Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value

This commit is contained in:
Daiki Ueno 2019-12-03 15:51:55 +01:00
parent 704f2e22d6
commit a8a8d020bf
2 changed files with 56 additions and 10 deletions

View File

@ -1,7 +1,35 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1575381287 -3600
# Tue Dec 03 14:54:47 2019 +0100
# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe
# Parent d64102b76a437f24d98a20480dcc9f1655143e7c
Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
Summary:
When a builtin root module is loaded after some temp certs being
loaded, our certificate lookup logic preferred those temp certs over
perm certs stored on the root module. This was a problem because such
temp certs are usually not accompanied with trust information.
This makes the certificate lookup logic capable of handling such
situations by checking if the trust information is attached to temp
certs and otherwise falling back to perm certs.
Reviewers: rrelyea, keeler
Reviewed By: rrelyea
Subscribers: reviewbot, heftig
Bug #: 1593167
Differential Revision: https://phabricator.services.mozilla.com/D54726
diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
@@ -921,11 +921,11 @@
@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate *
}
if (!cc->nssCertificate || forceUpdate) {
fill_CERTCertificateFields(c, cc, forceUpdate);
@ -10,12 +38,27 @@ diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
- /* if it's a perm cert, it might have been stored before the
- * trust, so look for the trust again. But a temp cert can be
- * ignored.
- */
- CERTCertTrust *trust = NULL;
- trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
+ CERTCertTrust *trust;
+ if (!c->object.cryptoContext) {
+ /* If it's a perm cert, it might have been stored before the
+ * trust, so look for the trust again. If it's a temp cert, it
+ * might have been stored before the builtin module is loaded,
+ * so still need to look for the trust again.
*/
CERTCertTrust *trust = NULL;
trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ * trust, so look for the trust again.
+ */
+ trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ } else {
+ /* If it's a temp cert, it might have been stored before
+ * the builtin module is loaded, so look for the trust
+ * again, but not set the empty trust if not found.
+ */
+ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
+ if (!t) {
+ goto loser;
+ }
+ trust = cert_trust_from_stan_trust(t, cc->arena);
+ }
CERT_LockCertTrust(cc);
cc->trust = trust;

View File

@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
Summary: Network Security Services
Name: nss
Version: %{nss_version}
Release: 3%{?dist}
Release: 4%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version}
@ -874,6 +874,9 @@ update-crypto-policies &> /dev/null || :
%changelog
* Tue Dec 3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-4
- Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value
* Tue Dec 3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-3
- Update nss-3.47-certdb-temp-cert.patch to the final version