Bug 1541927 - Don't readd CA via policy if it already exists. r=keeler a=pascalc
authorMichael Kaply <mozilla@kaply.com>
Fri, 26 Apr 2019 21:56:06 +0000
changeset 526445 360d480593d585f7f5e0587deb11ffa3ff38b57b
parent 526444 2c11d977339516c3fd0a475fdd9689d3b9e7eb11
child 526446 c261d2fbfb0184104451cf375e863ef91868f23c
push id2032
push userffxbld-merge
push dateMon, 13 May 2019 09:36:57 +0000
reviewerskeeler, pascalc
bugs1541927
milestone67.0
Bug 1541927 - Don't readd CA via policy if it already exists. r=keeler a=pascalc Differential Revision: https://phabricator.services.mozilla.com/D28523
browser/components/enterprisepolicies/Policies.jsm
--- a/browser/components/enterprisepolicies/Policies.jsm
+++ b/browser/components/enterprisepolicies/Policies.jsm
@@ -192,25 +192,43 @@ var Policies = {
               continue;
             }
             let reader = new FileReader();
             reader.onloadend = function() {
               if (reader.readyState != reader.DONE) {
                 log.error(`Unable to read certificate - ${certfile.path}`);
                 return;
               }
-              let cert = reader.result;
+              let certFile = reader.result;
+              let cert;
               try {
-                if (/-----BEGIN CERTIFICATE-----/.test(cert)) {
-                  gCertDB.addCertFromBase64(pemToBase64(cert), "CTu,CTu,");
-                } else {
-                  gCertDB.addCert(cert, "CTu,CTu,");
+                cert = gCertDB.constructX509(certFile);
+              } catch (e) {
+                try {
+                  // It might be PEM instead of DER.
+                  cert = gCertDB.constructX509FromBase64(pemToBase64(certFile));
+                } catch (ex) {
+                  log.error(`Unable to add certificate - ${certfile.path}`);
                 }
-              } catch (e) {
-                log.error(`Unable to add certificate - ${certfile.path}`);
+              }
+              let now = Date.now() / 1000;
+              if (cert) {
+                gCertDB.asyncVerifyCertAtTime(cert, 0x0008 /* certificateUsageSSLCA */,
+                                              0, null, now, (aPRErrorCode, aVerifiedChain, aHasEVPolicy) => {
+                  if (aPRErrorCode == Cr.NS_OK) {
+                    // Certificate is already installed.
+                    return;
+                  }
+                  try {
+                    gCertDB.addCert(certFile, "CT,CT,");
+                  } catch (e) {
+                    // It might be PEM instead of DER.
+                    gCertDB.addCertFromBase64(pemToBase64(certFile), "CT,CT,");
+                  }
+                });
               }
             };
             reader.readAsBinaryString(file);
           }
         })();
       }
     },
   },
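Review bot: The "already installed" test at L49–L54 is a chain-validity check, not a presence check: `asyncVerifyCertAtTime` with `certificateUsageSSLCA` also fails for a CA that is already in the DB but expired, not yet valid, or whose trust the user has cleared, so such a cert is still re-added with `CT,CT,` on every run — and for the cleared-trust case the policy silently re-asserts trust the user removed. Conversely `NS_OK` can come from chaining to some other anchor, so a policy cert that validates through an existing root is never stored with its own trust bits; whether that matters depends on what the policy promises, which the hunk does not show, but a direct DB lookup (by DB key or fingerprint, if nsIX509CertDB exposes one) would be a more precise "exists" test. Separately, the fallback at L56–L60 uses exceptions to detect the file format and the second `addCertFromBase64` is unguarded, so if both adds throw the error escapes the async callback without the `Unable to add certificate` log that the parse path emits. Remembering which parse succeeded removes the exception-driven retry and lets one try/catch log the failure, as sketched below. The enclosing policy handler starts before the hunk.
```javascript
let certFile = reader.result;
let cert;
let isPEM = false;
try {
  cert = gCertDB.constructX509(certFile);
} catch (e) {
  try {
    // It might be PEM instead of DER.
    cert = gCertDB.constructX509FromBase64(pemToBase64(certFile));
    isPEM = true;
  } catch (ex) {
    log.error(`Unable to add certificate - ${certfile.path}`);
  }
}
// … unchanged: asyncVerifyCertAtTime call and the NS_OK early return …
try {
  if (isPEM) {
    gCertDB.addCertFromBase64(pemToBase64(certFile), "CT,CT,");
  } else {
    gCertDB.addCert(certFile, "CT,CT,");
  }
} catch (e) {
  log.error(`Unable to add certificate - ${certfile.path}: ${e}`);
}
```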