程序员经验分享-hwhale

如何获取 Firefox 附加组件中*当前*页面的 SSL 证书信息

2023-11-24

我正在尝试开发一个 Firefox 扩展/附加组件,需要访问当前加载页面的 SSL 证书信息。获得此信息后,我计划根据 SSL 信息修改页面内容。不过,在到达那里之前,我首先需要获取 SSL 信息。

概述的方法here发出单独的 XMLHTTPRequest 来获取安全证书。如果可以避免的话我宁愿不这样做,因为它会带来安全问题。

例如,恶意站点/中间人可能会在页面的第一个请求上提供一个证书(浏览器将验证该证书),然后为我的扩展将发出的 XMLHTTPRequest 提供另一个证书。这将导致扩展程序根据不一致的信息修改站点内容。因此,我想获取浏览器本身在验证站点时使用的 SSL 证书信息。

考虑到这一点,我将上述方法与中概述的方法结合起来更改 Firefox 扩展中的 HTTP 响应通过添加“http-on-examine-response”事件的观察者来拦截所有 HTTP 响应。我认为通过这种方法,我可以简单地获取从网站下载的证书信息。

这是我的代码的主要部分,其中大部分取自上面的链接(其余的是 Firefox 扩展样板):

function dumpSecurityInfo(channel) {

    const Cc = Components.classes
    const Ci = Components.interfaces;

    // Do we have a valid channel argument?
    if (! channel instanceof  Ci.nsIChannel) {
        dump("No channel available\n");
        return;
    }

    var secInfo = channel.securityInfo;


    // Print general connection security state

    if (secInfo instanceof Ci.nsITransportSecurityInfo) {
        dump("name: " + channel.name + "\n");
        secInfo.QueryInterface(Ci.nsITransportSecurityInfo);

        dump("\tSecurity state: ");

        // Check security state flags
        if ((secInfo.securityState & Ci.nsIWebProgressListener.STATE_IS_SECURE) == Ci.nsIWebProgressListener.STATE_IS_SECURE)
            dump("secure\n");

        else if ((secInfo.securityState & Ci.nsIWebProgressListener.STATE_IS_INSECURE) == Ci.nsIWebProgressListener.STATE_IS_INSECURE)
            dump("insecure\n");

        else if ((secInfo.securityState & Ci.nsIWebProgressListener.STATE_IS_BROKEN) == Ci.nsIWebProgressListener.STATE_IS_BROKEN)
            dump("unknown\n");

        dump("\tSecurity description: " + secInfo.shortSecurityDescription + "\n");
        dump("\tSecurity error message: " + secInfo.errorMessage + "\n");
    }

    // Print SSL certificate details
    if (secInfo instanceof Ci.nsISSLStatusProvider) {

        var cert = secInfo.QueryInterface(Ci.nsISSLStatusProvider).
        SSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert;

        dump("\nCertificate Status:\n");

        var verificationResult = cert.verifyForUsage(Ci.nsIX509Cert.CERT_USAGE_SSLServer);
        dump("\tVerification: ");

        switch (verificationResult) {
            case Ci.nsIX509Cert.VERIFIED_OK:
                dump("OK");
                break;
            case Ci.nsIX509Cert.NOT_VERIFIED_UNKNOWN:
                dump("not verfied/unknown");
                break;
            case Ci.nsIX509Cert.CERT_REVOKED:
                dump("revoked");
                break;
            case Ci.nsIX509Cert.CERT_EXPIRED:
                dump("expired");
                break;
            case Ci.nsIX509Cert.CERT_NOT_TRUSTED:
                dump("not trusted");
                break;
            case Ci.nsIX509Cert.ISSUER_NOT_TRUSTED:
                dump("issuer not trusted");
                break;
            case Ci.nsIX509Cert.ISSUER_UNKNOWN:
                dump("issuer unknown");
                break;
            case Ci.nsIX509Cert.INVALID_CA:
                dump("invalid CA");
                break;
            default:
                dump("unexpected failure");
                break;
        }
        dump("\n");

        dump("\tCommon name (CN) = " + cert.commonName + "\n");
        dump("\tOrganisation = " + cert.organization + "\n");
        dump("\tIssuer = " + cert.issuerOrganization + "\n");
        dump("\tSHA1 fingerprint = " + cert.sha1Fingerprint + "\n");

