From 9f2e080e59a7f6230a6629f585d3d57c45e26a6a Mon Sep 17 00:00:00 2001
From: Jan Horak <jhorak@redhat.com>
Date: Tue, 6 Sep 2011 15:03:39 +0200
Subject: [PATCH] Removed DigiNoTar patch

---
 thunderbird.spec          |   2 -
 xulrunner-diginotar.patch | 324 --------------------------------------
 2 files changed, 326 deletions(-)
 delete mode 100644 xulrunner-diginotar.patch

diff --git a/thunderbird.spec b/thunderbird.spec
index a557083..186dff6 100644
--- a/thunderbird.spec
+++ b/thunderbird.spec
@@ -61,7 +61,6 @@ Source100:      find-external-requires
 Patch0:         thunderbird-version.patch
 Patch7:         crashreporter-remove-static.patch
 Patch8:         xulrunner-6.0-secondary-ipc.patch
-Patch9:         xulrunner-diginotar.patch
 
 %if %{official_branding}
 # Required by Mozilla Corporation
@@ -143,7 +142,6 @@ sed -e 's/__RPM_VERSION_INTERNAL__/%{version_internal}/' %{P:%%PATCH0} \
 cd mozilla
 %patch7 -p2 -b .static
 %patch8 -p2 -b .secondary-ipc
-%patch9 -p1 -b .diginotar
 cd ..
 
 %if %{official_branding}
diff --git a/xulrunner-diginotar.patch b/xulrunner-diginotar.patch
deleted file mode 100644
index bf2a4d4..0000000
--- a/xulrunner-diginotar.patch
+++ /dev/null
@@ -1,324 +0,0 @@
-
-# HG changeset patch
-# User Kai Engert <kaie@kuix.de>
-# Date 1314714745 14400
-# Node ID d172106979730bdd967073f2c1e6188e708ca911
-# Parent  078215b4d425df355ae87f0ec47d66261ad58c5a
-Bug 682927 - Dis-trust DigiNotar root certificate, all parts together; r=bsmith
-
-diff --git a/security/manager/ssl/src/nsIdentityChecking.cpp b/security/manager/ssl/src/nsIdentityChecking.cpp
---- a/security/manager/ssl/src/nsIdentityChecking.cpp
-+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
-@@ -118,28 +118,16 @@ static struct nsMyTrustedEVInfo myTruste
-     SEC_OID_UNKNOWN,
-     "5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6",
-     "MDsxGDAWBgNVBAoTD0N5YmVydHJ1c3QsIEluYzEfMB0GA1UEAxMWQ3liZXJ0cnVz"
-     "dCBHbG9iYWwgUm9vdA==",
-     "BAAAAAABD4WqLUg=",
-     nsnull
-   },
-   {
--    // E=info@diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
--    "2.16.528.1.1001.1.1.1.12.6.1.1.1",
--    "DigiNotar EV OID",
--    SEC_OID_UNKNOWN,
--    "C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C",
--    "MF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQKEwlEaWdpTm90YXIxGjAYBgNVBAMTEURp"
--    "Z2lOb3RhciBSb290IENBMSAwHgYJKoZIhvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5u"
--    "bA==",
--    "DHbanJEMTiye/hXQWJM8TA==",
--    nsnull
--  },
--  {
-     // CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
-     "2.16.756.1.89.1.2.1.1",
-     "SwissSign EV OID",
-     SEC_OID_UNKNOWN,
-     "D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61",
-     "MEUxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMT"
-     "FlN3aXNzU2lnbiBHb2xkIENBIC0gRzI=",
-     "ALtAHEP1Xk+w",
-
-diff --git a/security/manager/ssl/src/nsNSSCallbacks.cpp b/security/manager/ssl/src/nsNSSCallbacks.cpp
---- a/security/manager/ssl/src/nsNSSCallbacks.cpp
-+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
-@@ -1029,16 +1029,63 @@ static struct nsSerialBinaryBlacklistEnt
-   { 16, "\x3e\x75\xce\xd4\x6b\x69\x30\x21\x21\x88\x30\xae\x86\xa8\x2a\x71" },
-   { 17, "\x00\xe9\x02\x8b\x95\x78\xe4\x15\xdc\x1a\x71\x0a\x2b\x88\x15\x44\x47" },
-   { 17, "\x00\xd7\x55\x8f\xda\xf5\xf1\x10\x5b\xb2\x13\x28\x2b\x70\x77\x29\xa3" },
-   { 16, "\x04\x7e\xcb\xe9\xfc\xa5\x5f\x7b\xd0\x9e\xae\x36\xe1\x0c\xae\x1e" },
-   { 17, "\x00\xf5\xc8\x6a\xf3\x61\x62\xf1\x3a\x64\xf5\x4f\x6d\xc9\x58\x7c\x06" },
-   { 0, 0 } // end marker
- };
- 
-+// Bug 682927: Do not trust any DigiNotar-issued certificates.
