parent
8c9ed11be4
commit
4f639ad73c
230
nss-3.47-certdb-temp-cert.patch
Normal file
230
nss-3.47-certdb-temp-cert.patch
Normal file
@ -0,0 +1,230 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# User Daiki Ueno <dueno@redhat.com>
|
||||||
|
# Date 1574953499 -3600
|
||||||
|
# Thu Nov 28 16:04:59 2019 +0100
|
||||||
|
# Node ID f1f705bd0528713216e16867233825c299d3e3b2
|
||||||
|
# Parent 10722c590949819ed4d971ad5ae213bc8b11a1bf
|
||||||
|
Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
|
||||||
|
|
||||||
|
Summary:
|
||||||
|
When a builtin root module is loaded after some temp certs being
|
||||||
|
loaded, our certificate lookup logic preferred those temp certs over
|
||||||
|
perm certs stored on the root module. This was a problem because such
|
||||||
|
temp certs are usually not accompanied with trust information.
|
||||||
|
|
||||||
|
This makes the certificate lookup logic capable of handling such
|
||||||
|
situations by checking if the trust information is attached to temp
|
||||||
|
certs and otherwise falling back to perm certs.
|
||||||
|
|
||||||
|
Reviewers: rrelyea, keeler
|
||||||
|
|
||||||
|
Reviewed By: rrelyea
|
||||||
|
|
||||||
|
Subscribers: heftig
|
||||||
|
|
||||||
|
Bug #: 1593167
|
||||||
|
|
||||||
|
Differential Revision: https://phabricator.services.mozilla.com/D54726
|
||||||
|
|
||||||
|
diff --git a/lib/certdb/stanpcertdb.c b/lib/certdb/stanpcertdb.c
|
||||||
|
--- a/lib/certdb/stanpcertdb.c
|
||||||
|
+++ b/lib/certdb/stanpcertdb.c
|
||||||
|
@@ -340,6 +340,91 @@ CERT_AddTempCertToPerm(CERTCertificate *
|
||||||
|
return __CERT_AddTempCertToPerm(cert, nickname, trust);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static CERTCertificate *
|
||||||
|
+find_cert_by_der_cert(CERTCertDBHandle *handle, SECItem *derCert)
|
||||||
|
+{
|
||||||
|
+ CERTCertificate *cc;
|
||||||
|
+ NSSCryptoContext *context;
|
||||||
|
+ NSSCertificate *cert = NULL;
|
||||||
|
+ NSSCertificate *tempCert = NULL;
|
||||||
|
+ NSSCertificate *permCert = NULL;
|
||||||
|
+ NSSDER encoding;
|
||||||
|
+ nssCertificateStoreTrace lockTrace = { NULL, NULL, PR_FALSE, PR_FALSE };
|
||||||
|
+ nssCertificateStoreTrace unlockTrace = { NULL, NULL, PR_FALSE, PR_FALSE };
|
||||||
|
+
|
||||||
|
+ /* We retrieve a certificate instance for derCert in this order:
|
||||||
|
+ * 1. Look up a temp cert in the crypto context. If it is found
|
||||||
|
+ * and has a trust object associated, use it.
|
||||||
|
+ * 2. Look up a perm cert in the trust domain. If it is found,
|
||||||
|
+ * use it. Otherwise, use the temp cert.
