bug 1277240 - don't import trust anchors in SaveIntermediateCerts r=Cykesiopka

MozReview-Commit-ID: KHwA2LJSeUS --HG-- extra : rebase_source : e1f7a469d2dc8608adf4b0172f99d9adb192bbb5
2024-11-25 13:51:41 +00:00 · 2016-06-02 13:17:14 -07:00 · 2016-06-02 13:17:14 -07:00 · baead5135e
commit baead5135e
parent e415083929
1 changed files with 19 additions and 0 deletions
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@ -1099,6 +1099,15 @@ DefaultServerNicknameForCert(const CERTCertificate* cert,
  return NS_ERROR_FAILURE;
 }

+/**
+ * Given a list of certificates representing a verified certificate path from an
+ * end-entity certificate to a trust anchor, imports the intermediate
+ * certificates into the permanent certificate database. This is an attempt to
+ * cope with misconfigured servers that don't include the appropriate
+ * intermediate certificates in the TLS handshake.
+ *
+ * @param certList the verified certificate list
+ */
 void
 SaveIntermediateCerts(const UniqueCERTCertList& certList)
 {
@ -1131,6 +1140,16 @@ SaveIntermediateCerts(const UniqueCERTCertList& certList)
      continue;
    }

+    // No need to save the trust anchor - it's either already a permanent
+    // certificate or it's the Microsoft Family Safety root or an enterprise
+    // root temporarily imported via the child mode or enterprise root features.
+    // We don't want to import these because they're intended to be temporary
+    // (and because importing them happens to reset their trust settings, which
+    // breaks these features).
+    if (node == CERT_LIST_TAIL(certList)) {
+      continue;
+    }
+
    // We have found a signer cert that we want to remember.
    nsAutoCString nickname;
    nsresult rv = DefaultServerNicknameForCert(node->cert, nickname);