Граф коммитов

443 Коммитов

Автор SHA1 Сообщение Дата
Dana Keeler 314ecf40aa bug 1602641 - add CRLite/OCSP timing comparison telemetry r=jcj
To evaluate the performance impact of CRLite over OCSP, we need to measure when
CRLite is (presumably) faster and by how much. To do this, we measure the
duration of the respective operations and when both occur for the same
verification, we make a note in the appropriate histogram of how much faster
one was than the other.

data-review+ was already given in bug 1488865 comment 5

Differential Revision: https://phabricator.services.mozilla.com/D56508

--HG--
extra : moz-landing-system : lando
2019-12-10 23:32:51 +00:00
Dana Keeler 63f481b65a bug 1601912 - "use" CRLite fields in NSSCertDBTrustDomain to silence compiler warnings r=jcj
When cert_storage is disabled, the CRLite mode and telemetry fields don't get
used by NSSCertDBTrustDomain, so we get warnings-as-errors about unused fields.
This uses Unused to silence the warnings.

This also adds a missing #include to CertBlocklist.cpp.

Differential Revision: https://phabricator.services.mozilla.com/D56250

--HG--
extra : moz-landing-system : lando
2019-12-09 15:22:29 +00:00
Gabriele Svelto 5dc21d568c Bug 1600545 - Remove useless inclusions of header files generated from IDL files in modules/, netwerk/, parser/, security/, startupcache/, storage/, toolkit/, tools/, uriloader/, widget/, xpcom/ and xpfe/ r=Ehsan
The inclusions were removed with the following very crude script and the
resulting breakage was fixed up by hand. The manual fixups did either
revert the changes done by the script, replace a generic header with a more
specific one or replace a header with a forward declaration.

find . -name "*.idl" | grep -v web-platform | grep -v third_party | while read path; do
    interfaces=$(grep "^\(class\|interface\).*:.*" "$path" | cut -d' ' -f2)
    if [ -n "$interfaces" ]; then
        if [[ "$interfaces" == *$'\n'* ]]; then
          regexp="\("
          for i in $interfaces; do regexp="$regexp$i\|"; done
          regexp="${regexp%%\\\|}\)"
        else
          regexp="$interfaces"
        fi
        interface=$(basename "$path")
        rg -l "#include.*${interface%%.idl}.h" . | while read path2; do
            hits=$(grep -v "#include.*${interface%%.idl}.h" "$path2" | grep -c "$regexp" )
            if [ $hits -eq 0 ]; then
                echo "Removing ${interface} from ${path2}"
                grep -v "#include.*${interface%%.idl}.h" "$path2" > "$path2".tmp
                mv -f "$path2".tmp "$path2"
            fi
        done
    fi
done

Differential Revision: https://phabricator.services.mozilla.com/D55444

--HG--
extra : moz-landing-system : lando
2019-12-06 09:17:57 +00:00
Dana Keeler 4488a492b1 bug 1586855 - incorporate CRLite filters into cert_storage r=jcj,kjacobs
This patch implements CRLite lookups for TLS server certificate revocation
information in telemetry-only mode. It adds a new preference
"security.pki.crlite_mode" to control the behavior of this feature. Setting
this preference to 0 disables it completely. Setting it to 1 enables telemetry
collection only (the default). Setting it to 2 enables enforcing revocation
information found via CRLite.

Differential Revision: https://phabricator.services.mozilla.com/D54040

--HG--
rename : third_party/rust/bit_reverse/LICENSE-APACHE => third_party/rust/rental/LICENSE-APACHE
rename : third_party/rust/bit-vec/LICENSE-MIT => third_party/rust/rental/LICENSE-MIT
extra : moz-landing-system : lando
2019-12-05 22:41:53 +00:00
Dana Keeler 13ed5551e3 bug 1594510 - update all TrustDomain implementations in mozilla-central due to the mozilla::pkix API change in bug 1593141 r=mbirghan
Bug 1593141 adds a parameter to mozilla::pkix::TrustDomain::CheckRevocation.
This patch updates all TrustDomain implementations in mozilla-central to
reflect this.

