authorMichal Klocek <michal.klocek@qt.io>2022-11-01 11:04:08 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-11-17 12:39:06 +0000
commit5e4f626bef2b753446c72a820be0b57235bf68d9 (patch)
tree22f8c47c8fb4bd8a2b6ad321743235f508b27f7e /src/core/net
parent2a06aac1a3ab6fba7125910e1e037fc8bcdf7347 (diff)
Make client certifcate work without CA
Check for expired certificates: they will most likely fail during authentication, so there is no point in selecting them. According to RFC 5246, the certificate authorities list in a certificate request can be empty: "If the certificate_authorities list is empty, then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary." https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.4 Support an empty CA list. Pick-to: 6.4 Change-Id: I0ae3cbd7b0cd13ef943b431c81c3edea5ae9162d Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Diffstat (limited to 'src/core/net')
-rw-r--r--src/core/net/client_cert_override.cpp19
1 files changed, 14 insertions, 5 deletions
diff --git a/src/core/net/client_cert_override.cpp b/src/core/net/client_cert_override.cpp
index 9a8cca839..4ef08e91b 100644
--- a/src/core/net/client_cert_override.cpp
+++ b/src/core/net/client_cert_override.cpp
@@ -69,16 +69,25 @@ net::ClientCertIdentityList ClientCertOverrideStore::GetClientCertsOnUIThread(co
{
DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
const auto &clientCertOverrideData = m_storeData->extraCerts;
+
// Look for certificates in memory store
+ net::ClientCertIdentityList selected_identities;
+
for (int i = 0; i < clientCertOverrideData.length(); i++) {
scoped_refptr<net::X509Certificate> cert = clientCertOverrideData[i]->certPtr;
- if (cert != NULL && cert->IsIssuedByEncoded(cert_request_info.cert_authorities)) {
- net::ClientCertIdentityList selected_identities;
- selected_identities.push_back(std::make_unique<ClientCertIdentityOverride>(cert, clientCertOverrideData[i]->keyPtr));
- return selected_identities;
+ if (cert) {
+ if (cert->HasExpired()) {
+ qWarning() << "Expired certificate" << clientCertOverrideData[i];
+ continue;
+ }
+ if (cert_request_info.cert_authorities.empty()
+ || cert->IsIssuedByEncoded(cert_request_info.cert_authorities)) {
+ selected_identities.push_back(std::make_unique<ClientCertIdentityOverride>(
+ cert, clientCertOverrideData[i]->keyPtr));
+ }
}
}
- return net::ClientCertIdentityList();
+ return selected_identities;
}
void ClientCertOverrideStore::GetClientCertsReturn(const net::SSLCertRequestInfo &cert_request_info,
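Review bot: The new `qWarning() << "Expired certificate" << clientCertOverrideData[i];` streams the store entry itself, which the neighbouring lines dereference with `->certPtr` and `->keyPtr`, so the log most likely shows a pointer value rather than anything that identifies the certificate. Logging the subject instead, e.g. `qWarning() << "Skipping expired client certificate:" << QString::fromStdString(cert->subject().GetDisplayName());`, tells the operator which entry to replace and keeps the object that carries the private key out of the debug stream. `HasExpired()` only covers the not-after bound, so a certificate whose validity period has not started yet is still selected; comparing `cert->valid_start()` with `base::Time::Now()` in the same branch would skip those as well. The function's signature sits above the hunk, in the truncated `@@` header.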