Date: Tuesday, December 3, 2019 @ 15:06:30 Author: heftig Revision: 370312
3.47.1-4: update temp cert patch Modified: nss/trunk/PKGBUILD nss/trunk/nss-3.47-certdb-temp-cert.patch ---------------------------------+ PKGBUILD | 4 +- nss-3.47-certdb-temp-cert.patch | 61 ++++++++++++++++++++++++++++++++------ 2 files changed, 54 insertions(+), 11 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2019-12-03 14:57:12 UTC (rev 370311) +++ PKGBUILD 2019-12-03 15:06:30 UTC (rev 370312) @@ -3,7 +3,7 @@ pkgbase=nss pkgname=(nss ca-certificates-mozilla) pkgver=3.47.1 -pkgrel=3 +pkgrel=4 pkgdesc="Network Security Services" url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"; arch=(x86_64) @@ -15,7 +15,7 @@ nss-3.47-certdb-temp-cert.patch certdata2pem.py bundle.sh) sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb' - '82d7924d7c3491de04f42c240fef6dd6e80fc5004ab44f55e6f03571d2d02e58' + 'd2a0631328883bdee211d02f0748c97d72ef1462f28415e85efcfb0a6d066dd3' '0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0' '3bfadf722da6773bdabdd25bdf78158648043d1b7e57615574f189a88ca865dd') Modified: nss-3.47-certdb-temp-cert.patch =================================================================== --- nss-3.47-certdb-temp-cert.patch 2019-12-03 14:57:12 UTC (rev 370311) +++ nss-3.47-certdb-temp-cert.patch 2019-12-03 15:06:30 UTC (rev 370312) @@ -1,7 +1,35 @@ +# HG changeset patch +# User Daiki Ueno <[email protected]> +# Date 1575381287 -3600 +# Tue Dec 03 14:54:47 2019 +0100 +# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe +# Parent d64102b76a437f24d98a20480dcc9f1655143e7c +Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available + +Summary: +When a builtin root module is loaded after some temp certs being +loaded, our certificate lookup logic preferred those temp certs over +perm certs stored on the root module. This was a problem because such +temp certs are usually not accompanied with trust information. + +This makes the certificate lookup logic capable of handling such +situations by checking if the trust information is attached to temp +certs and otherwise falling back to perm certs. + +Reviewers: rrelyea, keeler + +Reviewed By: rrelyea + +Subscribers: reviewbot, heftig + +Bug #: 1593167 + +Differential Revision: https://phabricator.services.mozilla.com/D54726 + diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c --- a/lib/pki/pki3hack.c +++ b/lib/pki/pki3hack.c -@@ -921,11 +921,11 @@ +@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate * } if (!cc->nssCertificate || forceUpdate) { fill_CERTCertificateFields(c, cc, forceUpdate); @@ -10,12 +38,27 @@ - /* if it's a perm cert, it might have been stored before the - * trust, so look for the trust again. But a temp cert can be - * ignored. +- */ +- CERTCertTrust *trust = NULL; +- trust = nssTrust_GetCERTCertTrustForCert(c, cc); + } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) { -+ /* If it's a perm cert, it might have been stored before the -+ * trust, so look for the trust again. If it's a temp cert, it -+ * might have been stored before the builtin module is loaded, -+ * so still need to look for the trust again. - */ - CERTCertTrust *trust = NULL; - trust = nssTrust_GetCERTCertTrustForCert(c, cc); - ++ CERTCertTrust *trust; ++ if (!c->object.cryptoContext) { ++ /* If it's a perm cert, it might have been stored before the ++ * trust, so look for the trust again. ++ */ ++ trust = nssTrust_GetCERTCertTrustForCert(c, cc); ++ } else { ++ /* If it's a temp cert, it might have been stored before ++ * the builtin module is loaded, so look for the trust ++ * again, but not set the empty trust if not found. ++ */ ++ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c); ++ if (!t) { ++ goto loser; ++ } ++ trust = cert_trust_from_stan_trust(t, cc->arena); ++ } + + CERT_LockCertTrust(cc); + cc->trust = trust;