Differential Revision: https://phabricator.services.mozilla.com/D52066

--HG--
extra : moz-landing-system : lando
2019-11-15 18:26:45 +00:00
Dana Keeler cc3995546b bug 1592111 - add the preference "security.osclientcerts.autoload" to control auto-loading the OS client certs module r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D52288

--HG--
extra : moz-landing-system : lando
2019-11-13 21:19:57 +00:00
Kevin Jacobs b964726542 Bug 1575735 - Explicitly check key strength of TLS channel by setting authKeyBits earlier in SSL_AuthCertificate r=keeler
This patch provides Delegated Credential information (authKeyBits and signature scheme) to CertVerifier such that we can enforce a policy check and disallow weak keys in the Delegated Credential.

This information is not passed from http3 - adding this will be done in a separate bug.

Differential Revision: https://phabricator.services.mozilla.com/D47181

--HG--
rename : security/manager/ssl/tests/unit/test_delegated_credentials/delegated-selfsigned.key => security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key
rename : security/manager/ssl/tests/unit/test_delegated_credentials/delegated-selfsigned.key.keyspec => security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec
extra : moz-landing-system : lando
2019-11-07 22:13:43 +00:00
Sean Feng 78953e2b7f Bug 1592355 - Convert certList to raw array for Pins verification r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D50967

--HG--
extra : moz-landing-system : lando
2019-10-31 23:56:32 +00:00
Dana Keeler e064323a59 bug 1063276 - include the peer cert chain from the TLS handshake when verifying server certificates r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D50129

--HG--
extra : moz-landing-system : lando
2019-10-24 22:48:40 +00:00
Marcus Burghardt ec4fc41539 Bug 1586081 - Remove special EV treatment from GlobalSign Extended Validation CA - SHA256 - G2. r=keeler
In 2017-04, due a transition of two CA certs from GobalSign to Google, a temporary and exceptional EV treatment was deployed in PSM for this transition:
https://bugzilla.mozilla.org/show_bug.cgi?id=1349762

This exception was removed with this patch.

Differential Revision: https://phabricator.services.mozilla.com/D49106

--HG--
extra : moz-landing-system : lando
2019-10-15 17:11:35 +00:00
Marcus Burghardt b7e036202f Bug 1585449 - Disable EV treatment for Global Chambersign Root – 2008 root. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D48959

--HG--
extra : moz-landing-system : lando
2019-10-11 20:15:29 +00:00
Dana Keeler 67fc934d4b bug 1570222 - avoid passing unrelated certificates to mozilla::pkix from NSSCertDBTrustDomain r=kjacobs
During path building, mozilla::pkix filters out candidate certificates provided
by trust domains where the subject distinguished name does not match the issuer
distinguished name of the certificate it's trying to find an issuer for.
However, if there's a problem decoding the candidate issuer certificate,
mozilla::pkix will make a note of this error, regardless of if that certificate
was potentially a suitable issuer. If no trusted path is found, the error from
that unrelated certificate may ultimately be returned by mozilla::pkix,
resulting in confusion.

Before this patch, NSSCertDBTrustDomain could cause this behavior by blithely
passing every known 3rd party certificate to mozilla::pkix (other sources of
certificates already filter on subject distinguished name). This patch adds
filtering to 3rd party certificates as well.

Differential Revision: https://phabricator.services.mozilla.com/D48120

--HG--
extra : moz-landing-system : lando
2019-10-04 16:46:08 +00:00
Dana Keeler dbf19a6cd5 bug 1577944 - avoid calling CERT_NewTempCertificate in NSSCertDBTrustDomain::GetCertTrust for enterprise certificates r=jcj,kjacobs
Calling CERT_NewTempCertificate on an enterprise certificate is inefficient
because NSS tries (and fails) to find a copy of that certificate in its internal
data structures (which includes querying softoken, which involves hitting the
disk). We can avoid doing so for these certificates in
NSSCertDBTrustDomain::GetCertTrust because we already know what trust values
they should have (after checking the relevant blocklists).

