thunderbird/sqlcompat-esr52-4-backport-1329360

150 lines
5.5 KiB
Plaintext
Raw Normal View History

# HG changeset patch
# Parent a2f525a055c84cb9617c275a48575fea7b0001ea
diff --git a/config/external/nss/nss.symbols b/config/external/nss/nss.symbols
--- a/config/external/nss/nss.symbols
+++ b/config/external/nss/nss.symbols
@@ -25,7 +25,6 @@ CERT_AddCertToListHead
CERT_AddCertToListTail
CERT_AddExtension
CERT_AddExtensionByOID
-__CERT_AddTempCertToPerm
CERT_AsciiToName
CERT_CacheOCSPResponseFromSideChannel
CERT_CertChainFromCert
diff --git a/security/manager/ssl/moz.build b/security/manager/ssl/moz.build
--- a/security/manager/ssl/moz.build
+++ b/security/manager/ssl/moz.build
@@ -182,8 +182,6 @@ DEFINES['NSS_ENABLE_ECC'] = 'True'
for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
DEFINES[var] = '"%s"' % CONFIG[var]
-DEFINES['CERT_AddTempCertToPerm'] = '__CERT_AddTempCertToPerm'
-
USE_LIBS += [
'crmf',
]
diff --git a/security/manager/ssl/nsNSSCertificateDB.cpp b/security/manager/ssl/nsNSSCertificateDB.cpp
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -349,9 +349,17 @@ nsNSSCertificateDB::handleCACertDownload
!!(trustBits & nsIX509CertDB::TRUSTED_EMAIL),
!!(trustBits & nsIX509CertDB::TRUSTED_OBJSIGN));
- if (CERT_AddTempCertToPerm(tmpCert.get(), nickname.get(),
- trust.GetTrust()) != SECSuccess) {
- return NS_ERROR_FAILURE;
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE,
+ nickname.get(),
+ false); // this parameter is ignored by NSS
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
+ }
+ // NSS ignores the first argument to CERT_ChangeCertTrust
+ srv = CERT_ChangeCertTrust(nullptr, tmpCert.get(), trust.GetTrust());
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
}
// Import additional delivered certificates that can be verified.
@@ -511,34 +519,30 @@ ImportCertsIntoTempStorage(int numcerts,
return NS_OK;
}
-static SECStatus
-ImportCertsIntoPermanentStorage(const UniqueCERTCertList& certChain,
- const SECCertUsage usage, const bool caOnly)
+static nsresult
+ImportCertsIntoPermanentStorage(const UniqueCERTCertList& certChain)
{
- int chainLen = 0;
- for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
+ bool encounteredFailure = false;
+ PRErrorCode savedErrorCode = 0;
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ for (CERTCertListNode* chainNode = CERT_LIST_HEAD(certChain);
!CERT_LIST_END(chainNode, certChain);
chainNode = CERT_LIST_NEXT(chainNode)) {
- chainLen++;
+ UniquePORTString nickname(CERT_MakeCANickname(chainNode->cert));
+ SECStatus srv = PK11_ImportCert(slot.get(), chainNode->cert,
+ CK_INVALID_HANDLE, nickname.get(),
+ false); // this parameter is ignored by NSS
+ if (srv != SECSuccess) {
+ encounteredFailure = true;
+ savedErrorCode = PR_GetError();
+ }
}
- SECItem **rawArray;
- rawArray = (SECItem **) PORT_Alloc(chainLen * sizeof(SECItem *));
- if (!rawArray) {
- return SECFailure;
+ if (encounteredFailure) {
+ return GetXPCOMFromNSSError(savedErrorCode);
}
- int i = 0;
- for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
- !CERT_LIST_END(chainNode, certChain);
- chainNode = CERT_LIST_NEXT(chainNode), i++) {
- rawArray[i] = &chainNode->cert->derCert;
- }
- SECStatus srv = CERT_ImportCerts(CERT_GetDefaultCertDB(), usage, chainLen,
- rawArray, nullptr, true, caOnly, nullptr);
-
- PORT_Free(rawArray);
- return srv;
+ return NS_OK;
}
NS_IMETHODIMP
@@ -597,11 +601,9 @@ nsNSSCertificateDB::ImportEmailCertifica
DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, locker);
continue;
}
- SECStatus srv = ImportCertsIntoPermanentStorage(certChain,
- certUsageEmailRecipient,
- false);
- if (srv != SECSuccess) {
- return NS_ERROR_FAILURE;
+ rv = ImportCertsIntoPermanentStorage(certChain);
+ if (NS_FAILED(rv)) {
+ return rv;
}
CERT_SaveSMimeProfile(node->cert, nullptr, nullptr);
}
@@ -654,10 +656,9 @@ nsNSSCertificateDB::ImportValidCACertsIn
continue;
}
- SECStatus srv = ImportCertsIntoPermanentStorage(certChain, certUsageAnyCA,
- true);
- if (srv != SECSuccess) {
- return NS_ERROR_FAILURE;
+ nsresult rv = ImportCertsIntoPermanentStorage(certChain);
+ if (NS_FAILED(rv)) {
+ return rv;
}
}
@@ -1336,8 +1337,15 @@ nsNSSCertificateDB::AddCertFromBase64(co
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Created nick \"%s\"\n", nickname.get()));
- SECStatus srv = CERT_AddTempCertToPerm(tmpCert.get(), nickname.get(),
- trust.GetTrust());
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE,
+ nickname.get(),
+ false); // this parameter is ignored by NSS
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
+ }
+ // NSS ignores the first argument to CERT_ChangeCertTrust
+ srv = CERT_ChangeCertTrust(nullptr, tmpCert.get(), trust.GetTrust());
return MapSECStatus(srv);
}