在Chrome应用中使用证书的SSL客户端身份验证 [英] SSL Client Authentication with Certificate in Chrome App

问题描述

我正在编写一个需要使用客户端身份验证的SSL套接字的Chrome应用程序。我之前在Java中使用相同的信任存储和密钥存储进行了此操作。

以下是我在Chrome（Mac和Chromebook）上完成的操作：

• 添加客户端密钥（p12）和CA（一个根CA，一个中间CA）到系统。




• 在Chrome应用程序中，尝试使用传统的套接字 API和新的 sockets.tcp API。

总是收到错误 ERR_SSL_CLIENT_AUTH_CERT_NEEDED 。但我想我已经在系统中拥有了正确的客户端证书和CA.




传统套接字API的代码：

  chrome.socket.create（'tcp'，{}，function（createInfo）{
 mySocketId = createInfo.socketId; 
 chrome.socket.connect（mySocketId，'host' ，12345，function（connectResult）{
 chrome.socket.secure（mySocketId，{}，function（secureResult）{
 console.log（'secureResult'+ secureResult）; 
}）; 
}）; 
}）; 
  

我的问题是：





1. Chrome API支持客户端认证吗？


2. 如果支持，我该如何向chrome提供认证？






解决方案

Chrome API支持通过 tcp.secure ，但有一个非常重要的警告 - 原始的 feature request for SSL support says this：




使用内置的TLS堆栈。抱歉，无法在此处添加/管理证书，只需使用现有配置即可。




因此，正如您所建议的那样， d需要手动将证书添加到Chrome。在设置 - >显示高级设置 - >HTTPS / SSL - >管理证书中可以导入和导出设备。您可能还需要通过调用 此错误 href =https://developer.chrome.com/apps/sockets_tcp#method-setPaused =nofollow> tcp.setPaused tcp.secure 。但是，如果您需要比Chrome API提供的更细粒度的控制，您还可以在普通的Chrome TCP套接字API之上添加自己的JavaScript TLS实现。幸运的是，图书馆伪造已经有一个这样的实现。您可以使用 forge 与 chrome.sockets.tcp 这里。这种方法提供了更加细化的控制，使得证书锁定等事情不再受到其他支持，但要警告的是，伪造还不支持TLS 1.2或ECDHE密码套件（尽管这些功能都在路线图）。




I'm writing a Chrome app that needs to have an SSL socket with client authentication. I have done this before in Java with the same set of trust store and key store.

Here is what I have done on Chrome (Mac and Chromebook):

• Add client key (p12) and CA (one root CA, one intermediate CA) to system.

• In Chrome app, try both the legacy socket API and the new sockets.tcp API.

• Always receiving error ERR_SSL_CLIENT_AUTH_CERT_NEEDED. But I think I already have the correct client cert and CA in the system.

Code for legacy socket API:

chrome.socket.create('tcp',{},function(createInfo){
    mySocketId = createInfo.socketId;
    chrome.socket.connect(mySocketId,'host', 12345, function(connectResult){
        chrome.socket.secure(mySocketId,{},function(secureResult){
            console.log('secureResult '+secureResult);
        });
    });
});

My questions are:

1. Does the Chrome API support client auth with cert?
2. If supported, how do I supply the certs to chrome?

解决方案

The Chrome API does support client authentication via tcp.secure, but with a pretty major caveat - the original feature request for SSL support says this:

Using the built-in TLS stack. Sorry, no ability to add/manage certs here, just use the existing configuration.

So, as you've suggested, you'd need to add the certs manually to Chrome. There are facilities for importing and exporting in Settings -> Show advanced settings -> HTTPS/SSL -> Manage Certificates. You may also need to work around this bug by calling tcp.setPaused before tcp.secure.

But alternatively, if you need finer-grained control than the Chrome API provides, you can also add your own javascript TLS implementation on top of the normal Chrome TCP socket API. Luckily, the library forge already has one such implementation. You can see an example using forge in conjunction with chrome.sockets.tcp here. This approach gives much more granular control, enabling things like certificate pinning, etc., that aren't supported otherwise, but do be warned that forge does not yet support TLS 1.2 or ECDHE cipher suites (though these features are planned on the roadmap).

这篇关于在Chrome应用中使用证书的SSL客户端身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！