Bug 1703636 Don't fail when one slot fails to provide certs; r=keeler

In some special cases the PK11_FindRawCertsWithSubject could return failure. We don't want to return with failure but try the other slots before. Differential Revision: https://phabricator.services.mozilla.com/D111261
2025-02-17 22:32:51 +00:00 · 2021-04-09 17:54:05 +00:00 · 2021-04-09 17:54:05 +00:00 · d9378b2513
commit d9378b2513
parent 0985861202
1 changed files with 7 additions and 11 deletions
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@ -110,15 +110,15 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
      mSCTListFromOCSPStapling(),
      mBuiltInRootsModule(SECMOD_FindModule(kRootModuleName)) {}

-static Result FindRootsWithSubject(UniqueSECMODModule& rootsModule,
-                                   SECItem subject,
-                                   /*out*/ nsTArray<nsTArray<uint8_t>>& roots) {
+static void FindRootsWithSubject(UniqueSECMODModule& rootsModule,
+                                 SECItem subject,
+                                 /*out*/ nsTArray<nsTArray<uint8_t>>& roots) {
  MOZ_ASSERT(rootsModule);
  for (int slotIndex = 0; slotIndex < rootsModule->slotCount; slotIndex++) {
    CERTCertificateList* rawResults = nullptr;
    if (PK11_FindRawCertsWithSubject(rootsModule->slots[slotIndex], &subject,
                                     &rawResults) != SECSuccess) {
-      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+      continue;
    }
    // rawResults == nullptr means we didn't find any matching certificates
    if (!rawResults) {
@ -132,7 +132,6 @@ static Result FindRootsWithSubject(UniqueSECMODModule& rootsModule,
      roots.AppendElement(std::move(root));
    }
  }
-  return Success;
 }

 // A self-signed issuer certificate should never be necessary in order to build
@ -249,14 +248,11 @@ Result NSSCertDBTrustDomain::FindIssuer(Input encodedIssuerName,
  // does something unexpected.
  nsTArray<nsTArray<uint8_t>> builtInRoots;
  if (mBuiltInRootsModule) {
-    Result rv = FindRootsWithSubject(mBuiltInRootsModule, encodedIssuerNameItem,
-                                     builtInRoots);
-    if (rv != Success) {
-      return rv;
-    }
+    FindRootsWithSubject(mBuiltInRootsModule, encodedIssuerNameItem,
+                         builtInRoots);
    for (const auto& root : builtInRoots) {
      Input rootInput;
-      rv = rootInput.Init(root.Elements(), root.Length());
+      Result rv = rootInput.Init(root.Elements(), root.Length());
      if (rv != Success) {
        continue;  // probably too big
      }