pub async fn try_extract_mtls(
    parts: &Parts,
    _app: &Arc<AppState>,
) -> Option<AuthResult>
Attempt to extract and validate an mTLS client certificate.
Returns Some(AuthResult) if a valid client certificate is present,
None if no certificate was presented (allowing fallback to other
auth methods).
§Certificate validation
The TLS layer (rustls ClientCertVerifier) has already validated the
certificate chain against the EST truststore by the time this function
runs. This function performs additional EST-specific checks:
- Subject DN pattern matching (if configured per label)
- SAN extraction for identity resolution
- EKU extraction for CMC RA authorization
- Revocation status check via OCSP stapling or CRL (RHELBU-3536 R21)
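
The EKU extraction step listed above, as an added std-only sketch that is not this crate's code: it decodes an extKeyUsage extension value and checks for id-kp-cmcRA (RFC 6402). The names `read_tlv`, `decode_oid`, `eku_oids` and `is_cmc_ra`, the fail-closed policy, and the restriction to short-form DER lengths are assumptions made for illustration.

```rust
// Added example, not project code: std-only DER reader for an EKU extension value.
const ID_KP_CMC_RA: &str = "1.3.6.1.5.5.7.3.28"; // id-kp-cmcRA, RFC 6402

/// Read one DER TLV as (tag, content, remainder). Assumption: short-form lengths only.
fn read_tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first()?;
    let (&len, rest) = rest.split_first()?;
    if len >= 0x80 || rest.len() < len as usize { return None; }
    let (content, rest) = rest.split_at(len as usize);
    Some((tag, content, rest))
}

/// Decode OID content octets (base-128 arcs) into dotted-decimal form.
fn decode_oid(body: &[u8]) -> Option<String> {
    if (body.last()? & 0x80) != 0 { return None; } // final arc is truncated
    let (mut arcs, mut acc) = (Vec::<u64>::new(), 0u64);
    for &b in body {
        if (acc == 0 && b == 0x80) || acc > (u64::MAX >> 7) { return None; }
        acc = (acc << 7) | u64::from(b & 0x7f);
        if b & 0x80 != 0 { continue; } // more octets follow for this arc
        if arcs.is_empty() { arcs.push((acc / 40).min(2)); acc -= arcs[0] * 40; }
        arcs.push(acc);
        acc = 0;
    }
    Some(arcs.iter().map(|a| a.to_string()).collect::<Vec<_>>().join("."))
}

/// Parse ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER); None if malformed.
fn eku_oids(der: &[u8]) -> Option<Vec<String>> {
    let (tag, mut body, trailing) = read_tlv(der)?;
    if tag != 0x30 || body.is_empty() || !trailing.is_empty() { return None; }
    let mut oids = Vec::new();
    while !body.is_empty() {
        let (t, content, next) = read_tlv(body)?;
        if t != 0x06 { return None; } // only OBJECT IDENTIFIER elements allowed
        oids.push(decode_oid(content)?);
        body = next;
    }
    Some(oids)
}

/// Assumed policy: RA only if the EKU parses cleanly and lists id-kp-cmcRA.
fn is_cmc_ra(eku_der: Option<&[u8]>) -> bool {
    eku_der.and_then(|d| eku_oids(d)).map_or(false, |o| o.iter().any(|x| x == ID_KP_CMC_RA))
}

// Constructed sample: EKU value listing clientAuth and id-kp-cmcRA.
const SAMPLE_EKU: [u8; 22] = [0x30, 20, 6, 8, 0x2B, 6, 1, 5, 5, 7, 3, 2, 6, 8, 0x2B, 6, 1, 5, 5, 7, 3, 28];
fn main() { println!("{:?} ra={}", eku_oids(&SAMPLE_EKU), is_cmc_ra(Some(&SAMPLE_EKU[..]))); }
```

A missing, truncated or malformed EKU yields `false`, so a parsing failure never grants RA privileges.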