Differential Revision: https://phabricator.services.mozilla.com/D45588

--HG--
extra : moz-landing-system : lando
2019-09-17 20:30:15 +00:00
Kershaw Chang 5fad51dd02 Bug 1560354 - Transform some nss types into gecko types. r=keeler,dragana
Differential Revision: https://phabricator.services.mozilla.com/D35566

--HG--
extra : moz-landing-system : lando
2019-09-05 15:49:35 +00:00
Barret Rennie b0cbc31990 Bug 1510569 - Implement serializers for nsITransportSecurityInfo, nsIX509Cert, and nsIX509CertList r=froydnj,keeler,mayhemer
As part of the ongoing effort to port the nsIWebProgress events from
RemoteWebProgress / WebProgressChild to BrowserParent / BrowserChild, we need
to (de)serialize the nsITransportSecurityInfo instance across the IPC layer.
The existing code was calling `NS_SerializeToString` which has the overhead of
(a) allocating a buffer and also performing base64 encoding/decoding. This
patch adds `IPC::ParamTraits` implementations for `nsITransportSecurityInfo`,
`nsIX509Certificate`, and `nsIX509CertList` that (de)serializes the params
directly onto and off of the IPC message so that we don't go through the
overhead of allocating and encoding/decoding an additional buffer.

This (de)serialization will address the performance issues present in the
current implementation.

As a side effect, I also make nsITransportSecurityInfo a builtinclass XPCOM
interface, since the existing serialization code was assuming it was, there is
only one implementation, and it is in C++.

Differential Revision: https://phabricator.services.mozilla.com/D35090

--HG--
extra : moz-landing-system : lando
2019-08-28 18:55:31 +00:00
Dorel Luca b09fe526aa Backed out 4 changesets (bug 1510569) for build bustage. CLOSED TREE
Backed out changeset d7db6a1935ce (bug 1510569)
Backed out changeset 03b7cf756a7f (bug 1510569)
Backed out changeset fa318eec0e76 (bug 1510569)
Backed out changeset cecb17bd8c03 (bug 1510569)
2019-08-28 21:46:40 +03:00
Barret Rennie 4ab0fd7d38 Bug 1510569 - Implement serializers for nsITransportSecurityInfo, nsIX509Cert, and nsIX509CertList r=froydnj,keeler,mayhemer
As part of the ongoing effort to port the nsIWebProgress events from
RemoteWebProgress / WebProgressChild to BrowserParent / BrowserChild, we need
to (de)serialize the nsITransportSecurityInfo instance across the IPC layer.
The existing code was calling `NS_SerializeToString` which has the overhead of
(a) allocating a buffer and also performing base64 encoding/decoding. This
patch adds `IPC::ParamTraits` implementations for `nsITransportSecurityInfo`,
`nsIX509Certificate`, and `nsIX509CertList` that (de)serializes the params
directly onto and off of the IPC message so that we don't go through the
overhead of allocating and encoding/decoding an additional buffer.

This (de)serialization will address the performance issues present in the
current implementation.

As a side effect, I also make nsITransportSecurityInfo a builtinclass XPCOM
interface, since the existing serialization code was assuming it was, there is
only one implementation, and it is in C++.

Differential Revision: https://phabricator.services.mozilla.com/D35090

--HG--
extra : moz-landing-system : lando
2019-08-28 18:00:16 +00:00
Oana Pop Rus 3223cd3dc2 Backed out 4 changesets (bug 1510569) for causing build bustage on a CLOSED TREE
Backed out changeset eae555c11f25 (bug 1510569)
Backed out changeset 2fb8938d16db (bug 1510569)
Backed out changeset b480af862022 (bug 1510569)
Backed out changeset 642cd6323cdc (bug 1510569)
2019-08-21 22:55:43 +03:00
Barret Rennie d8a4453540 Bug 1510569 - Implement serializers for nsITransportSecurityInfo, nsIX509Cert, and nsIX509CertList r=froydnj,keeler
As part of the ongoing effort to port the nsIWebProgress events from
RemoteWebProgress / WebProgressChild to BrowserParent / BrowserChild, we need
to (de)serialize the nsITransportSecurityInfo instance across the IPC layer.
The existing code was calling `NS_SerializeToString` which has the overhead of
(a) allocating a buffer and also performing base64 encoding/decoding. This
patch adds `IPC::ParamTraits` implementations for `nsITransportSecurityInfo`,
`nsIX509Certificate`, and `nsIX509CertList` that (de)serializes the params
directly onto and off of the IPC message so that we don't go through the
overhead of allocating and encoding/decoding an additional buffer.

