Expose additional SSL certificate information.

- Provide access to the full certificate issuer chain (issue #1530)
- Add several missing certificate error codes to cef_errorcode_t (issue #1784)
- Provide the full certificate status bitmask (issue #1790)

include/capi/cef_ssl_info_capi.h

@@ -126,6 +126,24 @@ typedef struct _cef_sslinfo_t {
   ///
   cef_base_t base;
 
+  ///
+  // Returns a bitmask containing any and all problems verifying the server
+  // certificate.
+  ///
+  cef_cert_status_t (CEF_CALLBACK *get_cert_status)(
+      struct _cef_sslinfo_t* self);
+
+  ///
+  // Returns true (1) if the certificate status has any error, major or minor.
+  ///
+  int (CEF_CALLBACK *is_cert_status_error)(struct _cef_sslinfo_t* self);
+
+  ///
+  // Returns true (1) if the certificate status represents only minor errors
+  // (e.g. failure to verify certificate revocation).
+  ///
+  int (CEF_CALLBACK *is_cert_status_minor_error)(struct _cef_sslinfo_t* self);
+
   ///
   // Returns the subject of the X.509 certificate. For HTTPS server certificates
   // this represents the web server.  The common name of the subject should
@@ -170,6 +188,28 @@ typedef struct _cef_sslinfo_t {
   ///
   struct _cef_binary_value_t* (CEF_CALLBACK *get_pemencoded)(
       struct _cef_sslinfo_t* self);
+
+  ///
+  // Returns the number of certificates in the issuer chain. If 0, the
+  // certificate is self-signed.
+  ///
+  size_t (CEF_CALLBACK *get_issuer_chain_size)(struct _cef_sslinfo_t* self);
+
+  ///
+  // Returns the DER encoded data for the certificate issuer chain. If we failed
+  // to encode a certificate in the chain it is still present in the array but
+  // is an NULL string.
+  ///
+  void (CEF_CALLBACK *get_derencoded_issuer_chain)(struct _cef_sslinfo_t* self,
+      size_t* chainCount, struct _cef_binary_value_t** chain);
+
+  ///
+  // Returns the PEM encoded data for the certificate issuer chain. If we failed
+  // to encode a certificate in the chain it is still present in the array but
+  // is an NULL string.
+  ///
+  void (CEF_CALLBACK *get_pemencoded_issuer_chain)(struct _cef_sslinfo_t* self,
+      size_t* chainCount, struct _cef_binary_value_t** chain);
 } cef_sslinfo_t;
 
 

include/cef_ssl_info.h

@@ -111,6 +111,28 @@ class CefSSLCertPrincipal : public virtual CefBase {
 /*--cef(source=library)--*/
 class CefSSLInfo : public virtual CefBase {
  public:
+  typedef std::vector<CefRefPtr<CefBinaryValue> > IssuerChainBinaryList;
+
+  ///
+  // Returns a bitmask containing any and all problems verifying the server
+  // certificate.
+  ///
+  /*--cef(default_retval=CERT_STATUS_NONE)--*/
+  virtual cef_cert_status_t GetCertStatus() =0;
+
+  ///
+  // Returns true if the certificate status has any error, major or minor.
+  ///
+  /*--cef()--*/
+  virtual bool IsCertStatusError() =0;
+
+  ///
+  // Returns true if the certificate status represents only minor errors
+  // (e.g. failure to verify certificate revocation).
+  ///
+  /*--cef()--*/
+  virtual bool IsCertStatusMinorError() =0;
+
   ///
   // Returns the subject of the X.509 certificate. For HTTPS server
   // certificates this represents the web server.  The common name of the
@@ -157,6 +179,29 @@ class CefSSLInfo : public virtual CefBase {
   ///
   /*--cef()--*/
   virtual CefRefPtr<CefBinaryValue> GetPEMEncoded() =0;
+
+  ///
+  // Returns the number of certificates in the issuer chain.
+  // If 0, the certificate is self-signed.
+  ///
+  /*--cef()--*/
+  virtual size_t GetIssuerChainSize() =0;
+
+  ///
+  // Returns the DER encoded data for the certificate issuer chain.
+  // If we failed to encode a certificate in the chain it is still
+  // present in the array but is an empty string.
+  ///
+  /*--cef(count_func=chain:GetIssuerChainSize)--*/
+  virtual void GetDEREncodedIssuerChain(IssuerChainBinaryList& chain) =0;
+
+  ///
+  // Returns the PEM encoded data for the certificate issuer chain.
+  // If we failed to encode a certificate in the chain it is still
+  // present in the array but is an empty string.
+  ///
+  /*--cef(count_func=chain:GetIssuerChainSize)--*/
+  virtual void GetPEMEncodedIssuerChain(IssuerChainBinaryList& chain) =0;
 };
 
