diff options
| author | Moonchild <mcwerewolf@gmail.com> | 2018-04-23 11:45:20 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-04-23 11:45:20 +0200 |
| commit | f5618cd8e900f37588a095381a8f2096d2038b5f (patch) | |
| tree | 2a5620008497d5e2dbf417daa007f51c46457212 /security/certverifier | |
| parent | 3b55277bc59d6bea5f61c164f9687ae242b88550 (diff) | |
| parent | c3ec00a15295120481e4b845e36ccf324dc6b669 (diff) | |
| download | UXP-f5618cd8e900f37588a095381a8f2096d2038b5f.tar UXP-f5618cd8e900f37588a095381a8f2096d2038b5f.tar.gz UXP-f5618cd8e900f37588a095381a8f2096d2038b5f.tar.lz UXP-f5618cd8e900f37588a095381a8f2096d2038b5f.tar.xz UXP-f5618cd8e900f37588a095381a8f2096d2038b5f.zip | |
Merge pull request #235 from janekptacijarabaci/security_windows_certificate-stores_1
moebius#119: (Windows) Security - Certificate Stores - NSSCertDBTrustDomain allows end-entities to be their own trust anchors
Diffstat (limited to 'security/certverifier')
| -rw-r--r-- | security/certverifier/CertVerifier.cpp | 3 | ||||
| -rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.cpp | 6 |
2 files changed, 6 insertions, 3 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp index 61d8fcdb8..2957a269f 100644 --- a/security/certverifier/CertVerifier.cpp +++ b/security/certverifier/CertVerifier.cpp @@ -224,8 +224,7 @@ CertVerifier::VerifySignedCertificateTimestamps( CERTCertListNode* issuerNode = CERT_LIST_NEXT(endEntityNode); if (!issuerNode || CERT_LIST_END(issuerNode, builtChain)) { // Issuer certificate is required for SCT verification. - // TODO(bug 1294580): change this to Result::FATAL_ERROR_INVALID_ARGS - return Success; + return Result::FATAL_ERROR_INVALID_ARGS; } CERTCertificate* endEntity = endEntityNode->cert; diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index 1fe27b760..b4e12fe9c 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -245,7 +245,11 @@ NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA, // For TRUST, we only use the CERTDB_TRUSTED_CA bit, because Goanna hasn't // needed to consider end-entity certs to be their own trust anchors since // Goanna implemented nsICertOverrideService. - if (flags & CERTDB_TRUSTED_CA) { + // Of course, for this to work as expected, we need to make sure we're + // inquiring about the trust of a CA and not an end-entity. If an end-entity + // has the CERTDB_TRUSTED_CA bit set, Gecko does not consider it to be a + // trust anchor; it must inherit its trust. + if (flags & CERTDB_TRUSTED_CA && endEntityOrCA == EndEntityOrCA::MustBeCA) { if (policy.IsAnyPolicy()) { trustLevel = TrustLevel::TrustAnchor; return Success; |