This (de)serialization will address the performance issues present in the
current implementation.

As a side effect, I also make nsITransportSecurityInfo a builtinclass XPCOM
interface, since the existing serialization code was assuming it was, there is
only one implementation, and it is in C++.

Differential Revision: https://phabricator.services.mozilla.com/D35090

--HG--
extra : moz-landing-system : lando
2019-08-21 18:24:56 +00:00
arthur.iakab b24139d864 Backed out changeset 5d42edca79d4 (bug 1560354) for causing mass failures on mozilla/Maybe.h:488 CLOSED TREE 2019-08-15 03:01:50 +03:00
Dragana Damjanovic 1ed2904c50 Bug 1560354 - Transform some nss types into gecko types. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D35566

--HG--
extra : moz-landing-system : lando
2019-07-02 21:26:36 +00:00
Moritz Birghan 978fb0351d Bug 1360307 - Improves the arguments to mozilla::psm::InitializeNSS r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39011

--HG--
extra : moz-landing-system : lando
2019-08-02 17:51:22 +00:00
Gurzau Raul 08ddcd8a5a Backed out changeset 4a66bfcbaca5 (bug 1360307) for build bustage at Logging.h on a CLOSED TREE. 2019-07-31 20:22:43 +03:00
Moritz Birghan 356d25bd08 Bug 1360307 - Improves the arguments to mozilla::psm::InitializeNSS r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39011

--HG--
extra : moz-landing-system : lando
2019-07-31 16:52:02 +00:00
Dana Keeler 5a208d1853 bug 1557092 - add fast path to avoid calling CERT_CreateSubjectList for most certificate verifications r=jcj,KevinJacobs
Differential Revision: https://phabricator.services.mozilla.com/D34042

--HG--
extra : moz-landing-system : lando
2019-06-11 22:45:26 +00:00
Dana Keeler 4401954b60 Bug 1551177 - avoid searching unproductive certificate paths during verification r=jcj,KevinJacobs
In bug 1056341 we introduced a search budget to mozilla::pkix to attempt to work
around the problem of having an extremely large search space given a set of
certificates all with the same subject and issuer distinguished names but
different public keys. In the end, though, there is probably no good value to
choose for the budget that is small enough to run quickly on the wide range of
hardware our users have and yet is large enough that we're confident won't break
someone's complicated pki setup (looking at you, the US federal government).

To address this, use the observation that as long as an intermediate can't *add*
information necessary to build a certificate chain (e.g. stapled SCTs), we
should never need a self-signed intermediate (as in, its own key verifies the
signature on it and its subject and issuer distinguished names are identical) to
build a trusted chain (since the exact same chain without that intermediate
should be valid). Given this, we simply skip all self-signed non-trust anchor
CA certificates during path building.

Differential Revision: https://phabricator.services.mozilla.com/D31368

--HG--
extra : moz-landing-system : lando
2019-05-18 00:15:54 +00:00
Myk Melez bfe7c7e0b4 Bug 1547877 - enable configuration of new cert storage implementation r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D29306

--HG--
extra : moz-landing-system : lando
2019-05-02 23:02:13 +00:00
Dana Keeler 24f126d799 bug 1530545 - store preloaded intermediates in cert_storage r=mgoodwin,myk
This updates cert_storage to be able to store certificates indexed by subject DN
for easy lookup by NSSCertDBTrustDomain during path building. This also updates
RemoteSecuritySettings to store newly-downloaded preloaded intermediates in
cert_storage.

