mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1296317 - Stop calling PR_SetError() in VerifyCert() and VerifySSLServerCert(). r=keeler 

The PR_SetError() + PR_GetError() pattern currently used is error prone and
unnecessary. The functions involved can instead return mozilla::pkix::Result,
which is equally expressive and more robust.

MozReview-Commit-ID: Hkd39eqTvds

--HG--
extra : rebase_source : f09e37c6a3a930c30cce003139df86bc84d771ee
This commit is contained in:
Cykesiopka 2016-10-10 15:44:41 +08:00
Родитель bfeb264eca
Коммит 275d94abd0
8 изменённых файлов: 158 добавлений и 175 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

104
security/certverifier/CertVerifier.cpp
Просмотреть файл

@ -8,7 +8,6 @@
#include <stdint.h>
#include "BRNameMatchingPolicy.h"
#include "CTKnownLogs.h"
#include "ExtendedValidation.h"
#include "MultiLogCTVerifier.h"
@ -322,7 +321,7 @@ CertVerifier::SHA1ModeMoreRestrictiveThanGivenMode(SHA1Mode mode)
static const unsigned int MIN_RSA_BITS = 2048;
static const unsigned int MIN_RSA_BITS_WEAK = 1024;
SECStatus
Result
CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
Time time, void* pinArg, const char* hostname,
/*out*/ UniqueCERTCertList& builtChain,
@ -348,41 +347,34 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
}
if (ocspStaplingStatus) {
if (usage != certificateUsageSSLServer) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
return Result::FATAL_ERROR_INVALID_ARGS;
}
*ocspStaplingStatus = OCSP_STAPLING_NEVER_CHECKED;
}
if (keySizeStatus) {
if (usage != certificateUsageSSLServer) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
return Result::FATAL_ERROR_INVALID_ARGS;
}
*keySizeStatus = KeySizeStatus::NeverChecked;
}
if (sha1ModeResult) {
if (usage != certificateUsageSSLServer) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
return Result::FATAL_ERROR_INVALID_ARGS;
}
*sha1ModeResult = SHA1ModeResult::NeverChecked;
}
if (!cert ||
(usage != certificateUsageSSLServer && (flags & FLAG_MUST_BE_EV))) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
return Result::FATAL_ERROR_INVALID_ARGS;
}
Result rv;
Input certDER;
rv = certDER.Init(cert->derCert.data, cert->derCert.len);
Result rv = certDER.Init(cert->derCert.data, cert->derCert.len);
if (rv != Success) {
PR_SetError(MapResultToPRErrorCode(rv), 0);
return SECFailure;
return rv;
}
// We configure the OCSP fetching modes separately for EV and non-EV
@ -404,8 +396,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
stapledOCSPResponseSECItem->len);
if (rv != Success) {
// The stapled OCSP response was too big.
PR_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE, 0);
return SECFailure;
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
}
stapledOCSPResponse = &stapledOCSPResponseInput;
}
@ -797,14 +788,13 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
}
if (rv != Success) {
PR_SetError(MapResultToPRErrorCode(rv), 0);
return SECFailure;
return rv;
}
return SECSuccess;
return Success;
}
SECStatus
Result
CertVerifier::VerifySSLServerCert(const UniqueCERTCertificate& peerCert,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional*/ const SECItem* sctsFromTLS,
@ -831,84 +821,74 @@ CertVerifier::VerifySSLServerCert(const UniqueCERTCertificate& peerCert,
}
if (!hostname || !hostname[0]) {
PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0);
