summaryrefslogtreecommitdiffstats
path: root/security/certverifier
diff options
context:
space:
mode:
authorjanekptacijarabaci <janekptacijarabaci@seznam.cz>2018-04-25 15:48:44 +0200
committerjanekptacijarabaci <janekptacijarabaci@seznam.cz>2018-04-25 15:48:44 +0200
commit3ab6c7feee8126bdfc5c9ab9371db41102e12e95 (patch)
treea309c45826300b888238b6a517051fe7e71d63eb /security/certverifier
parentb18a9cf86ea25bc52d9cfea584e3aa8bfbe81f0a (diff)
parentb069dabc91b7e0f5f8d161cdbe598276a21d6d68 (diff)
downloadUXP-3ab6c7feee8126bdfc5c9ab9371db41102e12e95.tar
UXP-3ab6c7feee8126bdfc5c9ab9371db41102e12e95.tar.gz
UXP-3ab6c7feee8126bdfc5c9ab9371db41102e12e95.tar.lz
UXP-3ab6c7feee8126bdfc5c9ab9371db41102e12e95.tar.xz
UXP-3ab6c7feee8126bdfc5c9ab9371db41102e12e95.zip
Merge branch 'master' of https://github.com/MoonchildProductions/UXP into pm_url_1
Diffstat (limited to 'security/certverifier')
-rw-r--r--security/certverifier/CertVerifier.cpp3
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.cpp6
2 files changed, 6 insertions, 3 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
index 61d8fcdb8..2957a269f 100644
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -224,8 +224,7 @@ CertVerifier::VerifySignedCertificateTimestamps(
CERTCertListNode* issuerNode = CERT_LIST_NEXT(endEntityNode);
if (!issuerNode || CERT_LIST_END(issuerNode, builtChain)) {
// Issuer certificate is required for SCT verification.
- // TODO(bug 1294580): change this to Result::FATAL_ERROR_INVALID_ARGS
- return Success;
+ return Result::FATAL_ERROR_INVALID_ARGS;
}
CERTCertificate* endEntity = endEntityNode->cert;
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 1fe27b760..b4e12fe9c 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -245,7 +245,11 @@ NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
// For TRUST, we only use the CERTDB_TRUSTED_CA bit, because Goanna hasn't
// needed to consider end-entity certs to be their own trust anchors since
// Goanna implemented nsICertOverrideService.
- if (flags & CERTDB_TRUSTED_CA) {
+ // Of course, for this to work as expected, we need to make sure we're
+ // inquiring about the trust of a CA and not an end-entity. If an end-entity
+ // has the CERTDB_TRUSTED_CA bit set, Gecko does not consider it to be a
+ // trust anchor; it must inherit its trust.
+ if (flags & CERTDB_TRUSTED_CA && endEntityOrCA == EndEntityOrCA::MustBeCA) {
if (policy.IsAnyPolicy()) {
trustLevel = TrustLevel::TrustAnchor;
return Success;