Bug 1500003 - fix S/MIME certificate verification by adding flags parameter. r=mkmelin a=jorgk
authorJorg K <jorgk@jorgk.com>
Tue, 23 Oct 2018 22:58:19 +0200
changeset 33441 1c4c776fcf59af20f3f87406461a27f3ecf2234f
parent 33440 8c37dbc61c3cd74ff1c075d6514a5e273e1ebb24
child 33442 548d62e738ffbde6f232457ee5074912edecc242
push id387
push userclokep@gmail.com
push dateMon, 10 Dec 2018 21:30:47 +0000
reviewersmkmelin, jorgk
bugs1500003
Bug 1500003 - fix S/MIME certificate verification by adding flags parameter. r=mkmelin a=jorgk
mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
mailnews/mime/src/nsCMS.cpp
--- a/mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
+++ b/mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
@@ -853,17 +853,20 @@ nsresult nsMsgComposeSecure::MimeCryptoH
   if (!mEncryptionCertDBKey.IsEmpty()) {
     res = certdb->FindCertByDBKey(mEncryptionCertDBKey,
                                   getter_AddRefs(mSelfEncryptionCert));
     if (NS_SUCCEEDED(res) && mSelfEncryptionCert &&
         (certVerifier->VerifyCert(mSelfEncryptionCert->GetCert(),
                                   certificateUsageEmailRecipient,
                                   mozilla::pkix::Now(),
                                   nullptr, nullptr,
-                                  builtChain) != mozilla::pkix::Success)) {
+                                  builtChain,
+                                  // Only local checks can run on the main thread.
+                                  CertVerifier::FLAG_LOCAL_ONLY)
+                       != mozilla::pkix::Success)) {
       // not suitable for encryption, so unset cert and clear pref
       mSelfEncryptionCert = nullptr;
       mEncryptionCertDBKey.Truncate();
       aIdentity->SetCharAttribute("encryption_cert_dbkey",
                                    mEncryptionCertDBKey);
     }
   }
 
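Review bot: The comment added above `CertVerifier::FLAG_LOCAL_ONLY` gives the threading reason but not what is given up, and the same wording is repeated in the signing-cert hunk, in FindCertByEmailAddress and in nsCMS.cpp. As far as I know, this flag stops the verifier from fetching OCSP responses, so revocation is judged only from data already available locally; a maintainer reading "local checks" may not realise that. I would spell it out at each site, for example `// Main thread: local checks only (no OCSP fetch), so revocation is judged from local data.` The enclosing function starts and ends outside this hunk.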
@@ -871,17 +874,20 @@ nsresult nsMsgComposeSecure::MimeCryptoH
   if (!mSigningCertDBKey.IsEmpty()) {
     res = certdb->FindCertByDBKey(mSigningCertDBKey,
                                   getter_AddRefs(mSelfSigningCert));
     if (NS_SUCCEEDED(res) && mSelfSigningCert &&
         (certVerifier->VerifyCert(mSelfSigningCert->GetCert(),
                                   certificateUsageEmailSigner,
                                   mozilla::pkix::Now(),
                                   nullptr, nullptr,
-                                  builtChain) != mozilla::pkix::Success)) {
+                                  builtChain,
+                                  // Only local checks can run on the main thread.
+                                  CertVerifier::FLAG_LOCAL_ONLY)
+                       != mozilla::pkix::Success)) {
       // not suitable for signing, so unset cert and clear pref
       mSelfSigningCert = nullptr;
       mSigningCertDBKey.Truncate();
       aIdentity->SetCharAttribute("signing_cert_dbkey", mSigningCertDBKey);
     }
   }
 
   // must have both the signing and encryption certs to sign
@@ -1179,16 +1185,17 @@ nsMsgComposeSecure::FindCertByEmailAddre
        node = CERT_LIST_NEXT(node)) {
     UniqueCERTCertList unusedCertChain;
     mozilla::pkix::Result result =
       certVerifier->VerifyCert(node->cert, certificateUsageEmailRecipient,
                                mozilla::pkix::Now(),
                                nullptr /*XXX pinarg*/,
                                nullptr /*hostname*/,
                                unusedCertChain,
+                               // Only local checks can run on the main thread.
                                CertVerifier::FLAG_LOCAL_ONLY);
     if (result == mozilla::pkix::Success) {
       break;
     }
   }
 
   if (CERT_LIST_END(node, certlist)) { // no valid cert found
     if (aRequireValidCert)
--- a/mailnews/mime/src/nsCMS.cpp
+++ b/mailnews/mime/src/nsCMS.cpp
@@ -239,17 +239,19 @@ nsresult nsCMSMessage::CommonVerifySigna
   {
     UniqueCERTCertList builtChain;
     mozilla::pkix::Result result =
       certVerifier->VerifyCert(si->cert,
                                certificateUsageEmailSigner,
                                Now(),
                                nullptr /*XXX pinarg*/,
                                nullptr /*hostname*/,
-                               builtChain);
+                               builtChain,
+                               // Only local checks can run on the main thread.
+                               CertVerifier::FLAG_LOCAL_ONLY);
     if (result != mozilla::pkix::Success) {
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
              ("nsCMSMessage::CommonVerifySignature - signing cert not trusted now\n"));
       rv = NS_ERROR_CMS_VERIFY_UNTRUSTED;
       goto loser;
     }
   }
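Review bot: With `CertVerifier::FLAG_LOCAL_ONLY` on this call, a signer certificate that has been revoked can presumably still verify as `Success` unless the revocation is already known locally. This is the check that decides whether a received message is reported as validly signed. The flag is needed while the call runs on the main thread, so the durable fix would be a follow-up that runs this verification off the main thread, where network revocation checks are allowed. Separately, the debug log discards `result`, so an expired certificate and an untrusted issuer look the same in the log; passing it through, e.g. `("nsCMSMessage::CommonVerifySignature - signing cert not trusted now, result=%d\n", static_cast<int>(result))`, would make failures diagnosable. CommonVerifySignature continues outside the hunk.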