Determine selected client certificate via thumbprint

[crnzgm]

Fixes: #5185

Summary:

• Certificate thumbprints get compared instead of the serial number

Changes: [specify the structures changed]

• Compare certificate thumbprints
• Removed obsolete TODO comment regarding previous serial number comparison

How Has This Been Tested?
Used the WinForms.Example project to load a website that requires a client certificate and verified that the selected one was sent to the server.

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Updated documentation

Checklist:

• Tested the code(if applicable)
• Commented my code
• Changed the documentation(if applicable)
• New files have a license disclaimer
• The formatting is consistent with the project (project supports .editorconfig)

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Improved certificate matching by switching to thumbprint-based comparison.
  • Matching is now case-insensitive for thumbprints, reducing false mismatches.
  • Removed legacy comparison logic, resulting in more reliable certificate selection behavior for end users.

[coderabbitai]

Walkthrough

The PR replaces certificate serial-number comparison with thumbprint-based comparison in the CefSharp certificate callback wrapper, deriving and comparing thumbprints (case-insensitive) and removing the legacy serial-number code path.

Changes

Cohort / File(s)	Change Summary
Certificate Matching Logic CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h	Replaced serial number comparison with thumbprint-based certificate matching; removed commented-out legacy serial-number logic; now derives certThumbprint from the selected certificate and compares to the DER-derived thumbprintStr using case-insensitive equality.

Sequence Diagram(s)

sequenceDiagram
    participant Caller as Cef (invoker)
    participant Wrapper as CefCertificateCallbackWrapper
    participant Cert as X509Certificate2

    Note over Wrapper: On certificate list received
    Caller->>Wrapper: Provide certificate list
    Wrapper->>Cert: Select certificate (X509Certificate2)
    Cert-->>Wrapper: cert->Thumbprint (DER)
    Wrapper->>Wrapper: compute thumbprintStr from DER
    Wrapper->>Wrapper: certThumbprint = cert->Thumbprint
    alt thumbprints match (case-insensitive)
        Wrapper->>Caller: Accept/match certificate
    else no match
        Wrapper->>Caller: Continue search / reject
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 A thumbprint, neat and bright,
Replaces numbers out of sight,
I hop and check each little print,
Matching truths in every hint,
Certificates snug — that's pure delight! 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "Determine selected client certificate via thumbprint" clearly and directly relates to the main change in the pull request. The changeset switches certificate matching from serial number comparison to thumbprint comparison, and the title accurately captures this primary objective. The title is concise, specific, and provides a teammate scanning history with a clear understanding of what was modified. It avoids vague terminology and directly references the key technical change made in the code.
Description Check	✅ Passed	The pull request description follows the repository's template structure and includes all required sections. It references the issue number (#5185), provides a clear summary of the change (switching from serial number to thumbprint comparison), details the specific modifications made, and describes how the changes were tested using the WinForms.Example project. The appropriate type of change (bug fix) is selected, and relevant checklist items are marked as completed. While some checklist items remain unchecked, they appear to be appropriately excluded given the nature of the change (no new documentation or files requiring license disclaimers were added).

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4840dd5 and 0a5d16d.

📒 Files selected for processing (1)

• CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h (1)

55-74: Add error handling for certificate construction.

The code lacks error handling for potential failures when constructing X509Certificate2 from DER-encoded bytes (line 66). If the certificate data is malformed or unsupported, an exception could be thrown. Additionally, when no matching certificate is found in the loop, _callback->Select is never called - verify this is the intended behavior.

Consider wrapping the certificate construction in a try-catch block:

                 for (; it != _certificateList.end(); ++it)
                 {
+                    try
+                    {
                         auto bytes((*it)->GetDEREncoded());
                         auto byteSize = bytes->GetSize();
 
                         auto bufferByte = gcnew cli::array<Byte>(byteSize);
                         pin_ptr<Byte> src = &bufferByte[0]; // pin pointer to first element in arr
 
                         bytes->GetData(static_cast<void*>(src), byteSize, 0);
                         auto newcert = gcnew System::Security::Cryptography::X509Certificates::X509Certificate2(bufferByte);
                         auto thumbprintStr = newcert->Thumbprint;
 
                         if (certThumbprint == thumbprintStr)
                         {
                             _callback->Select(*it);
                             break;
                         }
+                    }
+                    catch (System::Exception^)
+                    {
+                        // Continue to next certificate if parsing fails
+                        continue;
+                    }
                 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 24b1a89 and 4840dd5.

📒 Files selected for processing (1)

• CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h (2 hunks)

🔇 Additional comments (1)

CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h (1)

53-53: LGTM! Thumbprint comparison is more reliable.

Using thumbprints instead of serial numbers is the correct approach for uniquely identifying certificates, especially when dealing with certificates from different CAs or self-signed certificates.

[AppVeyorBot]

✅ Build CefSharp 140.1.140-CI5362 completed (commit b17d205070 by @crnzgm)