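diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -120,16 +120,20 @@ IsCertChainRootBuiltInRoot(const UniqueC
 }
 CERTCertificate* root = rootNode->cert;
 if (!root) {
 return Result::FATAL_ERROR_LIBRARY_FAILURE;
 }
 return IsCertBuiltInRoot(root, result);
 }
 
+// The term "builtin root" traditionally refers to a root CA certificate that
+// has been added to the NSS trust store, because it has been approved
+// for inclusion according to the Mozilla CA policy, and might be accepted
+// by Mozilla applications as an issuer for certificates seen on the public web.
 Result
 IsCertBuiltInRoot(CERTCertificate* cert, bool& result)
 {
 result = false;
 #ifdef DEBUG
 nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
 if (!component) {
 return Result::FATAL_ERROR_LIBRARY_FAILURE;
@@ -142,25 +146,38 @@ IsCertBuiltInRoot(CERTCertificate* cert,
 return Success;
 }
 #endif // DEBUG
 AutoSECMODListReadLock lock;
 for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list;
 list = list->next) {
 for (int i = 0; i < list->module->slotCount; i++) {
 PK11SlotInfo* slot = list->module->slots[i];
- // PK11_HasRootCerts should return true if and only if the given slot has
- // an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST, which
- // should be true only of the builtin root list.
- // If we can find a copy of the given certificate on the slot with the
- // builtin root list, that certificate must be a builtin.
- if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot) &&
- PK11_FindCertInSlot(slot, cert, nullptr) != CK_INVALID_HANDLE) {
- result = true;
- return Success;
+ // We're searching for the "builtin root module", which is a module that
+ // contains an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST.
+ // We use PK11_HasRootCerts() to identify a module with that property.
+ // In the past, we exclusively used the PKCS#11 module named nssckbi,
+ // which is provided by the NSS library.
+ // Nowadays, some distributions use a replacement module, which contains
+ // the builtin roots, but which also contains additional CA certificates,
+ // such as CAs trusted in a local deployment.
+ // We want to be able to distinguish between these two categories,
+ // because a CA, which may issue certificates for the public web,
+ // is expected to comply with additional requirements.
+ // If the certificate has attribute CKA_NSS_MOZILLA_CA_POLICY set to true,
+ // then we treat it as a "builtin root".
+ if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot)) {
+ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(slot, cert, nullptr);
+ if (handle != CK_INVALID_HANDLE &&
+ PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY,
+ false)) {
+ // Attribute was found, and is set to true
+ result = true;
+ break;
+ }
 }
 }
 }
 return Success;
 }
 
 static Result
 BuildCertChainForOneKeyUsage(NSSCertDBTrustDomain& trustDomain, Input certDER,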
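Review bot: In the new `PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY, false)` check in the second hunk, an absent attribute and an attribute set to false both leave `result` false. Against a roots module that does not carry this attribute, every certificate would therefore presumably be reported as not builtin. If callers (outside this hunk) apply stricter policy only to chains ending in a builtin root, that is a silent fail-open. A comment such as `// A roots module without CKA_NSS_MOZILLA_CA_POLICY yields result == false for every cert` would record the assumption, and a check on the minimum NSS version would enforce it. Separately, `break` leaves only the inner slot loop, so the module loop keeps running under `AutoSECMODListReadLock` after a match; `return Success;`, as in the removed code, would stop at once.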