How can I get the SSL certificate for a given URL using javascript?

I’m working on a chrome extension that needs access to the SSL certificate of the current page on the active tab (specifically, I need the public key of the certificate). It seems the certificate information for the page is not exposed in chrome’s javascript API, so I’m trying to devise a way of getting the certificate information via AJAX using the URL in the current tab.

I found some useful information on “Within a web browser, is it possible for JavaScript to obtain information about the HTTPS Certificate being used for the current page?”, which suggests using to “make an ajax call to the server and use a callback to inspect the certificate.” I would like to implement this solution, but I don’t have much knowledge of the TLS protocol, and the aforelinked javascript library is a bit lacking in the documentation department.

Does this mean I need to send a hello message to the server then extract the certificate info from the response? How would I create the request using the Forge package linked above? I’m also open to some better ideas on how to get the certificate.

Chrome extension: Read browser trusted root certificates

I’m developing a Chrome extension that is verifying S/MIME signatures in Gmail in the browser. The extension pulls the full source code for every email the user is opening, parses it into ASN.1 / PKI.js (encryption libraries) data types, and verifies the message content against the signature.

This is fine for a purely cryptographic check of the message content, but we currently have no way of knowing if the certificate authority that issues the signer’s certificate is a trusted one.

To my question: Is there any way for me to access Chrome’s certificate store for trusted authorities from a background script? I’m only looking to read the certificates so I can pass them into the PKI.js encryption library as the set of trusted root CAs.

The only Chrome Javascript API resource I’ve found that comes close is the chrome.platformKeys API, but this is only available on ChromeOS.

I’m also aware of OCSP checks to see if the signer certificate has been revoked or not. This is on the road map.