mirror of
https://github.com/ManchildProductions/UXP-Fixed.git
synced 2026-07-03 10:09:14 +00:00
moebius#119: (Windows) Security - Certificate Stores - NSSCertDBTrustDomain allows end-entities to be their own trust anchors
https://github.com/MoonchildProductions/moebius/pull/119
This commit is contained in:
@@ -208,9 +208,31 @@ function run_test() {
|
||||
setCertTrust(ca_cert, ",,");
|
||||
setCertTrust(int_cert, ",,");
|
||||
|
||||
// It turns out that if an end-entity certificate is manually trusted, it can
|
||||
// be the root of its own verified chain. This will be removed in bug 1294580.
|
||||
setCertTrust(ee_cert, "C,,");
|
||||
// If an end-entity certificate is manually trusted, it may not be the root of
|
||||
// its own verified chain. In general this will cause "unknown issuer" errors
|
||||
// unless a CA trust anchor can be found.
|
||||
setCertTrust(ee_cert, "CTu,CTu,CTu");
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
|
||||
certificateUsageSSLServer);
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
|
||||
certificateUsageSSLClient);
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
|
||||
certificateUsageEmailSigner);
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
|
||||
certificateUsageEmailRecipient);
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
|
||||
certificateUsageObjectSigner);
|
||||
|
||||
// Now make a CA trust anchor available.
|
||||
setCertTrust(ca_cert, "CTu,CTu,CTu");
|
||||
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
|
||||
certificateUsageSSLServer);
|
||||
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
|
||||
certificateUsageSSLClient);
|
||||
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
|
||||
certificateUsageEmailSigner);
|
||||
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
|
||||
certificateUsageEmailRecipient);
|
||||
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
|
||||
certificateUsageObjectSigner);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user