diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:13:27 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:13:27 +0000 |
commit | 40a355a42d4a9444dc753c04c6608dade2f06a23 (patch) | |
tree | 871fc667d2de662f171103ce5ec067014ef85e61 /security/manager/ssl/AppTrustDomain.cpp | |
parent | Adding upstream version 124.0.1. (diff) | |
download | firefox-40a355a42d4a9444dc753c04c6608dade2f06a23.tar.xz firefox-40a355a42d4a9444dc753c04c6608dade2f06a23.zip |
Adding upstream version 125.0.1.upstream/125.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager/ssl/AppTrustDomain.cpp')
-rw-r--r-- | security/manager/ssl/AppTrustDomain.cpp | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp index 2cdf275ade..6ce1a9741e 100644 --- a/security/manager/ssl/AppTrustDomain.cpp +++ b/security/manager/ssl/AppTrustDomain.cpp @@ -33,6 +33,7 @@ #include "addons-public.inc" #include "addons-public-intermediate.inc" #include "addons-stage.inc" +#include "addons-stage-intermediate.inc" // Content signature root certificates #include "content-signature-dev.inc" #include "content-signature-local.inc" @@ -86,9 +87,16 @@ nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) { // If we're verifying add-ons signed by our production root, we want to make // sure a valid intermediate certificate is available for path building. + // The intermediate bundled with signed XPI files may have expired and be + // considered invalid, which can result in bug 1548973. if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) { mAddonsIntermediate = {addonsPublicIntermediate}; } + // Similarly to the above logic for production, we hardcode the intermediate + // stage certificate here, so that stage is equivalent to production. + if (trustedRoot == nsIX509CertDB::AddonsStageRoot) { + mAddonsIntermediate = {addonsStageIntermediate}; + } return NS_OK; } |