Determine selected client certificate via thumbprint by crnzgm · Pull Request #5187 · cefsharp/CefSharp

crnzgm · 2025-10-20T17:33:56Z

Fixes: #5185

Summary:

Certificate thumbprints get compared instead of the serial number

Changes: [specify the structures changed]

Compare certificate thumbprints
Removed obsolete TODO comment regarding previous serial number comparison

How Has This Been Tested?
Used the WinForms.Example project to load a website that requires a client certificate and verified that the selected one was sent to the server.

Screenshots (if appropriate):

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)
Updated documentation

Checklist:

Tested the code(if applicable)
Commented my code
Changed the documentation(if applicable)
New files have a license disclaimer
The formatting is consistent with the project (project supports .editorconfig)

Summary by CodeRabbit

Release Notes

Bug Fixes
- Improved certificate matching by switching to thumbprint-based comparison.
- Matching is now case-insensitive for thumbprints, reducing false mismatches.
- Removed legacy comparison logic, resulting in more reliable certificate selection behavior for end users.

coderabbitai · 2025-10-20T17:34:22Z

Walkthrough

The PR replaces certificate serial-number comparison with thumbprint-based comparison in the CefSharp certificate callback wrapper, deriving and comparing thumbprints (case-insensitive) and removing the legacy serial-number code path.

Changes

Cohort / File(s)	Change Summary
Certificate Matching Logic `CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h`	Replaced serial number comparison with thumbprint-based certificate matching; removed commented-out legacy serial-number logic; now derives `certThumbprint` from the selected certificate and compares to the DER-derived `thumbprintStr` using case-insensitive equality.

Sequence Diagram(s)

sequenceDiagram
    participant Caller as Cef (invoker)
    participant Wrapper as CefCertificateCallbackWrapper
    participant Cert as X509Certificate2

    Note over Wrapper: On certificate list received
    Caller->>Wrapper: Provide certificate list
    Wrapper->>Cert: Select certificate (X509Certificate2)
  
8000
  Cert-->>Wrapper: cert->Thumbprint (DER)
    Wrapper->>Wrapper: compute thumbprintStr from DER
    Wrapper->>Wrapper: certThumbprint = cert->Thumbprint
    alt thumbprints match (case-insensitive)
        Wrapper->>Caller: Accept/match certificate
    else no match
        Wrapper->>Caller: Continue search / reject
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 A thumbprint, neat and bright,
Replaces numbers out of sight,
I hop and check each little print,
Matching truths in every hint,
Certificates snug — that's pure delight! 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run `@coderabbitai generate docstrings` to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "Determine selected client certificate via thumbprint" clearly and directly relates to the main change in the pull request. The changeset switches certificate matching from serial number comparison to thumbprint comparison, and the title accurately captures this primary objective. The title is concise, specific, and provides a teammate scanning history with a clear understanding of what was modified. It avoids vague terminology and directly references the key technical change made in the code.
Description Check	✅ Passed	The pull request description follows the repository's template structure and includes all required sections. It references the issue number (#5185), provides a clear summary of the change (switching from serial number to thumbprint comparison), details the specific modifications made, and describes how the changes were tested using the WinForms.Example project. The appropriate type of change (bug fix) is selected, and relevant checklist items are marked as completed. While some checklist items remain unchecked, they appear to be appropriately excluded given the nature of the change (no new documentation or files requiring license disclaimers were added).

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4840dd5 and 0a5d16d.

📒 Files selected for processing (1)

CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h (1)

55-74: Add error handling for certificate construction.

The code lacks error handling for potential failures when constructing X509Certificate2 from DER-encoded bytes (line 66). If the certificate data is malformed or unsupported, an exception could be thrown. Additionally, when no matching certificate is found in the loop, _callback->Select is never called - verify this is the intended behavior.

Consider wrapping the certificate construction in a try-catch block:

                 for (; it != _certificateList.end(); ++it)
                 {
+                    try
+                    {
                         auto bytes((*it)->GetDEREncoded());
                         auto byteSize = bytes->GetSize();
 
                         auto bufferByte = gcnew cli::array<Byte>(byteSize);
                         pin_ptr<Byte> src = &bufferByte[0]; // pin pointer to first element in arr
 
                         bytes->GetData(static_cast<void*>(src), byteSize, 0);
                         auto newcert = gcnew System::Security::Cryptography::X509Certificates::X509Certificate2(bufferByte);
                         auto thumbprintStr = newcert->Thumbprint;
 
                         if (certThumbprint == thumbprintStr)
                         {
                             _callback->Select(*it);
                             break;
                         }
+                    }
+                    catch (System::Exception^)
+                    {
+                        // Continue to next certificate if parsing fails
+                        continue;
+                    }
                 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 24b1a89 and 4840dd5.

📒 Files selected for processing (1)

CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h (2 hunks)

🔇 Additional comments (1)

CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h (1)

53-53: LGTM! Thumbprint comparison is more reliable.

Using thumbprints instead of serial numbers is the correct approach for uniquely identifying certificates, especially when dealing with certificates from different CAs or self-signed certificates.

CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h

Resolves cefsharp#5185

AppVeyorBot · 2025-10-20T18:00:58Z

✅ Build CefSharp 140.1.140-CI5362 completed (commit b17d205070 by @crnzgm)

amaitland · 2025-10-24T10:25:04Z

Thanks 👍

coderabbitai bot reviewed Oct 20, 2025

View reviewed changes

CefSharp.Core.Runtime/Internals/CefCertificateCallbackWrapper.h Outdated Show resolved Hide resolved

crnzgm added 2 commits October 20, 2025 19:42

Core - Determine certificate via thumbprint

62d1f0c

Resolves cefsharp#5185

Remove obsolete TODO comment

0a5d16d

crnzgm force-pushed the master branch from 4840dd5 to 0a5d16d Compare October 20, 2025 17:42

amaitland merged commit 7245885 into cefsharp:master Oct 24, 2025
2 checks passed

amaitland added this to the 141.0.x milestone Oct 25, 2025

amaitland added the breaking-change label Oct 25, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Determine selected client certificate via thumbprint#5187

Determine selected client certificate via thumbprint#5187
amaitland merged 2 commits intocefsharp:masterfrom
crnzgm:master

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

Uh oh!

Summary by CodeRabbit

Release Notes

Uh oh!

Uh oh!

Walkthrough

Changes

Sequence Diagram(s)

Estimated code review effort

Pre-merge checks and finishing touches

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants