Bug 406755, EV certs not recognized as EV with some cross-certification scenarios second landing attempt, earlier EV verification, patch 9 r=rrelyea also landing a regression fix, which applies to debug mode compilation code, only r=rrelyea blocking1.9=dsicore
authorkaie@kuix.de
Tue, 08 Apr 2008 18:48:02 -0700
changeset 14100 4a621d69fc5d8745de126a6e69a77ec4e84d53d0
parent 14099 64f34db959d4aef554a858039211e9564dc9128d
child 14101 2f02dcde22b3b3af8c13919fb5a1a8e965fe53a3
push id1
push userroot
push dateTue, 26 Apr 2011 22:38:44 +0000
reviewersrrelyea, rrelyea
bugs406755
milestone1.9pre
Bug 406755, EV certs not recognized as EV with some cross-certification scenarios second landing attempt, earlier EV verification, patch 9 r=rrelyea also landing a regression fix, which applies to debug mode compilation code, only r=rrelyea blocking1.9=dsicore
security/manager/ssl/src/nsIdentityChecking.cpp
security/manager/ssl/src/nsNSSCallbacks.cpp
security/manager/ssl/src/nsNSSCertificateDB.cpp
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@@ -445,23 +445,25 @@ loadTestEVInfos()
       fingerprint = data;
       reader_position = pos_readable_oid;
       continue;
     }
     else if (reader_position == pos_readable_oid &&
         descriptor.EqualsLiteral(("2_readable_oid"))) {
       readable_oid = data;
       reader_position = pos_issuer;
+      continue;
     }
     else if (reader_position == pos_issuer &&
         descriptor.EqualsLiteral(("3_issuer"))) {
       issuer = data;
       reader_position = pos_serial;
+      continue;
     }
-    else if (reader_position == pos_readable_oid &&
+    else if (reader_position == pos_serial &&
         descriptor.EqualsLiteral(("4_serial"))) {
       serial = data;
       reader_position = pos_fingerprint;
     }
     else {
       found_error = PR_TRUE;
       break;
     }
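Review bot: The `4_serial` arm is now the only branch of this chain without a `continue`, and nothing in the hunk says that this is deliberate. Presumably control is meant to leave the chain there so that the code following it (outside this hunk) can consume the completed fingerprint/OID/issuer/serial record, which is also why the other arms have to skip that code. A one-line comment in that arm, for example `// last field of a record: no continue, fall through to the code that registers it`, would keep a later cleanup from adding a `continue` and silently dropping every test EV entry. loadTestEVInfos starts and ends outside the hunk.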
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -909,17 +909,30 @@ SECStatus PR_CALLBACK AuthCertificateCal
   // We want to remember the CA certs in the temp db, so that the application can find the
   // complete chain at any time it might need it.
   // But we keep only those CA certs in the temp db, that we didn't already know.
   
   CERTCertificate *serverCert = SSL_PeerCertificate(fd);
   CERTCertificateCleaner serverCertCleaner(serverCert);
 
   if (serverCert) {
+    nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
+    nsRefPtr<nsSSLStatus> status = infoObject->SSLStatus();
+    nsRefPtr<nsNSSCertificate> nsc;
+
+    if (!status || !status->mServerCert) {
+      nsc = new nsNSSCertificate(serverCert);
+    }
+
     if (SECSuccess == rv) {
+      if (nsc) {
+        PRBool dummyIsEV;
+        nsc->GetIsExtendedValidation(&dummyIsEV); // the nsc object will cache the status
+      }
+    
       CERTCertList *certList = CERT_GetCertChainFromCert(serverCert, PR_Now(), certUsageSSLCA);
 
       nsCOMPtr<nsINSSComponent> nssComponent;
       
       for (CERTCertListNode *node = CERT_LIST_HEAD(certList);
            !CERT_LIST_END(node, certList);
            node = CERT_LIST_NEXT(node)) {
 
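Review bot: The `nsresult` returned by `nsc->GetIsExtendedValidation(&dummyIsEV)` is discarded, so a failed early EV check leaves nothing cached and goes unnoticed. The only hint of intent is the trailing comment about caching, and the evaluation is then presumably repeated later from a different call site, which is what this change appears to be trying to avoid. At minimum log the failure, e.g. `if (NS_FAILED(nsc->GetIsExtendedValidation(&dummyIsEV))) PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("AuthCertificateCallback: early EV check failed\n"));`. The comment should also say why the check has to run inside the authentication callback rather than lazily. AuthCertificateCallback begins and ends outside this hunk.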
@@ -953,24 +966,21 @@ SECStatus PR_CALLBACK AuthCertificateCal
       }
 
       CERT_DestroyCertList(certList);
     }
 
     // The connection may get terminated, for example, if the server requires
     // a client cert. Let's provide a minimal SSLStatus
     // to the caller that contains at least the cert and its status.
-    nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
-
-    nsRefPtr<nsSSLStatus> status = infoObject->SSLStatus();
     if (!status) {
       status = new nsSSLStatus();
       infoObject->SetSSLStatus(status);
     }
     if (status && !status->mServerCert) {
-      status->mServerCert = new nsNSSCertificate(serverCert);
+      status->mServerCert = nsc;
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
              ("AuthCertificateCallback setting NEW cert %p\n", status->mServerCert.get()));
     }
   }
 
   return rv;
 }
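Review bot: `status->mServerCert = nsc;` relies on `nsc` having been allocated at the top of the `if (serverCert)` block, under a condition that must stay identical to the one guarding this assignment. The two checks now sit far apart, in separate hunks. If they ever diverge, or the allocation returned null, the assignment stores nothing useful while the log line still reports a NEW cert with a null pointer. Testing the object itself makes the dependency explicit: `if (status && !status->mServerCert && nsc) {`. The function begins outside this hunk.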
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -82,17 +82,17 @@ extern PRLogModuleInfo* gPIPNSSLog;
 #include "nsNSSCleaner.h"
 NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
 NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
 NSSCleanupAutoPtrClass(CERTCertificateList, CERT_DestroyCertificateList)
 
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
 
-NS_IMPL_ISUPPORTS2(nsNSSCertificateDB, nsIX509CertDB, nsIX509CertDB2)
+NS_IMPL_THREADSAFE_ISUPPORTS2(nsNSSCertificateDB, nsIX509CertDB, nsIX509CertDB2)
 
 nsNSSCertificateDB::nsNSSCertificateDB()
 {
 }
 
 nsNSSCertificateDB::~nsNSSCertificateDB()
 {
 }
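Review bot: `NS_IMPL_THREADSAFE_ISUPPORTS2` makes only AddRef/Release atomic; it does not make the nsIX509CertDB methods themselves safe to call concurrently. The change carries no comment saying which thread now holds references to nsNSSCertificateDB. Presumably the earlier EV verification reaches this class off the main thread, but that is not visible here. A short comment above the macro would record the reason, e.g. `// refcounted from non-main threads during certificate verification; methods must not touch main-thread-only state`. It is also worth confirming that every method reachable from that path is safe off the main thread.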