Hi ab,
I must access some information from the peer certificate for a connected client (THttpClientSocket).
Via the TNetTlsContext there is already access to some information (PeerIssuer, PeerSubject)
and, if TNetTlsContext.WithPeerInfo = true, also the full information (PeerInfo) in a text representation.
Is it possible to append "CertInfo: TX509Parsed;" to the TNetTlsContext-Record and assign it to the NetTlsContext?
With the addition to the TNetTlsContext and a change in mormot.net.sock.windows.inc / TSChannelNetTls.AfterConnection line 2100:
if Context.WithPeerInfo then
  WinInfoToParse(nfo, Context.CertInfo);
the info is accessible to the client. For this to work I must also put the definition of WinInfoToParse in the interface part:
{$ifdef OSWINDOWS}
procedure WinInfoToParse(const c: TWinCertInfo; out Info: TX509Parsed);
{$endif}
Not perfect, and also only working for Win/SChannel at the moment.
Another option would be to fill the TX509Parsed via the PeerInfo text, but I didn't find a function in your great framework to interpret the text (the opposite of ParsedToText). And maybe the PeerInfo text key names are not a de-facto standard?
Maybe it is also possible to implement something that is already there for OpenSSL (GetPeerCertFromUrl(const url: RawUtf8): PX509DynArray;) for the other clients (socket/SChannel, ...).
Be aware that there seems to be a breaking change with the certificate-chain order in some Windows versions. Found this in the curl implementation:
https://github.com/curl/curl/issues/9706
One use case would be:
Request the external WAN IP via a service (for example: https://ipv4.seeip.org). Make a connection with (IgnoreCert and WithPeerInfo) to find the webserver hostname/common name and maybe the alt names, from a service inside the LAN that doesn't know the public DNS names. After that the service can check via a second request if the "websites, https" is running. -> "Self monitoring" of the https endpoint from inside, without the info from a config about what URL to monitor.
Thanks.
Best regards,
Tobias
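The discovery step of the use case above, as an added example that is not part of the thread or of mORMot's own code. It assumes TCrtSocket.Open accepts a PNetTlsContext parameter, that the connected socket exposes the context as its TLS field, and that the record carries an IgnoreCertificateErrors flag; only WithPeerInfo, PeerSubject and PeerInfo are taken from the thread.

```pascal
program PeerInfoProbe;

{$I mormot.defines.inc}

uses
  mormot.core.base,
  mormot.core.os,
  mormot.net.sock,
  mormot.net.client;

// Assumed API (not confirmed by the thread): THttpClientSocket.Open(server, port,
// layer, timeout, aTLS, aTLSContext) and a public TLS: TNetTlsContext field.
// Connects once to a public IP-echo service, ignoring certificate errors
// because the LAN-side service does not know the public DNS name, and only
// reads back what the server presented.
function ProbePeerSubject(const host, port: RawUtf8; out info: RawUtf8): RawUtf8;
var
  ctx: TNetTlsContext;
  client: THttpClientSocket;
begin
  result := '';
  info := '';
  FillCharFast(ctx, SizeOf(ctx), 0);
  ctx.Enabled := true;
  ctx.WithPeerInfo := true;             // request the textual PeerInfo
  ctx.IgnoreCertificateErrors := true;  // discovery only: name/chain will not match
  client := THttpClientSocket.Open(host, port, nlTcp, 10000, {aTLS=}true, @ctx);
  try
    result := client.TLS.PeerSubject;   // e.g. 'CN=<public name>'
    info := client.TLS.PeerInfo;        // full text, incl. SAN once it is parsed
  finally
    client.Free;
  end;
end;

var
  subject, peerInfo: RawUtf8;
begin
  // constructed input: the service named in the thread, default https port
  subject := ProbePeerSubject('ipv4.seeip.org', '443', peerInfo);
  ConsoleWrite('PeerSubject = %', [subject]);
  ConsoleWrite('PeerInfo:'#10'%', [peerInfo]);
end.
```

The second, monitoring request against the discovered name should be made with IgnoreCertificateErrors left false, so that only the discovery step skips validation.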
Is it possible to append "CertInfo: TX509Parsed;" to the TNetTlsContext-Record and assign it to the NetTlsContext?
The problem is that this TX509Parsed is not known in mormot.net.sock, and we would rather not make a dependency from mormot.crypt.secure to mormot.net.sock.
But I will look into some kind of solution.
Edit: Please try
https://github.com/synopse/mORMot2/commit/aee236df3
I have also implemented this field on OpenSSL.
And if you need more, you have the INetTls.GetRawTls method.
Hi ab,
thanks for the quick change.
It works for me. Is it possible to make WinInfoToParse usable (move it to the interface)?
{$ifdef OSWINDOWS}
procedure WinInfoToParse(const c: TWinCertInfo; out Info: TX509Parsed);
{$endif}
I also realized with my test that the alternative DNS names are not yet parsed by WinCertCtxtDecode (in mormot.lib.sspi), as also mentioned in the comment...
Info.SubjectAltNames := ''; // not yet part of TWinCertInfo
Any plans to integrate that Subject Alternative Name (SAN) attribute (OID: 2.5.29.17)?
https://learn.microsoft.com/en-us/windo … extensions
https://www.alvestrand.no/objectid/2.5.29.17.html
Thanks again.
Please try with
https://github.com/synopse/mORMot2/commit/a0020e083
What should I say - you are the best!
Thank you so much.