return SECFailure;
return Result::ERROR_BAD_CERT_DOMAIN;
}
// CreateCertErrorRunnable assumes that CheckCertHostname is only called
// if VerifyCert succeeded.
SECStatus rv = VerifyCert(peerCert.get(), certificateUsageSSLServer, time,
pinarg, hostname, builtChain, flags,
stapledOCSPResponse, sctsFromTLS,
evOidPolicy, ocspStaplingStatus, keySizeStatus,
sha1ModeResult, pinningTelemetryInfo,
ctInfo);
if (rv != SECSuccess) {
Result rv = VerifyCert(peerCert.get(), certificateUsageSSLServer, time,
pinarg, hostname, builtChain, flags,
stapledOCSPResponse, sctsFromTLS, evOidPolicy,
ocspStaplingStatus, keySizeStatus, sha1ModeResult,
pinningTelemetryInfo, ctInfo);
if (rv != Success) {
return rv;
}
Input peerCertInput;
Result result = peerCertInput.Init(peerCert->derCert.data,
peerCert->derCert.len);
if (result != Success) {
PR_SetError(MapResultToPRErrorCode(result), 0);
return SECFailure;
rv = peerCertInput.Init(peerCert->derCert.data, peerCert->derCert.len);
if (rv != Success) {
return rv;
}
Input stapledOCSPResponseInput;
Input* responseInputPtr = nullptr;
if (stapledOCSPResponse) {
result = stapledOCSPResponseInput.Init(stapledOCSPResponse->data,
stapledOCSPResponse->len);
if (result != Success) {
rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->data,
stapledOCSPResponse->len);
if (rv != Success) {
// The stapled OCSP response was too big.
PR_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE, 0);
return SECFailure;
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
}
responseInputPtr = &stapledOCSPResponseInput;
}
if (!(flags & FLAG_TLS_IGNORE_STATUS_REQUEST)) {
result = CheckTLSFeaturesAreSatisfied(peerCertInput, responseInputPtr);
if (result != Success) {
PR_SetError(MapResultToPRErrorCode(result), 0);
return SECFailure;
rv = CheckTLSFeaturesAreSatisfied(peerCertInput, responseInputPtr);
if (rv != Success) {
return rv;
}
}
Input hostnameInput;
result = hostnameInput.Init(BitwiseCast<const uint8_t*, const char*>(hostname),
strlen(hostname));
if (result != Success) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
rv = hostnameInput.Init(BitwiseCast<const uint8_t*, const char*>(hostname),
strlen(hostname));
if (rv != Success) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
bool isBuiltInRoot;
result = IsCertChainRootBuiltInRoot(builtChain, isBuiltInRoot);
if (result != Success) {
PR_SetError(MapResultToPRErrorCode(result), 0);
return SECFailure;
rv = IsCertChainRootBuiltInRoot(builtChain, isBuiltInRoot);
if (rv != Success) {
return rv;
}
BRNameMatchingPolicy nameMatchingPolicy(
isBuiltInRoot ? mNameMatchingMode
: BRNameMatchingPolicy::Mode::DoNotEnforce);
result = CheckCertHostname(peerCertInput, hostnameInput, nameMatchingPolicy);
if (result != Success) {
rv = CheckCertHostname(peerCertInput, hostnameInput, nameMatchingPolicy);
if (rv != Success) {
// Treat malformed name information as a domain mismatch.
if (result == Result::ERROR_BAD_DER) {
PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0);
} else {
PR_SetError(MapResultToPRErrorCode(result), 0);
if (rv == Result::ERROR_BAD_DER) {
return Result::ERROR_BAD_CERT_DOMAIN;
}
return SECFailure;
return rv;
}
if (saveIntermediatesInPermanentDatabase) {
SaveIntermediateCerts(builtChain);
}
return SECSuccess;
return Success;
}
} } // namespace mozilla::psm

