Diffstat (limited to 'security/apps/AppTrustDomain.cpp')
-rw-r--r--security/apps/AppTrustDomain.cpp19
1 files changed, 19 insertions, 0 deletions
diff --git a/security/apps/AppTrustDomain.cpp b/security/apps/AppTrustDomain.cpp
index 7d284d0..badbdfa 100644
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@@ -24,6 +24,7 @@
#include "xpcshell.inc"
// Add-on signing Certificates
#include "addons-public.inc"
+#include "addons-public-intermediate.inc"
#include "addons-stage.inc"
// Privileged Package Certificates
#include "privileged-package-root.inc"
@@ -125,6 +126,24 @@ nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
+ // If we're verifying add-ons signed by our production root, we want to make
+ // sure a valid intermediate certificate is available for path building.
+ // Merely holding this alive in memory makes it available for NSS to find in
+ // AppTrustDomain::FindIssuer.
+ if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) {
+ SECItem intermediateDER = {
+ siBuffer,
+ const_cast<uint8_t*>(addonsPublicIntermediate),
+ static_cast<unsigned int>(
+ mozilla::ArrayLength(addonsPublicIntermediate)),
+ };
+ mAddonsIntermediate.reset(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &intermediateDER, nullptr, false, true));
+ if (!mAddonsIntermediate) {
+ return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+ }
+ }
+
return NS_OK;
}
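Review bot: The comment above the new `if (trustedRoot == nsIX509CertDB::AddonsPublicRoot)` block should state that the embedded intermediate is only a candidate issuer and not a trust anchor. It is loaded as a temporary certificate into the default cert DB, so it is visible to any lookup in this process, and it presumably still has to chain to the production root and pass the normal checks during path building. The bare `nullptr, false, true` arguments to `CERT_NewTempCertificate` are hard to audit; writing them as `nullptr, /* isperm */ false, /* copyDER */ true` would make the non-permanent import and the DER copy (which is what makes the `const_cast` harmless) explicit. Separately, `mAddonsIntermediate` is set only on this branch and never cleared for other roots, so if `SetTrustedRoot` can be called more than once on the same object the earlier intermediate would stay alive. The start of the function is outside the hunk, so that case may already be ruled out.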