Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value
This commit is contained in:
parent
704f2e22d6
commit
a8a8d020bf
@ -1,7 +1,35 @@
|
||||
# HG changeset patch
|
||||
# User Daiki Ueno <dueno@redhat.com>
|
||||
# Date 1575381287 -3600
|
||||
# Tue Dec 03 14:54:47 2019 +0100
|
||||
# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe
|
||||
# Parent d64102b76a437f24d98a20480dcc9f1655143e7c
|
||||
Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
|
||||
|
||||
Summary:
|
||||
When a builtin root module is loaded after some temp certs being
|
||||
loaded, our certificate lookup logic preferred those temp certs over
|
||||
perm certs stored on the root module. This was a problem because such
|
||||
temp certs are usually not accompanied with trust information.
|
||||
|
||||
This makes the certificate lookup logic capable of handling such
|
||||
situations by checking if the trust information is attached to temp
|
||||
certs and otherwise falling back to perm certs.
|
||||
|
||||
Reviewers: rrelyea, keeler
|
||||
|
||||
Reviewed By: rrelyea
|
||||
|
||||
Subscribers: reviewbot, heftig
|
||||
|
||||
Bug #: 1593167
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D54726
|
||||
|
||||
diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
|
||||
--- a/lib/pki/pki3hack.c
|
||||
+++ b/lib/pki/pki3hack.c
|
||||
@@ -921,11 +921,11 @@
|
||||
@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate *
|
||||
}
|
||||
if (!cc->nssCertificate || forceUpdate) {
|
||||
fill_CERTCertificateFields(c, cc, forceUpdate);
|
||||
@ -10,12 +38,27 @@ diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
|
||||
- /* if it's a perm cert, it might have been stored before the
|
||||
- * trust, so look for the trust again. But a temp cert can be
|
||||
- * ignored.
|
||||
- */
|
||||
- CERTCertTrust *trust = NULL;
|
||||
- trust = nssTrust_GetCERTCertTrustForCert(c, cc);
|
||||
+ } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
|
||||
+ /* If it's a perm cert, it might have been stored before the
|
||||
+ * trust, so look for the trust again. If it's a temp cert, it
|
||||
+ * might have been stored before the builtin module is loaded,
|
||||
+ * so still need to look for the trust again.
|
||||
*/
|
||||
CERTCertTrust *trust = NULL;
|
||||
trust = nssTrust_GetCERTCertTrustForCert(c, cc);
|
||||
+ CERTCertTrust *trust;
|
||||
+ if (!c->object.cryptoContext) {
|
||||
+ /* If it's a perm cert, it might have been stored before the
|
||||
+ * trust, so look for the trust again.
|
||||
+ */
|
||||
+ trust = nssTrust_GetCERTCertTrustForCert(c, cc);
|
||||
+ } else {
|
||||
+ /* If it's a temp cert, it might have been stored before
|
||||
+ * the builtin module is loaded, so look for the trust
|
||||
+ * again, but not set the empty trust if not found.
|
||||
+ */
|
||||
+ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
|
||||
+ if (!t) {
|
||||
+ goto loser;
|
||||
+ }
|
||||
+ trust = cert_trust_from_stan_trust(t, cc->arena);
|
||||
+ }
|
||||
|
||||
CERT_LockCertTrust(cc);
|
||||
cc->trust = trust;
|
||||
|
5
nss.spec
5
nss.spec
@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: %{nss_version}
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Requires: nspr >= %{nspr_version}
|
||||
@ -874,6 +874,9 @@ update-crypto-policies &> /dev/null || :
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Dec 3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-4
|
||||
- Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value
|
||||
|
||||
* Tue Dec 3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-3
|
||||
- Update nss-3.47-certdb-temp-cert.patch to the final version
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user