From b0410fc20c45227756a7bbdcff65e29eb0bc4d91 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 21 Apr 2024 20:34:59 +0200
Subject: Merging upstream version 115.10.0esr.
Signed-off-by: Daniel Baumann
---
 security/manager/ssl/AppTrustDomain.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'security/manager/ssl/AppTrustDomain.cpp')
diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp
index 2cdf275ade..6ce1a9741e 100644
--- a/security/manager/ssl/AppTrustDomain.cpp
+++ b/security/manager/ssl/AppTrustDomain.cpp
@@ -33,6 +33,7 @@
 #include "addons-public.inc"
 #include "addons-public-intermediate.inc"
 #include "addons-stage.inc"
+#include "addons-stage-intermediate.inc"
 // Content signature root certificates
 #include "content-signature-dev.inc"
 #include "content-signature-local.inc"
@@ -86,9 +87,16 @@ nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) {
 // If we're verifying add-ons signed by our production root, we want to make
 // sure a valid intermediate certificate is available for path building.
+ // The intermediate bundled with signed XPI files may have expired and be
+ // considered invalid, which can result in bug 1548973.
 if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) {
 mAddonsIntermediate = {addonsPublicIntermediate};
 }
+ // Similarly to the above logic for production, we hardcode the intermediate
+ // stage certificate here, so that stage is equivalent to production.
+ if (trustedRoot == nsIX509CertDB::AddonsStageRoot) {
+ mAddonsIntermediate = {addonsStageIntermediate};
+ }
 return NS_OK;
 }
--
cgit v1.2.3
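Review bot: In the second hunk, `mAddonsIntermediate` is assigned only for `AddonsPublicRoot` and `AddonsStageRoot`, so for every other root it keeps whatever value it already held; if `SetTrustedRoot` can be called more than once on the same `AppTrustDomain` (not visible here), an add-ons intermediate from an earlier call could remain available to path building under an unrelated root. The two checks are mutually exclusive, so writing the stage case as `else if` and ending with `else { mAddonsIntermediate = {}; }` would make the reset explicit, assuming the member's type accepts an empty initializer. The new comment should also record that the compiled-in stage intermediate has its own validity period, for example `// NOTE: addons-stage-intermediate.inc must be refreshed before the embedded certificate expires.` The body of `SetTrustedRoot` starts before this hunk, so the root selection that precedes these checks was not reviewed.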