From 79d89b63e0a75f94d88d55e41fc123c5bf46e38c Mon Sep 17 00:00:00 2001
From: Nicholas Tay
Date: Wed, 22 Feb 2023 20:11:20 +0100
Subject: Initial working with root CA detection
---
.gitignore | 2 ++
background.js | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
icons/def.png | Bin 0 -> 159 bytes
icons/nope.png | Bin 0 -> 235 bytes
icons/ok.png | Bin 0 -> 211 bytes
manifest.json | 24 ++++++++++++++++++++++++
6 files changed, 76 insertions(+)
create mode 100644 .gitignore
create mode 100644 background.js
create mode 100644 icons/def.png
create mode 100644 icons/nope.png
create mode 100644 icons/ok.png
create mode 100644 manifest.json
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f31b3e2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.DS_Store
+*.swp
diff --git a/background.js b/background.js
new file mode 100644
index 0000000..f619df2
--- /dev/null
+++ b/background.js
@@ -0,0 +1,50 @@
+// Based on https://github.com/mdn/webextensions-examples/blob/main/root-cert-stats/background.js
+
+// On header receive, inspect cert and update app icon as required
+async function onHeaderReceive(details) {
+ try {
+ await certInspectUpdate(details.requestId);
+ } catch(error) {
+ console.error(error);
+ }
+}
+
+async function certInspectUpdate(requestId) {
+ let securityInfo = await browser.webRequest.getSecurityInfo(
+ requestId,
+ {
+ "certificateChain": true
+ }
+ );
+
+ if (securityInfo.state !== "secure" || securityInfo.isUntrusted) {
+ setIcon("nope");
+ return;
+ }
+
+ // Flagged as "secure" - check if CA is against any of our flagged CAs
+
+ // root is last in the array cert chain
+ let rootCA = securityInfo.certificates[securityInfo.certificates.length - 1];
+ if (rootCA.subject.includes("CN=GlobalSign Root CA")) {
+ setIcon("nope");
+ return;
+ }
+
+ setIcon("ok");
+}
+
+function setIcon(icon) {
+ browser.browserAction.setIcon({ path: "icons/" + icon + ".png" });
+}
+
+// Listen for all header receive events, which contain the cert details we want
+browser.webRequest.onHeadersReceived.addListener(
+ onHeaderReceive,
+ {
+ urls: [""]
+ },
+ [
+ "blocking"
+ ]
+);
\ No newline at end of file
diff --git a/icons/def.png b/icons/def.png
new file mode 100644
index 0000000..3b1ccaf
Binary files /dev/null and b/icons/def.png differ
diff --git a/icons/nope.png b/icons/nope.png
new file mode 100644
index 0000000..eea8351
Binary files /dev/null and b/icons/nope.png differ
diff --git a/icons/ok.png b/icons/ok.png
new file mode 100644
index 0000000..42f9915
Binary files /dev/null and b/icons/ok.png differ
diff --git a/manifest.json b/manifest.json
new file mode 100644
index 0000000..acfa2fd
--- /dev/null
+++ b/manifest.json
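Review bot: In background.js the indicator is not tied to the page the user is looking at: the `onHeadersReceived` filter has no `types` entry and `setIcon` calls `browser.browserAction.setIcon` without a `tabId`, so the one global icon reflects whichever request (any tab, any subresource) completed last, and a page served under the flagged root can end up showing `ok`. Restricting the filter to `types: ["main_frame"]` and threading `details.tabId` through to `setIcon` ties the result to the navigation it describes; Firefox resets tab-specific icons when the tab navigates, so confirm the value set at header time survives the commit. The `catch` in `onHeaderReceive` only logs, which leaves the previous icon in place when `getSecurityInfo` fails, so the icon should be reset to `def` there rather than leaving a stale `ok`. Separately, `rootCA.subject.includes("CN=GlobalSign Root CA")` matches a name string rather than a certificate; comparing `rootCA.fingerprint.sha256` against a list of pinned values identifies the root itself.

```javascript
async function onHeaderReceive(details) {
  try {
    await certInspectUpdate(details.requestId, details.tabId);
  } catch (error) {
    console.error(error);
    // Lookup failed: show the neutral icon instead of keeping a stale verdict.
    setIcon("def", details.tabId);
  }
}

async function certInspectUpdate(requestId, tabId) {
  // … unchanged: getSecurityInfo call …
  // … unchanged: state and root CA checks, each call now setIcon(<icon>, tabId) …
}

function setIcon(icon, tabId) {
  browser.browserAction.setIcon({ path: "icons/" + icon + ".png", tabId });
}

browser.webRequest.onHeadersReceived.addListener(
  onHeaderReceive,
  {
    // … unchanged: urls …
    types: ["main_frame"]
  },
  // … unchanged: ["blocking"] …
);
```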
@@ -0,0 +1,24 @@
+{
+ "manifest_version": 2,
+ "name": "cert/ain",
+ "description": "Keep an eye on your certs, because who can be certain what they are.",
+ "author": "Nicholas Tay ",
+ "version": "0.1.0",
+ "permissions": ["webRequest", "webRequestBlocking", ""],
+ "background": {
+ "scripts": [ "background.js" ]
+ },
+ "icons": {
+ "32": "icons/def.png"
+ },
+ "browser_action": {
+ "default_icon": {
+ "32": "icons/def.png"
+ }
+ },
+ "browser_specific_settings": {
+ "gecko": {
+ "strict_min_version": "62.0b5"
+ }
+ }
+}
-- cgit