From 978cc914af14c42347582f2bc383955b555acead Mon Sep 17 00:00:00 2001
From: Michal Klocek
Date: Tue, 1 Nov 2022 11:04:08 +0100
Subject: Make client certifcate work without CA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Check for expired certificate, they will most likely fail during authentication, so no point of selecting them.

According to rfc5246 certificate authorities list in certificate request can be empty.

"If the certificate_authorities list is empty, then the client MAY send any certificate of the appropriat ClientCertificateType, unless there is some external arrangement to the contrary."

https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.4

Support empty CA list.

Change-Id: I0ae3cbd7b0cd13ef943b431c81c3edea5ae9162d
Reviewed-by: Michael BrĂ¼ning
(cherry picked from commit 5e4f626bef2b753446c72a820be0b57235bf68d9)
Reviewed-by: Qt Cherry-pick Bot
---
 src/core/net/client_cert_override.cpp | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/core/net/client_cert_override.cpp b/src/core/net/client_cert_override.cpp
index 9a8cca839..4ef08e91b 100644
--- a/src/core/net/client_cert_override.cpp
+++ b/src/core/net/client_cert_override.cpp
@@ -69,16 +69,25 @@ net::ClientCertIdentityList ClientCertOverrideStore::GetClientCertsOnUIThread(co
 {
     DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
     const auto &clientCertOverrideData = m_storeData->extraCerts;
+    // Look for certificates in memory store
+    net::ClientCertIdentityList selected_identities;
+
     for (int i = 0; i < clientCertOverrideData.length(); i++) {
         scoped_refptr cert = clientCertOverrideData[i]->certPtr;
-        if (cert != NULL && cert->IsIssuedByEncoded(cert_request_info.cert_authorities)) {
-            net::ClientCertIdentityList selected_identities;
-            selected_identities.push_back(std::make_unique(cert, clientCertOverrideData[i]->keyPtr));
-            return selected_identities;
+        if (cert) {
+            if (cert->HasExpired()) {
+                qWarning() << "Expired certificate" << clientCertOverrideData[i];
+                continue;
+            }
+            if (cert_request_info.cert_authorities.empty()
+                || cert->IsIssuedByEncoded(cert_request_info.cert_authorities)) {
+                selected_identities.push_back(std::make_unique(
+                    cert, clientCertOverrideData[i]->keyPtr));
+            }
         }
     }
-    return net::ClientCertIdentityList();
+    return selected_identities;
 }
 
 void ClientCertOverrideStore::GetClientCertsReturn(const net::SSLCertRequestInfo &cert_request_info,
-- 
cgit v1.2.1
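Review bot: The validity filter in the new loop tests only `cert->HasExpired()`, which — if it behaves as its name suggests and checks just the notAfter bound — still offers certificates whose validity period has not yet begun, and those will fail authentication for the same reason the commit gives for expired ones; consider widening the guard to `if (cert->HasExpired() || base::Time::Now() < cert->valid_start())` (using whatever accessor this Chromium version exposes for notBefore) and skipping that case with the same warning. The `qWarning()` line prints `clientCertOverrideData[i]`, which given the `->certPtr` access looks like a pointer, so the log carries an address rather than anything identifying the certificate, and since this path presumably runs on every certificate request it would be more useful as `qWarning() << "Skipping expired client certificate" << QString::fromStdString(cert->subject().GetDisplayName());` — the subject accessor is inferred from Chromium's X509Certificate API and should be confirmed. Note also that with an empty `cert_authorities` list every non-expired override certificate is now offered to the selection step; that follows RFC 5246 §7.4.4, but it means a server sending an empty list can elicit any configured identity, so the caller's selection or prompt logic, not this function, is what prevents silently disclosing a client certificate to an arbitrary host, and a comment on the `empty()` branch stating that assumption would help the next reader. The enclosing function's signature precedes the hunk.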