[Webkit-unassigned] [Bug 38946] New: WebKit Mac/Obj-C API needs way to determine SSL/TLS X.509 certificate used with document/resource

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 11 16:23:44 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=38946

           Summary: WebKit Mac/Obj-C API needs way to determine SSL/TLS
                    X.509 certificate used with document/resource
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
        OS/Version: Mac OS X 10.6
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit API
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: wootest+webkitbugs at gmail.com


There's no way that I can find in the public WebKit Mac Objective-C API (WebKit.framework) to determine which X.509 certificate is used on SSL/TLS sites. Being able to determine the certificate is important in determining the specific veracity of the certificate (differentiating between normal and "green" certificates) as well as showing the name of the associated organization; standard features in every current major browser.

There are two documented delegate methods in the WebResourceLoadDelegate (webView:resource:didReceiveAuthenticationChallenge:fromDataSource: and ..:didCancelAuthenticationChallenge:..), which sound relevant because of references like this Stack Overflow question, <http://stackoverflow.com/questions/1578121/https-with-nsurlconnection-nsurlerrorservercertificateuntrusted>, noting that the certificate is probably available through the challenge -> protection space -> server trust path. Alas, in my experiments, those delegate methods are not called until a resource actually needs username/password authentication.

(Inspired by the Stack Overflow question, I found a private resource load delegate method that appears to wrap NSURLConnection's delegate method for shouldUseCredentialStorageForDataSource, but implementing it does not supply a useful object nor cause the other relevant delegate methods to be called.)

What do real-world browsers built on the system version of WebKit.framework - i.e. Safari - do to acquire this information right now? class-dump and Google find the CertificateUtilities class with the class method sslPolicyForHost:client:. I'd rather not use a private API, but if it's the case that a new, supported, public API is developed and Safari, distributed in millions of copies, currently uses a private API, one could solve the problem by looking for the new API, falling back to looking for the private API and using it if it's available, in the same manner that some undocumented Foundation, AppKit and UIKit methods have been blessed for public use on older Mac OS X/iPhone OS versions retroactively.