33
security/certverifier/CertVerifier.h
Просмотреть файл

@ -97,23 +97,24 @@ public:
// *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
// Only one usage per verification is supported.
SECStatus VerifyCert(CERTCertificate* cert,
SECCertificateUsage usage,
mozilla::pkix::Time time,
void* pinArg,
const char* hostname,
/*out*/ UniqueCERTCertList& builtChain,
Flags flags = 0,
/*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
/*optional in*/ const SECItem* sctsFromTLS = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr,
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr,
/*optional out*/ KeySizeStatus* keySizeStatus = nullptr,
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
mozilla::pkix::Result VerifyCert(
CERTCertificate* cert,
SECCertificateUsage usage,
mozilla::pkix::Time time,
void* pinArg,
const char* hostname,
/*out*/ UniqueCERTCertList& builtChain,
Flags flags = 0,
/*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
/*optional in*/ const SECItem* sctsFromTLS = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr,
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr,
/*optional out*/ KeySizeStatus* keySizeStatus = nullptr,
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
SECStatus VerifySSLServerCert(
mozilla::pkix::Result VerifySSLServerCert(
const UniqueCERTCertificate& peerCert,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional*/ const SECItem* sctsFromTLS,

49
security/manager/ssl/SSLServerCertVerification.cpp
Просмотреть файл

@ -1309,8 +1309,6 @@ AuthCertificate(CertVerifier& certVerifier,
MOZ_ASSERT(infoObject);
MOZ_ASSERT(cert);
SECStatus rv;
// We want to avoid storing any intermediate cert information when browsing
// in private, transient contexts.
bool saveIntermediates =
@ -1331,20 +1329,18 @@ AuthCertificate(CertVerifier& certVerifier,
flags |= CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
}
rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
sctsFromTLSExtension, time, infoObject,
infoObject->GetHostNameRaw(),
certList, saveIntermediates, flags,
&evOidPolicy, &ocspStaplingStatus,
&keySizeStatus, &sha1ModeResult,
&pinningTelemetryInfo,
&certificateTransparencyInfo);
PRErrorCode savedErrorCode;
if (rv != SECSuccess) {
savedErrorCode = PR_GetError();
}
Result rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
sctsFromTLSExtension, time,
infoObject,
infoObject->GetHostNameRaw(),
certList, saveIntermediates,
flags, &evOidPolicy,
&ocspStaplingStatus,
&keySizeStatus, &sha1ModeResult,
&pinningTelemetryInfo,
&certificateTransparencyInfo);
uint32_t evStatus = (rv != SECSuccess) ? 0 // 0 = Failure
uint32_t evStatus = (rv != Success) ? 0 // 0 = Failure
: (evOidPolicy == SEC_OID_UNKNOWN) ? 1 // 1 = DV
: 2; // 2 = EV
Telemetry::Accumulate(Telemetry::CERT_EV_STATUS, evStatus);
@ -1379,15 +1375,14 @@ AuthCertificate(CertVerifier& certVerifier,
RefPtr<nsNSSCertificate> nsc;
if (!status || !status->HasServerCert()) {
if( rv == SECSuccess ){
if (rv == Success) {
nsc = nsNSSCertificate::Create(cert.get(), &evOidPolicy);
}
else {
} else {
nsc = nsNSSCertificate::Create(cert.get());
}
}
if (rv == SECSuccess) {
if (rv == Success) {
GatherSuccessfulValidationTelemetry(certList);
GatherCertificateTransparencyTelemetry(certList,
certificateTransparencyInfo);
@ -1400,13 +1395,13 @@ AuthCertificate(CertVerifier& certVerifier,
infoObject->SetSSLStatus(status);
}
if (rv == SECSuccess) {
if (rv == Success) {
// Certificate verification succeeded delete any potential record
// of certificate error bits.
RememberCertErrorsTable::GetInstance().RememberCertHasError(infoObject,
nullptr, rv);
}
else {
nullptr,
SECSuccess);
} else {
// Certificate verification failed, update the status' bits.
RememberCertErrorsTable::GetInstance().LookupCertErrorBits(
infoObject, status);
@ -1414,7 +1409,7 @@ AuthCertificate(CertVerifier& certVerifier,
if (status && !status->HasServerCert()) {
nsNSSCertificate::EVStatus evStatus;
if (evOidPolicy == SEC_OID_UNKNOWN || rv != SECSuccess) {
if (evOidPolicy == SEC_OID_UNKNOWN || rv != Success) {
evStatus = nsNSSCertificate::ev_status_invalid;
} else {
evStatus = nsNSSCertificate::ev_status_valid;
@ -1426,14 +1421,14 @@ AuthCertificate(CertVerifier& certVerifier,
}
}
if (rv != SECSuccess) {
if (rv != Success) {
// Certificate validation failed; store the peer certificate chain on
// infoObject so it can be used for error reporting.
infoObject->SetFailedCertChain(Move(peerCertChain));
PR_SetError(savedErrorCode, 0);
PR_SetError(MapResultToPRErrorCode(rv), 0);
}
return rv;
return rv == Success ? SECSuccess : SECFailure;
}
/*static*/ SECStatus

16
security/manager/ssl/nsDataSignatureVerifier.cpp
Просмотреть файл

@ -12,6 +12,7 @@
#include "nsCOMPtr.h"
#include "nsNSSComponent.h"
#include "nssb64.h"
#include "pkix/pkixnss.h"
#include "pkix/pkixtypes.h"
#include "ScopedNSSTypes.h"
#include "secerr.h"
@ -256,11 +257,16 @@ VerifyCertificate(CERTCertificate* cert, void* voidContext, void* pinArg)
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
return MapSECStatus(certVerifier->VerifyCert(cert,
certificateUsageObjectSigner,
Now(), pinArg,
nullptr, // hostname
context->builtChain));
Result result = certVerifier->VerifyCert(cert,
certificateUsageObjectSigner,
Now(), pinArg,
nullptr, // hostname
context->builtChain);
if (result != Success) {
return GetXPCOMFromNSSError(MapResultToPRErrorCode(result));
}
return NS_OK;
}
} // namespace

