diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:13:33 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:13:33 +0000 |
commit | 086c044dc34dfc0f74fbe41f4ecb402b2cd34884 (patch) | |
tree | a4f824bd33cb075dd5aa3eb5a0a94af221bbe83a /security/manager/ssl/AppTrustDomain.cpp | |
parent | Adding debian version 124.0.1-1. (diff) | |
download | firefox-086c044dc34dfc0f74fbe41f4ecb402b2cd34884.tar.xz firefox-086c044dc34dfc0f74fbe41f4ecb402b2cd34884.zip |
Merging upstream version 125.0.1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager/ssl/AppTrustDomain.cpp')
-rw-r--r-- | security/manager/ssl/AppTrustDomain.cpp | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp index 2cdf275ade..6ce1a9741e 100644 --- a/security/manager/ssl/AppTrustDomain.cpp +++ b/security/manager/ssl/AppTrustDomain.cpp @@ -33,6 +33,7 @@ #include "addons-public.inc" #include "addons-public-intermediate.inc" #include "addons-stage.inc" +#include "addons-stage-intermediate.inc" // Content signature root certificates #include "content-signature-dev.inc" #include "content-signature-local.inc" @@ -86,9 +87,16 @@ nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) { // If we're verifying add-ons signed by our production root, we want to make // sure a valid intermediate certificate is available for path building. + // The intermediate bundled with signed XPI files may have expired and be + // considered invalid, which can result in bug 1548973. if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) { mAddonsIntermediate = {addonsPublicIntermediate}; } + // Similarly to the above logic for production, we hardcode the intermediate + // stage certificate here, so that stage is equivalent to production. + if (trustedRoot == nsIX509CertDB::AddonsStageRoot) { + mAddonsIntermediate = {addonsStageIntermediate}; + } return NS_OK; } |