[Webkit-unassigned] [Bug 38946] New: WebKit Mac/Obj-C API needs way to determine SSL/TLS X.509 certificate used with document/resource
bugzilla-daemon at webkit.org
Tue May 11 16:23:44 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=38946
Summary: WebKit Mac/Obj-C API needs way to determine SSL/TLS
X.509 certificate used with document/resource
Product: WebKit
Version: 528+ (Nightly build)
Platform: Macintosh Intel
OS/Version: Mac OS X 10.6
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: WebKit API
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: wootest+webkitbugs at gmail.com
There's no way that I can find in the public WebKit Mac Objective-C API (WebKit.framework) to determine which X.509 certificate is used on SSL/TLS sites. Being able to determine the certificate is important in determining the specific veracity of the certificate (differentiating between normal and "green" certificates) as well as showing the name of the associated organization; standard features in every current major browser.
There are two documented delegate methods in the WebResourceLoadDelegate (webView:resource:didReceiveAuthenticationChallenge:fromDataSource: and ..:didCancelAuthenticationChallenge:..), which sound relevant because of references like this Stack Overflow question, <http://stackoverflow.com/questions/1578121/https-with-nsurlconnection-nsurlerrorservercertificateuntrusted>, noting that the certificate is probably available through the challenge -> protection space -> server trust path. Alas, in my experiments, those delegate methods are not called until a resource actually needs username/password authentication.
(Inspired by the Stack Overflow question, I found a private resource load delegate method that appears to wrap NSURLConnection's delegate method for shouldUseCredentialStorageForDataSource, but implementing it does not supply a useful object nor cause the other relevant delegate methods to be called.)
What do real-world browsers built on the system version of WebKit.framework - i.e. Safari - do to acquire this information right now? class-dump and Google find the CertificateUtilities class with the class method sslPolicyForHost:client:. I'd rather not use a private API, but if it's the case that a new, supported, public API is developed and Safari, distributed in millions of copies, currently uses a private API, one could solve the problem by looking for the new API, falling back to looking for the private API and using it if it's available, in the same manner that some undocumented Foundation, AppKit and UIKit methods have been blessed for public use on older Mac OS X/iPhone OS versions retroactively.