-+// We do this check after normal certificate validation because we do not
-+// want to override a "revoked" OCSP response.
-+PRErrorCode
-+PSM_SSL_BlacklistDigiNotar(CERTCertificate * serverCert,
-+                           CERTCertList * serverCertChain)
-+{
-+  PRBool isDigiNotarIssuedCert = PR_FALSE;
-+
-+  for (CERTCertListNode *node = CERT_LIST_HEAD(serverCertChain);
-+       !CERT_LIST_END(node, serverCertChain);
-+       node = CERT_LIST_NEXT(node)) {
-+    if (!node->cert->issuerName)
-+      continue;
-+
-+    if (strstr(node->cert->issuerName, "CN=DigiNotar")) {
-+      isDigiNotarIssuedCert = PR_TRUE;
-+      // Do not let the user override the error if the cert was
-+      // chained from the "DigiNotar Root CA" cert and the cert was issued
-+      // within the time window in which we think the mis-issuance(s) occurred.
-+      if (strstr(node->cert->issuerName, "CN=DigiNotar Root CA")) {
-+        PRTime cutoff = 0, notBefore = 0, notAfter = 0;
-+        PRStatus status = PR_ParseTimeString("01-JUL-2011 00:00", PR_TRUE, &cutoff);
-+        NS_ASSERTION(status == PR_SUCCESS, "PR_ParseTimeString failed");
-+        if (status != PR_SUCCESS ||
-+           CERT_GetCertTimes(serverCert, &notBefore, &notAfter) != SECSuccess ||
-+           notBefore >= cutoff) {
-+          return SEC_ERROR_REVOKED_CERTIFICATE;
-+        }
-+      }
-+    }
-+
-+    // By request of the Dutch government
-+    if (!strcmp(node->cert->issuerName,
-+                "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") &&
-+        CERT_LIST_END(CERT_LIST_NEXT(node), serverCertChain)) {
-+      return 0;
-+    }
-+  }
-+
-+  if (isDigiNotarIssuedCert)
-+    return SEC_ERROR_UNTRUSTED_ISSUER; // user can override this
-+  else
-+    return 0; // No DigiNotor cert => carry on as normal
-+}
-+
-+
- SECStatus PR_CALLBACK AuthCertificateCallback(void* client_data, PRFileDesc* fd,
-                                               PRBool checksig, PRBool isServer) {
-   nsNSSShutDownPreventionLock locker;
- 
-   CERTCertificate *serverCert = SSL_PeerCertificate(fd);
-   CERTCertificateCleaner serverCertCleaner(serverCert);
- 
-   if (serverCert && 
-@@ -1074,40 +1121,54 @@ SECStatus PR_CALLBACK AuthCertificateCal
- 
-       if (server_cert_comparison_len == locked_cert_comparison_len &&
-           !memcmp(server_cert_comparison_start, locked_cert_comparison_start, locked_cert_comparison_len)) {
-         PR_SetError(SEC_ERROR_REVOKED_CERTIFICATE, 0);
-         return SECFailure;
-       }
-     }
-   }
--  
-+
-   SECStatus rv = PSM_SSL_PKIX_AuthCertificate(fd, serverCert, checksig, isServer);
- 
-   // We want to remember the CA certs in the temp db, so that the application can find the
-   // complete chain at any time it might need it.
-   // But we keep only those CA certs in the temp db, that we didn't already know.
