nss/nss-3.47-certdb-temp-cert.patch

# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1575450841 -3600
#      Wed Dec 04 10:14:01 2019 +0100
# Node ID 017097f0a0eaea1a3d849f3de79475c9bc28fcc2
# Parent  d64102b76a437f24d98a20480dcc9f1655143e7c
Bug 1593167, certdb: propagate trust information if trust module is loaded afterwards

Summary:
When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in Firefox as it loads the module from a separate thread while accessing the network cache which populates temp certs.

This change makes it properly roll up the trust information, if a temp cert doesn't have trust information.

Reviewers: rrelyea, keeler

Reviewed By: rrelyea

Subscribers: reviewbot, heftig

Bug #: 1593167

Differential Revision: https://phabricator.services.mozilla.com/D54726

diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
@@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate *
     }
     if (!cc->nssCertificate || forceUpdate) {
         fill_CERTCertificateFields(c, cc, forceUpdate);
-    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
-               !c->object.cryptoContext) {
-        /* if it's a perm cert, it might have been stored before the
-         * trust, so look for the trust again.  But a temp cert can be
-         * ignored.
-         */
-        CERTCertTrust *trust = NULL;
-        trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
+        CERTCertTrust *trust;
+        if (!c->object.cryptoContext) {
+            /* If it's a perm cert, it might have been stored before the
+             * trust, so look for the trust again.
+             */
+            trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+        } else {
+            /* If it's a temp cert, it might have been stored before the
+             * builtin trust module is loaded, so look for the trust
+             * again, but don't set the empty trust if it is not found.
+             */
+            NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
+            if (!t) {
+                goto loser;
+            }
+            trust = cert_trust_from_stan_trust(t, cc->arena);
+            nssTrust_Destroy(t);
+            if (!trust) {
+                goto loser;
+            }
+        }
 
         CERT_LockCertTrust(cc);
         cc->trust = trust;