From 2d0f83bd4987bc6e41c5903c2dc36330dae5585b Mon Sep 17 00:00:00 2001
From: Jan Horak
Date: Wed, 12 Apr 2017 15:12:33 +0200
Subject: [PATCH] Added nss patch for certificate authorities: rhbz#1400293, removed patch for rhbz#1014858

---
rhbz-1014858.patch | 16 ------
rhbz-1400293-fix-mozilla-1324096.patch | 72 ++++++++++++++++++++++++++
thunderbird.spec | 5 +-
3 files changed, 75 insertions(+), 18 deletions(-)
delete mode 100644 rhbz-1014858.patch
create mode 100644 rhbz-1400293-fix-mozilla-1324096.patch

diff --git a/rhbz-1014858.patch b/rhbz-1014858.patch
deleted file mode 100644
index c953b33..0000000
--- a/rhbz-1014858.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -up mozilla-release/toolkit/xre/nsAppRunner.cpp.old mozilla-release/toolkit/xre/nsAppRunner.cpp
---- mozilla-release/toolkit/xre/nsAppRunner.cpp.old 2014-11-26 03:17:40.000000000 +0100
-+++ mozilla-release/toolkit/xre/nsAppRunner.cpp 2015-01-05 14:23:05.977933308 +0100
-@@ -4168,10 +4168,8 @@ XREMain::XRE_main(int argc, char* argv[]
- 
- #if defined(MOZ_WIDGET_GTK)
- #if defined(MOZ_MEMORY) || defined(__FreeBSD__) || defined(__NetBSD__)
-- // Disable the slice allocator, since jemalloc already uses similar layout
-- // algorithms, and using a sub-allocator tends to increase fragmentation.
-- // This must be done before g_thread_init() is called.
-- g_slice_set_config(G_SLICE_CONFIG_ALWAYS_MALLOC, 1);
-+ // rhbz#1014858 - enable slice allocator for child processes
-+ unsetenv("G_SLICE");
- #endif
- g_thread_init(nullptr);
- #endif
diff --git a/rhbz-1400293-fix-mozilla-1324096.patch b/rhbz-1400293-fix-mozilla-1324096.patch
new file mode 100644
index 0000000..4a2691e
--- /dev/null
+++ b/rhbz-1400293-fix-mozilla-1324096.patch
@@ -0,0 +1,72 @@
+diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
+--- a/security/certverifier/CertVerifier.cpp
++++ b/security/certverifier/CertVerifier.cpp
+@@ -120,16 +120,20 @@ IsCertChainRootBuiltInRoot(const UniqueC
+ }
+ CERTCertificate* root = rootNode->cert;
+ if (!root) {
+ return Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+ return IsCertBuiltInRoot(root, result);
+ }
+ 
++// The term "builtin root" traditionally refers to a root CA certificate that
++// has been added to the NSS trust store, because it has been approved
++// for inclusion according to the Mozilla CA policy, and might be accepted
++// by Mozilla applications as an issuer for certificates seen on the public web.
+ Result
+ IsCertBuiltInRoot(CERTCertificate* cert, bool& result)
+ {
+ result = false;
+ #ifdef DEBUG
+ nsCOMPtr component(do_GetService(PSM_COMPONENT_CONTRACTID));
+ if (!component) {
+ return Result::FATAL_ERROR_LIBRARY_FAILURE;
+@@ -142,25 +146,38 @@ IsCertBuiltInRoot(CERTCertificate* cert,
+ return Success;
+ }
+ #endif // DEBUG
+ AutoSECMODListReadLock lock;
+ for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list;
+ list = list->next) {
+ for (int i = 0; i < list->module->slotCount; i++) {
+ PK11SlotInfo* slot = list->module->slots[i];
+- // PK11_HasRootCerts should return true if and only if the given slot has
+- // an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST, which
+- // should be true only of the builtin root list.
+- // If we can find a copy of the given certificate on the slot with the
+- // builtin root list, that certificate must be a builtin.
+- if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot) &&
+- PK11_FindCertInSlot(slot, cert, nullptr) != CK_INVALID_HANDLE) {
+- result = true;
+- return Success;
++ // We're searching for the "builtin root module", which is a module that
++ // contains an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST.
++ // We use PK11_HasRootCerts() to identify a module with that property.
++ // In the past, we exclusively used the PKCS#11 module named nssckbi,
++ // which is provided by the NSS library.
++ // Nowadays, some distributions use a replacement module, which contains
++ // the builtin roots, but which also contains additional CA certificates,
++ // such as CAs trusted in a local deployment.
++ // We want to be able to distinguish between these two categories,
++ // because a CA, which may issue certificates for the public web,
++ // is expected to comply with additional requirements.
++ // If the certificate has attribute CKA_NSS_MOZILLA_CA_POLICY set to true,
++ // then we treat it as a "builtin root".
++ if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot)) {
++ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(slot, cert, nullptr);
++ if (handle != CK_INVALID_HANDLE &&
++ PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY,
++ false)) {
++ // Attribute was found, and is set to true
++ result = true;
++ break;
++ }
+ }
+ }
+ }
+ return Success;
+ }
+ 
+ static Result
+ BuildCertChainForOneKeyUsage(NSSCertDBTrustDomain& trustDomain, Input certDER,
diff --git a/thunderbird.spec b/thunderbird.spec
index 385b383..370fb19 100644
--- a/thunderbird.spec
+++ b/thunderbird.spec
@@ -136,7 +136,7 @@ Patch305: build-fix-dupes.patch
 # Fedora specific patches
 Patch400: rhbz-966424.patch
-Patch402: rhbz-1014858.patch
+Patch403: rhbz-1400293-fix-mozilla-1324096.patch
 # libvpx no longer has compat defines, use the current ones
 %if %{official_branding}
@@ -262,7 +262,8 @@ cd mozilla
 %endif
 %patch104 -p1 -b .gcc6
 %patch400 -p1 -b .966424
-#%patch402 -p1 -b .rhbz-1014858 FIXME musi byt
+%patch403 -p1 -b .rhbz-1400293
+
 %patch304 -p1 -b .1245783
 # Patch for big endian platforms only
 %if 0%{?big_endian}
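Review bot: The rewritten test in the second inner hunk of the new CertVerifier.cpp patch makes IsCertBuiltInRoot report result = false for every root whenever the trust module passes PK11_HasRootCerts() but its objects do not carry CKA_NSS_MOZILLA_CA_POLICY, which is the case for any nssckbi or replacement module built before that attribute existed; the old code would have reported true for the same certificate, so callers that reserve stricter handling for chains anchored at a built-in root (presumably the pinning logic elsewhere in PSM — verify) would quietly relax on such a system. The thunderbird.spec hunks that wire in Patch403 show no matching NSS or trust-module version requirement, so unless one lives elsewhere in the spec the package can be built against an NSS that never sets the attribute; a BuildRequires/Requires floor, or a build-time check that the attribute constant is defined, would make the dependency explicit. The `break` after `result = true;` only leaves the inner slot loop while the outer module loop keeps walking, so either restore the previous `return Success;` there or add a comment stating that the remaining modules are intentionally still visited. Since the patch file is new, both inner hunks are complete here, but CertVerifier.cpp itself is only visible through those two hunks.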