rsclientcerts: make each backend responsible for rate-limiting calls to find_objects
Categories
(Core :: Security: PSM, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox142 | --- | fixed |
People
(Reporter: keeler, Assigned: keeler)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-assigned][psm-clientauth])
Attachments
(1 file)
rsclientcerts::manager rate-limits calls to find_objects to once every 3 seconds because the underlying operation can be time-consuming (in particular, on macOS and Windows, if there are many certificates/keys available). On Android, keys aren't available until the user selects one, which means that if a call to find_objects happens before the selection prompt is shown (which is currently what happens) and the user chooses one in less than 3 seconds, the backend won't search again, thus making it seem like no keys are available, which causes Firefox to not send a client certificate. It would be better if each backend implementation were responsible for this rate-limiting, because only they know if it's appropriate to do so.
|
Assignee | |
Comment 1•6 months ago
|
||
Before this patch, rsclientcerts::manager would rate-limit calls to
find_objects to once every 3 seconds because the underlying operation can be
time-consuming (in particular, on macOS and Windows, if there are many
certificates/keys available). On Android, keys aren't available until the user
selects one, which means that if a call to find_objects happened before the
selection prompt was shown (which is what happens) and the user chose one in
less than 3 seconds, the backend wouldn't search again, thus making it seem like
no keys were available, which would cause Firefox to not send a client
certificate. This patch makes each backend implementation responsible for this
rate-limiting, because only they know if it's appropriate to do so.
|
||
Comment 3•6 months ago
|
||
| bugherder | ||
|
||
Updated•6 months ago
|
|
||
Updated•6 months ago
|
Description
•