summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/AppTrustDomain.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/AppTrustDomain.cpp')
-rw-r--r--security/manager/ssl/AppTrustDomain.cpp8
1 files changed, 8 insertions, 0 deletions
diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp
index 2cdf275ade..6ce1a9741e 100644
--- a/security/manager/ssl/AppTrustDomain.cpp
+++ b/security/manager/ssl/AppTrustDomain.cpp
@@ -33,6 +33,7 @@
#include "addons-public.inc"
#include "addons-public-intermediate.inc"
#include "addons-stage.inc"
+#include "addons-stage-intermediate.inc"
// Content signature root certificates
#include "content-signature-dev.inc"
#include "content-signature-local.inc"
@@ -86,9 +87,16 @@ nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) {
// If we're verifying add-ons signed by our production root, we want to make
// sure a valid intermediate certificate is available for path building.
+ // The intermediate bundled with signed XPI files may have expired and be
+ // considered invalid, which can result in bug 1548973.
if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) {
mAddonsIntermediate = {addonsPublicIntermediate};
}
+ // Similarly to the above logic for production, we hardcode the intermediate
+ // stage certificate here, so that stage is equivalent to production.
+ if (trustedRoot == nsIX509CertDB::AddonsStageRoot) {
+ mAddonsIntermediate = {addonsStageIntermediate};
+ }
return NS_OK;
}