bug 1277240 - don't import trust anchors in SaveIntermediateCerts r=Cykesiopka
authorDavid Keeler <dkeeler@mozilla.com>
Thu, 02 Jun 2016 13:17:14 -0700
changeset 341511 eb3f64c79e83a413c724d785cf7c1739bf0ad04c
parent 341510 f382e0ae3c2bd83bd5f89eaa4b71238bf500e393
child 341512 3c5f1c93108cff3b22bb7817fabbe7434f9ec12f
push id1183
push userraliiev@mozilla.com
push dateMon, 05 Sep 2016 20:01:49 +0000
treeherdermozilla-release@3148731bed45 [default view] [failures only]
reviewersCykesiopka
bugs1277240
milestone49.0a1
bug 1277240 - don't import trust anchors in SaveIntermediateCerts r=Cykesiopka MozReview-Commit-ID: KHwA2LJSeUS
security/certverifier/NSSCertDBTrustDomain.cpp
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -1094,16 +1094,25 @@ DefaultServerNicknameForCert(const CERTC
     if (!conflict) {
       return NS_OK;
     }
   }
 
   return NS_ERROR_FAILURE;
 }
 
+/**
+ * Given a list of certificates representing a verified certificate path from an
+ * end-entity certificate to a trust anchor, imports the intermediate
+ * certificates into the permanent certificate database. This is an attempt to
+ * cope with misconfigured servers that don't include the appropriate
+ * intermediate certificates in the TLS handshake.
+ *
+ * @param certList the verified certificate list
+ */
 void
 SaveIntermediateCerts(const UniqueCERTCertList& certList)
 {
   if (!certList) {
     return;
   }
 
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
@@ -1126,16 +1135,26 @@ SaveIntermediateCerts(const UniqueCERTCe
       continue;
     }
 
     if (node->cert->isperm) {
       // We don't need to remember certs already stored in perm db.
       continue;
     }
 
+    // No need to save the trust anchor - it's either already a permanent
+    // certificate or it's the Microsoft Family Safety root or an enterprise
+    // root temporarily imported via the child mode or enterprise root features.
+    // We don't want to import these because they're intended to be temporary
+    // (and because importing them happens to reset their trust settings, which
+    // breaks these features).
+    if (node == CERT_LIST_TAIL(certList)) {
+      continue;
+    }
+
     // We have found a signer cert that we want to remember.
     nsAutoCString nickname;
     nsresult rv = DefaultServerNicknameForCert(node->cert, nickname);
     if (NS_FAILED(rv)) {
       continue;
     }
 
     // Saving valid intermediate certs to the database is a compatibility hack
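Review bot: The new `node == CERT_LIST_TAIL(certList)` check identifies the trust anchor by list position only, so it is correct only when every caller passes a path ordered end-entity first and trust anchor last, as the doc comment added in the first hunk describes. Nothing visible here enforces that. A list that stops at an intermediate would silently skip saving that intermediate, and a list in a different order would let a temporarily imported root reach the import step and, per the new comment, have its trust settings reset. I would state the dependency at the check itself, e.g. `// Relies on certList being ordered end-entity first, trust anchor last (see function comment).` No test for the Family Safety or enterprise-root case is visible on this page; if the commit does not include one, it would help guard against a regression. The loop header and the import call lie outside this hunk.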