Bug 1500003 - fix S/MIME certificate verification by adding flags parameter. r=mkmelin

2018-10-23 22:58:19 +02:00 · 2018-10-23 22:58:19 +02:00 · 62f89053af
--- a/mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
+++ b/mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
@ -858,7 +858,10 @@ nsresult nsMsgComposeSecure::MimeCryptoHackCerts(const char *aRecipients,
                                  certificateUsageEmailRecipient,
                                  mozilla::pkix::Now(),
                                  nullptr, nullptr,
-                                  builtChain) != mozilla::pkix::Success)) {
+                                  builtChain,
+                                  // Only local checks can run on the main thread.
+                                  CertVerifier::FLAG_LOCAL_ONLY)
+                       != mozilla::pkix::Success)) {
      // not suitable for encryption, so unset cert and clear pref
      mSelfEncryptionCert = nullptr;
      mEncryptionCertDBKey.Truncate();
@ -876,7 +879,10 @@ nsresult nsMsgComposeSecure::MimeCryptoHackCerts(const char *aRecipients,
                                  certificateUsageEmailSigner,
                                  mozilla::pkix::Now(),
                                  nullptr, nullptr,
-                                  builtChain) != mozilla::pkix::Success)) {
+                                  builtChain,
+                                  // Only local checks can run on the main thread.
+                                  CertVerifier::FLAG_LOCAL_ONLY)
+                       != mozilla::pkix::Success)) {
      // not suitable for signing, so unset cert and clear pref
      mSelfSigningCert = nullptr;
      mSigningCertDBKey.Truncate();
@ -1184,6 +1190,7 @@ nsMsgComposeSecure::FindCertByEmailAddress(const nsACString& aEmailAddress,
                               nullptr /*XXX pinarg*/,
                               nullptr /*hostname*/,
                               unusedCertChain,
+                               // Only local checks can run on the main thread.
                               CertVerifier::FLAG_LOCAL_ONLY);
    if (result == mozilla::pkix::Success) {
      break;
--- a/mailnews/mime/src/nsCMS.cpp
+++ b/mailnews/mime/src/nsCMS.cpp
@ -244,7 +244,9 @@ nsresult nsCMSMessage::CommonVerifySignature(unsigned char* aDigestData, uint32_
                               Now(),
                               nullptr /*XXX pinarg*/,
                               nullptr /*hostname*/,
-                               builtChain);
+                               builtChain,
+                               // Only local checks can run on the main thread.
+                               CertVerifier::FLAG_LOCAL_ONLY);
    if (result != mozilla::pkix::Success) {
      MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
             ("nsCMSMessage::CommonVerifySignature - signing cert not trusted now\n"));