10
security/manager/ssl/nsNSSCertificate.cpp
Просмотреть файл

@ -681,7 +681,8 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
nullptr, /*XXX fixme*/
nullptr, /* hostname */
nssChain,
CertVerifier::FLAG_LOCAL_ONLY) != SECSuccess) {
CertVerifier::FLAG_LOCAL_ONLY)
!= mozilla::pkix::Success) {
nssChain = nullptr;
// keep going
}
@ -707,7 +708,8 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
nullptr, /*XXX fixme*/
nullptr, /*hostname*/
nssChain,
CertVerifier::FLAG_LOCAL_ONLY) != SECSuccess) {
CertVerifier::FLAG_LOCAL_ONLY)
!= mozilla::pkix::Success) {
nssChain = nullptr;
// keep going
}
@ -1153,7 +1155,7 @@ nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
uint32_t flags = mozilla::psm::CertVerifier::FLAG_LOCAL_ONLY |
mozilla::psm::CertVerifier::FLAG_MUST_BE_EV;
UniqueCERTCertList unusedBuiltChain;
SECStatus rv = certVerifier->VerifyCert(mCert.get(),
mozilla::pkix::Result result = certVerifier->VerifyCert(mCert.get(),
certificateUsageSSLServer, mozilla::pkix::Now(),
nullptr /* XXX pinarg */,
nullptr /* hostname */,
@ -1163,7 +1165,7 @@ nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
nullptr /* sctsFromTLSExtension */,
&resultOidTag);
if (rv != SECSuccess) {
if (result != mozilla::pkix::Success) {
resultOidTag = SEC_OID_UNKNOWN;
}
if (resultOidTag != SEC_OID_UNKNOWN) {