Differential Revision: https://phabricator.services.mozilla.com/D27991

--HG--
extra : moz-landing-system : lando
2019-04-30 00:00:48 +00:00
Kevin Jacobs acb3a2377a Bug 1515465 - Enable EV Treatment for eMudhra Technologies Limited root certificates r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D28583

--HG--
extra : moz-landing-system : lando
2019-04-25 17:46:16 +00:00
Kevin Jacobs 2d5d2631dd Bug 1532757 - Enable EV Treatment for Hongkong Post Root CA 3 root certificate r=keeler
This patch enables EV validation for //CN=Hongkong Post Root CA 3// root.

Differential Revision: https://phabricator.services.mozilla.com/D28580

--HG--
extra : moz-landing-system : lando
2019-04-24 17:08:18 +00:00
Dana Keeler c2bdc62aa5 bug 1529044 - use a low-priority queue on a certificate verification thread to import intermediate certificates r=mgoodwin
Previously this functionality created a CryptoTask to do this work, but that
would cause a new thread to be created for each list of intermediates. This was
slow both because of all of the threads and because they could be scheduled
while other work was happening. Moving these tasks to the low-priority event
queue for threads in the certificate verification thread pool means no new
threads are created and the work only happens when these threads are idle
anyway.

Differential Revision: https://phabricator.services.mozilla.com/D26630

--HG--
extra : moz-landing-system : lando
2019-04-10 21:44:16 +00:00
Sylvestre Ledru 03fc65347c Bug 1542146 - Apply the change with the option StatementMacros from clang-format-8 r=andi
# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D26280

--HG--
extra : moz-landing-system : lando
2019-04-05 21:42:17 +00:00
Dana Keeler 61bd4db566 Bug 1535752 - avoid unnecessarily base64-encoding inputs to nsICertStorage when we already have DER r=mgoodwin
Differential Revision: https://phabricator.services.mozilla.com/D26034

--HG--
extra : moz-landing-system : lando
2019-04-05 21:19:21 +00:00
Csoregi Natalia ba58e936bd Backed out changeset 4ad80127f89f (bug 1519636) for bustage on MarkupMap.h and nsAccessibilityService.cpp. CLOSED TREE 2019-04-05 09:48:19 +03:00
Sylvestre Ledru d1c1878603 Bug 1519636 - clang-format-8: Reformat recent changes to the Google coding style r=Ehsan
clang-format-8 upstream had some improvements wrt macros
See: https://reviews.llvm.org/D33440
This is why the diff is bigger than usual

# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D26098

--HG--
extra : moz-landing-system : lando
2019-04-04 21:36:16 +00:00
Narcis Beleuzu 24dbe577a5 Backed out changeset 389b6bbd76db (bug 1519636) for bustages on MarkupMap.h . CLOSED TREE 2019-04-05 00:27:56 +03:00
Sylvestre Ledru 399dbd28fe Bug 1519636 - clang-format-8: Reformat recent changes to the Google coding style r=Ehsan
clang-format-8 upstream had some improvements wrt macros
See: https://reviews.llvm.org/D33440
This is why the diff is bigger than usual

# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D26098

--HG--
extra : moz-landing-system : lando
2019-04-04 20:12:23 +00:00
Dana Keeler 13b7c3537c bug 1529044 - intermediate certificate caching: import on a background thread to not block certificate verification r=mgoodwin
Apparently importing a certificate into the NSS certificate DB is slow enough to
materially impact the time it takes to connect to a site. This patch addresses
this by importing any intermediate certificates we want to cache from verified
connections on a background thread (so the certificate verification thread can
return faster).

Differential Revision: https://phabricator.services.mozilla.com/D24384

--HG--
extra : moz-landing-system : lando
2019-03-26 15:56:32 +00:00
Narcis Beleuzu db05e9557d Backed out changeset d641ac81d9f0 (bug 1529044) for XPCShel failures on test_missing_intermediate.js . CLOSED TREE 2019-03-25 23:20:27 +02:00
Dana Keeler f04ab743ad bug 1529044 - intermediate certificate caching: import on a background thread to not block certificate verification r=mgoodwin
Apparently importing a certificate into the NSS certificate DB is slow enough to
materially impact the time it takes to connect to a site. This patch addresses
this by importing any intermediate certificates we want to cache from verified
connections on a background thread (so the certificate verification thread can
return faster).

