mirror of
https://github.com/archlinuxarm/PKGBUILDs.git
synced 2024-11-28 22:57:37 +00:00
68 lines
2.6 KiB
Diff
68 lines
2.6 KiB
Diff
From 9530978d1552674792e281391100269305a38c47 Mon Sep 17 00:00:00 2001
|
|
From: Daiki Ueno <dueno@redhat.com>
|
|
Date: Fri, 6 Dec 2019 10:47:01 +0100
|
|
Subject: [PATCH] Bug 1593167, certdb: propagate trust information if trust
|
|
module is loaded afterwards, r=rrelyea,keeler
|
|
|
|
Summary:
|
|
When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in Firefox as it loads the module from a separate thread while accessing the network cache which populates temp certs.
|
|
|
|
This change makes it properly roll up the trust information, if a temp cert doesn't have trust information.
|
|
|
|
Reviewers: rrelyea, keeler
|
|
|
|
Reviewed By: rrelyea, keeler
|
|
|
|
Subscribers: reviewbot, heftig
|
|
|
|
Bug #: 1593167
|
|
|
|
Differential Revision: https://phabricator.services.mozilla.com/D54726
|
|
---
|
|
lib/pki/pki3hack.c | 30 ++++++++++++++++++++++--------
|
|
1 file changed, 22 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
|
|
index 29d2fb5a40..eac4a5705e 100644
|
|
--- a/lib/pki/pki3hack.c
|
|
+++ b/lib/pki/pki3hack.c
|
|
@@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
|
|
}
|
|
if (!cc->nssCertificate || forceUpdate) {
|
|
fill_CERTCertificateFields(c, cc, forceUpdate);
|
|
- } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
|
|
- !c->object.cryptoContext) {
|
|
- /* if it's a perm cert, it might have been stored before the
|
|
- * trust, so look for the trust again. But a temp cert can be
|
|
- * ignored.
|
|
- */
|
|
- CERTCertTrust *trust = NULL;
|
|
- trust = nssTrust_GetCERTCertTrustForCert(c, cc);
|
|
+ } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
|
|
+ CERTCertTrust *trust;
|
|
+ if (!c->object.cryptoContext) {
|
|
+ /* If it's a perm cert, it might have been stored before the
|
|
+ * trust, so look for the trust again.
|
|
+ */
|
|
+ trust = nssTrust_GetCERTCertTrustForCert(c, cc);
|
|
+ } else {
|
|
+ /* If it's a temp cert, it might have been stored before the
|
|
+ * builtin trust module is loaded, so look for the trust
|
|
+ * again, but don't set the empty trust if it is not found.
|
|
+ */
|
|
+ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
|
|
+ if (!t) {
|
|
+ goto loser;
|
|
+ }
|
|
+ trust = cert_trust_from_stan_trust(t, cc->arena);
|
|
+ nssTrust_Destroy(t);
|
|
+ if (!trust) {
|
|
+ goto loser;
|
|
+ }
|
|
+ }
|
|
|
|
CERT_LockCertTrust(cc);
|
|
cc->trust = trust;
|
|
--
|
|
2.24.0
|
|
|