Chromium Strategy for client certificate authentication (ssl) (per os)


david....@gmail.com

Feb 3, 2020, 9:55:52 AM
to net-dev
Hello,

Could you please tell me where Chrome looks for a matching certificate in case of SSL client certificate authentication?
I'd like to check in Java the preexistence of a matching certificate...

In Windows, it's with the SunMSCAPI provider inside Windows-MY.

In Mac OS?

In Linux?

Extra bonus: if I have targeted an X509Certificate (Java code) associated with a smart card, is it possible to force Chrome to use it next?

Thanks in advance

David L.

Ryan Sleevi

Feb 3, 2020, 10:53:36 AM
to david....@gmail.com, net-dev
On Mon, Feb 3, 2020 at 9:55 AM <david....@gmail.com> wrote:
> Hello,
>
> Could you please tell me where Chrome looks for a matching certificate in case of SSL client certificate authentication?

It's unclear from your request if you're looking for the code that does the checking, or if you're looking to find out where it's checked. I've tried to answer that below.
 
> I'd like to check in Java the preexistence of a matching certificate...

I'm not sure I understand what you're trying to do here?
 

> In Windows, it's with the SunMSCAPI provider inside Windows-MY.

Correct, Chromium looks in the "MY" store.
 
> In Mac OS?

On macOS, Chromium uses the Keychain APIs, such as SecIdentitySearchCreate (deprecated, but provides access to legacy tokens) and SecItemCopyMatching (the preferred/supported way).
 
> In Linux?

In Linux, we use NSS to enumerate the configured PKCS#11 tokens.
 
> Extra bonus: if I have targeted an X509Certificate (Java code) associated with a smart card, is it possible to force Chrome to use it next?

It is not clear what you're asking. If you'd like to use a smart card, you need to register it with the appropriate system provider for client certificates.

If you're asking as an embedder of Chromium, then you may want to use the ClientCertStore on the ContentBrowserClient - https://cs.chromium.org/chromium/src/content/public/browser/content_browser_client.h?l=1566&rcl=10a2b5dec6b6d1fbca93a89c215b1b2e127906ab - to provide the necessary abstraction for providing a ClientCertIdentity, which you can use to provide an X509Certificate and a subclass of SSLPrivateKey that performs the necessary functions.
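
An added example, not part of the thread and not Chromium code: a Java probe that opens the JDK key store type backed by the per-OS store named above and lists usable client-certificate candidates. The issuer filter, the class and method names, and the CA name `CN=Example Client CA` are assumptions for illustration; whether these JDK store types see every identity Chromium sees (smart-card tokens in particular) is not established by the thread.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class ClientCertProbe {

    // JDK key store type for the OS store named in the thread (hypothetical helper).
    // Linux returns null: NSS/PKCS#11 tokens need a separately configured SunPKCS11 provider.
    static String storeTypeFor(String osName) {
        String os = osName.toLowerCase(Locale.ROOT);
        if (os.contains("mac")) return "KeychainStore";  // Apple provider, user keychain
        if (os.contains("win")) return "Windows-MY";     // SunMSCAPI, current user's "MY" store
        return null;
    }

    // Keep entries that carry a private key, are inside their validity period, and
    // whose direct issuer is in the accepted set (empty set = accept any issuer).
    static List<String> matchingAliases(KeyStore ks, Set<X500Principal> accepted)
            throws Exception {
        List<String> hits = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;          // certificate only, no key: unusable
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            try { x.checkValidity(new Date()); } catch (Exception e) { continue; }
            if (accepted.isEmpty() || accepted.contains(x.getIssuerX500Principal()))
                hits.add(alias);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String type = storeTypeFor(System.getProperty("os.name"));
        if (type == null) {
            System.err.println("No built-in store type here; configure SunPKCS11 for the token.");
            return;
        }
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);                              // OS-backed stores take no stream or password
        // Constructed sample value: replace with the CA names your server accepts.
        Set<X500Principal> accepted = Set.of(new X500Principal("CN=Example Client CA"));
        System.out.println(type + " -> " + matchingAliases(ks, accepted));
    }
}
```

The filter checks only the direct issuer, so a certificate chaining to an accepted CA through an intermediate is not listed.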

david leruse

Feb 3, 2020, 11:47:10 AM
to rsl...@chromium.org, net-dev
Thanks Ryan for this swift reply...

I’m gonna try to explore the Java Apple Provider to check if it has access to the two locations you mentioned in your reply. Then, if I can’t prevent cert misuse, I’ll give the CertClientIdentity a try to force the choice.

Regards

David L.


