Can't get hands-on server certificate

Oct 25, 2013 at 11:44 PM
Edited Oct 27, 2013 at 10:07 PM
Need to get access to server certificate / chain to (heroically) validate the server authenticity. I'd like to get the server certificate to verify that I am communicating with a server that is presenting a certificate with a cert chain that contains a whitelisted cert (using cert thumbprint).

Since the request is created in an ASYNC session, I would need to be called during the status callback (WinHttpSetStatusCallback) which is not exposed by cpprest.

The only workaround in 1.3 is to get the callback address during set_nativehandle_options() and insert myself as the callback on the request/session. My callback function would accomplish what is needed and call the previous callback.

Is there another way to get the server certificate?
Oct 28, 2013 at 5:42 PM
Hi evangineer,

I think what you have described is the best way right now to get access to the underlying server certificate for a request. Unfortunately, at this time we haven't had time yet to expose a cross-platform API for certificates.

When calling WinHttpSetStatusCallback, the return value is the previously defined status callback function. So what you can do is create your http_client with a configuration using the new set_nativehandle_options feature we just introduced. Inside the callback function you provide to set_nativehandle_options, call WinHttpSetStatusCallback with your new status callback and save off the address of the previous one. Then, inside your new status callback function, use WinHttpQueryOption to get the server certificate and perform your additional validation. Finally, in your new status callback, make sure to call the previous one we originally set.

Let me know if you have any other questions or issues.
Thanks,
Steve
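The procedure Steve describes, written out as an added example (this is not code from the thread, from cpprest or from Microsoft). It hooks the WinHTTP status callback from `set_nativehandle_options`, reads the server certificate chain with `WinHttpQueryOption(WINHTTP_OPTION_SERVER_CERT_CONTEXT)`, compares the SHA-1 thumbprints of every chain member against a whitelist, and then forwards the notification to the callback cpprest originally installed. The portable part (`normalize_thumbprint`, `chain_contains_whitelisted`) compiles anywhere; the WinHTTP part is under `#ifdef _WIN32`. Assumptions: the `native_handle` cpprest passes is the `HINTERNET` request handle; the TLS handshake is complete by `WINHTTP_CALLBACK_STATUS_SENDING_REQUEST`, so the certificate is queryable there; the names `install_cert_check`, `hooked_callback`, `HookState` and the globals are mine. The hook only records a verdict in a flag the caller holds; the application must refuse to use the response when that flag is false.

```cpp
// Added example: WinHTTP status-callback hook for certificate whitelisting under cpprest.
// Names (install_cert_check, hooked_callback, HookState, g_*) are assumptions, not cpprest API.
#include <algorithm>
#include <atomic>
#include <cctype>
#include <map>
#include <memory>
#include <mutex>
#include <set>
#include <string>
#include <vector>

// Normalise a thumbprint so "ab:cd ef" and "ABCDEF" compare equal (uppercase hex, separators dropped).
std::string normalize_thumbprint(const std::string& hex) {
    std::string out;
    for (unsigned char c : hex)
        if (std::isxdigit(c)) out.push_back(static_cast<char>(std::toupper(c)));
    return out;
}

// True if any certificate in the presented chain has a whitelisted SHA-1 thumbprint (40 hex digits).
// Pinning a chain member rather than only the leaf lets the pinned CA rotate leaf certificates.
bool chain_contains_whitelisted(const std::vector<std::string>& chain_thumbprints,
                                const std::set<std::string>& whitelist) {
    std::set<std::string> allowed;
    for (const auto& t : whitelist) {
        std::string n = normalize_thumbprint(t);
        if (n.size() == 40) allowed.insert(n);   // ignore malformed whitelist entries
    }
    for (const auto& t : chain_thumbprints)
        if (allowed.count(normalize_thumbprint(t))) return true;
    return false;
}

#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>
#include <wincrypt.h>
#include <cpprest/http_client.h>
#pragma comment(lib, "winhttp.lib")
#pragma comment(lib, "crypt32.lib")

// Per-request state: the callback cpprest installed (we must chain to it) and the caller's verdict flag.
struct HookState { WINHTTP_STATUS_CALLBACK previous; std::shared_ptr<std::atomic<bool>> verdict; };
static std::mutex g_mutex;
static std::map<HINTERNET, HookState> g_hooks;
static std::set<std::string> g_whitelist;   // filled by install_cert_check()

// SHA-1 thumbprint of one certificate as uppercase hex.
static std::string thumbprint_of(PCCERT_CONTEXT cert) {
    BYTE hash[20]; DWORD len = sizeof(hash);
    if (!CertGetCertificateContextProperty(cert, CERT_SHA1_HASH_PROP_ID, hash, &len)) return "";
    static const char* digits = "0123456789ABCDEF";
    std::string hex;
    for (DWORD i = 0; i < len; ++i) { hex.push_back(digits[hash[i] >> 4]); hex.push_back(digits[hash[i] & 0xF]); }
    return hex;
}

// Thumbprints of the chain Windows builds for the server certificate of this request.
static std::vector<std::string> chain_thumbprints(HINTERNET request) {
    std::vector<std::string> out;
    PCCERT_CONTEXT leaf = nullptr; DWORD size = sizeof(leaf);
    if (!WinHttpQueryOption(request, WINHTTP_OPTION_SERVER_CERT_CONTEXT, &leaf, &size)) return out;
    CERT_CHAIN_PARA para = {}; para.cbSize = sizeof(para);
    PCCERT_CHAIN_CONTEXT chain = nullptr;
    if (CertGetCertificateChain(nullptr, leaf, nullptr, leaf->hCertStore, &para, 0, nullptr, &chain)) {
        PCERT_SIMPLE_CHAIN simple = chain->rgpChain[0];
        for (DWORD i = 0; i < simple->cElement; ++i)
            out.push_back(thumbprint_of(simple->rgpElement[i]->pCertContext));
        CertFreeCertificateChain(chain);
    }
    CertFreeCertificateContext(leaf);   // the context returned by WinHttpQueryOption is owned by the caller
    return out;
}

// Our status callback: validate at SENDING_REQUEST, then always forward to cpprest's own callback.
static void CALLBACK hooked_callback(HINTERNET h, DWORD_PTR ctx, DWORD status, LPVOID info, DWORD len) {
    HookState state{};
    { std::lock_guard<std::mutex> lock(g_mutex); auto it = g_hooks.find(h); if (it != g_hooks.end()) state = it->second; }
    // Assumption: the TLS handshake has completed by SENDING_REQUEST, so the server cert is available.
    if (status == WINHTTP_CALLBACK_STATUS_SENDING_REQUEST && state.verdict)
        state.verdict->store(chain_contains_whitelisted(chain_thumbprints(h), g_whitelist));
    if (status == WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING) { std::lock_guard<std::mutex> lock(g_mutex); g_hooks.erase(h); }
    if (state.previous) state.previous(h, ctx, status, info, len);   // keep cpprest's async machinery working
}

// Wire the hook into an http_client_config. The returned flag is false until a whitelisted cert is seen.
std::shared_ptr<std::atomic<bool>> install_cert_check(web::http::client::http_client_config& cfg,
                                                      std::set<std::string> whitelist) {
    auto verdict = std::make_shared<std::atomic<bool>>(false);
    { std::lock_guard<std::mutex> lock(g_mutex); g_whitelist = std::move(whitelist); }
    cfg.set_nativehandle_options([verdict](web::http::client::native_handle handle) {
        HINTERNET request = static_cast<HINTERNET>(handle);   // assumption: the request handle
        WINHTTP_STATUS_CALLBACK prev = WinHttpSetStatusCallback(
            request, hooked_callback, WINHTTP_CALLBACK_FLAG_ALL_NOTIFICATIONS, 0);
        if (prev == WINHTTP_INVALID_STATUS_CALLBACK) return;   // leave cpprest's callback untouched
        std::lock_guard<std::mutex> lock(g_mutex);
        g_hooks[request] = HookState{prev, verdict};
    });
    return verdict;
}
#endif
```

Usage on Windows: build an `http_client_config`, call `install_cert_check(cfg, {"<pinned thumbprint>"})`, construct the `http_client` with that config, and after `request()` completes check the returned flag before trusting the body. The hook deliberately does not close the request handle from inside the callback, because cpprest owns that handle and closes it itself; recording a verdict and letting the caller act on it avoids a double close.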