Is there a JavaScript equivalent of .NET HttpWebRequest.ClientCertificates?
I have this code working in C#:
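using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

var request = (HttpWebRequest)WebRequest.Create("https://x.com/service");
request.Method = "GET";
// Add X509 certificate: decode the base64 blob and load it with its password
var bytes = Convert.FromBase64String(certBase64);
var certificate = new X509Certificate2(bytes, password);
// The password is consumed when the certificate is loaded; Add() takes only the certificate
request.ClientCertificates.Add(certificate);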
Is there any way to reproduce this request in JavaScript? Third-party libraries would be fine for my purposes.
In browser-JavaScript there is no hope of doing anything like that.
The XMLHttpRequest interface gives you limited capabilities to customise the connection. You don't get any opportunity to influence SSL negotiation and you don't get the ability to make a request to a different domain than the one you're running on (for very good security reasons).
You could get around that and use a low-level socket, with complex libraries to implement HTTPS over the top of it, except that JS doesn't give you any access to low-level sockets either. Browser scripts just aren't expected or trusted to do that kind of thing: again, there are some serious security issues to worry about if any web page can make you send random connections to other servers (including ones on your private local network).
HTML5 gives you WebSocket, which can be used for low-level, low-latency connections, but it is deliberately incompatible with other services, to stop you attacking them. In general, anything you want a browser to talk to, whether that's via XMLHttpRequest, WebSocket or Flash Socket, will have to be deliberately set up to listen for browsers.
You may check out the open-source Forge project. It implements SSL/TLS in JavaScript, including the ability to specify client-side certificates.
http://github.com/digitalbazaar/forge/blob/master/README
This project makes use of the raw Socket interface made available via Flash, and implements the actual TLS layer in JavaScript. However, because Flash is used, the server you are contacting will need to provide a cross domain policy file. Included in the Forge project is an Apache module that server administrators can install to provide this policy file easily.
If you're looking for a solution that doesn't involve a server you have administrative privileges to -- then it does look like you're out of luck. Like the other poster, bobince, said, all of the new approaches to communicating over raw sockets (or similar), via the web browser, require web servers to manually "opt-in".
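The limits described in the answers apply to browser scripts; JavaScript running under Node.js can set the TLS client certificate directly. The following is an added example, not part of the original posts, that maps the C# snippet onto Node's built-in `https.request`. The function names are hypothetical, and it assumes the certificate is a base64-encoded PKCS#12 blob as in the question.

```javascript
// Added example for Node.js (not browser JavaScript); function names are hypothetical.
const https = require('node:https');

// Map the C# inputs (base64 PKCS#12 blob + password) onto Node's TLS request options.
function buildClientCertOptions(url, certBase64, password) {
  const target = new URL(url);
  if (target.protocol !== 'https:') {
    throw new Error('client certificates are only presented over https');
  }
  const cleaned = certBase64.replace(/\s+/g, '');
  const pfx = Buffer.from(cleaned, 'base64');
  // Buffer.from() silently skips invalid base64 characters, so verify the round trip.
  const strip = (s) => s.replace(/=+$/, '');
  if (pfx.length === 0 || strip(pfx.toString('base64')) !== strip(cleaned)) {
    throw new Error('certBase64 is not valid base64');
  }
  return {
    method: 'GET',
    hostname: target.hostname,
    port: Number(target.port) || 443,
    path: target.pathname + target.search,
    pfx,                      // plays the role of new X509Certificate2(bytes, password)
    passphrase: password,     // password protecting the PKCS#12 blob
    rejectUnauthorized: true, // keep validation of the server certificate enabled
  };
}

// Send the GET request; resolves with the status code and body text.
function getWithClientCert(url, certBase64, password) {
  return new Promise((resolve, reject) => {
    const options = buildClientCertOptions(url, certBase64, password);
    const req = https.request(options, (res) => {
      const chunks = [];
      res.on('data', (chunk) => chunks.push(chunk));
      res.on('end', () => resolve({
        status: res.statusCode,
        body: Buffer.concat(chunks).toString('utf8'),
      }));
    });
    req.on('error', reject); // handshake failures and a wrong passphrase surface here or as a throw
    req.end();
  });
}
```
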