Andreas Auernhammer 1fc0e9a6aa sts: allow clients to send certificate chain (#13235) ...

This commit fixes an issue in the `AssumeRoleWithCertificate`
handler.

Before clients received an error when they send
a chain of X.509 certificates (their client certificate as
well as intermediate / root CAs).

Now, client can send a certificate chain and the server
will only consider non-CA / leaf certificates as possible
client certificate candidates. However, the client still
can only send one certificate.

Signed-off-by: Andreas Auernhammer <hi@aead.dev>

2021-09-17 09:37:01 -07:00

26 KiB

Raw Blame History

View Raw