 #endif  // CEF_INCLUDE_CEF_SSL_INFO_H_

include/internal/cef_types.h

@@ -866,6 +866,7 @@ typedef enum {
   ERR_SSL_VERSION_OR_CIPHER_MISMATCH = -113,
   ERR_SSL_RENEGOTIATION_REQUESTED = -114,
   ERR_CERT_COMMON_NAME_INVALID = -200,
+  ERR_CERT_BEGIN = ERR_CERT_COMMON_NAME_INVALID,
   ERR_CERT_DATE_INVALID = -201,
   ERR_CERT_AUTHORITY_INVALID = -202,
   ERR_CERT_CONTAINS_ERRORS = -203,
@@ -873,7 +874,13 @@ typedef enum {
   ERR_CERT_UNABLE_TO_CHECK_REVOCATION = -205,
   ERR_CERT_REVOKED = -206,
   ERR_CERT_INVALID = -207,
-  ERR_CERT_END = -208,
+  ERR_CERT_WEAK_SIGNATURE_ALGORITHM = -208,
+  // -209 is available: was ERR_CERT_NOT_IN_DNS.
+  ERR_CERT_NON_UNIQUE_NAME = -210,
+  ERR_CERT_WEAK_KEY = -211,
+  ERR_CERT_NAME_CONSTRAINT_VIOLATION = -212,
+  ERR_CERT_VALIDITY_TOO_LONG = -213,
+  ERR_CERT_END = ERR_CERT_VALIDITY_TOO_LONG,
   ERR_INVALID_URL = -300,
   ERR_DISALLOWED_URL_SCHEME = -301,
   ERR_UNKNOWN_URL_SCHEME = -302,
@@ -890,6 +897,38 @@ typedef enum {
   ERR_INSECURE_RESPONSE = -501,
 } cef_errorcode_t;
 
+///
+// Supported certificate status code values. See net\cert\cert_status_flags.h
+// for more information. CERT_STATUS_NONE is new in CEF because we use an
+// enum while cert_status_flags.h uses a typedef and static const variables.
+///
+typedef enum {
+  CERT_STATUS_NONE = 0,
+  CERT_STATUS_COMMON_NAME_INVALID = 1 << 0,
+  CERT_STATUS_DATE_INVALID = 1 << 1,
+  CERT_STATUS_AUTHORITY_INVALID = 1 << 2,
+  // 1 << 3 is reserved for ERR_CERT_CONTAINS_ERRORS (not useful with WinHTTP).
+  CERT_STATUS_NO_REVOCATION_MECHANISM = 1 << 4,
+  CERT_STATUS_UNABLE_TO_CHECK_REVOCATION = 1 << 5,
+  CERT_STATUS_REVOKED = 1 << 6,
+  CERT_STATUS_INVALID = 1 << 7,
+  CERT_STATUS_WEAK_SIGNATURE_ALGORITHM = 1 << 8,
+  // 1 << 9 was used for CERT_STATUS_NOT_IN_DNS
+  CERT_STATUS_NON_UNIQUE_NAME = 1 << 10,
+  CERT_STATUS_WEAK_KEY = 1 << 11,
+  // 1 << 12 was used for CERT_STATUS_WEAK_DH_KEY
+  CERT_STATUS_PINNED_KEY_MISSING = 1 << 13,
+  CERT_STATUS_NAME_CONSTRAINT_VIOLATION = 1 << 14,
+  CERT_STATUS_VALIDITY_TOO_LONG = 1 << 15,
+
+  // Bits 16 to 31 are for non-error statuses.
+  CERT_STATUS_IS_EV = 1 << 16,
+  CERT_STATUS_REV_CHECKING_ENABLED = 1 << 17,
+  // Bit 18 was CERT_STATUS_IS_DNSSEC
+  CERT_STATUS_SHA1_SIGNATURE_PRESENT = 1 << 19,
+  CERT_STATUS_CT_COMPLIANCE_FAILED = 1 << 20,
+} cef_cert_status_t;
+
 ///
 // The manner in which a link click should be opened.
 ///