Bug 1463290
Opened 7 years ago
Closed 6 years ago
XPCshell: server_cert.getChain is not a function
Categories
(Core :: Security: PSM, defect)
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox62 | --- | affected |
People
(Reporter: mwobensmith, Unassigned)
When running a TLS Canary pass for the recent Symantec root cert work, I encountered this error.
```
let sec_info = xhr.channel.securityInfo;
let ssl_status = sec_info.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
let server_cert = ssl_status.serverCert;
let chain = server_cert.getChain().enumerate();
```
```
TypeError: server_cert.getChain is not a function
```
This is only on Nightly 62, with 'security.pki.distrust_ca_policy' set to 2.
I can continue to run the tests, but this limits our ability to capture the entire cert chain, other than the end entity and the issuer.
Comment 1•7 years ago
getChain was removed in bug 867473 in 61. I think you should be able to change that code to use ssl_status.succeededCertChain (or failedCertChain, as appropriate) as of 58.
Comment 2 (Reporter)•7 years ago
Mystery solved. Thanks Keeler, will do just that.
Comment 3 (Reporter)•6 years ago
I can now see the presence of these two APIs, but they don't appear to be working as expected.
For example, if the connection succeeds, ssl_status.succeededCertChain exists and ssl_status.failedCertChain is null. That's fine.
However, in the case where either one is not null, the array is empty.
I tried to use the enumeration methods previously available for getChain, but those are not supported.
So, in summary, is there another way to access the cert chain from these two APIs? Or is this a bug?
Comment 4•6 years ago
The new APIs are each an nsIX509CertList: https://searchfox.org/mozilla-central/source/security/manager/ssl/nsIX509CertList.idl
You should be able to enumerate them like so:
```
let enumerator = ssl_status.succeededCertChain.getEnumerator();
let certificates = [];
for (let cert of XPCOMUtils.IterSimpleEnumerator(enumerator, Ci.nsIX509Cert)) {
  certificates.push(cert);
}
```
(You might have to import XPCOMUtils: `ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm");`)
(see e.g. https://searchfox.org/mozilla-central/rev/f822a0b61631cbb38901569e69b4967176314aa8/toolkit/modules/addons/SecurityInfo.jsm#181 )
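An added example, not part of the thread or of Mozilla's code: a helper that combines the advice in Comments 1 and 4 by reading whichever of `succeededCertChain` / `failedCertChain` is non-null and walking it with `getEnumerator()`. The function names and the stand-in cert list are hypothetical, and the sample chains are constructed so the block runs outside Firefox.

```javascript
// Added example. collectCertChain, drainEnumerator and fakeCertList are
// hypothetical names; the sample chains below are constructed.

// Drain an nsISimpleEnumerator-shaped object (hasMoreElements/getNext).
function drainEnumerator(enumerator, iface) {
  const items = [];
  while (enumerator.hasMoreElements()) {
    const item = enumerator.getNext();
    // In Gecko getNext() yields nsISupports; QueryInterface narrows it.
    const narrow = iface && typeof item.QueryInterface === "function";
    items.push(narrow ? item.QueryInterface(iface) : item);
  }
  return items;
}

// Pick whichever chain the handshake produced. `verified` records which
// one it was, so a chain that failed validation is never reported as trusted.
function collectCertChain(sslStatus, iface) {
  if (!sslStatus) return { verified: false, certs: [] };
  const verified = sslStatus.succeededCertChain != null;
  const list = verified ? sslStatus.succeededCertChain
                        : sslStatus.failedCertChain;
  if (list == null) return { verified: false, certs: [] };
  return { verified, certs: drainEnumerator(list.getEnumerator(), iface) };
}

// Constructed stand-in for nsIX509CertList so the block runs outside Firefox.
function fakeCertList(certs) {
  return {
    getEnumerator() {
      let i = 0;
      return {
        hasMoreElements: () => i < certs.length,
        getNext: () => certs[i++],
      };
    },
  };
}

const names = (cns) => cns.map((cn) => ({ commonName: cn }));
const okStatus = {
  succeededCertChain: fakeCertList(names(["ee.example", "Intermediate CA", "Root CA"])),
  failedCertChain: null,
};
const badStatus = {
  succeededCertChain: null,
  failedCertChain: fakeCertList(names(["ee.example", "Distrusted CA"])),
};
```

In xpcshell the call would be `collectCertChain(ssl_status, Ci.nsIX509Cert)`, with `ssl_status` obtained as in the description above.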
Comment 5 (Reporter)•6 years ago
Thank you Keeler - as usual, you are right.
I was trying to use enumerate() instead of getEnumerator(). Your example works perfectly.
Updated•6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED