# HG changeset patch
# Parent a2f525a055c84cb9617c275a48575fea7b0001ea
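diff --git a/config/external/nss/nss.symbols b/config/external/nss/nss.symbols
--- a/config/external/nss/nss.symbols
+++ b/config/external/nss/nss.symbols
@@ -25,7 +25,6 @@ CERT_AddCertToListHead
 CERT_AddCertToListTail
 CERT_AddExtension
 CERT_AddExtensionByOID
-__CERT_AddTempCertToPerm
 CERT_AsciiToName
 CERT_CacheOCSPResponseFromSideChannel
 CERT_CertChainFromCert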
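diff --git a/security/manager/ssl/moz.build b/security/manager/ssl/moz.build
--- a/security/manager/ssl/moz.build
+++ b/security/manager/ssl/moz.build
@@ -182,8 +182,6 @@ DEFINES['NSS_ENABLE_ECC'] = 'True'
 for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
 DEFINES[var] = '"%s"' % CONFIG[var]
 
-DEFINES['CERT_AddTempCertToPerm'] = '__CERT_AddTempCertToPerm'
-
 USE_LIBS += [
 'crmf',
 ]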
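diff --git a/security/manager/ssl/nsNSSCertificateDB.cpp b/security/manager/ssl/nsNSSCertificateDB.cpp
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -349,9 +349,17 @@ nsNSSCertificateDB::handleCACertDownload
 !!(trustBits & nsIX509CertDB::TRUSTED_EMAIL),
 !!(trustBits & nsIX509CertDB::TRUSTED_OBJSIGN));
 
- if (CERT_AddTempCertToPerm(tmpCert.get(), nickname.get(),
- trust.GetTrust()) != SECSuccess) {
- return NS_ERROR_FAILURE;
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE,
+ nickname.get(),
+ false); // this parameter is ignored by NSS
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
+ }
+ // NSS ignores the first argument to CERT_ChangeCertTrust
+ srv = CERT_ChangeCertTrust(nullptr, tmpCert.get(), trust.GetTrust());
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
 }
 
 // Import additional delivered certificates that can be verified.
@@ -511,34 +519,30 @@ ImportCertsIntoTempStorage(int numcerts,
 return NS_OK;
 }
 
-static SECStatus
-ImportCertsIntoPermanentStorage(const UniqueCERTCertList& certChain,
- const SECCertUsage usage, const bool caOnly)
+static nsresult
+ImportCertsIntoPermanentStorage(const UniqueCERTCertList& certChain)
 {
- int chainLen = 0;
- for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
+ bool encounteredFailure = false;
+ PRErrorCode savedErrorCode = 0;
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ for (CERTCertListNode* chainNode = CERT_LIST_HEAD(certChain);
 !CERT_LIST_END(chainNode, certChain);
 chainNode = CERT_LIST_NEXT(chainNode)) {
- chainLen++;
+ UniquePORTString nickname(CERT_MakeCANickname(chainNode->cert));
+ SECStatus srv = PK11_ImportCert(slot.get(), chainNode->cert,
+ CK_INVALID_HANDLE, nickname.get(),
+ false); // this parameter is ignored by NSS
+ if (srv != SECSuccess) {
+ encounteredFailure = true;
+ savedErrorCode = PR_GetError();
+ }
 }
 
- SECItem **rawArray;
- rawArray = (SECItem **) PORT_Alloc(chainLen * sizeof(SECItem *));
- if (!rawArray) {
- return SECFailure;
+ if (encounteredFailure) {
+ return GetXPCOMFromNSSError(savedErrorCode);
 }
 
- int i = 0;
- for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
- !CERT_LIST_END(chainNode, certChain);
- chainNode = CERT_LIST_NEXT(chainNode), i++) {
- rawArray[i] = &chainNode->cert->derCert;
- }
- SECStatus srv = CERT_ImportCerts(CERT_GetDefaultCertDB(), usage, chainLen,
- rawArray, nullptr, true, caOnly, nullptr);
-
- PORT_Free(rawArray);
- return srv;
+ return NS_OK;
 }
 
 NS_IMETHODIMP
@@ -597,11 +601,9 @@ nsNSSCertificateDB::ImportEmailCertifica
 DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, locker);
 continue;
 }
- SECStatus srv = ImportCertsIntoPermanentStorage(certChain,
- certUsageEmailRecipient,
- false);
- if (srv != SECSuccess) {
- return NS_ERROR_FAILURE;
+ rv = ImportCertsIntoPermanentStorage(certChain);
+ if (NS_FAILED(rv)) {
+ return rv;
 }
 CERT_SaveSMimeProfile(node->cert, nullptr, nullptr);
 }
@@ -654,10 +656,9 @@ nsNSSCertificateDB::ImportValidCACertsIn
 continue;
 }
 
- SECStatus srv = ImportCertsIntoPermanentStorage(certChain, certUsageAnyCA,
- true);
- if (srv != SECSuccess) {
- return NS_ERROR_FAILURE;
+ nsresult rv = ImportCertsIntoPermanentStorage(certChain);
+ if (NS_FAILED(rv)) {
+ return rv;
 }
 }
 
@@ -1336,8 +1337,15 @@ nsNSSCertificateDB::AddCertFromBase64(co
 
 MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Created nick \"%s\"\n", nickname.get()));
 
- SECStatus srv = CERT_AddTempCertToPerm(tmpCert.get(), nickname.get(),
- trust.GetTrust());
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE,
+ nickname.get(),
+ false); // this parameter is ignored by NSS
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
+ }
+ // NSS ignores the first argument to CERT_ChangeCertTrust
+ srv = CERT_ChangeCertTrust(nullptr, tmpCert.get(), trust.GetTrust());
 return MapSECStatus(srv);
 }
 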
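Review bot: The rewritten ImportCertsIntoPermanentStorage drops the caOnly parameter, so its loop now persists every certificate in certChain, whereas the removed CERT_ImportCerts call reached from ImportValidCACertsInList passed caOnly=true and could skip non-CA entries; if a chain built for a CA import can ever contain an end-entity certificate this is a behaviour change, and either a comment stating why the filter is no longer needed or a `CERT_IsCACert(chainNode->cert, nullptr)` guard before PK11_ImportCert would make the intent explicit. The slot obtained from PK11_GetInternalKeySlot() is passed to PK11_ImportCert without a null check in this hunk and in the handleCACertDownload and AddCertFromBase64 hunks; whether PK11_ImportCert tolerates a null slot is not visible here, so `if (!slot) { return NS_ERROR_FAILURE; }` after acquiring it would make that failure mode explicit. In the handleCACertDownload and AddCertFromBase64 hunks a failing CERT_ChangeCertTrust returns after the certificate has already been written to permanent storage, leaving it persisted with whatever default trust the store assigns; a comment such as `// Import succeeded but trust was not applied; the cert stays in the DB untrusted` would record that this partial state is accepted. The enclosing functions handleCACertDownload, ImportEmailCertificates and ImportValidCACertsInList start and end outside their hunks.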