archlinuxarm/PKGBUILDs
1
0
Fork 0
mirror of https://github.com/archlinuxarm/PKGBUILDs.git synced 2024-11-08 22:45:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
PKGBUILDs/core/nss/nss-3.47-certdb-temp-cert.patch
Kevin Mihelich 6d4a94fece core/nss to 3.47.1-4
2019-12-04 05:51:02 +00:00

64 lines
2.4 KiB
Diff
Raw Blame History

# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1575381287 -3600
# Tue Dec 03 14:54:47 2019 +0100
# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe
# Parent d64102b76a437f24d98a20480dcc9f1655143e7c
Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
Summary:
When a builtin root module is loaded after some temp certs being
loaded, our certificate lookup logic preferred those temp certs over
perm certs stored on the root module. This was a problem because such
temp certs are usually not accompanied with trust information.
This makes the certificate lookup logic capable of handling such
situations by checking if the trust information is attached to temp
certs and otherwise falling back to perm certs.
Reviewers: rrelyea, keeler
Reviewed By: rrelyea
Subscribers: reviewbot, heftig
Bug #: 1593167
Differential Revision: https://phabricator.services.mozilla.com/D54726
diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate *
}
if (!cc->nssCertificate || forceUpdate) {
fill_CERTCertificateFields(c, cc, forceUpdate);
- } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
- !c->object.cryptoContext) {
- /* if it's a perm cert, it might have been stored before the
- * trust, so look for the trust again. But a temp cert can be
- * ignored.
- */
- CERTCertTrust *trust = NULL;
- trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
+ CERTCertTrust *trust;
+ if (!c->object.cryptoContext) {
+ /* If it's a perm cert, it might have been stored before the
+ * trust, so look for the trust again.
+ */
+ trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ } else {
+ /* If it's a temp cert, it might have been stored before
+ * the builtin module is loaded, so look for the trust
+ * again, but not set the empty trust if not found.
+ */
+ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
+ if (!t) {
+ goto loser;
+ }
+ trust = cert_trust_from_stan_trust(t, cc->arena);
+ }
CERT_LockCertTrust(cc);
cc->trust = trust;
Reference in a new issue View git blame Copy permalink