From 40a355a42d4a9444dc753c04c6608dade2f06a23 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 03:13:27 +0200
Subject: Adding upstream version 125.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 security/manager/ssl/AppTrustDomain.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'security/manager/ssl/AppTrustDomain.cpp')

diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp
index 2cdf275ade..6ce1a9741e 100644
--- a/security/manager/ssl/AppTrustDomain.cpp
+++ b/security/manager/ssl/AppTrustDomain.cpp
@@ -33,6 +33,7 @@
 #include "addons-public.inc"
 #include "addons-public-intermediate.inc"
 #include "addons-stage.inc"
+#include "addons-stage-intermediate.inc"
 // Content signature root certificates
 #include "content-signature-dev.inc"
 #include "content-signature-local.inc"
@@ -86,9 +87,16 @@ nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) {
 
   // If we're verifying add-ons signed by our production root, we want to make
   // sure a valid intermediate certificate is available for path building.
+  // The intermediate bundled with signed XPI files may have expired and be
+  // considered invalid, which can result in bug 1548973.
   if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) {
     mAddonsIntermediate = {addonsPublicIntermediate};
   }
+  // Similarly to the above logic for production, we hardcode the intermediate
+  // stage certificate here, so that stage is equivalent to production.
+  if (trustedRoot == nsIX509CertDB::AddonsStageRoot) {
+    mAddonsIntermediate = {addonsStageIntermediate};
+  }
 
   return NS_OK;
 }
-- 
cgit v1.2.3