        var validity = cert.validity.QueryInterface(Ci.nsIX509CertValidity);
        dump("\tValid from " + validity.notBeforeGMT + "\n");
        dump("\tValid until " + validity.notAfterGMT + "\n");
    }
}

function TracingListener() {
}

TracingListener.prototype =
{
    originalListener: null,

    onDataAvailable: function(request, context, inputStream, offset, count) {
        try
        {
            dumpSecurityInfo(request)
            this.originalListener.onDataAvailable(request, context, inputStream, offset, count);
        } catch (err) {
            dump(err);
            if (err instanceof Ci.nsIException) 
            {
                request.cancel(e.result);
            }
        }
    },

    onStartRequest: function(request, context) {
        try
        {
            dumpSecurityInfo(request)
            this.originalListener.onStartRequest(request, context);
        } catch (err) {
            dump(err);
            if (err instanceof Ci.nsIException) 
            {
                request.cancel(e.result);
            }
        }
    },

    onStopRequest: function(request, context, statusCode) {
        this.originalListener.onStopRequest(request, context, statusCode);
    },

    QueryInterface: function (aIID) {
        const Ci = Components.interfaces;
        if ( iid.equals(Ci.nsIObserver) ||
             iid.equals(Ci.nsISupportsWeakReference)         ||
             iid.equals(Ci.nsISupports))
        {
            return this;
        }
        throw Components.results.NS_NOINTERFACE;
    }
}


var httpRequestObserver =
{
    observe: function(aSubject, aTopic, aData)
    {
        const Ci = Components.interfaces;
        if (aTopic == "http-on-examine-response")
        {
            var newListener = new TracingListener();
            aSubject.QueryInterface(Ci.nsITraceableChannel);
            newListener.originalListener = aSubject.setNewListener(newListener);
        }
    },

    QueryInterface : function (aIID)
    {
        const Ci = Components.interfaces;
        if (aIID.equals(Ci.nsIObserver) ||
            aIID.equals(Ci.nsISupports))
        {
            return this;
        }

        throw Components.results.NS_NOINTERFACE;

    }
};

var test =
{
    run: function() {
        const Ci = Components.interfaces;
        dump("run");
        var observerService = Components.classes["@mozilla.org/observer-service;1"]
            .getService(Ci.nsIObserverService);    
        observerService.addObserver(httpRequestObserver,
            "http-on-examine-response", false);
    }
};

window.addEventListener("load", function () { test.run(); }, false);

我发现这个实现是不一致的。当我在 Firefox 中加载 gmail.com 时,有时会获得证书信息,有时则不会。我怀疑这是一个缓存问题,因为刷新页面通常会导致下载/打印证书信息。

对于我的预期应用程序来说,这种行为是不可接受的。这是一个研究项目,因此,如果必须的话,我愿意修改 Firefox 源代码,但我更喜欢使用扩展/附加 API 来完成此操作。

有没有更好、更一致的方式来获取 SSL 证书信息?


建立在this回答:

诀窍是注册一个进度监听器并检查aState当。。。的时候onSecurityChange函数被调用。如果Ci.nsIWebProgressListener.STATE_IS_SECURE如果设置了标志,则页面正在使用 SSL 连接。然而这还不够,aRequest参数不能是实例Ci.nsIChannel,应该首先验证if (aRequest instanceof Ci.nsIChannel).

这是工作代码:

function dumpSecurityInfo(channel) {

    const Cc = Components.classes
    const Ci = Components.interfaces;

    // Do we have a valid channel argument?
    if (! channel instanceof  Ci.nsIChannel) {
        dump("No channel available\n");
        return;
    }

    var secInfo = channel.securityInfo;

    // Print general connection security state
    if (secInfo instanceof Ci.nsITransportSecurityInfo) {
        dump("name: " + channel.name + "\n");
        secInfo.QueryInterface(Ci.nsITransportSecurityInfo);

        dump("\tSecurity state: ");

