[tor-commits] [tor-browser/tor-browser-60.6.1esr-8.5-1] Bug 30388: Disable nocertdb pref for armagadd-on 2.0 cert inclusion if needed

gk at torproject.org gk at torproject.org
Mon May 6 08:06:31 UTC 2019


commit 1d2d420ff1c7231a60ec3ff497bd57815fc1d665
Author: Georg Koppen <gk at torproject.org>
Date:   Sun May 5 06:10:28 2019 +0000

    Bug 30388: Disable nocertdb pref for armagadd-on 2.0 cert inclusion if needed
    
    For Tor Browser, add a fix that temporarily disables `security.nocertdb`
    so the new cert can be inserted, and reverts it to the original value once
    the cert is inserted.
    
    Patch by pospeselr.
---
 toolkit/mozapps/extensions/internal/XPIProvider.jsm | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/toolkit/mozapps/extensions/internal/XPIProvider.jsm b/toolkit/mozapps/extensions/internal/XPIProvider.jsm
index 6cffc02d90ba..3aa0e41b625f 100644
--- a/toolkit/mozapps/extensions/internal/XPIProvider.jsm
+++ b/toolkit/mozapps/extensions/internal/XPIProvider.jsm
@@ -1824,6 +1824,13 @@ function addMissingIntermediateCertificate() {
   }
   logger.debug("hotfix for addon signing cert has not been applied; applying");
 
+  // temporarily disable nocertb so we can write cert
+  const PREF_NOCERTDB = "security.nocertdb";
+  let userNocertdb = Services.prefs.getBoolPref(PREF_NOCERTDB, true);
+  if (userNocertdb) {
+    Services.prefs.setBoolPref(PREF_NOCERTDB, false);
+  }
+
   try {
     let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
     certDB.addCertFromBase64(MISSING_INTERMEDIATE_CERTIFICATE, ",,");
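Review bot: The fallback `true` in `Services.prefs.getBoolPref(PREF_NOCERTDB, true)` treats a missing pref as enabled, so on a profile where `security.nocertdb` has no value the code writes `false` here and the `finally` block in the next hunk then writes `true`, leaving a user value that was not there before. Recording the prior state and restoring exactly that would leave the pref as found, e.g. `let hadUserValue = Services.prefs.prefHasUserValue(PREF_NOCERTDB);` before the change and `Services.prefs.clearUserPref(PREF_NOCERTDB);` in `finally` when it was false. Since the commit message says the pref is disabled only so the cert can be written, a `logger.debug` line at the flip and at the restore would make that window visible when auditing the hotfix. The comment also misspells the pref as `nocertb`. The body of addMissingIntermediateCertificate starts and ends outside both hunks.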
@@ -1831,6 +1838,11 @@ function addMissingIntermediateCertificate() {
   } catch (e) {
     logger.error("failed to add new intermediate certificate:", e);
     return;
+  } finally {
+    // revert nocertdb pref to original value (even if exception thrown)
+    if (userNocertdb) {
+      Services.prefs.setBoolPref(PREF_NOCERTDB, true);
+    }
   }
 
   Services.prefs.setBoolPref(PREF_SIGNER_HOTFIXED, true);


