Bug 1549010 - verify add-on signing certificates at 2019-04-27T02:43:20.000Z r=jcj a=lizzard
author Dana Keeler <dkeeler@mozilla.com>
Sat, 04 May 2019 04:15:11 +0000
changeset 516440 9cdb06fa51891f31c4371b3d06d8e46148b5237a
parent 516439 ab4fc8df4cdc3b583855f425d90b6e2aadced477
child 516441 d4f7f9eb9e7d95b021ab00e4d78a915bd657f5b9
push id 2013
push user maglione.k@gmail.com
push date Sat, 04 May 2019 05:16:30 +0000
reviewers jcj, lizzard
bugs 1549010
milestone 66.0.4
Bug 1549010 - verify add-on signing certificates at 2019-04-27T02:43:20.000Z r=jcj a=lizzard

Differential Revision: https://phabricator.services.mozilla.com/D29928
security/apps/AppSignatureVerification.cpp
--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -632,18 +632,20 @@ nsresult VerifyCertificate(CERTCertifica
   }
   Input certDER;
   mozilla::pkix::Result result =
       certDER.Init(signerCert->derCert.data, signerCert->derCert.len);
   if (result != Success) {
     return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result));
   }
 
+  // 1556333000 seconds since the epoch should be about 2019-04-27T02:43:20.000Z
+  Time verificationTime = TimeFromEpochInSeconds(1556333000);
   result = BuildCertChain(
-      trustDomain, certDER, Now(), EndEntityOrCA::MustBeEndEntity,
+      trustDomain, certDER, verificationTime, EndEntityOrCA::MustBeEndEntity,
       KeyUsage::digitalSignature, KeyPurposeId::id_kp_codeSigning,
       CertPolicyId::anyPolicy, nullptr /*stapledOCSPResponse*/);
   if (result == mozilla::pkix::Result::ERROR_EXPIRED_CERTIFICATE) {
     // For code-signing you normally need trusted 3rd-party timestamps to
     // handle expiration properly. The signer could always mess with their
     // system clock so you can't trust the certificate was un-expired when
     // the signing took place. The choice is either to ignore expiration
     // or to enforce expiration at time of use. The latter leads to the
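Review bot: The new comment above `Time verificationTime = TimeFromEpochInSeconds(1556333000);` records what the constant is but not why this instant was chosen, and "should be about" hedges a value that is exactly 2019-04-27T02:43:20Z. Please state the reason for pinning the time in the comment and move the literal into a named constant, since every add-on signature check now depends on it. Replacing `Now()` with a fixed time also has two side effects worth documenting next to it: any certificate in the chain whose validity period begins after that instant will be rejected as not yet valid, and the `ERROR_EXPIRED_CERTIFICATE` branch below can now only fire for certificates that had already expired by that instant, so later expiry is never observed. If the pin is meant to be temporary, a comment pointing at the follow-up that restores `Now()` would help whoever reads this next.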