In a browser environment, is it possible to get a list of SSL certificates in JavaScript?

In order to connect to a third-party app, I have to give my users the option to choose one of the installed SSL client certificates and pass it on to a third party that is used by the app server. (My web application does not require SSL; it is a third party that requires SSL certificates.)

It seems to me that access to this list of certificates is only possible by the browser itself when connecting to a service that requires SSL. Is it possible to launch the same dialog using JavaScript, or is there a way for a web application to view the end user's SSL store?

If this is not possible, can I just open the file dialog and download the client certificate like any standard file?

I need to support any browser from IE9 onwards, and no plugins are allowed in our application.

Thanks.

+3




3 answers


If this is not possible, can I just open the file dialog and download the client certificate like any standard file?

First, this is not how SSL/TLS client authentication works at all. It's simply not a matter of downloading a certificate. The private key corresponding to the certificate is used to sign some content (in the CertificateVerify TLS message) during the TLS handshake. That is what performs the authentication.

Going back to your main question: for security reasons, the SSL/TLS stack is handled outside of the JavaScript code. Choosing a client certificate is part of this.

You may have some kind of API that allows JavaScript code to access some of the cryptographic functionality of the browser (and there has been work in this area). However, security considerations must be taken into account.

Even if the certificates contain public information to some extent, this does not mean that it is public information that should be distributed to everyone in the world, at least not necessarily in connection with the act of browsing any website.

If you were able to display a list of the user's certificates from JavaScript code sent by your server, you would no doubt be able to send that list back to yourself almost transparently with an Ajax call. While some people are concerned about the privacy implications of tracking cookies, tracking which client certificates you have would take this to another level (for example, a subject DN with CN=John Smith and an issuer DN with CN=Department/Ministry of Health/Defence would be a bit of a giveaway).



My web application does not require SSL, it is a third party that requires SSL certificates.

You don't say here whether this third party will be accessed directly by the users' browsers, or whether you expect users to pass their credentials to you so that you can interact with this third party (without direct user interaction).

If users access this third party directly (through another request), their browser will ask them for a certificate that they can use.

When it comes to delegated credentials, this is another problem entirely, as users never give you the private key for their own client certificate so that you can sign on their behalf. (It might be technically possible for users to simply provide you with their PKCS#12 file, for example, but that defeats the purpose of putting that authorization in place in the first place.)

Work has been done on delegating authority with certificates using proxy certificates (RFC 3820). Basically, your EEC (End-Entity Certificate) is used as a mini-CA, despite not having CA flags, to issue a short-lived certificate to the remote side. This mechanism is generally poorly integrated into browsers.

Another, more realistic approach would be, for example, to look at the world of SSO, SAML and Shibboleth. This works with existing browsers, but the overall architecture is slightly different (so you would need to discuss this with the third party).

+3


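The two points made in the answer above, that authentication happens when the private key signs the handshake (so a "downloaded" certificate file proves nothing) and that merely presenting a certificate hands the site the subject and issuer DN, can be seen directly with Go's standard TLS library. What follows is an added example, not code from the question or from any of the answers. It constructs a throwaway PKI whose CA name is deliberately revealing, runs a loopback server that requires client certificates (standing in for the "third party that requires SSL certificates"), and attempts three handshakes: the user's certificate with its own key, no certificate at all, and the same certificate paired with a key that does not belong to it. Every name, serial number and function in it (RunDemo, newCert, tryHandshake, the "John Smith" user, the "Department of Health CA") is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error: the PKI below is constructed throwaway data, so that is acceptable here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert makes a P-256 key and a one-hour certificate for cn: a self-signed CA when parent is nil, else a leaf issued by parent.
func newCert(cn string, serial int64, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Org (constructed)"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}, BasicConstraintsValid: true,
	}
	if eku == x509.ExtKeyUsageServerAuth {
		tmpl.DNSNames = []string{cn} // so the client can verify the server by name
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// tryHandshake runs one TLS handshake over loopback: the server uses srvCfg, the client uses cliCfg plus
// the given certificate (nil = offer none). It returns the client certificate the server accepted, or the server's error.
func tryHandshake(srvCfg, cliCfg *tls.Config, client *tls.Certificate) (peer *x509.Certificate, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			conn := tls.Server(raw, srvCfg)
			defer conn.Close()
			if err = conn.Handshake(); err == nil {
				peer = conn.ConnectionState().PeerCertificates[0]
			}
		}
		srvDone <- err
	}()
	cfg := cliCfg.Clone()
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	// Under TLS 1.3 the client may not see a rejection until it reads, so the server's verdict is what counts.
	conn, dialErr := tls.Dial("tcp", ln.Addr().String(), cfg)
	err = <-srvDone
	if dialErr == nil {
		conn.Close()
	}
	return peer, err
}

// RunDemo builds the throwaway PKI (a CA whose very name is revealing, plus a user and a server certificate it issued)
// and runs three handshakes against a server that requires client certificates, returning what the server learned.
func RunDemo() (subject, issuer string, noCertErr, wrongKeyErr error) {
	ca, caKey := newCert("Department of Health CA (constructed)", 1, x509.ExtKeyUsageAny, nil, nil)
	user, userKey := newCert("John Smith", 2, x509.ExtKeyUsageClientAuth, ca, caKey)
	srv, srvKey := newCert("localhost", 3, x509.ExtKeyUsageServerAuth, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the third party that "requires SSL certificates"
		ClientCAs:    pool,
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	withKey := &tls.Certificate{Certificate: [][]byte{user.Raw}, PrivateKey: userKey}
	certOnly := &tls.Certificate{Certificate: [][]byte{user.Raw}, PrivateKey: caKey} // right certificate, wrong key: the "downloaded file" case
	peer := must(tryHandshake(srvCfg, cliCfg, withKey)) // the legitimate user is accepted
	_, noCertErr = tryHandshake(srvCfg, cliCfg, nil)
	_, wrongKeyErr = tryHandshake(srvCfg, cliCfg, certOnly)
	return peer.Subject.String(), peer.Issuer.String(), noCertErr, wrongKeyErr
}

func main() { fmt.Println(RunDemo()) }
```

Running it prints the accepted subject and issuer DN (the information a site obtains the moment the user picks a certificate, before any application logic runs), followed by the server's two rejection errors. The handshake with the certificate but the wrong key fails on CertificateVerify, which is the concrete reason the "open a file dialog and upload the certificate" idea from the question cannot authenticate anyone. Go is used rather than JavaScript because the behaviour being shown lives in the TLS stack, which, as the answer says, sits outside the page's script.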


The certificate is not part of the DOM, so no, it won't be possible.



+2




In a browser environment, is it possible to get a list of SSL certificates in JavaScript?

The WebCrypto API allows you to discover some things like shared and derived keys. But looking at their charter and use cases, it is not clear to me whether they allow listing and opening certificates.

I see this has been discussed in the past and an issue has been raised. Here's a discussion: Crypto-ISSUE-15: Discovery of certificates associated with (private) keys. But I can't find anything on issue 15 in the WebCrypto Tracker.

Also see Will the WebCrypto API allow certificate discovery/enumeration? on the WebCrypto mailing list. Hopefully there will be a simple YES/NO answer.

But don't be surprised if it's not available through WebCrypto. Browser security engineers have a particular way of looking at things and usually don't include client certificates. Client certificates would effectively stop MitM attacks (see, for example, Certificates of Origin at the beginning), and browsers do not make stopping MitM a priority. Instead, they are okay with incorrect credentials such as passwords; and they chose one-time passwords (OTP) using U2F.

In a reality stranger than fiction, browsers will (1) use Public Key Pinning for HTTP and then (2) rip out the known-good pinset because the user was phished! You can't make this stuff up...

+1








