
How to do SSL/TLS client authentication on Chrome using a custom Cryptographic Service Provider (CSP)

I had already written a CSP module and it worked well. Here is the problem: I use my CSP module to browse to a web page that requires SSL client authentication, and it works on IE, but not on Chrome. Chrome shows the error "This site can't provide a secure connection ERR_BAD_SSL_CLIENT_AUTH_CERT".

I ran Chrome with --enable-logging, and a warning like the following occurs:

WARNING:ssl_platform_key_win.cc(386)] Could not acquire private key: Error (0x13D) while retrieving error. (0xC0000225)
WARNING:ssl_platform_key_win.cc(386)] Could not acquire private key: Error (0x13D) while retrieving error. (0xC0000225)

#include <windows.h>
#include <wincrypt.h>
#include <vector>
#pragma comment(lib, "crypt32.lib")

// The asker's own helper (body not shown): returns the DER-encoded certificate.
std::vector<BYTE> LoadFromFile();

// Binds the certificate to the key held by the custom CSP and adds it to the
// current user's MY store. Returns true on success.
bool AddCertWithCspKey()
{
    bool ok = false;
    HCERTSTORE hStore = NULL;
    CRYPT_KEY_PROV_INFO key_prov_info = { 0 };
    PCCERT_CONTEXT pCertContext = nullptr;
    std::vector<BYTE> der_encoded_cert;

    hStore = CertOpenSystemStore(NULL, L"MY");
    if (!hStore)
    {
        goto Exit;
    }

    der_encoded_cert = LoadFromFile();

    pCertContext = CertCreateCertificateContext(X509_ASN_ENCODING, der_encoded_cert.data(), (DWORD)der_encoded_cert.size());
    if (!pCertContext)
    {
        goto Exit;
    }

    // CERT_KEY_PROV_INFO_PROP_ID tells CryptoAPI (and anything that calls
    // CryptAcquireCertificatePrivateKey) which provider and container hold the key.
    key_prov_info.pwszContainerName = L"My key name";
    key_prov_info.pwszProvName = L"My provider Name";   // the CSP's registered name; the original code wrongly assigned this string to cProvParam
    key_prov_info.dwProvType = MY_PROVIDER_TYPE;        // the provider type the CSP is registered under (or YOUR_PROVIDER_TYPE)
    key_prov_info.dwFlags = CERT_SET_KEY_PROV_HANDLE_PROP_ID;
    key_prov_info.dwKeySpec = AT_SIGNATURE;             // must match the key in the container (or AT_KEYEXCHANGE)
    key_prov_info.cProvParam = 0;                       // number of rgProvParam entries; none are used here
    key_prov_info.rgProvParam = nullptr;

    if (!CertSetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &key_prov_info))
    {
        goto Exit;
    }

    if (!CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_ALWAYS, NULL))
    {
        goto Exit;
    }

    ok = true;

Exit:
    if (pCertContext)
    {
        CertFreeCertificateContext(pCertContext);
    }
    if (hStore)
    {
        CertCloseStore(hStore, 0);
    }
    return ok;
}

How can I find out where this problem comes from? I can only export Chrome's logging.
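As an added diagnostic (not part of the question or the answer), the script below walks the current user's MY store, reads the key-provider info attached to each certificate and tries to open and use the key, which is the same step that fails when Chrome's ssl_platform_key_win.cc logs "Could not acquire private key". It assumes Windows PowerShell 5.1 on .NET Framework, where a CSP-backed key is exposed as RSACryptoServiceProvider with CspKeyContainerInfo; the test message it signs is constructed here.

```powershell
# Enumerate client certificates and verify that their private key can actually be
# acquired and used through the provider named in CERT_KEY_PROV_INFO_PROP_ID.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    foreach ($cert in $store.Certificates) {
        # No key-provider property at all: the cert is not a client-auth candidate.
        if (-not $cert.HasPrivateKey) { continue }
        Write-Host "Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)"
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                Write-Host "  no RSA private key could be opened"
                continue
            }
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # This is what the CRYPT_KEY_PROV_INFO written by the C++ code resolved to.
                $info = $rsa.CspKeyContainerInfo
                Write-Host ("  CSP provider: '{0}' (type {1}), container '{2}', keyspec {3}, machine store: {4}" -f $info.ProviderName, $info.ProviderType, $info.KeyContainerName, $info.KeyNumber, $info.MachineKeyStore)
            } else {
                Write-Host "  key is CNG-backed: $($rsa.GetType().Name)"
            }
            # Constructed test message; an RSA PKCS#1 SHA-256 signature is what a
            # TLS 1.2 CertificateVerify needs, so a failure here also breaks client auth.
            $data = [System.Text.Encoding]::ASCII.GetBytes("client-auth key check (constructed)")
            $sig = $rsa.SignData($data, [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
            Write-Host "  signature test passed ($($sig.Length) bytes)"
        } catch {
            # A wrong provider name, provider type, container or keyspec in the
            # property ends up here, with the provider's own error text.
            Write-Host "  FAILED to open or use the private key: $($_.Exception.Message)"
        }
    }
} finally {
    $store.Close()
}
```

A certificate that reports HasPrivateKey but then fails in the catch block has a key-provider property that CryptoAPI cannot resolve, which is the condition to check first when the C++ code above has populated CRYPT_KEY_PROV_INFO incorrectly.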

Chrome browser does not use Microsoft CAPI (CryptoAPI) for cryptographic services, but it includes the BoringSSL library instead. Hence, Chrome will not have access to your custom CSP module.

You should be able to import the client certificate and private key (Settings -> Advanced -> Privacy and security -> Manage Certificates -> Personal -> Import).

You don't explain why you need a custom CSP to do this with IE, as importing the cert and private key into Windows' certificate store should also make SSL client certificates work without it. HTH.
