# HG changeset patch # User Daiki Ueno # Date 1575381287 -3600 # Tue Dec 03 14:54:47 2019 +0100 # Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe # Parent d64102b76a437f24d98a20480dcc9f1655143e7c Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available Summary: When a builtin root module is loaded after some temp certs being loaded, our certificate lookup logic preferred those temp certs over perm certs stored on the root module. This was a problem because such temp certs are usually not accompanied with trust information. This makes the certificate lookup logic capable of handling such situations by checking if the trust information is attached to temp certs and otherwise falling back to perm certs. Reviewers: rrelyea, keeler Reviewed By: rrelyea Subscribers: reviewbot, heftig Bug #: 1593167 Differential Revision: https://phabricator.services.mozilla.com/D54726 diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c --- a/lib/pki/pki3hack.c +++ b/lib/pki/pki3hack.c @@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate * } if (!cc->nssCertificate || forceUpdate) { fill_CERTCertificateFields(c, cc, forceUpdate); - } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess && - !c->object.cryptoContext) { - /* if it's a perm cert, it might have been stored before the - * trust, so look for the trust again. But a temp cert can be - * ignored. - */ - CERTCertTrust *trust = NULL; - trust = nssTrust_GetCERTCertTrustForCert(c, cc); + } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) { + CERTCertTrust *trust; + if (!c->object.cryptoContext) { + /* If it's a perm cert, it might have been stored before the + * trust, so look for the trust again. + */ + trust = nssTrust_GetCERTCertTrustForCert(c, cc); + } else { + /* If it's a temp cert, it might have been stored before + * the builtin module is loaded, so look for the trust + * again, but not set the empty trust if not found. + */ + NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c); + if (!t) { + goto loser; + } + trust = cert_trust_from_stan_trust(t, cc->arena); + } CERT_LockCertTrust(cc); cc->trust = trust;