Bug 1603221 - Use isCertTrusted instead of asyncVerify to check for policy installed certs. r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D59199 --HG-- extra : moz-landing-system : lando
2024-10-19 16:25:38 +00:00 · 2020-01-08 21:42:18 +00:00 · 2020-01-08 21:42:18 +00:00 · fcc14ee4a8
commit fcc14ee4a8
parent 4d1f31ea12
2 changed files with 21 additions and 24 deletions
--- a/browser/components/enterprisepolicies/Policies.jsm
+++ b/browser/components/enterprisepolicies/Policies.jsm
@ -266,30 +266,23 @@ var Policies = {
                  log.error(`Unable to add certificate - ${certfile.path}`);
                }
              }
-              let now = Date.now() / 1000;
              if (cert) {
-                gCertDB.asyncVerifyCertAtTime(
-                  cert,
-                  0x0008 /* certificateUsageSSLCA */,
-                  0,
-                  null,
-                  now,
-                  (aPRErrorCode, aVerifiedChain, aHasEVPolicy) => {
-                    if (aPRErrorCode == Cr.NS_OK) {
-                      // Certificate is already installed.
-                      return;
-                    }
-                    try {
-                      gCertDB.addCert(certFile, "CT,CT,");
-                    } catch (e) {
-                      // It might be PEM instead of DER.
-                      gCertDB.addCertFromBase64(
-                        pemToBase64(certFile),
-                        "CT,CT,"
-                      );
-                    }
-                  }
-                );
+                if (
+                  gCertDB.isCertTrusted(
+                    cert,
+                    Ci.nsIX509Cert.CA_CERT,
+                    Ci.nsIX509CertDB.TRUSTED_SSL
+                  )
+                ) {
+                  // Certificate is already installed.
+                  return;
+                }
+                try {
+                  gCertDB.addCert(certFile, "CT,CT,");
+                } catch (e) {
+                  // It might be PEM instead of DER.
+                  gCertDB.addCertFromBase64(pemToBase64(certFile), "CT,CT,");
+                }
              }
            };
            reader.readAsBinaryString(file);
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@ -694,7 +694,11 @@ nsNSSCertificateDB::IsCertTrusted(nsIX509Cert* cert, uint32_t certType,
  UniqueCERTCertificate nsscert(cert->GetCert());
  CERTCertTrust nsstrust;
  srv = CERT_GetCertTrust(nsscert.get(), &nsstrust);
-  if (srv != SECSuccess) return NS_ERROR_FAILURE;
+  if (srv != SECSuccess) {
+    // CERT_GetCertTrust returns SECFailure if given a temporary cert that
+    // doesn't have any trust information yet. This isn't an error.
+    return NS_OK;
+  }

  nsNSSCertTrust trust(&nsstrust);
  if (certType == nsIX509Cert::CA_CERT) {