3

I'm writing a web application and I need to use an existing web service. This web service uses a wsHttpBinding and an X.509 certificate.

I looked all over the web but didn't find a working solution.

Can someone help me with this one?

Rob Hruska
Timetje8

1 Answer

1

The choice of client certificate will be made by the browser when it makes the connection. JavaScript and jQuery don't have much say on this.

You can configure Firefox (for example) to ask you which certificate to pick or to choose one automatically (Preferences -> Advanced -> Encryption -> Certificates). This may trigger a pop-up window from the browser if you select "always ask", but this isn't accessible from JavaScript.

The client certificates you're going to use (and their private keys) will need to be available to the browser first.

Bruno
  • What you're describing sounds like browser-based mutual auth TLS, however AFAIK that is different from WS-* standards available in wsHttpBinding which encrypt parts of the XML payload, allow untrusted intermediaries, etc. I would think JavaScript+HTML5 LocalStorage might be able to hack together an XML document that is compatible with [WS-* with message security](http://msdn.microsoft.com/en-us/library/ms735093.aspx). – makerofthings7 Dec 29 '12 at 15:24
  • @makerofthings7, indeed, but the problem for WS-* message-level security is to get the js in the browser to be able to use the client cert's private key. They're usually not accessible. – Bruno Dec 29 '12 at 15:42
  • I was just coming to the same conclusion. Would you think that client certificates (mutual auth TLS) + JavaScript with JSON is better than any hacky SOAP solution? – makerofthings7 Dec 29 '12 at 15:44
  • @makerofthings7, generally yes: if you're constrained to using a browser, you have very few options. Any hacky JavaScript-based solution to make it use SOAP will certainly have the same problems as [any browser-based JS crypto](http://security.stackexchange.com/a/24433/2435), unfortunately. The message-level WS-Security isn't meant for browsers. – Bruno Dec 29 '12 at 16:47
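
The "client certificates (mutual auth TLS) + JSON" design discussed above, sketched from the server side as an added example that is not part of the answer or its comments. It assumes a Node.js HTTPS endpoint; all function names, the allow-list and the `/api/whoami` path are constructed for illustration.

```javascript
// Server side of mutual-auth TLS + JSON (Node.js). Constructed names:
// mtlsOptions, clientIdentity, authorize, handleRequest, ALLOWED_CNS.

// Options for https.createServer(): ask for a client certificate in the
// handshake and refuse peers whose chain does not verify against caPem.
function mtlsOptions(keyPem, certPem, caPem) {
  return { key: keyPem, cert: certPem, ca: caPem,
           requestCert: true, rejectUnauthorized: true };
}

// Identity comes from the TLS layer only; nothing the page script sends
// (headers, body) is consulted.
function clientIdentity(socket) {
  if (!socket || socket.authorized !== true) return null;
  const cert = socket.getPeerCertificate();
  // Node returns an empty object when the peer presented no certificate.
  if (!cert || !cert.subject || !cert.subject.CN) return null;
  return { cn: cert.subject.CN, fingerprint256: cert.fingerprint256 };
}

const ALLOWED_CNS = new Set(['alice.example']); // constructed allow-list

// Map the TLS-level identity to an HTTP status and JSON body.
function authorize(socket) {
  const id = clientIdentity(socket);
  if (!id) return { status: 401, body: { error: 'client certificate required' } };
  if (!ALLOWED_CNS.has(id.cn)) return { status: 403, body: { error: 'not allowed' } };
  return { status: 200, body: { user: id.cn } };
}

// Request listener: https.createServer(mtlsOptions(k, c, ca), handleRequest)
function handleRequest(req, res) {
  const { status, body } = authorize(req.socket);
  res.writeHead(status, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify(body));
}

// In the browser the call is an ordinary fetch('/api/whoami'); the script has
// no parameter for choosing a certificate, the browser handles that.
```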