|
||||||
|
+ */
|
||||||
|
+ NSSITEM_FROM_SECITEM(&encoding, derCert);
|
||||||
|
+ context = STAN_GetDefaultCryptoContext();
|
||||||
|
+
|
||||||
|
+ /* First, see if it is already a temp cert */
|
||||||
|
+ tempCert = NSSCryptoContext_FindCertificateByEncodedCertificate(context,
|
||||||
|
+ &encoding);
|
||||||
|
+ if (tempCert) {
|
||||||
|
+ NSSTrust *trust;
|
||||||
|
+
|
||||||
|
+ trust = nssCryptoContext_FindTrustForCertificate(context, tempCert);
|
||||||
|
+ if (trust) {
|
||||||
|
+ nssTrust_Destroy(trust);
|
||||||
|
+ cert = tempCert;
|
||||||
|
+ tempCert = NULL;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Then, see if it is already a perm cert */
|
||||||
|
+ if (!cert && handle) {
|
||||||
|
+ permCert = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
|
||||||
|
+ &encoding);
|
||||||
|
+ if (permCert) {
|
||||||
|
+ /* Delete the temp instance */
|
||||||
|
+ if (tempCert) {
|
||||||
|
+ nssCertificateStore_Lock(context->certStore, &lockTrace);
|
||||||
|
+ nssCertificateStore_RemoveCertLOCKED(context->certStore,
|
||||||
|
+ tempCert);
|
||||||
|
+ nssCertificateStore_Unlock(context->certStore, &lockTrace,
|
||||||
|
+ &unlockTrace);
|
||||||
|
+ }
|
||||||
|
+ cert = permCert;
|
||||||
|
+ permCert = NULL;
|
||||||
|
+ } else if (tempCert) {
|
||||||
|
+ cert = tempCert;
|
||||||
|
+ tempCert = NULL;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (tempCert) {
|
||||||
|
+ nssCertificate_Destroy(tempCert);
|
||||||
|
+ }
|
||||||
|
+ if (permCert) {
|
||||||
|
+ nssCertificate_Destroy(permCert);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!cert) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Actually, that search ends up going by issuer/serial,
|
||||||
|
+ * so it is still possible to return a cert with the same
|
||||||
|
+ * issuer/serial but a different encoding, and we're
|
||||||
|
+ * going to reject that
|
||||||
|
+ */
|
||||||
|
+ if (!nssItem_Equal(&cert->encoding, &encoding, NULL)) {
|
||||||
|
+ nssCertificate_Destroy(cert);
|
||||||
|
+ PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ cc = STAN_GetCERTCertificateOrRelease(cert);
|
||||||
|
+ if (!cc) {
|
||||||
|
+ CERT_MapStanError();
|
||||||
|
+ }
|
||||||
|
+ return cc;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
CERTCertificate *
|
||||||
|
CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
|
||||||
|
char *nickname, PRBool isperm, PRBool copyDER)
|
||||||
|
@@ -351,32 +436,8 @@ CERT_NewTempCertificate(CERTCertDBHandle
|
||||||
|
NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
|
||||||
|
NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain();
|
||||||
|
if (!isperm) {
|
||||||
|
- NSSDER encoding;
|
||||||
|
- NSSITEM_FROM_SECITEM(&encoding, derCert);
|
||||||
|
- /* First, see if it is already a temp cert */
|
||||||
|
- c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC,
|
||||||
|
- &encoding);
|
||||||
|
- if (!c && handle) {
|
||||||
|
- /* Then, see if it is already a perm cert */
|
||||||
|
- c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
|
||||||
|
- &encoding);
|
||||||
|
- }
|
||||||
|
- if (c) {
|
||||||
|
- /* actually, that search ends up going by issuer/serial,
|
||||||
|
- * so it is still possible to return a cert with the same
|
||||||
|
- * issuer/serial but a different encoding, and we're
|
||||||
|
- * going to reject that
|
||||||
|
- */
|
||||||
|
- if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
|
||||||
|
- nssCertificate_Destroy(c);
|
||||||
|
- PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
|
||||||
|
- cc = NULL;
|
||||||
|
- } else {
|
||||||
|
- cc = STAN_GetCERTCertificateOrRelease(c);
|
||||||
|
- if (cc == NULL) {
|
||||||
|
- CERT_MapStanError();
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+ cc = find_cert_by_der_cert(handle, derCert);
|
||||||
|
+ if (cc) {
|
||||||
