mirror of https://github.com/mozilla/gecko-dev.git
90d81515f7
When a server requests a client certificate, it can include a list of distinguished names that it considers valid issuers for client certificates (either as direct issuers or as transitive issuers). Before this patch, the platform would call CERT_FilterCertListByCANames to filter potential client certificates by this list of names. This function uses the "classic" NSS certificate path-building algorithm and thus can't make use of other certificates that gecko may know about, such as third-party intermediates and preloaded intermediates. This patch implements client certificate filtering by re-using the path building implementation provided by mozilla::pkix to determine if each certificate has an issuer with a name included in the acceptable list. These issuers include third-party intermediates, preloaded intermediates, and all certificates known to NSS. Note that this implementation does not actually verify the client certificates - no signatures are checked and no particular key usages are enforced. However, some properties are enforced, such as validity periods. Differential Revision: https://phabricator.services.mozilla.com/D68101 --HG-- rename : security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec => security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec extra : moz-landing-system : lando |
||
---|---|---|
apps | ||
certverifier | ||
ct | ||
mac/hardenedruntime | ||
manager | ||
nss | ||
sandbox | ||
.eslintrc.js | ||
generate_certdata.py | ||
generate_mapfile.py | ||
moz.build | ||
nss.symbols |