Bug 495357 - Update some documentation concerning SaveIntermediateCerts(). r=kaie,me

Original patch by Wan-Teh Chang. MozReview-Commit-ID: 3ElvC7DanYJ
2016-10-11 19:39:00 +02:00 · 2016-10-11 19:39:00 +02:00 · a5b764f858
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@ -1194,7 +1194,8 @@ SaveIntermediateCerts(const UniqueCERTCertList& certList)
    }

    if (node->cert->slot) {
-      // This cert was found on a token, no need to remember it in the temp db.
+      // This cert was found on a token; no need to remember it in the permanent
+      // database.
      continue;
    }

@ -1213,18 +1214,15 @@ SaveIntermediateCerts(const UniqueCERTCertList& certList)
      continue;
    }

-    // We have found a signer cert that we want to remember.
    nsAutoCString nickname;
    nsresult rv = DefaultServerNicknameForCert(node->cert, nickname);
    if (NS_FAILED(rv)) {
      continue;
    }

-    // Saving valid intermediate certs to the database is a compatibility hack
-    // to work around unknown issuer errors for incorrectly configured servers
-    // that fail to send the necessary intermediate certs. As such, we ignore
-    // the return value of PK11_ImportCert(), since it doesn't really matter if
-    // it fails.
+    // As mentioned in the documentation of this function, we're importing only
+    // to cope with misconfigured servers. As such, we ignore the return value
+    // below, since it doesn't really matter if the import fails.
    Unused << PK11_ImportCert(slot.get(), node->cert, CK_INVALID_HANDLE,
                              nickname.get(), false);
  }
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@ -1367,10 +1367,6 @@ AuthCertificate(CertVerifier& certVerifier,
                          pinningTelemetryInfo.certPinningResultBucket);
  }

-  // We want to remember the CA certs in the temp db, so that the application can find the
-  // complete chain at any time it might need it.
-  // But we keep only those CA certs in the temp db, that we didn't already know.
-
  RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
  RefPtr<nsNSSCertificate> nsc;