Update nss-3.47-certdb-temp-cert.patch to the final version

2019-12-03 09:31:24 +01:00 · 2019-12-03 09:31:24 +01:00 · 704f2e22d6
commit 704f2e22d6
parent 4f639ad73c
2 changed files with 24 additions and 230 deletions
--- a/nss-3.47-certdb-temp-cert.patch
+++ b/nss-3.47-certdb-temp-cert.patch
@ -1,230 +1,21 @@
-# HG changeset patch
+diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
-# User Daiki Ueno <dueno@redhat.com>
+--- a/lib/pki/pki3hack.c
-# Date 1574953499 -3600
+++ b/lib/pki/pki3hack.c
-#      Thu Nov 28 16:04:59 2019 +0100
+@@ -921,11 +921,11 @@
 # Node ID f1f705bd0528713216e16867233825c299d3e3b2
 # Parent  10722c590949819ed4d971ad5ae213bc8b11a1bf
 Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
 Summary:
 When a builtin root module is loaded after some temp certs being
 loaded, our certificate lookup logic preferred those temp certs over
 perm certs stored on the root module.  This was a problem because such
 temp certs are usually not accompanied with trust information.
 This makes the certificate lookup logic capable of handling such
 situations by checking if the trust information is attached to temp
 certs and otherwise falling back to perm certs.
 Reviewers: rrelyea, keeler
 Reviewed By: rrelyea
 Subscribers: heftig
 Bug #: 1593167
 Differential Revision: https://phabricator.services.mozilla.com/D54726
 diff --git a/lib/certdb/stanpcertdb.c b/lib/certdb/stanpcertdb.c
 --- a/lib/certdb/stanpcertdb.c
 +++ b/lib/certdb/stanpcertdb.c
@@ -340,6 +340,91 @@ CERT_AddTempCertToPerm(CERTCertificate *
     return __CERT_AddTempCertToPerm(cert, nickname, trust);
 }
 +static CERTCertificate *
 +find_cert_by_der_cert(CERTCertDBHandle *handle, SECItem *derCert)
 +{
 +    CERTCertificate *cc;
 +    NSSCryptoContext *context;
 +    NSSCertificate *cert = NULL;
 +    NSSCertificate *tempCert = NULL;
 +    NSSCertificate *permCert = NULL;
 +    NSSDER encoding;
 +    nssCertificateStoreTrace lockTrace = { NULL, NULL, PR_FALSE, PR_FALSE };
 +    nssCertificateStoreTrace unlockTrace = { NULL, NULL, PR_FALSE, PR_FALSE };
 +
 +    /* We retrieve a certificate instance for derCert in this order:
 +     * 1. Look up a temp cert in the crypto context.  If it is found
 +     *    and has a trust object associated, use it.
 +     * 2. Look up a perm cert in the trust domain.  If it is found,
 +     *    use it.  Otherwise, use the temp cert.
 +     */
 +    NSSITEM_FROM_SECITEM(&encoding, derCert);
 +    context = STAN_GetDefaultCryptoContext();
 +
 +    /* First, see if it is already a temp cert */
 +    tempCert = NSSCryptoContext_FindCertificateByEncodedCertificate(context,
 +                                                                    &encoding);
 +    if (tempCert) {
 +        NSSTrust *trust;
 +
 +        trust = nssCryptoContext_FindTrustForCertificate(context, tempCert);
 +        if (trust) {
 +            nssTrust_Destroy(trust);
 +            cert = tempCert;
 +            tempCert = NULL;
 +        }
 +    }
 +
 +    /* Then, see if it is already a perm cert */
 +    if (!cert && handle) {
 +        permCert = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
 +                                                                      &encoding);
 +        if (permCert) {
 +            /* Delete the temp instance */
 +            if (tempCert) {
 +                nssCertificateStore_Lock(context->certStore, &lockTrace);
 +                nssCertificateStore_RemoveCertLOCKED(context->certStore,
 +                                                     tempCert);
 +                nssCertificateStore_Unlock(context->certStore, &lockTrace,
 +                                           &unlockTrace);
 +            }
 +            cert = permCert;
 +            permCert = NULL;
 +        } else if (tempCert) {
 +            cert = tempCert;
 +            tempCert = NULL;
 +        }
 +    }
 +
 +    if (tempCert) {
 +        nssCertificate_Destroy(tempCert);
 +    }
 +    if (permCert) {
 +        nssCertificate_Destroy(permCert);
 +    }
 +
 +    if (!cert) {
 +        return NULL;
 +    }
 +
 +    /* Actually, that search ends up going by issuer/serial,
 +     * so it is still possible to return a cert with the same
 +     * issuer/serial but a different encoding, and we're
 +     * going to reject that
 +     */
 +    if (!nssItem_Equal(&cert->encoding, &encoding, NULL)) {
 +        nssCertificate_Destroy(cert);
 +        PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
 +        return NULL;
 +    }
 +
 +    cc = STAN_GetCERTCertificateOrRelease(cert);
 +    if (!cc) {
 +        CERT_MapStanError();
 +    }
 +    return cc;
 +}
 +
 CERTCertificate *
 CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
                         char *nickname, PRBool isperm, PRBool copyDER)
@@ -351,32 +436,8 @@ CERT_NewTempCertificate(CERTCertDBHandle
     NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
     NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain();
     if (!isperm) {
 -        NSSDER encoding;
 -        NSSITEM_FROM_SECITEM(&encoding, derCert);
 -        /* First, see if it is already a temp cert */
 -        c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC,
 -                                                                 &encoding);
 -        if (!c && handle) {
 -            /* Then, see if it is already a perm cert */
 -            c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
 -                                                                   &encoding);
 -        }
 -        if (c) {
 -            /* actually, that search ends up going by issuer/serial,
 -             * so it is still possible to return a cert with the same
 -             * issuer/serial but a different encoding, and we're
 -             * going to reject that
 -             */
 -            if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
 -                nssCertificate_Destroy(c);
 -                PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
 -                cc = NULL;
 -            } else {
 -                cc = STAN_GetCERTCertificateOrRelease(c);
 -                if (cc == NULL) {
 -                    CERT_MapStanError();
 -                }
 -            }
 +        cc = find_cert_by_der_cert(handle, derCert);
 +        if (cc) {
             return cc;
         }
     }
@@ -598,19 +659,7 @@ CERT_FindCertByNickname(CERTCertDBHandle
 CERTCertificate *
 CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
 {
 -    NSSCryptoContext *cc;
 -    NSSCertificate *c;
 -    NSSDER encoding;
 -    NSSITEM_FROM_SECITEM(&encoding, derCert);
 -    cc = STAN_GetDefaultCryptoContext();
 -    c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding);
 -    if (!c) {
 -        c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
 -                                                               &encoding);
 -        if (!c)
 -            return NULL;
 -    }
 -    return STAN_GetCERTCertificateOrRelease(c);
 +    return find_cert_by_der_cert(handle, derCert);
 }
 static CERTCertificate *
 diff --git a/lib/pki/pkistore.c b/lib/pki/pkistore.c
 --- a/lib/pki/pkistore.c
 +++ b/lib/pki/pkistore.c
@@ -27,6 +27,8 @@
 #include "prbit.h"
 +#include "secerr.h"
 +
 /*
  * Certificate Store
  *
@@ -544,6 +546,13 @@ nssCertificateStore_FindCertificateByEnc
                                                                         &serial);
     PORT_Free(issuer.data);
     PORT_Free(serial.data);
 +
 +    if (rvCert && !nssItem_Equal(&rvCert->encoding, encoding, NULL)) {
 +        nssCertificate_Destroy(rvCert);
 +        PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
 +        return NULL;
 +    }
 +
     return rvCert;
 }
 diff --git a/lib/pki/trustdomain.c b/lib/pki/trustdomain.c
 --- a/lib/pki/trustdomain.c
 +++ b/lib/pki/trustdomain.c
@@ -15,6 +15,7 @@
 #include "pk11pub.h"
 #include "nssrwlk.h"
 #include "pk11priv.h"
 +#include "secerr.h"
 #define NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE 32
@@ -841,6 +842,13 @@ nssTrustDomain_FindCertificateByEncodedC
                                                                    &serial);
     PORT_Free(issuer.data);
     PORT_Free(serial.data);
 +
 +    if (rvCert && !nssItem_Equal(&rvCert->encoding, ber, NULL)) {
 +        nssCertificate_Destroy(rvCert);
 +        PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
 +        return NULL;
 +    }
 +
     return rvCert;
     }
     if (!cc->nssCertificate || forceUpdate) {
         fill_CERTCertificateFields(c, cc, forceUpdate);
 -    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
 -               !c->object.cryptoContext) {
 -        /* if it's a perm cert, it might have been stored before the
 -         * trust, so look for the trust again.  But a temp cert can be
 -         * ignored.
 +    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
 +        /* If it's a perm cert, it might have been stored before the
 +         * trust, so look for the trust again. If it's a temp cert, it
 +         * might have been stored before the builtin module is loaded,
 +         * so still need to look for the trust again.
          */
         CERTCertTrust *trust = NULL;
         trust = nssTrust_GetCERTCertTrustForCert(c, cc);
--- a/nss.spec
+++ b/nss.spec
@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
+Release:          3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@ -874,6 +874,9 @@ update-crypto-policies &> /dev/null || :
 %changelog
 * Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-3
 - Update nss-3.47-certdb-temp-cert.patch to the final version
 * Thu Nov 28 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-2
 - Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617)