SSL client authentication with certificate in Chrome app
I am writing a Chrome app that needs to have an SSL socket with client authentication. I've done this before in Java with the same set of truststores and keystores.
Here's what I did in Chrome (Mac and Chromebook):
- Add client key (p12) and CA (one root CA, one intermediate CA) to the system.
- In your Chrome app, try using the legacy API socket and the new API sockets.tcp.
- Always get error ERR_SSL_CLIENT_AUTH_CERT_NEEDED. But I think I already have the correct client certificate and CA on the system.
Legacy Sockets API Code:
var mySocketId;
chrome.socket.create('tcp', {}, function(createInfo) {
  mySocketId = createInfo.socketId;
  // 'host' and 12345 are placeholders for the real server address and port
  chrome.socket.connect(mySocketId, 'host', 12345, function(connectResult) {
    // secure() upgrades the connected socket to TLS; a negative result is a net error code
    chrome.socket.secure(mySocketId, {}, function(secureResult) {
      console.log('secureResult ' + secureResult);
    });
  });
});
My questions:
- Does the Chrome API support client authentication with a certificate?
- If supported, how do I ship certificates for Chrome?
The Chrome API supports client authentication through tcp.secure, but with a rather serious caveat - the original feature for SSL support says this:
Using the built-in TLS stack. Unfortunately there is no way to add / manage certificates here, just use the existing config.
So, as you suggested, you will need to add certificates manually in Chrome. There are means for import and export in Settings -> Show advanced settings -> HTTPS/SSL -> Manage certificates. You may also need to resolve this error by calling tcp.setPaused before tcp.secure.
But, alternatively, if you need finer control than the Chrome API provides, you can also add your own TLS implementation in JavaScript on top of the regular Chrome TCP socket APIs. Fortunately, there is already one such implementation in the forge library. You can see an example using forge in conjunction with chrome.sockets.tcp here. This approach gives much more granular control, allowing features like certificate pinning, etc. that are not otherwise supported, but be warned that Forge does not yet support TLS 1.2 or ECDHE cipher suites (although these features are on the roadmap).