|
return cc;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -598,19 +659,7 @@ CERT_FindCertByNickname(CERTCertDBHandle
|
||||||
|
CERTCertificate *
|
||||||
|
CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
|
||||||
|
{
|
||||||
|
- NSSCryptoContext *cc;
|
||||||
|
- NSSCertificate *c;
|
||||||
|
- NSSDER encoding;
|
||||||
|
- NSSITEM_FROM_SECITEM(&encoding, derCert);
|
||||||
|
- cc = STAN_GetDefaultCryptoContext();
|
||||||
|
- c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding);
|
||||||
|
- if (!c) {
|
||||||
|
- c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
|
||||||
|
- &encoding);
|
||||||
|
- if (!c)
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
- return STAN_GetCERTCertificateOrRelease(c);
|
||||||
|
+ return find_cert_by_der_cert(handle, derCert);
|
||||||
|
}
|
||||||
|
|
||||||
|
static CERTCertificate *
|
||||||
|
diff --git a/lib/pki/pkistore.c b/lib/pki/pkistore.c
|
||||||
|
--- a/lib/pki/pkistore.c
|
||||||
|
+++ b/lib/pki/pkistore.c
|
||||||
|
@@ -27,6 +27,8 @@
|
||||||
|
|
||||||
|
#include "prbit.h"
|
||||||
|
|
||||||
|
+#include "secerr.h"
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Certificate Store
|
||||||
|
*
|
||||||
|
@@ -544,6 +546,13 @@ nssCertificateStore_FindCertificateByEnc
|
||||||
|
&serial);
|
||||||
|
PORT_Free(issuer.data);
|
||||||
|
PORT_Free(serial.data);
|
||||||
|
+
|
||||||
|
+ if (rvCert && !nssItem_Equal(&rvCert->encoding, encoding, NULL)) {
|
||||||
|
+ nssCertificate_Destroy(rvCert);
|
||||||
|
+ PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return rvCert;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/lib/pki/trustdomain.c b/lib/pki/trustdomain.c
|
||||||
|
--- a/lib/pki/trustdomain.c
|
||||||
|
+++ b/lib/pki/trustdomain.c
|
||||||
|
@@ -15,6 +15,7 @@
|
||||||
|
#include "pk11pub.h"
|
||||||
|
#include "nssrwlk.h"
|
||||||
|
#include "pk11priv.h"
|
||||||
|
+#include "secerr.h"
|
||||||
|
|
||||||
|
#define NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE 32
|
||||||
|
|
||||||
|
@@ -841,6 +842,13 @@ nssTrustDomain_FindCertificateByEncodedC
|
||||||
|
&serial);
|
||||||
|
PORT_Free(issuer.data);
|
||||||
|
PORT_Free(serial.data);
|
||||||
|
+
|
||||||
|
+ if (rvCert && !nssItem_Equal(&rvCert->encoding, ber, NULL)) {
|
||||||
|
+ nssCertificate_Destroy(rvCert);
|
||||||
|
+ PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return rvCert;
|
||||||
|
}
|
||||||
|
|
7
nss.spec
7
nss.spec
@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
|
|||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
Name: nss
|
Name: nss
|
||||||
Version: %{nss_version}
|
Version: %{nss_version}
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Requires: nspr >= %{nspr_version}
|
Requires: nspr >= %{nspr_version}
|
||||||
@ -107,6 +107,8 @@ Patch2: nss-539183.patch
|
|||||||
Patch4: iquote.patch
|
Patch4: iquote.patch
|
||||||
# add missing ike mechanism to softoken
|
# add missing ike mechanism to softoken
|
||||||
Patch10: nss-3.47-ike-fix.patch
|
Patch10: nss-3.47-ike-fix.patch
|
||||||
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
|
||||||
|
Patch11: nss-3.47-certdb-temp-cert.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Network Security Services (NSS) is a set of libraries designed to
|
Network Security Services (NSS) is a set of libraries designed to
|
||||||
@ -872,6 +874,9 @@ update-crypto-policies &> /dev/null || :
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Nov 28 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-2
|
||||||
|
- Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617)
|
||||||
|
|
||||||
* Fri Nov 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-1
|
* Fri Nov 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-1
|
||||||
- Update to NSS 3.47.1
|
- Update to NSS 3.47.1
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user