bug 1045739 - (1/2) mozilla::pkix: stop checking revocation for expired certificates r=keeler
This commit is contained in:
parent
0491bc1d40
commit
28142cee21
@ -50,7 +50,7 @@ public:
|
||||
Time time, KeyPurposeId requiredEKUIfPresent,
|
||||
const CertPolicyId& requiredPolicy,
|
||||
/*optional*/ const Input* stapledOCSPResponse,
|
||||
unsigned int subCACount)
|
||||
unsigned int subCACount, Result deferredSubjectError)
|
||||
: trustDomain(trustDomain)
|
||||
, subject(subject)
|
||||
, time(time)
|
||||
@ -58,6 +58,7 @@ public:
|
||||
, requiredPolicy(requiredPolicy)
|
||||
, stapledOCSPResponse(stapledOCSPResponse)
|
||||
, subCACount(subCACount)
|
||||
, deferredSubjectError(deferredSubjectError)
|
||||
, result(Result::FATAL_ERROR_LIBRARY_FAILURE)
|
||||
, resultWasSet(false)
|
||||
{
|
||||
@ -77,6 +78,7 @@ private:
|
||||
const CertPolicyId& requiredPolicy;
|
||||
/*optional*/ Input const* const stapledOCSPResponse;
|
||||
const unsigned int subCACount;
|
||||
const Result deferredSubjectError;
|
||||
|
||||
Result RecordResult(Result currentResult, /*out*/ bool& keepGoing);
|
||||
Result result;
|
||||
@ -185,13 +187,19 @@ PathBuildingStep::Check(Input potentialIssuerDER,
|
||||
return RecordResult(rv, keepGoing);
|
||||
}
|
||||
|
||||
CertID certID(subject.GetIssuer(), potentialIssuer.GetSubjectPublicKeyInfo(),
|
||||
subject.GetSerialNumber());
|
||||
rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
|
||||
stapledOCSPResponse,
|
||||
subject.GetAuthorityInfoAccess());
|
||||
if (rv != Success) {
|
||||
return RecordResult(rv, keepGoing);
|
||||
// We avoid doing revocation checking for expired certificates because OCSP
|
||||
// responders are allowed to forget about expired certificates, and many OCSP
|
||||
// responders return an error when asked for the status of an expired
|
||||
// certificate.
|
||||
if (deferredSubjectError != Result::ERROR_EXPIRED_CERTIFICATE) {
|
||||
CertID certID(subject.GetIssuer(), potentialIssuer.GetSubjectPublicKeyInfo(),
|
||||
subject.GetSerialNumber());
|
||||
rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
|
||||
stapledOCSPResponse,
|
||||
subject.GetAuthorityInfoAccess());
|
||||
if (rv != Success) {
|
||||
return RecordResult(rv, keepGoing);
|
||||
}
|
||||
}
|
||||
|
||||
return RecordResult(Success, keepGoing);
|
||||
@ -268,7 +276,8 @@ BuildForward(TrustDomain& trustDomain,
|
||||
|
||||
PathBuildingStep pathBuilder(trustDomain, subject, time,
|
||||
requiredEKUIfPresent, requiredPolicy,
|
||||
stapledOCSPResponse, subCACount);
|
||||
stapledOCSPResponse, subCACount,
|
||||
deferredEndEntityError);
|
||||
|
||||
// TODO(bug 965136): Add SKI/AKI matching optimizations
|
||||
rv = trustDomain.FindIssuer(subject.GetIssuer(), pathBuilder, time);
|
||||
|
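Review bot: The guard added in PathBuildingStep::Check compares `deferredSubjectError` against `Result::ERROR_EXPIRED_CERTIFICATE`, yet the value BuildForward hands to the constructor is named `deferredEndEntityError` while the check runs for whatever `subject` this step holds, end entity or CA, so it appears the revocation exemption applies to every certificate on the path once the end entity has expired rather than only to the expired certificate itself; the comment above the guard does not say so. If that scope is intended, the comment should state it, e.g. `// deferredSubjectError carries the end entity's deferred status, so an expired end entity disables revocation checking for the whole path; the path is still expected to fail with that deferred error.` — the last clause should be confirmed against where the deferred error is finally reported, which is outside these hunks. If the exemption was meant only for the expired certificate, the condition needs to consult the subject's own validity rather than the propagated value. PathBuildingStep::Check begins and ends outside the hunk.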