changed
+               var refreshSecurityLevel = function () {
+                       var level = securityLevel.options[securityLevel.selectedIndex];
+                       if (level.value === "custom") {
+                               getProviderList();
+                               customSettings.style.display = "";
+                       } else {
+                               customSettings.style.display = "none";
+                       }
+               }
+               
+               securityLevel.onchange = refreshSecurityLevel;
+               provider.onchange = getAlgorithmList;
+               //provider.onchange = getKeySizeLimits;
+               algorithm.onchange = getKeySizeLimits;
+               genReq.onclick = createCSR;
+               
+               return true;
+       };
+       
+       
+       // Run the init functions until one is successful
+       if (initCertEnroll()) {
+               form.style.display = "";
+               noActiveX.style.display = "none";
+       } else if (initXEnroll()) {
+               form.style.display = "";
+               noActiveX.style.display = "none";
+       } else {
+               window.alert(unsupportedPlatformError.innerHTML);
+       }
+} ();