Issue 16831: Client SSL Certificate Support for Mac
27 people starred this issue and may be notified of changes.
Reported by wtc@chromium.org, Jul 15, 2009
This bug tracks the remaining work to finish SSL client
authentication for Mac.  It consists of both backend
(implement SSLClientSocketMac::GetSSLCertRequestInfo and
more) and UI (certificate selection dialog) work.

Issue 318 is the original bug on SSL client authentication
support.

Comment 1 by pinkerton@chromium.org, Jul 29, 2009
(No comment was entered for this change.)
Status: Available
Labels: Mstone-MacBeta
Comment 2 by jon@chromium.org, Jul 30, 2009
(No comment was entered for this change.)
Status: Assigned
Owner: w...@chromium.org
Comment 3 by jon@chromium.org, Aug 03, 2009
Wan-Teh recommends that this not block the beta.  I agree.  Moving to milestone 4.
Labels: -Mstone-MacBeta Mstone-4
Comment 4 by jon@chromium.org, Sep 02, 2009
Not a blocker for mstone-4; moving to mstone-5.
Labels: -mstone-4 mstone-5
Comment 5 by wtc@chromium.org, Sep 28, 2009
hawk: do you have time in Q4 to work on SSL client authentication
for Mac?
Cc: h...@chromium.org
Comment 6 by h...@chromium.org, Sep 28, 2009
It depends on Mac beta timing, but I'll take the bug.
Owner: h...@chromium.org
Comment 7 by marc...@marcelocarlos.com, Dec 08, 2009
Are you also considering allowing loading of PKCS11 module files like Firefox does? That
would be very useful since there are just a few smart cards/USB tokens supported natively on Mac.
Comment 8 by wtc@chromium.org, Dec 08, 2009
marcelo: We want to use the "native" interface to smart cards.  How
does one configure Safari to use smart cards/USB tokens?
Comment 9 by slushpupie, Dec 08, 2009
wtc: Smartcards are all handled by the Keychain (a tokend for each device type). It's just using the CDSA
architecture, so if you have an "Identity" you can use that to perform cryptographic functions. I think Apple even
provides some convenience APIs for doing HTTPS with client auth, though I've not used those directly. I have
used the CDSA stuff to write a PKCS11 driver that uses Keychain as the backend; it's a bit complicated at first but
not too terrible after you get a handle on all the parts.
Comment 10 by x509v3, Dec 13, 2009
So glad Chrome's using the native OS keystore. Can't wait for Mac client-auth to work.
Comment 11 by marc...@marcelocarlos.com, Dec 15, 2009
wtc: sorry for the late answer ... to use USB tokens/smart cards on Mac I use SCA
(http://www.opensc-project.org/sca/). So, you just have to install SCA and start using
one of the supported smart cards.
That is the issue here, because there are some cards/tokens that are not supported by
SCA but they offer some PKCS11 modules to be loaded (e.g. Feitian epass 2000).
Anyway ... maybe this issue is a Mac Keychain issue instead of a Chrome issue.
Comment 12 by or...@chromium.org, Dec 17, 2009
Replacing labels:
   Area-BrowserBackend by Area-Internals

Labels: -Area-BrowserBackend Area-Internals
Comment 13 by mal.chromium, Dec 18, 2009
(No comment was entered for this change.)
Labels: Internals-Install
Comment 14 by mal.chromium, Dec 18, 2009
Fixing a bulk edit. Looks like the search query was not correct.
Labels: -Area-Internals -Internals-Install
Comment 15 by mikesmith@chromium.org, Jan 08, 2010
(No comment was entered for this change.)
Labels: ReleaseBlock-Beta
Comment 16 by wtc@chromium.org, Jan 22, 2010
(No comment was entered for this change.)
Status: Available
Owner: ---
Comment 17 by snej@chromium.org, Jan 27, 2010
I could take this at some point — I'm fairly experienced with Keychain and CDSA, though 
not the Chrome network stack.
Comment 18 by pinkerton@chromium.org, Feb 04 (5 days ago)
snej sounds interested, over to him for parity work. P1 for M5.
Owner: s...@chromium.org
Cc: -h...@chromium.org m...@chromium.org
Labels: -Pri-2 -Size-Medium Pri-1 Area-Internals PlatformParity Internals-Network
Comment 19 by pinkerton@chromium.org, Feb 04 (5 days ago)
(No comment was entered for this change.)
Status: Assigned
Comment 20 by snej@chromium.org, Feb 05 (4 days ago)
I have it working, although so far I've only tested it with a toy SSL server running on my 
machine (Apple's SSLSample.) I'm using the system identity-chooser panel as the UI 
(SFChooseIdentityPanel); currently it comes up modally, but I'd like to make it a per-tab 
sheet.
Status: Started
Comment 21 by wtc@chromium.org, Feb 05 (4 days ago)
snej: good progress!

You can test against https://www.myopenid.com/signin_certificate
It requests SSL client authentication over renegotiation (as
opposed to the initial handshake).  You can get a certificate
from that site.
Comment 22 by snej@chromium.org, Feb 08 (43 hours ago)
The myopenid URL fails to load because SSLClientSocketMac is misinterpreting the 
status code errSSLServerAuthCompletedFlag as an error and aborting the connection. 
Backtrace is:

#0  net::(anonymous namespace)::NetErrorFromOSStatus (status=-9841) at /Volumes/Chromium/src/net/socket/ssl_client_socket_mac.cc:194
#1  0x0747f877 in net::SSLClientSocketMac::DoPayloadRead (this=0x2164790) at /Volumes/Chromium/src/net/socket/ssl_client_socket_mac.cc:1022
#2  0x074817de in net::SSLClientSocketMac::OnTransportReadComplete (this=0x2164790, result=5) at /Volumes/Chromium/src/net/socket/ssl_client_socket_mac.cc:839
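
Added example, not part of the thread and not Chromium's code: a self-contained C++ model of the failure described in comment 22, where status -9841 (the value in the backtrace) reaches a generic error mapper during a renegotiation and the connection is aborted. `FakeSession`, `NaiveRead`, `RenegotiationAwareRead` and the `verify_peer` callback are hypothetical names; the constants copy Secure Transport's values, and retrying the read once the peer check passes is an assumption about how the paused handshake resumes.

```cpp
#include <cstdint>
#include <functional>
#include <queue>

// Values mirror Secure Transport OSStatus codes; redefined here so the
// model builds without the macOS SDK.
constexpr int32_t kNoErr = 0;
constexpr int32_t kErrSSLWouldBlock = -9803;
constexpr int32_t kErrSSLServerAuthCompleted = -9841;  // status in the backtrace

enum class ReadResult { kData, kPending, kAborted };

// Constructed stand-in for the TLS read call: replays a scripted status list.
struct FakeSession {
  std::queue<int32_t> script;
  int32_t Read() {
    if (script.empty()) return kErrSSLWouldBlock;
    int32_t status = script.front();
    script.pop();
    return status;
  }
};

// Behaviour reported in comment 22: any unrecognised status is a fatal error.
ReadResult NaiveRead(FakeSession& session) {
  int32_t status = session.Read();
  if (status == kNoErr) return ReadResult::kData;
  if (status == kErrSSLWouldBlock) return ReadResult::kPending;
  return ReadResult::kAborted;  // -9841 lands here and kills the connection
}

// Hypothetical handling: -9841 means the handshake paused for the caller to
// check the server certificate. Verify first, then resume; never skip the check.
ReadResult RenegotiationAwareRead(FakeSession& session,
                                  const std::function<bool()>& verify_peer) {
  for (;;) {
    int32_t status = session.Read();
    if (status == kNoErr) return ReadResult::kData;
    if (status == kErrSSLWouldBlock) return ReadResult::kPending;
    if (status == kErrSSLServerAuthCompleted) {
      if (!verify_peer()) return ReadResult::kAborted;  // bad cert stays fatal
      continue;  // certificate accepted: resume the paused handshake
    }
    return ReadResult::kAborted;  // every other status is still an error
  }
}
```

The point of the second function is that the status is informational only after the certificate check passes; treating it as plain success would skip server authentication on the renegotiated handshake.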