From 79d89b63e0a75f94d88d55e41fc123c5bf46e38c Mon Sep 17 00:00:00 2001
From: Nicholas Tay <nick@windblume.net>
Date: Wed, 22 Feb 2023 20:11:20 +0100
Subject: Initial working with root CA detection

---
 .gitignore     |   2 ++
 background.js  |  50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 icons/def.png  | Bin 0 -> 159 bytes
 icons/nope.png | Bin 0 -> 235 bytes
 icons/ok.png   | Bin 0 -> 211 bytes
 manifest.json  |  24 ++++++++++++++++++++++++
 6 files changed, 76 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 background.js
 create mode 100644 icons/def.png
 create mode 100644 icons/nope.png
 create mode 100644 icons/ok.png
 create mode 100644 manifest.json

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f31b3e2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.DS_Store
+*.swp
diff --git a/background.js b/background.js
new file mode 100644
index 0000000..f619df2
--- /dev/null
+++ b/background.js
@@ -0,0 +1,50 @@
+// Based on https://github.com/mdn/webextensions-examples/blob/main/root-cert-stats/background.js
+
+// On header receive, inspect cert and update app icon as required
+async function onHeaderReceive(details) {
+    try {
+        await certInspectUpdate(details.requestId);
+    } catch(error) {
+        console.error(error);
+    }
+}
+
+async function certInspectUpdate(requestId) {
+    let securityInfo = await browser.webRequest.getSecurityInfo(
+        requestId,
+        {
+            "certificateChain": true
+        }
+    );
+    
+    if (securityInfo.state !== "secure" || securityInfo.isUntrusted) {
+        setIcon("nope");
+        return;
+    }
+
+    // Flagged as "secure" - check if CA is against any of our flagged CAs
+
+    // root is last in the array cert chain
+    let rootCA = securityInfo.certificates[securityInfo.certificates.length - 1];
+    if (rootCA.subject.includes("CN=GlobalSign Root CA")) {
+        setIcon("nope");
+        return;
+    }
+
+    setIcon("ok");
+}
+
+function setIcon(icon) {
+    browser.browserAction.setIcon({ path: "icons/" + icon + ".png" });
+}
+
+// Listen for all header receive events, which contain the cert details we want
+browser.webRequest.onHeadersReceived.addListener(
+    onHeaderReceive,
+    {
+        urls: ["<all_urls>"]
+    },
+    [
+        "blocking"
+    ]
+);
\ No newline at end of file
diff --git a/icons/def.png b/icons/def.png
new file mode 100644
index 0000000..3b1ccaf
Binary files /dev/null and b/icons/def.png differ
diff --git a/icons/nope.png b/icons/nope.png
new file mode 100644
index 0000000..eea8351
Binary files /dev/null and b/icons/nope.png differ
diff --git a/icons/ok.png b/icons/ok.png
new file mode 100644
index 0000000..42f9915
Binary files /dev/null and b/icons/ok.png differ
diff --git a/manifest.json b/manifest.json
new file mode 100644
index 0000000..acfa2fd
--- /dev/null
+++ b/manifest.json
@@ -0,0 +1,24 @@
+{
+    "manifest_version": 2,
+    "name": "cert/ain",
+    "description": "Keep an eye on your certs, because who can be certain what they are.",
+    "author": "Nicholas Tay <nick@windblume.net>",
+    "version": "0.1.0",
+    "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
+    "background": {
+        "scripts": [ "background.js" ]
+    },
+    "icons": {
+        "32": "icons/def.png"
+    },
+    "browser_action": {
+        "default_icon": {
+            "32": "icons/def.png"
+        }
+    },
+    "browser_specific_settings": {
+        "gecko": {
+            "strict_min_version": "62.0b5"
+        }
+    }
+}
-- 
cgit