        // Check security state flags
        if ((secInfo.securityState & Ci.nsIWebProgressListener.STATE_IS_SECURE) == Ci.nsIWebProgressListener.STATE_IS_SECURE)
            dump("secure\n");

        else if ((secInfo.securityState & Ci.nsIWebProgressListener.STATE_IS_INSECURE) == Ci.nsIWebProgressListener.STATE_IS_INSECURE)
            dump("insecure\n");

        else if ((secInfo.securityState & Ci.nsIWebProgressListener.STATE_IS_BROKEN) == Ci.nsIWebProgressListener.STATE_IS_BROKEN)
            dump("unknown\n");

        dump("\tSecurity description: " + secInfo.shortSecurityDescription + "\n");
        dump("\tSecurity error message: " + secInfo.errorMessage + "\n");
    }
    else {

        dump("\tNo security info available for this channel\n");
    }

    // Print SSL certificate details
    if (secInfo instanceof Ci.nsISSLStatusProvider) {

        var cert = secInfo.QueryInterface(Ci.nsISSLStatusProvider).
        SSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert;

        dump("\nCertificate Status:\n");

        var verificationResult = cert.verifyForUsage(Ci.nsIX509Cert.CERT_USAGE_SSLServer);
        dump("\tVerification: ");

        switch (verificationResult) {
            case Ci.nsIX509Cert.VERIFIED_OK:
                dump("OK");
                break;
            case Ci.nsIX509Cert.NOT_VERIFIED_UNKNOWN:
                dump("not verfied/unknown");
                break;
            case Ci.nsIX509Cert.CERT_REVOKED:
                dump("revoked");
                break;
            case Ci.nsIX509Cert.CERT_EXPIRED:
                dump("expired");
                break;
            case Ci.nsIX509Cert.CERT_NOT_TRUSTED:
                dump("not trusted");
                break;
            case Ci.nsIX509Cert.ISSUER_NOT_TRUSTED:
                dump("issuer not trusted");
                break;
            case Ci.nsIX509Cert.ISSUER_UNKNOWN:
                dump("issuer unknown");
                break;
            case Ci.nsIX509Cert.INVALID_CA:
                dump("invalid CA");
                break;
            default:
                dump("unexpected failure");
                break;
        }
        dump("\n");

        dump("\tCommon name (CN) = " + cert.commonName + "\n");
        dump("\tOrganisation = " + cert.organization + "\n");
        dump("\tIssuer = " + cert.issuerOrganization + "\n");
        dump("\tSHA1 fingerprint = " + cert.sha1Fingerprint + "\n");

        var validity = cert.validity.QueryInterface(Ci.nsIX509CertValidity);
        dump("\tValid from " + validity.notBeforeGMT + "\n");
        dump("\tValid until " + validity.notAfterGMT + "\n");
    }
}

var myListener =
{
    QueryInterface: function(aIID)
    {
        if (aIID.equals(Components.interfaces.nsIWebProgressListener) ||
           aIID.equals(Components.interfaces.nsISupportsWeakReference) ||
           aIID.equals(Components.interfaces.nsISupports))
            return this;
        throw Components.results.NS_NOINTERFACE;
    },

    onStateChange: function(aWebProgress, aRequest, aFlag, aStatus) { },

    onLocationChange: function(aProgress, aRequest, aURI) { },

    onProgressChange: function(aWebProgress, aRequest, curSelf, maxSelf, curTot, maxTot) { },
    onStatusChange: function(aWebProgress, aRequest, aStatus, aMessage) { },
    onSecurityChange: function(aWebProgress, aRequest, aState) 
    {
        // check if the state is secure or not
        if(aState & Ci.nsIWebProgressListener.STATE_IS_SECURE)
        {
            // this is a secure page, check if aRequest is a channel,
            // since only channels have security information
            if (aRequest instanceof Ci.nsIChannel)
            {
                dumpSecurityInfo(aRequest);
            }
        }    
    }
}

var test =
{
    run: function() {
        dump("run\n");
        gBrowser.addProgressListener(myListener);
    }
};

window.addEventListener("load", function () { test.run(); }, false);
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)

javascript

firefox

firefoxaddon

firefox5

如何获取 Firefox 附加组件中*当前*页面的 SSL 证书信息 的相关文章

随机推荐