Bug 1500003 - fix S/MIME certificate verification by adding flags parameter. r=mkmelin
authorJorg K <jorgk@jorgk.com>
Tue, 23 Oct 2018 22:58:19 +0200
changeset 33549 73ea8939f5e07e17edab0670f4b15f3d60037312
parent 33548 3f7e3c78bdd8f998dbbcb0a8d5f366d3623f6364
child 33550 a3783aedb7814e69b3c0ccf4e7b7daa4327a8838
push id388
push userclokep@gmail.com
push dateMon, 28 Jan 2019 20:54:56 +0000
reviewersmkmelin
bugs1500003
Bug 1500003 - fix S/MIME certificate verification by adding flags parameter. r=mkmelin
mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
mailnews/mime/src/nsCMS.cpp
--- a/mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
+++ b/mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
@@ -853,17 +853,20 @@ nsresult nsMsgComposeSecure::MimeCryptoH
   if (!mEncryptionCertDBKey.IsEmpty()) {
     res = certdb->FindCertByDBKey(mEncryptionCertDBKey,
                                   getter_AddRefs(mSelfEncryptionCert));
     if (NS_SUCCEEDED(res) && mSelfEncryptionCert &&
         (certVerifier->VerifyCert(mSelfEncryptionCert->GetCert(),
                                   certificateUsageEmailRecipient,
                                   mozilla::pkix::Now(),
                                   nullptr, nullptr,
-                                  builtChain) != mozilla::pkix::Success)) {
+                                  builtChain,
+                                  // Only local checks can run on the main thread.
+                                  CertVerifier::FLAG_LOCAL_ONLY)
+                       != mozilla::pkix::Success)) {
       // not suitable for encryption, so unset cert and clear pref
       mSelfEncryptionCert = nullptr;
       mEncryptionCertDBKey.Truncate();
       aIdentity->SetCharAttribute("encryption_cert_dbkey",
                                    mEncryptionCertDBKey);
     }
   }
 
@@ -871,17 +874,20 @@ nsresult nsMsgComposeSecure::MimeCryptoH
   if (!mSigningCertDBKey.IsEmpty()) {
     res = certdb->FindCertByDBKey(mSigningCertDBKey,
                                   getter_AddRefs(mSelfSigningCert));
     if (NS_SUCCEEDED(res) && mSelfSigningCert &&
         (certVerifier->VerifyCert(mSelfSigningCert->GetCert(),
                                   certificateUsageEmailSigner,
                                   mozilla::pkix::Now(),
                                   nullptr, nullptr,
-                                  builtChain) != mozilla::pkix::Success)) {
+                                  builtChain,
+                                  // Only local checks can run on the main thread.
+                                  CertVerifier::FLAG_LOCAL_ONLY)
+                       != mozilla::pkix::Success)) {
       // not suitable for signing, so unset cert and clear pref
       mSelfSigningCert = nullptr;
       mSigningCertDBKey.Truncate();
       aIdentity->SetCharAttribute("signing_cert_dbkey", mSigningCertDBKey);
     }
   }
 
   // must have both the signing and encryption certs to sign
@@ -1179,16 +1185,17 @@ nsMsgComposeSecure::FindCertByEmailAddre
        node = CERT_LIST_NEXT(node)) {
     UniqueCERTCertList unusedCertChain;
     mozilla::pkix::Result result =
       certVerifier->VerifyCert(node->cert, certificateUsageEmailRecipient,
                                mozilla::pkix::Now(),
                                nullptr /*XXX pinarg*/,
                                nullptr /*hostname*/,
                                unusedCertChain,
+                               // Only local checks can run on the main thread.
                                CertVerifier::FLAG_LOCAL_ONLY);
     if (result == mozilla::pkix::Success) {
       break;
     }
   }
 
   if (CERT_LIST_END(node, certlist)) { // no valid cert found
     if (aRequireValidCert)
--- a/mailnews/mime/src/nsCMS.cpp
+++ b/mailnews/mime/src/nsCMS.cpp
@@ -239,17 +239,19 @@ nsresult nsCMSMessage::CommonVerifySigna
   {
     UniqueCERTCertList builtChain;
     mozilla::pkix::Result result =
       certVerifier->VerifyCert(si->cert,
                                certificateUsageEmailSigner,
                                Now(),
                                nullptr /*XXX pinarg*/,
                                nullptr /*hostname*/,
-                               builtChain);
+                               builtChain,
+                               // Only local checks can run on the main thread.
+                               CertVerifier::FLAG_LOCAL_ONLY);
     if (result != mozilla::pkix::Success) {
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
              ("nsCMSMessage::CommonVerifySignature - signing cert not trusted now\n"));
       rv = NS_ERROR_CMS_VERIFY_UNTRUSTED;
       goto loser;
     }
   }