From a8a8d020bf1641f0168c74dcc4479b60925f3e04 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 3 Dec 2019 15:51:55 +0100 Subject: [PATCH] Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value --- nss-3.47-certdb-temp-cert.patch | 61 ++++++++++++++++++++++++++++----- nss.spec | 5 ++- 2 files changed, 56 insertions(+), 10 deletions(-) diff --git a/nss-3.47-certdb-temp-cert.patch b/nss-3.47-certdb-temp-cert.patch index a1608f4..b2afd50 100644 --- a/nss-3.47-certdb-temp-cert.patch +++ b/nss-3.47-certdb-temp-cert.patch @@ -1,7 +1,35 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1575381287 -3600 +# Tue Dec 03 14:54:47 2019 +0100 +# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe +# Parent d64102b76a437f24d98a20480dcc9f1655143e7c +Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available + +Summary: +When a builtin root module is loaded after some temp certs being +loaded, our certificate lookup logic preferred those temp certs over +perm certs stored on the root module. This was a problem because such +temp certs are usually not accompanied with trust information. + +This makes the certificate lookup logic capable of handling such +situations by checking if the trust information is attached to temp +certs and otherwise falling back to perm certs. + +Reviewers: rrelyea, keeler + +Reviewed By: rrelyea + +Subscribers: reviewbot, heftig + +Bug #: 1593167 + +Differential Revision: https://phabricator.services.mozilla.com/D54726 + diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c --- a/lib/pki/pki3hack.c +++ b/lib/pki/pki3hack.c -@@ -921,11 +921,11 @@ +@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate * } if (!cc->nssCertificate || forceUpdate) { fill_CERTCertificateFields(c, cc, forceUpdate); @@ -10,12 +38,27 @@ diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c - /* if it's a perm cert, it might have been stored before the - * trust, so look for the trust again. But a temp cert can be - * ignored. +- */ +- CERTCertTrust *trust = NULL; +- trust = nssTrust_GetCERTCertTrustForCert(c, cc); + } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) { -+ /* If it's a perm cert, it might have been stored before the -+ * trust, so look for the trust again. If it's a temp cert, it -+ * might have been stored before the builtin module is loaded, -+ * so still need to look for the trust again. - */ - CERTCertTrust *trust = NULL; - trust = nssTrust_GetCERTCertTrustForCert(c, cc); - ++ CERTCertTrust *trust; ++ if (!c->object.cryptoContext) { ++ /* If it's a perm cert, it might have been stored before the ++ * trust, so look for the trust again. ++ */ ++ trust = nssTrust_GetCERTCertTrustForCert(c, cc); ++ } else { ++ /* If it's a temp cert, it might have been stored before ++ * the builtin module is loaded, so look for the trust ++ * again, but not set the empty trust if not found. ++ */ ++ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c); ++ if (!t) { ++ goto loser; ++ } ++ trust = cert_trust_from_stan_trust(t, cc->arena); ++ } + + CERT_LockCertTrust(cc); + cc->trust = trust; diff --git a/nss.spec b/nss.spec index fe83c2f..2b687c6 100644 --- a/nss.spec +++ b/nss.spec @@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 3%{?dist} +Release: 4%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -874,6 +874,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Tue Dec 3 2019 Daiki Ueno - 3.47.1-4 +- Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value + * Tue Dec 3 2019 Daiki Ueno - 3.47.1-3 - Update nss-3.47-certdb-temp-cert.patch to the final version