moebius#119: (Windows) Security - Certificate Stores - NSSCertDBTrustDomain allows end-entities to be their own trust anchors

https://github.com/MoonchildProductions/moebius/pull/119
author: janekptacijarabaci <janekptacijarabaci@seznam.cz> 2018-04-23 09:10:12 +0200
committer: janekptacijarabaci <janekptacijarabaci@seznam.cz> 2018-04-23 09:10:12 +0200
commit: c3ec00a15295120481e4b845e36ccf324dc6b669 (patch)
tree: dd0f4d6bf7ccaded789019870c4f81f4e1fd8d57 /security/certverifier
parent: c30ebdac27c93b57e368c69e9c13055a17229992 (diff)
download: UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar
UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.gz
UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.lz
UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.xz
UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.zip
2 files changed, 6 insertions, 3 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
index 61d8fcdb8..2957a269f 100644
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -224,8 +224,7 @@ CertVerifier::VerifySignedCertificateTimestamps(
   CERTCertListNode* issuerNode = CERT_LIST_NEXT(endEntityNode);
   if (!issuerNode || CERT_LIST_END(issuerNode, builtChain)) {
     // Issuer certificate is required for SCT verification.
-    // TODO(bug 1294580): change this to Result::FATAL_ERROR_INVALID_ARGS
-    return Success;
+    return Result::FATAL_ERROR_INVALID_ARGS;
   }
 
   CERTCertificate* endEntity = endEntityNode->cert;
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 1fe27b760..b4e12fe9c 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -245,7 +245,11 @@ NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
     // For TRUST, we only use the CERTDB_TRUSTED_CA bit, because Goanna hasn't
     // needed to consider end-entity certs to be their own trust anchors since
     // Goanna implemented nsICertOverrideService.
-    if (flags & CERTDB_TRUSTED_CA) {
+    // Of course, for this to work as expected, we need to make sure we're
+    // inquiring about the trust of a CA and not an end-entity. If an end-entity
+    // has the CERTDB_TRUSTED_CA bit set, Gecko does not consider it to be a
+    // trust anchor; it must inherit its trust.
+    if (flags & CERTDB_TRUSTED_CA && endEntityOrCA == EndEntityOrCA::MustBeCA) {
       if (policy.IsAnyPolicy()) {
         trustLevel = TrustLevel::TrustAnchor;
         return Success;
author	janekptacijarabaci <janekptacijarabaci@seznam.cz>	2018-04-23 09:10:12 +0200
committer	janekptacijarabaci <janekptacijarabaci@seznam.cz>	2018-04-23 09:10:12 +0200
commit	c3ec00a15295120481e4b845e36ccf324dc6b669 (patch)
tree	dd0f4d6bf7ccaded789019870c4f81f4e1fd8d57 /security/certverifier
parent	c30ebdac27c93b57e368c69e9c13055a17229992 (diff)
download	UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.gz UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.lz UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.xz UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.zip