From mozilla.dev.security.policy :
– the relevant extension coding techniques in Mozilla are:
* Use the observer-service to register a « http-on-examine-response » observer.
* When you observe this event, use channel.QueryInterface(Ci.nsIHTTPChannel) to get the HTTP channel from it
* Pull the securityInfo attribute of that channel
* Use QueryInterface(nsISSLStatusProvider) on the securityInfo to access the SSL data from the securityInfo.
* Pull the SSLStatus attribute of the securityInfo
* Use QueryInterface(nsISSLStatus) on the SSLStatus to access the details of the connection. The serverCert attribute contains the server certificate.
CertPatrol contains JavaScript code which does all these steps, as well as much more to parse the certificate and display the chain.
https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/
Th source is on-line on addon : https://addons.mozilla.org/fr/firefox/files/browse/134629/
Sample code on MDN:
https://developer.mozilla.org/En/How_to_check_the_security_state_of_an_XMLHTTPRequest_over_SSL
The getChain() property of nsIX509Cert allows to get the full chain up to the root.
http://hg.mozilla.org/mozilla-central/annotate/7d7179d2d809/security/manager/ssl/public/nsIX509Cert.idl#l204
If you are worried you may have been MITM by an intermediate CA, getting to the full chain is very important (it’s perfectly possible for the intermediate CA to generates further intermediate certs that make it very much look like the certificate that directly issued your cert was the correct one, except if you check the complete list).
Commentaires