authorMichal Klocek <michal.klocek@qt.io>2022-11-01 11:04:08 +0100
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2022-11-17 18:10:03 +0000
commit978cc914af14c42347582f2bc383955b555acead (patch)
tree9946848e582967f197c04bde1c5caf89f8bdacf3
parentfe1858bd8a1644b150a96795be0af21348a83806 (diff)
downloadqtwebengine-978cc914af14c42347582f2bc383955b555acead.tar.gz
Make client certifcate work without CA
Check for expired certificates; they will most likely fail during authentication, so there is no point in selecting them. According to rfc5246 the certificate authorities list in a certificate request can be empty. "If the certificate_authorities list is empty, then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary." https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.4 Support empty CA list. Change-Id: I0ae3cbd7b0cd13ef943b431c81c3edea5ae9162d Reviewed-by: Michael Brüning <michael.bruning@qt.io> (cherry picked from commit 5e4f626bef2b753446c72a820be0b57235bf68d9) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/core/net/client_cert_override.cpp19
1 files changed, 14 insertions, 5 deletions
diff --git a/src/core/net/client_cert_override.cpp b/src/core/net/client_cert_override.cpp
index 9a8cca839..4ef08e91b 100644
--- a/src/core/net/client_cert_override.cpp
+++ b/src/core/net/client_cert_override.cpp
@@ -69,16 +69,25 @@ net::ClientCertIdentityList ClientCertOverrideStore::GetClientCertsOnUIThread(co
{
DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
const auto &clientCertOverrideData = m_storeData->extraCerts;
+
// Look for certificates in memory store
+ net::ClientCertIdentityList selected_identities;
+
for (int i = 0; i < clientCertOverrideData.length(); i++) {
scoped_refptr<net::X509Certificate> cert = clientCertOverrideData[i]->certPtr;
- if (cert != NULL && cert->IsIssuedByEncoded(cert_request_info.cert_authorities)) {
- net::ClientCertIdentityList selected_identities;
- selected_identities.push_back(std::make_unique<ClientCertIdentityOverride>(cert, clientCertOverrideData[i]->keyPtr));
- return selected_identities;
+ if (cert) {
+ if (cert->HasExpired()) {
+ qWarning() << "Expired certificate" << clientCertOverrideData[i];
+ continue;
+ }
+ if (cert_request_info.cert_authorities.empty()
+ || cert->IsIssuedByEncoded(cert_request_info.cert_authorities)) {
+ selected_identities.push_back(std::make_unique<ClientCertIdentityOverride>(
+ cert, clientCertOverrideData[i]->keyPtr));
+ }
}
}
- return net::ClientCertIdentityList();
+ return selected_identities;
}
void ClientCertOverrideStore::GetClientCertsReturn(const net::SSLCertRequestInfo &cert_request_info,
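Review bot: The new validity filter in the loop rejects only certificates past their expiry. Assuming `HasExpired()` compares the current time against the not-after date alone, a certificate that is not yet valid is still offered; `if (cert->HasExpired() || base::Time::Now() < cert->valid_start()) {` would cover both ends of the validity window. The warning streams `clientCertOverrideData[i]`, which appears to be a pointer-like handle (it is dereferenced with `->` elsewhere), so the log likely shows an address rather than which certificate was skipped. Logging the certificate's subject or serial would let an operator identify it. With an empty `cert_authorities` list every non-expired in-memory certificate is now returned to any requesting server's selection, so a short comment above the `empty()` test citing RFC 5246 section 7.4.4 and stating that the caller is expected to choose among several identities would document the intent. `keyPtr` is passed on without a null check, and nothing in the hunk shows whether it can be null. The function's signature appears only in the hunk header.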