  • <keygen>

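    Version: deprecated in HTML5

    The HTML <keygen> element exists to facilitate generation of key material and submission of the public key as part of an HTML form. This mechanism is designed for use with Web-based certificate management systems. As envisioned, the <keygen> element is used in an HTML form together with the other information needed to construct a certificate request, and the result of the process is a signed certificate.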

    There is currently discussion among Web browser makers whether to keep this feature or not. Until a decision is reached, it is better to continue to consider this feature as deprecated and going away.

    Content categories: Flow content, phrasing content, interactive content, listed, labelable, submittable, resettable form-associated element.
    Permitted content: None, it is an empty element.
    Tag omission: Must have a start tag and must not have an end tag.
    Permitted parent elements: Any element that accepts phrasing content.
    DOM interface: HTMLKeygenElement

    Attributes

    This element includes the global attributes.

    • autofocus: This Boolean attribute lets you specify that the control should have input focus when the page loads, unless the user overrides it, for example by typing in a different control. Only one form element in a document can have the autofocus attribute, which is a Boolean.
    • challenge: A challenge string that is submitted along with the public key. Defaults to an empty string if not specified.
    • disabled: This Boolean attribute indicates that the form control is not available for interaction.
    • form: The form element that this element is associated with (its form owner). The value of the attribute must be an id of a <form> element in the same document. If this attribute is not specified, this element must be a descendant of a <form> element. This attribute enables you to place <keygen> elements anywhere within a document, not just as descendants of their form elements.
    • keytype: The type of key generated. The default value is RSA.
    • name: The name of the control, which is submitted with the form data.

    The element is written as follows:

    <keygen name="name" challenge="challenge string" keytype="type" keyparams="pqg-params">

    The keytype parameter is used to specify what type of key is to be generated. Valid values are "RSA", which is the default, "DSA" and "EC". The name and challenge attributes are required in all cases. The keytype attribute is optional for RSA key generation and required for DSA and EC key generation. The keyparams attribute is required for DSA and EC key generation and ignored for RSA key generation. PQG is a synonym for keyparams. That is, you may specify keyparams="pqg-params" or pqg="pqg-params".

    For RSA keys, the keyparams parameter is not used (ignored if present). The user may be given a choice of RSA key strengths. Currently, the user is given a choice between "high" strength (2048 bits) and "medium" strength (1024 bits).

    For DSA keys, the keyparams parameter specifies the DSA PQG parameters which are to be used in the keygen process. The value of the pqg parameter is the BASE64 encoded, DER encoded Dss-Parms as specified in IETF RFC 3279. The user may be given a choice of DSA key sizes, allowing the user to choose one of the sizes defined in the DSA standard.

    For EC keys, the keyparams parameter specifies the name of the elliptic curve on which the key will be generated. It is normally a string from the table in nsKeygenHandler.cpp. (Note that only a subset of the curves named there may actually be supported in any particular browser.) If the keyparams parameter string is not a recognized curve name string, then a curve is chosen according to the user's chosen key strength (low, medium, high), using the curve named "secp384r1" for high, and the curve named "secp256r1" for medium keys. (Note: choice of the number of key strengths, default values for each strength, and the UI by which the user is offered a choice, are outside of the scope of this specification.)

    The <keygen> element is only valid within an HTML form. It will cause some sort of selection to be presented to the user for selecting key size. The UI for the selection may be a menu, radio buttons, or possibly something else. The browser presents several possible key strengths. Currently, two strengths are offered, high and medium. If the user's browser is configured to support cryptographic hardware (e.g. "smart cards") the user may also be given a choice of where to generate the key, i.e., in a smart card or in software and stored on disk.

    When the submit button is pressed, a key pair of the selected size is generated. The private key is encrypted and stored in the local key database.

       PublicKeyAndChallenge ::= SEQUENCE {
           spki SubjectPublicKeyInfo,
           challenge IA5STRING
       }
       SignedPublicKeyAndChallenge ::= SEQUENCE {
           publicKeyAndChallenge PublicKeyAndChallenge,
           signatureAlgorithm AlgorithmIdentifier,
           signature BIT STRING
       }
    

    The public key and challenge string are DER encoded as PublicKeyAndChallenge, and then digitally signed with the private key to produce a SignedPublicKeyAndChallenge. The SignedPublicKeyAndChallenge is Base64 encoded, and the ASCII data is finally submitted to the server as the value of a form name/value pair, where the name is name as specified by the name attribute of the keygen element. If no challenge string is provided, then it will be encoded as an IA5STRING of length zero.

    Here is an example form submission as it would be delivered to a CGI program by the HTTP server:

       commonname=john+doe&email=doe@foo.com&org=foobar+computing+corp.&
       orgunit=bureau+of+bureaucracy&locality=anytown&state=california&country=us&
       key=mihfmhewxdanbgkqhkig9w0baqefaanladbiakeanx0tiljromuue%2bptwbre6xfv%0awtkqbsshxk5zhcuwcwyvcniq9b82qhjdoacdd34rqfcaind46fxkqunb0mvkzqid%0aaqabfhfnb3ppbgxhsxnneuzyawvuzdanbgkqhkig9w0baqqfaanbaakv2eex2n%2fs%0ar%2f7ijnrowlszsmttiqteb%2badwhgj9u1xruroilq%2fo2cuqxifzcnzkyakwp4dubqw%0ai0%2f%2frgbvmco%3d
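
    How a server could check such a submitted value before issuing a certificate, as an added example that is not part of the original page: it verifies the SignedPublicKeyAndChallenge signature and compares the embedded challenge with the one the server issued. The function names checkSpkac, makeSampleSpkac and tlv, the nonce values, and the use of Node.js crypto.Certificate are assumptions; the sample input is constructed inline (RSA-2048, SHA-256).

```javascript
// Added example (not from the original page): validating a <keygen> SPKAC value.
const crypto = require('node:crypto');

// DER tag-length-value helper, used only to build the constructed sample.
function tlv(tag, body) {
  const n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}

// Constructed sample input: builds the SignedPublicKeyAndChallenge a browser
// would have submitted. Assumption: RSA-2048 key, SHA-256 signature.
function makeSampleSpkac(challenge) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  // PublicKeyAndChallenge ::= SEQUENCE { spki, challenge IA5STRING }
  const pkac = tlv(0x30, Buffer.concat([spki, tlv(0x16, Buffer.from(challenge, 'ascii'))]));
  // AlgorithmIdentifier: sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL
  const alg = Buffer.from('300d06092a864886f70d01010b0500', 'hex');
  // signature BIT STRING: the leading 0x00 means no unused bits
  const sig = Buffer.concat([Buffer.from([0]), crypto.sign('sha256', pkac, privateKey)]);
  return tlv(0x30, Buffer.concat([pkac, alg, tlv(0x03, sig)])).toString('base64');
}

// Hypothetical server-side check of the form field named by <keygen name=...>.
function checkSpkac(fieldValue, issuedChallenge) {
  // URL-decoded values may carry line breaks (%0a); strip them first.
  const spkac = Buffer.from(fieldValue.replace(/\s+/g, ''), 'ascii');
  // 1. The signature must verify under the embedded public key.
  if (!crypto.Certificate.verifySpkac(spkac)) return { ok: false, reason: 'bad-signature' };
  // 2. The challenge must equal the one issued with this form (constant-time).
  const got = Buffer.from(crypto.Certificate.exportChallenge(spkac));
  const want = Buffer.from(issuedChallenge, 'ascii');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { ok: false, reason: 'challenge-mismatch' };
  }
  // 3. Only now hand the public key to the certificate-issuing step.
  return { ok: true, publicKeyPem: crypto.Certificate.exportPublicKey(spkac).toString() };
}

const issued = 'nonce-5f2c91'; // constructed per-form challenge
const submitted = makeSampleSpkac(issued);
console.log(checkSpkac(submitted, issued).ok, checkSpkac(submitted, 'stale-nonce').reason);
```

    A submission that replays an older challenge, or whose signature does not match the embedded key, is rejected before any certificate request is built.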

    Examples

    • Sample form with RSA KEYGEN element
    • Sample form with DSA KEYGEN element and PQG Parameters
    • Sample form with DSA KEYGEN element but no PQG Parameters
    • Sample form with EC KEYGEN element

    Specifications

    Specification                     Status             Comment
    HTML Living Standard, <keygen>    Living Standard
    HTML5, <keygen>                   Recommendation

    Example

    A form with a keygen field:

    <form action="demo_keygen.asp" method="get">
     username:<input type="text" name="usr_name">
     encryption:<keygen name="security">
     <input type="submit">
    </form>
    

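    Browser support

    Firefox, Opera, Chrome and Safari 6 all support the <keygen> tag.

    Tag definition and usage

    The <keygen> tag specifies a key-pair generator field used for forms.

    When the form is submitted, the private key is stored locally and the public key is sent to the server.

    Differences between HTML 4.01 and HTML5

    The <keygen> element is a new tag in HTML5.

    Attributes

    New: attribute that is new in HTML5.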

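    Attribute          Value            Description
    autofocus (New)    autofocus        Gives the <keygen> field focus when the page loads.
    challenge (New)    challenge        If used, sets the keygen value to be challenged when submitted.
    disabled (New)     disabled         Disables the <keygen> element field.
    form (New)         form_id          Defines one or more forms the <keygen> field belongs to.
    keytype (New)      rsa, dsa, ec     Defines the security algorithm of the key.
    name (New)         name             Defines a unique name for the <keygen> element. The name attribute is used to collect the field's value when the form is submitted.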

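    Global attributes

    The <keygen> tag supports the global attributes; for the full attribute table see HTML Global Attributes.

    Event attributes

    The <keygen> tag supports all HTML event attributes.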
