Bug 938046 - Part 3. Iterate only through valid users on getchain r=dkeeler
authorCamilo Viecco <cviecco@mozilla.com>
Wed, 11 Dec 2013 13:04:07 -0800
changeset 176996 080cd15c7c907c0fe66a6b6ae6a5044a87020393
parent 176995 7a9882dd62ac9f43a36e718c4935fb3386749897
child 176997 cde32f9a08c855d87ae9637713484b32ce4a511c
push id462
push userraliiev@mozilla.com
push dateTue, 22 Apr 2014 00:22:30 +0000
treeherdermozilla-release@ac5db8c74ac0 [default view] [failures only]
reviewersdkeeler
bugs938046
milestone29.0a1
Bug 938046 - Part 3. Iterate only through valid users on getchain r=dkeeler
security/manager/ssl/src/nsNSSCertificate.cpp
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -851,20 +851,28 @@ nsNSSCertificate::GetChain(nsIArray **_r
 
   // We want to test all usages, but we start with server because most of the
   // time Firefox users care about server certs.
   srv = certVerifier->VerifyCert(mCert,
                                  certificateUsageSSLServer, PR_Now(),
                                  nullptr, /*XXX fixme*/
                                  CertVerifier::FLAG_LOCAL_ONLY,
                                  &pkixNssChain);
+  // This is the whitelist of all non-SSLServer usages that are supported by
+  // verifycert.
+  const int otherUsagesToTest = certificateUsageSSLClient |
+                                certificateUsageSSLCA |
+                                certificateUsageEmailSigner |
+                                certificateUsageEmailRecipient |
+                                certificateUsageObjectSigner |
+                                certificateUsageStatusResponder;
   for (int usage = certificateUsageSSLClient;
        usage < certificateUsageAnyCA && !pkixNssChain;
        usage = usage << 1) {
-    if (usage == certificateUsageSSLServer) {
+    if ((usage & otherUsagesToTest) == 0) {
       continue;
     }
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("pipnss: PKIX attempting chain(%d) for '%s'\n",usage, mCert->nickname));
     srv = certVerifier->VerifyCert(mCert,
                                    usage, PR_Now(),
                                    nullptr, /*XXX fixme*/
                                    CertVerifier::FLAG_LOCAL_ONLY,
                                    &pkixNssChain);
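Review bot: The new `otherUsagesToTest` mask only takes effect for bits the loop below it actually visits, that is, single-bit values from `certificateUsageSSLClient` up to but excluding `certificateUsageAnyCA`, so a usage later added to the mask outside that range would silently never be tried. I would state that coupling next to the mask, e.g. `// Every bit set here must be >= certificateUsageSSLClient and < certificateUsageAnyCA, or the loop below never tests it.` The comment could also say why the remaining usages are excluded, since "supported by verifycert" does not tell a reader whether they fail, assert or are merely redundant. Separately, the loop stops at the first usage that yields a chain and nothing visible in the hunk records which usage that was, so it may be worth documenting that the returned chain is not by itself evidence that the certificate is valid for SSL server use. GetChain starts before and continues after this hunk.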