Return the certificate chain in ClientCertStoreNSS.

NSS used to build a chain internally in the SSL stack which got lost
when switching to BoringSSL. Align with other platforms by building the
chain externally in ClientCertStoreNSS.

Although this is inherently somewhat flaky, some servers do not have
intermediates configured locally and expect the client to supply them.

This modifies (really completely rewrites) our bundled
NSS_CmpCertChainWCANames to return the chain it found. That is returned
out of ClientCertStoreNSS.

Note that this is not completely the same as the old behavior. Rather
than building as much of a path as we can manage from the leaf, we will
stop at the issuer list supplied by the server. It is assumed that the
server accepts the issuers it claims to accept. We also only do
name-based matching (which we were doing anyway) to avoid adding a more
expensive global operation in the candidate matching path.

In doing so, this syncs NSS with other platforms in removing the ancient
workaround for Netscape Enterprise Server 2.0, released in 1996.

Tested with unit tests and also manually against a custom Go server.


Cr-Original-Commit-Position: refs/heads/master@{#408647}
Cr-Mirrored-Commit: 8d569f5901989954c0b39a83f16ebd36375e98b8
4 files changed
tree: f3b185c4206c40c6d3e9730d01e43d10feaf54f0
  1. ssl/
  4. README.chromium