Subrata Mazumdar wrote, On 2008-08-12 20:30:
> I have a certificate based mutually authenticated session between the
> browser and a web server.
> I would like to find out the certificate used presented by the browser
> using a programmatic API.

I gather that you want to do this in the browser? Or is it in the server?
I'm going to assume you mean in the browser.

> I can get the server certificate by clicking the icon at the status-bar
> window.
> How do I find out the certificate used to authenticate the user?

In the client, you're asking it to reveal a reference to the cert that was
used to authenticate to the remote server when the connection's SSL session
was established. You call the NSS function:

    CERTCertificate * SSL_LocalCertificate(PRFileDesc *fd);

passing the PRFileDesc handle for the socket that has successfully
negotiated a connection handshake that used a client-authenticated SSL
session. If the socket is not in such a state, it returns NULL.

In the server, you call the NSS function:

    CERTCertificate * SSL_PeerCertificate(PRFileDesc *fd);

which gives you the peer's (the client's) cert or NULL.

In both the client and the server, SSL_LocalCertificate returns the cert
that you used to authenticate to your remote peer (if any), and
SSL_PeerCertificate gets the cert that your remote peer used to
authenticate to you (if any).

Note: there is an additional function named SSL_RevealCert which is more
or less equivalent to SSL_PeerCertificate. PSM uses only SSL_PeerCertificate.

> I have looked into nsIHttpAuthManager interface - it only supports
> password based authentication.
> Is there a similar interface for certificate based authentication?

If you're asking "what is a scriptable PSM interface to do that?", I'd say
there is none. It appears that PSM contains no code that calls
SSL_LocalCertificate. You might file an RFE against PSM about that.

PSM might have some other means of accomplishing the same thing.
That is unknown to me.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto