Diffstat (limited to 'security/certverifier/NSSCertDBTrustDomain.cpp')
-rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.cpp | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 412adb403..b4e12fe9c 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -242,10 +242,14 @@ NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
         return Success;
       }
 
-    // For TRUST, we only use the CERTDB_TRUSTED_CA bit, because Gecko hasn't
+    // For TRUST, we only use the CERTDB_TRUSTED_CA bit, because Goanna hasn't
     // needed to consider end-entity certs to be their own trust anchors since
-    // Gecko implemented nsICertOverrideService.
-    if (flags & CERTDB_TRUSTED_CA) {
+    // Goanna implemented nsICertOverrideService.
+    // Of course, for this to work as expected, we need to make sure we're
+    // inquiring about the trust of a CA and not an end-entity. If an end-entity
+    // has the CERTDB_TRUSTED_CA bit set, Gecko does not consider it to be a
+    // trust anchor; it must inherit its trust.
+    if (flags & CERTDB_TRUSTED_CA && endEntityOrCA == EndEntityOrCA::MustBeCA) {
       if (policy.IsAnyPolicy()) {
         trustLevel = TrustLevel::TrustAnchor;
         return Success;
|
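Review bot: The added comment line `// has the CERTDB_TRUSTED_CA bit set, Gecko does not consider it to be a` still names Gecko while the two comment lines rewritten in the same hunk were rebranded to Goanna; make it `// has the CERTDB_TRUSTED_CA bit set, Goanna does not consider it to be a` so the rationale reads in one voice. The new condition mixes a bitwise test with a logical one, and although `&` binds tighter than `&&` so the parse is the intended one, explicit grouping is cheaper than making every future reader re-derive that: `if ((flags & CERTDB_TRUSTED_CA) && endEntityOrCA == EndEntityOrCA::MustBeCA) {`. The security consequence of the new check is that an end-entity certificate carrying the CA trust bit is no longer reported as a TrustAnchor and instead falls through to whatever GetCertTrust returns after this block — presumably an inherits-trust result, but that code, like the start and end of the function, is outside the hunk, so the fall-through and a test that imports such a certificate and verifies it is not accepted as its own anchor are worth confirming.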