bug 1454504 - use a more performant API to find a root certificate in CertUtils.checkCert r=kmag,mossop
nsIX509Cert.issuer performs synchronous certificate verification and isn't even guaranteed to return a verified result. Luckily we can replace this with nsISSLStatus.succeededCertChain, which contains the already-verified certificate chain of the connection we're interested in. MozReview-Commit-ID: I8jPDVlUOvf --HG-- extra : rebase_source : cb426a250946aa92172a077dc9ccf708304af846
Родитель
1e70fb391f
Коммит
70a3575ade
|
@ -7,6 +7,7 @@ var EXPORTED_SYMBOLS = ["CertUtils"];
|
|||
const Ce = Components.Exception;
|
||||
|
||||
ChromeUtils.import("resource://gre/modules/Services.jsm");
|
||||
const { XPCOMUtils } = ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm", {});
|
||||
|
||||
/**
|
||||
* Reads a set of expected certificate attributes from preferences. The returned
|
||||
|
@ -142,25 +143,29 @@ function checkCert(aChannel, aAllowNonBuiltInCerts, aCerts) {
|
|||
return;
|
||||
}
|
||||
|
||||
var cert =
|
||||
aChannel.securityInfo.QueryInterface(Ci.nsISSLStatusProvider).
|
||||
SSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert;
|
||||
let sslStatus = aChannel.securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
|
||||
.SSLStatus;
|
||||
let cert = sslStatus.serverCert;
|
||||
|
||||
validateCert(cert, aCerts);
|
||||
|
||||
if (aAllowNonBuiltInCerts === true)
|
||||
if (aAllowNonBuiltInCerts === true) {
|
||||
return;
|
||||
}
|
||||
|
||||
var issuerCert = cert;
|
||||
while (issuerCert.issuer && !issuerCert.issuer.equals(issuerCert))
|
||||
issuerCert = issuerCert.issuer;
|
||||
let certEnumerator = sslStatus.succeededCertChain.getEnumerator();
|
||||
let issuerCert = null;
|
||||
for (issuerCert of XPCOMUtils.IterSimpleEnumerator(certEnumerator,
|
||||
Ci.nsIX509Cert));
|
||||
|
||||
const certNotBuiltInErr = "Certificate issuer is not built-in.";
|
||||
if (!issuerCert)
|
||||
if (!issuerCert) {
|
||||
throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);
|
||||
}
|
||||
|
||||
if (!issuerCert.isBuiltInRoot)
|
||||
if (!issuerCert.isBuiltInRoot) {
|
||||
throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
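Review bot: The new root lookup `for (issuerCert of XPCOMUtils.IterSimpleEnumerator(certEnumerator, Ci.nsIX509Cert));` relies on `succeededCertChain` being ordered end-entity first so that the last enumerated certificate is the trust anchor, but that assumption lives only in an empty-bodied loop that reads like a stray semicolon. A short comment would stop the next reader from "fixing" it, e.g. `// succeededCertChain is ordered leaf-first (presumably; confirm against nsISSLStatus); keep the last entry, the anchor the connection validated to, and require it to be a built-in root below.` Writing the loop with an explicit body, `for (let c of XPCOMUtils.IterSimpleEnumerator(certEnumerator, Ci.nsIX509Cert)) { issuerCert = c; }`, makes the intent visible at a glance. `issuerCert` remains null only for an empty chain, while a chain that ends in an intermediate rather than a root is rejected by the following `isBuiltInRoot` check, which is the fail-safe direction and worth stating in the same comment. checkCert's signature is outside this hunk.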