Bug 1036080 - Fix addCertFromBase64() to update trust bits of existing permanent certificates. r=keeler
authorHarsh Pathak <hpathak@mozilla.com>
Thu, 10 Jul 2014 11:38:00 +0200
changeset 215682 b7e9c04796661a63da87a8c20a5ac53a5bfe9766
parent 215681 4d101930de1965845701d836bed24bd31af593bc
child 215683 c9b503e42352221f0a2f8d10c7577ecddc1cb0c8
push id515
push userraliiev@mozilla.com
push dateMon, 06 Oct 2014 12:51:51 +0000
treeherdermozilla-release@267c7a481bef [default view] [failures only]
reviewerskeeler
bugs1036080
milestone33.0a1
Bug 1036080 - Fix addCertFromBase64() to update trust bits of existing permanent certificates. r=keeler
security/manager/ssl/src/nsNSSCertificateDB.cpp
security/manager/ssl/tests/unit/test_add_preexisting_cert.js
security/manager/ssl/tests/unit/xpcshell.ini
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -1624,18 +1624,20 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCer
   der.data = nullptr;
   der.len = 0;
 
   if (!tmpCert) {
     NS_ERROR("Couldn't create cert from DER blob");
     return MapSECStatus(SECFailure);
   }
 
+   // If there's already a certificate that matches this one in the database,
+   // we still want to set its trust to the given value.
   if (tmpCert->isperm) {
-    return NS_OK;
+    return SetCertTrustFromString(newCert, aTrust);
   }
 
   nsXPIDLCString nickname;
   nickname.Adopt(CERT_MakeCANickname(tmpCert.get()));
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get()));
 
   rv = attemptToLogInWithDefaultPassword();
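Review bot: The `isperm` branch now replaces the trust of a certificate that is already in the permanent database with whatever `aTrust` holds, and the comment should say that this can raise trust as well as lower it, because callers that previously got a no-op here now change an existing trust decision. I would extend the comment with `// This overwrites the existing trust bits; aTrust is treated as authoritative, whether it grants or removes trust.` The branch also returns before `attemptToLogInWithDefaultPassword()`, which the new-certificate path calls a few lines below; if changing trust needs the token to be logged in (not visible in this hunk), the login attempt should move above the `isperm` check. The function starts and ends outside the hunk.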
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
@@ -0,0 +1,46 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+do_get_profile();
+let certDB = Cc["@mozilla.org/security/x509certdb;1"]
+               .getService(Ci.nsIX509CertDB);
+
+function load_cert(cert, trust) {
+  let file = "test_intermediate_basic_usage_constraints/" + cert + ".der";
+  addCertFromFile(certDB, file, trust);
+}
+
+function getDERString(cert)
+{
+  var length = {};
+  var cert_der = cert.getRawDER(length);
+  var cert_der_string = '';
+  for (var i = 0; i < cert_der.length; i++) {
+    cert_der_string += String.fromCharCode(cert_der[i]);
+  }
+  return cert_der_string;
+}
+
+function run_test() {
+  load_cert("ca", "CTu,CTu,CTu");
+  load_cert("int-limited-depth", "CTu,CTu,CTu");
+  let file = "test_intermediate_basic_usage_constraints/ee-int-limited-depth.der";
+  let cert_der = readFile(do_get_file(file));
+  let ee = certDB.constructX509(cert_der, cert_der.length);
+  let hasEVPolicy = {};
+  let verifiedChain = {};
+  equal(Cr.NS_OK, certDB.verifyCertNow(ee, certificateUsageSSLServer,
+                                       NO_FLAGS, verifiedChain, hasEVPolicy));
+  // Change the already existing intermediate certificate's trust using
+  // addCertFromBase64(). We use findCertByNickname first to ensure that the
+  // certificate already exists.
+  let int_cert = certDB.findCertByNickname(null, "int-limited-depth");
+  ok(int_cert);
+  let base64_cert = btoa(getDERString(int_cert));
+  certDB.addCertFromBase64(base64_cert, "p,p,p", "ignored_argument");
+  equal(SEC_ERROR_UNTRUSTED_ISSUER, certDB.verifyCertNow(ee,
+                                                         certificateUsageSSLServer,
+                                                         NO_FLAGS, verifiedChain,
+                                                         hasEVPolicy));
+}
\ No newline at end of file
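Review bot: The test covers only the direction that lowers trust (`CTu,CTu,CTu` to `p,p,p`), although the patched path applies any trust string to an existing certificate. A second step that restores trust and expects success would pin the other direction: `certDB.addCertFromBase64(base64_cert, "CTu,CTu,CTu", "ignored_argument");` followed by `equal(Cr.NS_OK, certDB.verifyCertNow(ee, certificateUsageSSLServer, NO_FLAGS, verifiedChain, hasEVPolicy));`. The second `verifyCertNow` call also reuses the `verifiedChain` and `hasEVPolicy` objects filled by the first call; passing fresh `{}` objects would avoid reading stale out-parameters.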
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -86,8 +86,9 @@ skip-if = os == "android"
 [test_ocsp_fetch_method.js]
 run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"
 [test_ocsp_no_hsts_upgrade.js]
 run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"
+[test_add_preexisting_cert.js]