Differential Revision: https://phabricator.services.mozilla.com/D24384

--HG--
extra : moz-landing-system : lando
2019-03-25 17:09:37 +00:00
shindli 12c0629a98 Merge mozilla-central to inbound. a=merge CLOSED TREE
--HG--
rename : js/src/tests/non262/fields/basic.js => js/src/jit-test/tests/fields/basic.js
rename : js/src/tests/non262/fields/literal.js => js/src/jit-test/tests/fields/literal.js
rename : js/src/tests/non262/fields/mixed_methods.js => js/src/jit-test/tests/fields/mixed_methods.js
rename : js/src/tests/non262/fields/quirks.js => js/src/jit-test/tests/fields/quirks.js
2019-03-21 06:36:37 +02:00
Jeff Walden 44f0e9ca5f Bug 1533640 - Attempt to parse empty OCSP responses and let the parse attempt signal malformedness, instead of letting an empty response's |Vector<uint8_t>::begin() == nullptr| be the trigger of that signal. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D22656

--HG--
extra : rebase_source : 47afff90c0a07330664b95fbdd7d5cc7e8b5bb4d
2019-03-07 15:28:00 -08:00
Dana Keeler 6110b2c67a bug 1515608 - allow end-entity certificates to be trust anchors for compatibility r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D23240

--HG--
extra : moz-landing-system : lando
2019-03-18 20:01:02 +00:00
Mark Goodwin 50887394d6 Bug 1429796 Cleanup storage in CertBlocklist to allow easy addition of new types of pair (e.g. whitelist entries) r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D17668

--HG--
extra : moz-landing-system : lando
2019-03-20 17:00:47 +00:00
Andreea Pavel c3cd918c5c Backed out 2 changesets (bug 1429796) for failing xperf on a CLOSED TREE
Backed out changeset b0d08863f7a5 (bug 1429796)
Backed out changeset 1bd54f8dfd9e (bug 1429796)
2019-03-20 00:03:49 +02:00
Mark Goodwin 59e0c373c3 Bug 1429796 Cleanup storage in CertBlocklist to allow easy addition of new types of pair (e.g. whitelist entries) r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D17668

--HG--
extra : moz-landing-system : lando
2019-03-19 17:48:04 +00:00
Sylvestre Ledru 41d1d79094 Bug 1519636 - Reformat recent changes to the Google coding style r=Ehsan
# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D19663

--HG--
extra : moz-landing-system : lando
2019-02-15 08:15:57 +00:00
Mike Hommey ef3ad686ee Bug 1512504 - Remove support for MSVC. r=froydnj
Consequently, this removes:
- MOZ_LIBPRIO, which is now always enabled.
- non_msvc_compiler, which is now always true.
- The cl.py wrapper, since it's not used anymore.
- CL_INCLUDES_PREFIX, which was only used for the cl.py wrapper.
- NONASCII, which was only there to ensure CL_INCLUDES_PREFIX still
  worked in non-ASCII cases.

This however keeps a large part of detecting and configuring for MSVC,
because we still do need it for at least headers, libraries, and midl.

Depends on D19614

Differential Revision: https://phabricator.services.mozilla.com/D19615

--HG--
extra : moz-landing-system : lando
2019-02-14 21:45:27 +00:00
Dana Keeler 86b72ab902 bug 1473573 - import intermediate certificates as well as roots r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D18630

--HG--
extra : moz-landing-system : lando
2019-02-12 18:23:25 +00:00
Dana Keeler f7feebc465 bug 1526007 - don't return early from NSSCertDBTrustDomain::FindIssuer if NSS doesn't find any candidate issuers r=jcj
As of bug 1514118, NSS is not the only place NSSCertDBTrustDomain looks for
issuer certificates. However, the initial implementation did not take into
account that NSSCertDBTrustDomain::FindIssuer would return early if NSS did not
find candidate issuers, resulting in unknown issuer errors for third party
roots.  This patch fixes that bug by not returning early.

Differential Revision: https://phabricator.services.mozilla.com/D19058

--HG--
extra : moz-landing-system : lando
2019-02-07 21:52:18 +00:00