Update nss-3.47-certdb-temp-cert.patch

This commit is contained in:
Daiki Ueno 2019-12-04 10:20:43 +01:00
parent a8a8d020bf
commit f3ad534c37

View File

@ -1,20 +1,15 @@
# HG changeset patch # HG changeset patch
# User Daiki Ueno <dueno@redhat.com> # User Daiki Ueno <dueno@redhat.com>
# Date 1575381287 -3600 # Date 1575450841 -3600
# Tue Dec 03 14:54:47 2019 +0100 # Wed Dec 04 10:14:01 2019 +0100
# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe # Node ID 017097f0a0eaea1a3d849f3de79475c9bc28fcc2
# Parent d64102b76a437f24d98a20480dcc9f1655143e7c # Parent d64102b76a437f24d98a20480dcc9f1655143e7c
Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available Bug 1593167, certdb: propagate trust information if trust module is loaded afterwards
Summary: Summary:
When a builtin root module is loaded after some temp certs being When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in Firefox as it loads the module from a separate thread while accessing the network cache which populates temp certs.
loaded, our certificate lookup logic preferred those temp certs over
perm certs stored on the root module. This was a problem because such
temp certs are usually not accompanied with trust information.
This makes the certificate lookup logic capable of handling such This change makes it properly roll up the trust information, if a temp cert doesn't have trust information.
situations by checking if the trust information is attached to temp
certs and otherwise falling back to perm certs.
Reviewers: rrelyea, keeler Reviewers: rrelyea, keeler
@ -29,7 +24,7 @@ Differential Revision: https://phabricator.services.mozilla.com/D54726
diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
--- a/lib/pki/pki3hack.c --- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c +++ b/lib/pki/pki3hack.c
@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate * @@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate *
} }
if (!cc->nssCertificate || forceUpdate) { if (!cc->nssCertificate || forceUpdate) {
fill_CERTCertificateFields(c, cc, forceUpdate); fill_CERTCertificateFields(c, cc, forceUpdate);
@ -49,15 +44,19 @@ diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
+ */ + */
+ trust = nssTrust_GetCERTCertTrustForCert(c, cc); + trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ } else { + } else {
+ /* If it's a temp cert, it might have been stored before + /* If it's a temp cert, it might have been stored before the
+ * the builtin module is loaded, so look for the trust + * builtin trust module is loaded, so look for the trust
+ * again, but not set the empty trust if not found. + * again, but don't set the empty trust if it is not found.
+ */ + */
+ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c); + NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
+ if (!t) { + if (!t) {
+ goto loser; + goto loser;
+ } + }
+ trust = cert_trust_from_stan_trust(t, cc->arena); + trust = cert_trust_from_stan_trust(t, cc->arena);
+ nssTrust_Destroy(t);
+ if (!trust) {
+ goto loser;
+ }
+ } + }
CERT_LockCertTrust(cc); CERT_LockCertTrust(cc);