Bug 1411458 - Confirm we actually have a PKCS#7 signedData content info. r=jcj, a=ritu
authorDavid Keeler <dkeeler@mozilla.com>
Wed, 25 Oct 2017 09:54:13 -0700
changeset 432793 c060b92db7eefa93d70ac9df262d9b11948cde5c
parent 432792 0153d5be6150088221ef083ba9bfa2844ee4124a
child 432794 4868b6953a048ad6a2ccb913280244e31e1baa64
push id8060
push userryanvm@gmail.com
push dateThu, 26 Oct 2017 18:20:20 +0000
reviewersjcj, ritu
bugs1411458
milestone57.0
Bug 1411458 - Confirm we actually have a PKCS#7 signedData content info. r=jcj, a=ritu MozReview-Commit-ID: GKfL1C0EPWt
security/manager/ssl/nsDataSignatureVerifier.cpp
security/nss.symbols
--- a/security/manager/ssl/nsDataSignatureVerifier.cpp
+++ b/security/manager/ssl/nsDataSignatureVerifier.cpp
@@ -165,16 +165,22 @@ VerifyCMSDetachedSignatureIncludingCerti
     return NS_ERROR_CMS_VERIFY_NOT_SIGNED;
   }
 
   NSSCMSContentInfo* cinfo = NSS_CMSMessage_ContentLevel(cmsMsg.get(), 0);
   if (!cinfo) {
     return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
   }
 
+  // We're expecting this to be a PKCS#7 signedData content info.
+  if (NSS_CMSContentInfo_GetContentTypeTag(cinfo)
+        != SEC_OID_PKCS7_SIGNED_DATA) {
+    return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
+  }
+
   // signedData is non-owning
   NSSCMSSignedData* signedData =
     static_cast<NSSCMSSignedData*>(NSS_CMSContentInfo_GetContent(cinfo));
   if (!signedData) {
     return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
   }
 
   // Set digest value.
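Review bot: The comment added above the new content-type check says what is expected but not why it matters: a few lines below, the result of `NSS_CMSContentInfo_GetContent` is cast with `static_cast<NSSCMSSignedData*>`, so content of any other type would be read through the wrong struct type. I would word it as `// Only signedData is accepted: the static_cast below treats the content as NSSCMSSignedData, so any other type must be rejected first.` The mismatch branch also returns `NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO`, the same code as a missing content info, so callers and logs cannot tell the two cases apart; if that is intentional, the comment should say so. The changeset lists only this file and security/nss.symbols, so no test feeds a non-signedData CMS message through the verifier to pin the rejection. The enclosing function starts and ends outside the hunk.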
--- a/security/nss.symbols
+++ b/security/nss.symbols
@@ -176,16 +176,17 @@ HASH_Destroy
 HASH_End
 HASH_GetHashObject
 HASH_GetType
 HASH_HashBuf
 HASH_ResultLenByOidTag
 HASH_Update
 NSSBase64_EncodeItem_Util
 NSS_CMSContentInfo_GetContent
+NSS_CMSContentInfo_GetContentTypeTag
 NSS_CMSContentInfo_SetContent_Data
 NSS_CMSContentInfo_SetContent_EnvelopedData
 NSS_CMSContentInfo_SetContent_SignedData
 NSS_CMSDecoder_Cancel
 NSS_CMSDecoder_Finish
 NSS_CMSDecoder_Start
 NSS_CMSDecoder_Update
 NSS_CMSEncoder_Cancel