diff options
Diffstat (limited to 'security/manager/ssl/AppTrustDomain.cpp')
-rw-r--r-- | security/manager/ssl/AppTrustDomain.cpp | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp index 2cdf275ade..6ce1a9741e 100644 --- a/security/manager/ssl/AppTrustDomain.cpp +++ b/security/manager/ssl/AppTrustDomain.cpp @@ -33,6 +33,7 @@ #include "addons-public.inc" #include "addons-public-intermediate.inc" #include "addons-stage.inc" +#include "addons-stage-intermediate.inc" // Content signature root certificates #include "content-signature-dev.inc" #include "content-signature-local.inc" @@ -86,9 +87,16 @@ nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) { // If we're verifying add-ons signed by our production root, we want to make // sure a valid intermediate certificate is available for path building. + // The intermediate bundled with signed XPI files may have expired and be + // considered invalid, which can result in bug 1548973. if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) { mAddonsIntermediate = {addonsPublicIntermediate}; } + // Similarly to the above logic for production, we hardcode the intermediate + // stage certificate here, so that stage is equivalent to production. + if (trustedRoot == nsIX509CertDB::AddonsStageRoot) { + mAddonsIntermediate = {addonsStageIntermediate}; + } return NS_OK; } |