Bug 1603221 - Use isCertTrusted instead of asyncVerify to check for policy installed certs. r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D59199 --HG-- extra : moz-landing-system : lando
2020-01-08 21:42:18 +00:00 · 2020-01-08 21:42:18 +00:00 · fcc14ee4a8
--- a/browser/components/enterprisepolicies/Policies.jsm
+++ b/browser/components/enterprisepolicies/Policies.jsm
@ -266,30 +266,23 @@ var Policies = {
                  log.error(`Unable to add certificate - ${certfile.path}`);
                }
              }
              let now = Date.now() / 1000;
              if (cert) {
-                gCertDB.asyncVerifyCertAtTime(
+                if (
-                  cert,
+                  gCertDB.isCertTrusted(
-                  0x0008 /* certificateUsageSSLCA */,
+                    cert,
-                  0,
+                    Ci.nsIX509Cert.CA_CERT,
-                  null,
+                    Ci.nsIX509CertDB.TRUSTED_SSL
-                  now,
+                  )
-                  (aPRErrorCode, aVerifiedChain, aHasEVPolicy) => {
+                ) {
-                    if (aPRErrorCode == Cr.NS_OK) {
+                  // Certificate is already installed.
-                      // Certificate is already installed.
+                  return;
-                      return;
+                }
-                    }
+                try {
-                    try {
+                  gCertDB.addCert(certFile, "CT,CT,");
-                      gCertDB.addCert(certFile, "CT,CT,");
+                } catch (e) {
-                    } catch (e) {
+                  // It might be PEM instead of DER.
-                      // It might be PEM instead of DER.
+                  gCertDB.addCertFromBase64(pemToBase64(certFile), "CT,CT,");
-                      gCertDB.addCertFromBase64(
+                }
                        pemToBase64(certFile),
                        "CT,CT,"
                      );
                    }
                  }
                );
              }
            };
            reader.readAsBinaryString(file);
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@ -694,7 +694,11 @@ nsNSSCertificateDB::IsCertTrusted(nsIX509Cert* cert, uint32_t certType,
  UniqueCERTCertificate nsscert(cert->GetCert());
  CERTCertTrust nsstrust;
  srv = CERT_GetCertTrust(nsscert.get(), &nsstrust);
-  if (srv != SECSuccess) return NS_ERROR_FAILURE;
+  if (srv != SECSuccess) {
    // CERT_GetCertTrust returns SECFailure if given a temporary cert that
    // doesn't have any trust information yet. This isn't an error.
    return NS_OK;
  }
  nsNSSCertTrust trust(&nsstrust);
  if (certType == nsIX509Cert::CA_CERT) {