How to determine the root certificate?

Post by jaehoony » Mon Jun 18, 2018 12:46 pm

Hello,
I'm using CEF 3325 and I'm trying to display the certificate information to the users, but I'm not sure what's the best way to go about it.
How can I determine the main certificate to display to users out of the many OnValidateCertificate() calls that are made?

I did notice this chain of events. OnLoadingStateChange() -> *Bunch of redirections* -> OnValidateCertificate() -> OnLoadStart() -> Rest of OnValidateCertificate()
Does CEF guarantee that the first OnValidateCertificate() is the main one and not the ones from the redirections?
And similarly, does it guarantee that the OnValidateCertificate() containing the main certificate is called before OnLoadStart()?

Thank you in advance!
jaehoony
Newbie
 
Posts: 2
Joined: Mon Jun 18, 2018 12:39 pm

Re: How to determine the root certificate?

Post by magreenblatt » Mon Jun 18, 2018 1:19 pm

What certificate information are you displaying to users? When are you planning to display that information? The cefclient sample application has a "Show SSL information" option on the right-click menu that you can possibly use as a model.
magreenblatt
Site Admin
 
Posts: 12382
Joined: Fri May 29, 2009 6:57 pm

Re: How to determine the root certificate?

Post by ndesktop » Mon Jun 18, 2018 4:11 pm

jaehoony wrote:
> Hello,
> I'm using CEF 3325 and I'm trying to display the certificate information to the users, but I'm not sure what's the best way to go about it.
> How can I determine the main certificate to display to users out of the many OnValidateCertificate() calls that are made?
>
> I did notice this chain of events. OnLoadingStateChange() -> *Bunch of redirections* -> OnValidateCertificate() -> OnLoadStart() -> Rest of OnValidateCertificate()
> Does CEF guarantee that the first OnValidateCertificate() is the main one and not the ones from the redirections?
> And similarly, does it guarantee that the OnValidateCertificate() containing the main certificate is called before OnLoadStart()?
>
> Thank you in advance!


I don't think there is a guaranteed order (as far as I know, there isn't one).
Resources can be loaded in any order, be they XHRs, main frames, subframes, JS, images etc.
All of them can have certificates (and not necessarily the same domain as the main frame).

I'm using a custom modified CEF with a CefRequestHandler custom callback - called OnSSLCertificateInfo - and a custom structure - CefSSLCertificateInfo2 - aggregating all sorts of information from net::URLRequest, CefSslInfo, net::ssl_info, response_info, SSL flags, security_bits, and more, while also using the existing CEF callbacks.
Moreover, the certificate info arrives on the IO thread, not on the UI thread, so things are even more complicated, so (for me) the IO thread pumps the cert into a map, which changes status on the UI thread and displays information to the user.

All of these accumulate inside a volatile certificate store with the purpose of a "history" of certificates (think of it as a map[CefSSLInfo] = certificate chain inside the volatile store).
This is because - mainly - things are further complicated by cached requests (request->response_info().was_cached inside the various CefNetworkDelegate::OnXXX calls from browser/net/network_delegate.cc), which alter the flow even more. In this case I'm getting the host, common name, url etc. from a previous request to locate the cert chain inside the volatile store.

Not sure if this scenario applies to you (and I'm not sure I was 100% clear either), but, bottom line: I don't think you can rely on a specific order of calls. Sure, it might be so for 95% of websites, but it's the others (and especially the reload/cache) which will give you trouble.
ndesktop
Master
 
Posts: 750
Joined: Thu Dec 03, 2015 10:10 am
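
The volatile store described in the post above could be sketched as follows. This is an added example, not ndesktop's code and not part of CEF: CertRecord, CertHistoryStore, HostOf and the sample hosts are hypothetical stand-ins, and the constructed Record() calls take the place of real certificate callbacks.

```cpp
#include <cctype>
#include <map>
#include <mutex>
#include <string>
#include <vector>

// Hypothetical stand-in for what one certificate callback reports (not a CEF type).
struct CertRecord { std::vector<std::string> chain; };  // leaf first, root last

// Lowercased host of an http(s) URL. Simplified: IPv6 literals are not handled.
std::string HostOf(const std::string& url) {
  auto s = url.find("://");
  s = (s == std::string::npos) ? 0 : s + 3;
  std::string host = url.substr(s, url.find_first_of("/?#", s) - s);
  auto at = host.rfind('@');  // drop userinfo so it cannot pose as the host
  if (at != std::string::npos) host.erase(0, at + 1);
  auto colon = host.find(':');  // drop the port
  if (colon != std::string::npos) host.erase(colon);
  for (char& c : host) c = (char)std::tolower((unsigned char)c);
  return host;
}

class CertHistoryStore {
 public:
  // Network-thread side: called for every certificate event, in any order.
  void Record(const std::string& url, const CertRecord& rec) {
    std::lock_guard<std::mutex> lock(mu_);
    by_host_[HostOf(url)] = rec;
  }
  // UI-thread side: resolve by main-frame URL, never by arrival order.
  bool Lookup(const std::string& main_url, CertRecord* out) const {
    std::lock_guard<std::mutex> lock(mu_);
    auto it = by_host_.find(HostOf(main_url));
    if (it != by_host_.end()) *out = it->second;
    return it != by_host_.end();
  }
 private:
  mutable std::mutex mu_;
  std::map<std::string, CertRecord> by_host_;
};

// Constructed events: a subresource and a redirect hop report before the page.
std::string DemoRootShown() {
  CertHistoryStore store;
  store.Record("https://cdn.example.net/a.js", {{"cdn.example.net", "Root A"}});
  store.Record("https://sso.example.org/hop", {{"sso.example.org", "Root B"}});
  store.Record("https://www.example.com/", {{"www.example.com", "Root C"}});
  CertRecord shown;
  // Cached reload: no new Record() call; the earlier entry still resolves.
  bool ok = store.Lookup("https://WWW.example.com:443/index.html", &shown);
  return ok ? shown.chain.back() : "";
}
```

Keying on the normalized host keeps the displayed chain tied to the page the user is actually on, regardless of which certificate event arrived first.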

Re: How to determine the root certificate?

Post by jaehoony » Tue Jun 19, 2018 4:09 pm

Thank you magreenblatt and ndesktop!

I too was afraid that the order is not guaranteed. I looked into the sample application and it was extracting certificate info from browser->host->navigationEntry->sslStatus->certificate.
Since all I needed was the main webpage certificate, this was sufficient to solve my problem. Thank you!

Out of curiosity, is there a similar method to look up header information of the main webpage call reliably? I couldn't find something obvious in the sample.
jaehoony
Newbie
 
Posts: 2
Joined: Mon Jun 18, 2018 12:39 pm

Re: How to determine the root certificate?

Post by magreenblatt » Tue Jun 19, 2018 4:22 pm

For header information you can implement CefRequestHandler::OnResourceLoadComplete and check frame->IsMain() to verify that it's the main frame. Of course you will need to determine which of the many loaded resources is the "main webpage".
magreenblatt
Site Admin
 
Posts: 12382
Joined: Fri May 29, 2009 6:57 pm