94
security/manager/ssl/nsNSSCertificateDB.cpp
Просмотреть файл

@ -39,6 +39,7 @@
#include "nsThreadUtils.h"
#include "nspr.h"
#include "pkix/Time.h"
#include "pkix/pkixnss.h"
#include "pkix/pkixtypes.h"
#include "secasn1.h"
#include "secder.h"
@ -613,17 +614,17 @@ nsNSSCertificateDB::ImportEmailCertificate(uint8_t* data, uint32_t length,
}
UniqueCERTCertList certChain;
SECStatus srv = certVerifier->VerifyCert(node->cert,
certificateUsageEmailRecipient,
mozilla::pkix::Now(), ctx,
nullptr, certChain);
if (srv != SECSuccess) {
mozilla::pkix::Result result =
certVerifier->VerifyCert(node->cert, certificateUsageEmailRecipient,
mozilla::pkix::Now(), ctx, nullptr, certChain);
if (result != mozilla::pkix::Success) {
nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert);
DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, locker);
continue;
}
srv = ImportCertsIntoPermanentStorage(certChain, certUsageEmailRecipient,
false);
SECStatus srv = ImportCertsIntoPermanentStorage(certChain,
certUsageEmailRecipient,
false);
if (srv != SECSuccess) {
return NS_ERROR_FAILURE;
}
@ -669,18 +670,18 @@ nsNSSCertificateDB::ImportValidCACertsInList(const UniqueCERTCertList& filteredC
!CERT_LIST_END(node, filteredCerts.get());
node = CERT_LIST_NEXT(node)) {
UniqueCERTCertList certChain;
SECStatus rv = certVerifier->VerifyCert(node->cert,
certificateUsageVerifyCA,
mozilla::pkix::Now(), ctx,
nullptr, certChain);
if (rv != SECSuccess) {
mozilla::pkix::Result result =
certVerifier->VerifyCert(node->cert, certificateUsageVerifyCA,
mozilla::pkix::Now(), ctx, nullptr, certChain);
if (result != mozilla::pkix::Success) {
nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert);
DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, proofOfLock);
continue;
}
rv = ImportCertsIntoPermanentStorage(certChain, certUsageAnyCA, true);
if (rv != SECSuccess) {
SECStatus srv = ImportCertsIntoPermanentStorage(certChain, certUsageAnyCA,
true);
if (srv != SECSuccess) {
return NS_ERROR_FAILURE;
}
}
@ -1140,13 +1141,13 @@ nsNSSCertificateDB::FindCertByEmailAddress(const char* aEmailAddress,
node = CERT_LIST_NEXT(node)) {
UniqueCERTCertList unusedCertChain;
SECStatus srv = certVerifier->VerifyCert(node->cert,
certificateUsageEmailRecipient,
mozilla::pkix::Now(),
nullptr /*XXX pinarg*/,
nullptr /*hostname*/,
unusedCertChain);
if (srv == SECSuccess) {
mozilla::pkix::Result result =
certVerifier->VerifyCert(node->cert, certificateUsageEmailRecipient,
mozilla::pkix::Now(),
nullptr /*XXX pinarg*/,
nullptr /*hostname*/,
unusedCertChain);
if (result == mozilla::pkix::Success) {
break;
}
}
@ -1488,45 +1489,38 @@ VerifyCertAtTime(nsIX509Cert* aCert,
UniqueCERTCertList resultChain;
SECOidTag evOidPolicy;
SECStatus srv;
mozilla::pkix::Result result;
if (aHostname && aUsage == certificateUsageSSLServer) {
srv = certVerifier->VerifySSLServerCert(nssCert,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
aTime,
nullptr, // Assume no context
aHostname,
resultChain,
false, // don't save intermediates
aFlags,
&evOidPolicy);
result = certVerifier->VerifySSLServerCert(nssCert,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
aTime,
nullptr, // Assume no context
aHostname,
resultChain,
false, // don't save intermediates
aFlags,
&evOidPolicy);
} else {
srv = certVerifier->VerifyCert(nssCert.get(), aUsage, aTime,
nullptr, // Assume no context
aHostname,
resultChain,
aFlags,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
&evOidPolicy);
result = certVerifier->VerifyCert(nssCert.get(), aUsage, aTime,
nullptr, // Assume no context
aHostname,
resultChain,
aFlags,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
&evOidPolicy);
}
PRErrorCode error = PR_GetError();
nsCOMPtr<nsIX509CertList> nssCertList;
// This adopts the list
nssCertList = new nsNSSCertList(Move(resultChain), locker);
NS_ENSURE_TRUE(nssCertList, NS_ERROR_FAILURE);
if (srv == SECSuccess) {
if (evOidPolicy != SEC_OID_UNKNOWN) {
*aHasEVPolicy = true;
}
*_retval = 0;
} else {
NS_ENSURE_TRUE(error != 0, NS_ERROR_FAILURE);
*_retval = error;
*_retval = mozilla::pkix::MapResultToPRErrorCode(result);
if (result == mozilla::pkix::Success && evOidPolicy != SEC_OID_UNKNOWN) {
*aHasEVPolicy = true;
}
nssCertList.forget(aVerifiedChain);

25
security/manager/ssl/nsNSSIOLayer.cpp
Просмотреть файл

@ -379,6 +379,10 @@ nsNSSSocketInfo::DriveHandshake()
NS_IMETHODIMP
nsNSSSocketInfo::IsAcceptableForHost(const nsACString& hostname, bool* _retval)
{
NS_ENSURE_ARG(_retval);
*_retval = false;
// If this is the same hostname then the certicate status does not
// need to be considered. They are joinable.
if (hostname.Equals(GetHostName())) {
@ -444,16 +448,17 @@ nsNSSSocketInfo::IsAcceptableForHost(const nsACString& hostname, bool* _retval)
nsAutoCString hostnameFlat(PromiseFlatCString(hostname));
CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY;
UniqueCERTCertList unusedBuiltChain;
SECStatus rv = certVerifier->VerifySSLServerCert(nssCert,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
mozilla::pkix::Now(),
nullptr, // pinarg
hostnameFlat.get(),
unusedBuiltChain,
false, // save intermediates
flags);
if (rv != SECSuccess) {
mozilla::pkix::Result result =
certVerifier->VerifySSLServerCert(nssCert,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
mozilla::pkix::Now(),
nullptr, // pinarg
hostnameFlat.get(),
unusedBuiltChain,
false, // save intermediates
flags);
if (result != mozilla::pkix::Success) {
return NS_OK;
}

2
security/manager/ssl/nsSiteSecurityService.cpp
Просмотреть файл

@ -745,7 +745,7 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI,
certList,
false, // don't store intermediates
flags)
!= SECSuccess) {
!= mozilla::pkix::Success) {
return NS_ERROR_FAILURE;
}