SSL Client Authentication with Certificate in Chrome App

Question

I'm writing a Chrome app that needs to have an SSL socket with client authentication. I have done this before in Java with the same set of trust store and key store.

Here is what I have done on Chrome (Mac and Chromebook):

• Add client key (p12) and CA (one root CA, one intermediate CA) to system.

• In Chrome app, try both the legacy socket API and the new sockets.tcp API.

• Always receiving error ERR_SSL_CLIENT_AUTH_CERT_NEEDED. But I think I already have the correct client cert and CA in the system.

Code for legacy socket API:

chrome.socket.create('tcp',{},function(createInfo){
    mySocketId = createInfo.socketId;
    chrome.socket.connect(mySocketId,'host', 12345, function(connectResult){
        chrome.socket.secure(mySocketId,{},function(secureResult){
            console.log('secureResult '+secureResult);
        });
    });
});

My questions are:

1. Does the Chrome API support client auth with cert?
2. If supported, how do I supply the certs to chrome?

Answer 1

The Chrome API does support client authentication via tcp.secure, but with a pretty major caveat - the original feature request for SSL support says this:

Using the built-in TLS stack. Sorry, no ability to add/manage certs here, just use the existing configuration.

So, as you've suggested, you'd need to add the certs manually to Chrome. There are facilities for importing and exporting in Settings -> Show advanced settings -> HTTPS/SSL -> Manage Certificates. You may also need to work around this bug by calling tcp.setPaused before tcp.secure.

But alternatively, if you need finer-grained control than the Chrome API provides, you can also add your own javascript TLS implementation on top of the normal Chrome TCP socket API. Luckily, the library forge already has one such implementation. You can see an example using forge in conjunction with chrome.sockets.tcp here. This approach gives much more granular control, enabling things like certificate pinning, etc., that aren't supported otherwise, but do be warned that forge does not yet support TLS 1.2 or ECDHE cipher suites (though these features are planned on the roadmap).