diff options
author | Daiki Ueno <dueno@redhat.com> | 2020-01-10 20:34:53 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2020-01-10 20:34:53 +0100 |
commit | f64e760ab09eb9cdc110fd3f24d77aed6918e1fa (patch) | |
tree | 1ea664647a2702cb362d7f0ce93fb0364cbdea4e /security | |
parent | 095a02f2597992e791d304270335d94c3120f2b6 (diff) | |
download | uxp-f64e760ab09eb9cdc110fd3f24d77aed6918e1fa.tar.gz |
Issue #1338 - Followup: certdb: propagate trust information if trust
module is loaded afterwards,
Summary: When the builtin trust module is loaded after some temp certs
being created, these temp certs are usually not accompanied by trust
information. This causes a problem in UXP as it loads the module from a
separate thread while accessing the network cache which populates temp
certs.
This change makes it properly roll up the trust information, if a temp
cert doesn't have trust information.
Diffstat (limited to 'security')
-rw-r--r-- | security/nss/lib/pki/pki3hack.c | 30 |
1 files changed, 22 insertions, 8 deletions
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c index 29d2fb5a40..eac4a5705e 100644 --- a/security/nss/lib/pki/pki3hack.c +++ b/security/nss/lib/pki/pki3hack.c @@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate) } if (!cc->nssCertificate || forceUpdate) { fill_CERTCertificateFields(c, cc, forceUpdate); - } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess && - !c->object.cryptoContext) { - /* if it's a perm cert, it might have been stored before the - * trust, so look for the trust again. But a temp cert can be - * ignored. - */ - CERTCertTrust *trust = NULL; - trust = nssTrust_GetCERTCertTrustForCert(c, cc); + } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) { + CERTCertTrust *trust; + if (!c->object.cryptoContext) { + /* If it's a perm cert, it might have been stored before the + * trust, so look for the trust again. + */ + trust = nssTrust_GetCERTCertTrustForCert(c, cc); + } else { + /* If it's a temp cert, it might have been stored before the + * builtin trust module is loaded, so look for the trust + * again, but don't set the empty trust if it is not found. + */ + NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c); + if (!t) { + goto loser; + } + trust = cert_trust_from_stan_trust(t, cc->arena); + nssTrust_Destroy(t); + if (!trust) { + goto loser; + } + } CERT_LockCertTrust(cc); cc->trust = trust; |