
Issue 34607

Starred by 7 users

Issue metadata

Status: Verified
Closed: Mar 2010
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


Mac support for <keygen> tag (generating SSL cert signing request)

Reported by, Feb 4 2010

Issue description

Split off from issue 148, to cover the Mac implementation of support for the
<keygen> tag, which generates a key-pair and certificate-signing request for
creation of a client-side SSL cert.

(The cross-platform code for this exists already; see the patch in issue 148.
Only one platform-specific method needs to be implemented, the one that
(a) generates a key-pair in the user's Keychain
(b) creates an X.509 Subject Public Key Identifier in DER encoding
(c) signs it
(d) base64-encodes it.)

Comment 1 by, Feb 4 2010

I've started looking at this. I wrote an open-source Mac crypto library last year 
<>, a high level wrapper around the Security APIs, 
that supports certificate generation. I'm figuring out whether I can easily disentangle the 
cert-gen code from the rest of my support classes, or whether we'd need to consider 
adding the whole library to Chromium.

Comment 2 by, Feb 18 2010

I have it running, but not yet really tested. I added a unit test ( that simply calls 
GenKeyAndSignChallenge and verifies that it got a base64 blob of the expected length. I've been able to validate the data in 
the blob (the Netscape-format SPKAC) by saving it to a file and invoking "openssl spkac -in /tmp/keygen.spkac -verify". But I 
haven't yet tried it with a real live web server.

This blog post describes how to set up OpenSSL as a CA, and the command to generate a cert from the SPKAC data:
From there it should be easy to write a short PHP script to solicit a certificate request from the browser and return the cert. I'll 
ask wtc about adding this to his SSL test server.

FYI, the best description of the <keygen> tag I've found is:
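Added example (not Chromium's code or the commenter's): it reproduces steps (a)-(d) of the issue description with the openssl CLI and then checks the blob the way comment 2 does, by re-verifying the self-signature. It also reads the challenge string back out (the thing a CA script should compare against the nonce it issued) and shows that a corrupted blob fails verification. Assumes openssl is on PATH; the key lives in a PEM file here rather than the user's Keychain, and the challenge values are constructed.

```shell
#!/bin/sh
# Added example, not Chromium code: build and check a Netscape SPKAC with the
# openssl CLI. Assumes openssl is on PATH; the key lives in a PEM file here
# instead of the user's Keychain.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# (a) generate the key pair.
gen_keypair() {
    openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
}

# (b)-(d) wrap the public key and challenge in a SPKAC, sign it with the
# private key and base64-encode it; prints the bare blob (no "SPKAC=" prefix).
make_spkac() {
    openssl spkac -key "$WORK/key.pem" -challenge "$1" | sed 's/^SPKAC=//'
}

# Re-verify the blob's self-signature, as comment 2 does with "openssl spkac -verify".
# Exits non-zero if the base64, the DER structure or the signature is bad.
verify_spkac() {
    printf 'SPKAC=%s\n' "$1" > "$WORK/check.spkac"
    openssl spkac -in "$WORK/check.spkac" -verify -noout >/dev/null 2>&1
}

# Read the challenge string back out of the blob; a CA script should compare
# it with the nonce it put in the <keygen> element before issuing a cert.
spkac_challenge() {
    printf 'SPKAC=%s\n' "$1" > "$WORK/read.spkac"
    openssl spkac -in "$WORK/read.spkac" | sed -n 's/^ *Challenge String: //p'
}

# Corrupt a blob (swap the base64 digits A and B) to show that a modified
# request no longer verifies.
tamper() {
    printf '%s' "$1" | tr 'AB' 'BA'
}

gen_keypair
blob=$(make_spkac "nonce-1234")      # constructed challenge value
verify_spkac "$blob" && echo "good blob verifies, challenge=$(spkac_challenge "$blob")"
verify_spkac "$(tamper "$blob")" || echo "tampered blob rejected"
```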

Comment 3 by, Feb 18 2010

I used the directions on that blog post to create a local CA on my dev Mac. (Basically I 
replaced "CA:FALSE" with "CA:TRUE" in /System/Library/OpenSSL/openssl.cnf; then ran 
"/System/Library/OpenSSL/misc/ -newca" and answered the prompts; then undid 
the change to the conf file.)

Then I created an input file 'keygen.spkac' that looks like:

SPKAC=MIICSjCCATQwggEgMA........  [the blob KeygenHandler created]
CN=Joe Blow
organizationName=Google, Inc.

(Note that the country, state and organization names have to match the ones you used 
when creating the CA.) Then I ran openssl again to generate the certificate:

openssl ca -spkac keygen.spkac -out keygen.cer -days 365

This succeeded and generated a valid certificate file keygen.cer that I could open and 
inspect with the Keychain Access app.

Comment 4 by, Feb 18 2010

wtc suggested testing against:

Comment 5 by, Feb 18 2010

Comment 6 by, Feb 18 2010

That page at lets you download the PHP scripts themselves. I installed them 
on my dev machine and tweaked them to make them work for me. I am now able to 
fill out the form and have openssl generate and return a cert!

What I hit now in Chrome is:
[74893:19459:134518010461047:ERROR:/Volumes/Chromium/src/net/base/cert_d] Not implemented reached in net::CertDatabase::CertDatabase()
[74893:19459:134518010806518:ERROR:/Volumes/Chromium/src/net/base/cert_d] Not implemented reached in bool 
net::CertDatabase::AddUserCert(const char*, int)

So now it's time to implement these methods...
The following revision refers to this bug: 

r40387 | | 2010-03-02 09:47:02 -0800 (Tue, 02 Mar 2010) | 5 lines
Changed paths:

Mac: implement <keygen> support, including adding generated cert to the Keychain.
BUG= 34607 

Review URL:

Comment 8 by, Mar 2 2010

Here's how to test, for now. This URL points to my dev machine, which might not be awake all the time; we 
should move it to a test server.

1. Go to <>
2. Fill out the required fields. NOTE: The script's cert database requires every "CommonName" to be unique, so 
if you test this more than once don't use the same name! I've been appending digits to the end of my name, 
though it really doesn't matter what you fill in here.
3. Press Submit.
---> After a few seconds' pause, a sheet should drop down with certificate info in it. (Yes, it's normal that it 
says "signed by an unknown authority" in red; that's because it's a self-signed cert.) The details of the cert 
should match what you filled in.
4. Press Add.
---> The sheet goes away.
5. Launch the "Keychain Access" app (in /Applications/Utilities) and click "My Certificates" in the left column.
---> The cert you just added should be in the list. It should have a flippy triangle next to it that exposes a 
private key.

Next test what happens if the cert is invalid:
1. Go to <> again. NOTE: You have 
to reload the page, even if it was still in the window from the last test.
2. Check the "Return bogus data" box.
3. Press Submit.
---> After a few seconds an error alert should appear: "Client Certificate Error: The server returned an invalid 
client certificate."

It should also be possible to test this in the wild by going to <> and signing up for 
a free client certificate. You should get the same certificate-added sheet, and then be able to use that cert to 
log into the site.

Comment 9 by, Mar 2 2010

Status: Fixed
  Hostname: macintosh-00145168447a-2.local
  Mac OS X Version 10.6.3 (Build 10D558)
  Processor: 1 Intel 1.50 GHz
  RAM: 1024 MB

  Chrome version: 5.0.348.0 r40884  
  QuickTime Player: 7.6.6
  QuickTime PlayerX: 111
  Flash Player: 10.0.42
Status: Verified

Comment 12 by, Oct 12 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 13 by, Mar 10 2013

Labels: -Area-Internals -Internals-Network Cr-Internals Cr-Internals-Network
