Bug 1541927 - Don't readd CA via policy if it already exists. r=keeler
authorMichael Kaply <mozilla@kaply.com>
Fri, 26 Apr 2019 21:56:06 +0000
changeset 530414 377dc8053f59bc5ccc3efde2210093cb8e44e5c5
parent 530413 013a4420b53c6697abb8609b6d576b1cc07991e2
child 530415 4d4a1d1d3b7f6cca17d845616eb7a5f034e60347
push id11265
push userffxbld-merge
push dateMon, 13 May 2019 10:53:39 +0000
reviewerskeeler
bugs1541927
milestone68.0a1
Bug 1541927 - Don't readd CA via policy if it already exists. r=keeler Differential Revision: https://phabricator.services.mozilla.com/D28523
browser/components/enterprisepolicies/Policies.jsm
--- a/browser/components/enterprisepolicies/Policies.jsm
+++ b/browser/components/enterprisepolicies/Policies.jsm
@@ -192,25 +192,43 @@ var Policies = {
               continue;
             }
             let reader = new FileReader();
             reader.onloadend = function() {
               if (reader.readyState != reader.DONE) {
                 log.error(`Unable to read certificate - ${certfile.path}`);
                 return;
               }
-              let cert = reader.result;
+              let certFile = reader.result;
+              let cert;
               try {
-                if (/-----BEGIN CERTIFICATE-----/.test(cert)) {
-                  gCertDB.addCertFromBase64(pemToBase64(cert), "CTu,CTu,");
-                } else {
-                  gCertDB.addCert(cert, "CTu,CTu,");
+                cert = gCertDB.constructX509(certFile);
+              } catch (e) {
+                try {
+                  // It might be PEM instead of DER.
+                  cert = gCertDB.constructX509FromBase64(pemToBase64(certFile));
+                } catch (ex) {
+                  log.error(`Unable to add certificate - ${certfile.path}`);
                 }
-              } catch (e) {
-                log.error(`Unable to add certificate - ${certfile.path}`);
+              }
+              let now = Date.now() / 1000;
+              if (cert) {
+                gCertDB.asyncVerifyCertAtTime(cert, 0x0008 /* certificateUsageSSLCA */,
+                                              0, null, now, (aPRErrorCode, aVerifiedChain, aHasEVPolicy) => {
+                  if (aPRErrorCode == Cr.NS_OK) {
+                    // Certificate is already installed.
+                    return;
+                  }
+                  try {
+                    gCertDB.addCert(certFile, "CT,CT,");
+                  } catch (e) {
+                    // It might be PEM instead of DER.
+                    gCertDB.addCertFromBase64(pemToBase64(certFile), "CT,CT,");
+                  }
+                });
               }
             };
             reader.readAsBinaryString(file);
           }
         })();
       }
     },
   },
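Review bot: The fallback `addCertFromBase64` call at L71 runs inside the `asyncVerifyCertAtTime` callback with no surrounding try/catch, so a certificate that fails both `addCert` and the PEM retry throws out of an asynchronous callback and is lost without the "Unable to add certificate" log line that the parsing path at L54 emits; mirroring that nested try/catch keeps the failure visible to the administrator reading the policy log. Separately, the "already installed" decision at L63 is inferred from a successful chain verification, not from a database lookup, so a cert that is present but no longer verifies (expired, or usage mismatch) would presumably still be re-added, while a not-yet-added intermediate that chains to an existing root would be skipped; a comment stating that trade-off next to the NS_OK check would help the next reader, e.g. `// Treat "verifies as an SSL CA" as "already trusted"; this is not a DB membership test.`. `now` is a fractional value from `Date.now() / 1000`; `Math.floor` would make the intended integer seconds explicit. The enclosing `Policies` object and the async IIFE that owns `reader` both begin before this hunk.
```javascript
gCertDB.asyncVerifyCertAtTime(cert, 0x0008 /* certificateUsageSSLCA */,
                              0, null, now, (aPRErrorCode, aVerifiedChain, aHasEVPolicy) => {
  if (aPRErrorCode == Cr.NS_OK) {
    // Treat "verifies as an SSL CA" as "already trusted"; this is not a DB membership test.
    return;
  }
  try {
    gCertDB.addCert(certFile, "CT,CT,");
  } catch (e) {
    try {
      // It might be PEM instead of DER.
      gCertDB.addCertFromBase64(pemToBase64(certFile), "CT,CT,");
    } catch (ex) {
      // Both encodings failed: log instead of throwing out of the async callback.
      log.error(`Unable to add certificate - ${certfile.path}`);
    }
  }
});
```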