Thanks Nelson.
Please see my in-line responses.

Nelson Bolyard wrote:
> Subrata Mazumdar wrote, On 2008-08-12 20:30:
>
>   
>> I have a certificate based mutually authenticated session between the 
>> browser and a web server.
>> I would like to find out the certificate presented by the browser 
>> using a programmatic API.
>>     
>
> I gather that you want to do this in the browser?
> Or is it in the server?  I'm going to assume you mean in the browser.
>
>   
Yes, I meant that I wanted to do it in the browser.
>> I can get the server certificate by clicking the icon at the status-bar 
>> window.
>> How do I find out the certificate used to authenticate the user?
>>     
>
> In the client, you're asking it to reveal a reference to the cert that
> was used to authenticate to the remote server when the connection's SSL
> session was established.  You call the NSS function:
>
> CERTCertificate * SSL_LocalCertificate(PRFileDesc *fd);
>
> passing the PRFileDesc handle for the socket that has successfully
> negotiated a connection handshake that used a client-authenticated
> SSL session.  If the socket is not in such a state, it returns NULL.
>
> In the server, you call the NSS function:
>
> CERTCertificate * SSL_PeerCertificate(PRFileDesc *fd);
>
> which gives you the peer's (the client's) cert or NULL.
>
> In both the client and the server, SSL_LocalCertificate returns
> the cert that you used to authenticate to your remote peer (if any),
> and SSL_PeerCertificate gets the cert that your remote peer used to
> authenticate to you (if any).
>
> Note: there is an additional function named SSL_RevealCert which is
> more or less equivalent to SSL_PeerCertificate.  PSM uses only
> SSL_PeerCertificate.
>
>   
SSL_LocalCertificate() is the method that I was looking for. 
Now, my question is how do I find out the file descriptor of a cert-based 
authenticated session given that I only know the URL of the page. 
I have not gone this far yet - I guess I should be able to figure this out
from the source code of the protocol handler.

Just some context on why I want to do this: let's say I want to put an icon 
next to the lock icon for the server cert in the status bar for a cert-based 
mutually authenticated session.


>> I have looked into nsIHttpAuthManager interface - it only supports 
>> password based authentication.
>> Is there a similar interface for certificate based authentication?
>>     
>
> If you're asking "what is a scriptable PSM interface to do that?",
> I'd say there is none.  It appears that PSM contains no code that
> calls SSL_LocalCertificate.  You might file an RFE against PSM
> about that.  PSM might have some other means of accomplishing the
> same thing.  That is unknown to me.
>   
Yes, I am looking for a scriptable PSM interface to find out the client 
interface.
But it is not a problem - I can write one if I can figure out how to do 
it using NSS APIs.
Actually, I am thinking of writing an interface similar to 
nsIHttpAuthManager.
This new interface would return the local cert, if there is any, 
for a URL.
I know the code exists somewhere in the Mozilla code-base - but where to 
start?
Any help/suggestion would be greatly appreciated.

Thanks.
--
Subrata


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
