fix: make intermediates work with 'select-client-certificate'

[dsanders11]

Description of Change

Fixes #28553.

cc @zcbenz @deepak1556

No test added because I wasn't sure there's a viable way to make one (no current tests for this functionality) since it pulls client certificates from the system store. See #21980.

Manually reproduced and tested the fix. The fix is straight forward, but if anyone else really feels like confirming it themselves, these are the steps I used on macOS, it was a bit of a pain:

1. In Keychain Access, use Keychain Access -> Certificate Assistant to create a certificate chain, using 'SSL Client' for the type for all certificates. Create:
   1. A self-signed root CA.
   2. An intermediate CA.
   3. A leaf certificate.
2. Apply the Chromium patch provided below, which ensures Chromium will include intermediates on macOS, otherwise they are only included when the server is limiting the trusted root CAs to a specific list.
3. Run this gist in Electron Fiddle.
4. Should see that the SSL_CLIENT_CERT_CHAIN_1 field is populated if the chain was sent to the server.

Chromium Patch for Manual Testing (macOS)

diff --git a/net/ssl/client_cert_store_mac.cc b/net/ssl/client_cert_store_mac.cc
index 7d97f1d090417..62d8e4f1675e3 100644
--- a/net/ssl/client_cert_store_mac.cc
+++ b/net/ssl/client_cert_store_mac.cc
@@ -133,15 +133,16 @@ bool IsIssuedByInKeychain(const std::vector<std::string>& valid_issuers,
                                                          options));
   CFRelease(cert_chain);  // Also frees |intermediates|.
 
-  if (!new_cert || !new_cert->IsIssuedByEncoded(valid_issuers))
-    return false;
-
   std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediate_buffers;
   intermediate_buffers.reserve(new_cert->intermediate_buffers().size());
   for (const auto& intermediate : new_cert->intermediate_buffers()) {
     intermediate_buffers.push_back(bssl::UpRef(intermediate.get()));
   }
   identity->SetIntermediates(std::move(intermediate_buffers));
+
+  if (!new_cert || !new_cert->IsIssuedByEncoded(valid_issuers))
+    return false;
+
   return true;
 }
 
@@ -235,6 +236,8 @@ void GetClientCertsImpl(std::unique_ptr<ClientCertIdentity> preferred_identity,
     if (cert_iter != selected_identities->end())
       continue;
 
+    IsIssuedByInKeychain(request.cert_authorities, cert.get());
+
     // Check if the certificate issuer is allowed by the server.
     if (request.cert_authorities.empty() ||
         cert->certificate()->IsIssuedByEncoded(request.cert_authorities) ||

Checklist

• PR description included and stakeholders cc'd
• npm test passes

Release Notes

Notes: Fixed sending intermediate certificates with 'select-client-certificate' event callback

[release-clerk]

Release Notes Persisted

Fixed sending intermediate certificates with 'select-client-certificate' event callback

[trop]

I have automatically backported this PR to "12-x-y", please check out #29568

[trop]

I have automatically backported this PR to "13-x-y", please check out #29569

[trop]

I have automatically backported this PR to "14-x-y", please check out #29570