- 
-   if (serverCert) {
-     nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
-     nsRefPtr<nsSSLStatus> status = infoObject->SSLStatus();
-     nsRefPtr<nsNSSCertificate> nsc;
- 
-     if (!status || !status->mServerCert) {
-       nsc = nsNSSCertificate::Create(serverCert);
-     }
- 
--    if (SECSuccess == rv) {
-+    CERTCertList *certList = nsnull;
-+    if (rv == SECSuccess) {
-+      certList = CERT_GetCertChainFromCert(serverCert, PR_Now(), certUsageSSLCA);
-+      if (!certList) {
-+        rv = SECFailure;
-+      } else {
-+        PRErrorCode blacklistErrorCode = PSM_SSL_BlacklistDigiNotar(serverCert,
-+                                                                    certList);
-+        if (blacklistErrorCode != 0) {
-+          infoObject->SetCertIssuerBlacklisted();
-+          PORT_SetError(blacklistErrorCode);
-+          rv = SECFailure;
-+        }
-+      }
-+    }
-+
-+    if (rv == SECSuccess) {
-       if (nsc) {
-         PRBool dummyIsEV;
-         nsc->GetIsExtendedValidation(&dummyIsEV); // the nsc object will cache the status
-       }
-     
--      CERTCertList *certList = CERT_GetCertChainFromCert(serverCert, PR_Now(), certUsageSSLCA);
--
-       nsCOMPtr<nsINSSComponent> nssComponent;
-       
-       for (CERTCertListNode *node = CERT_LIST_HEAD(certList);
-            !CERT_LIST_END(node, certList);
-            node = CERT_LIST_NEXT(node)) {
- 
-         if (node->cert->slot) {
-           // This cert was found on a token, no need to remember it in the temp db.
-@@ -1133,16 +1194,19 @@ SECStatus PR_CALLBACK AuthCertificateCal
-             PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE, 
-                             nickname, PR_FALSE);
-             PK11_FreeSlot(slot);
-           }
-         }
-         PR_FREEIF(nickname);
-       }
- 
-+    }
-+
-+    if (certList) {
-       CERT_DestroyCertList(certList);
-     }
- 
-     // The connection may get terminated, for example, if the server requires
-     // a client cert. Let's provide a minimal SSLStatus
-     // to the caller that contains at least the cert and its status.
-     if (!status) {
-       status = new nsSSLStatus();
-diff --git a/security/manager/ssl/src/nsNSSCallbacks.h b/security/manager/ssl/src/nsNSSCallbacks.h
---- a/security/manager/ssl/src/nsNSSCallbacks.h
-+++ b/security/manager/ssl/src/nsNSSCallbacks.h
-@@ -50,16 +50,19 @@
- 
- char* PR_CALLBACK
- PK11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void* arg);
- 
- void PR_CALLBACK HandshakeCallback(PRFileDesc *fd, void *client_data);
- SECStatus PR_CALLBACK AuthCertificateCallback(void* client_data, PRFileDesc* fd,
-                                               PRBool checksig, PRBool isServer);
- 
-+PRErrorCode PSM_SSL_BlacklistDigiNotar(CERTCertificate * serverCert,
-+                                       CERTCertList * serverCertChain);
-+
- SECStatus RegisterMyOCSPAIAInfoCallback();
- SECStatus UnregisterMyOCSPAIAInfoCallback();
- 
- class nsHTTPListener : public nsIStreamLoaderObserver
- {
- private:
-   // For XPCOM implementations that are not a base class for some other
-   // class, it is good practice to make the destructor non-virtual and
-diff --git a/security/manager/ssl/src/nsNSSIOLayer.cpp b/security/manager/ssl/src/nsNSSIOLayer.cpp
---- a/security/manager/ssl/src/nsNSSIOLayer.cpp
-+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
-@@ -221,17 +221,18 @@ nsNSSSocketInfo::nsNSSSocketInfo()
-     mForSTARTTLS(PR_FALSE),
-     mHandshakePending(PR_TRUE),
-     mCanceled(PR_FALSE),
-     mHasCleartextPhase(PR_FALSE),
-     mHandshakeInProgress(PR_FALSE),
-     mAllowTLSIntoleranceTimeout(PR_TRUE),
-     mRememberClientAuthCertificate(PR_FALSE),
-     mHandshakeStartTime(0),
--    mPort(0)
-+    mPort(0),
-+    mIsCertIssuerBlacklisted(PR_FALSE)
- {
-   mThreadData = new nsSSLSocketThreadData;
- }
- 
- nsNSSSocketInfo::~nsNSSSocketInfo()
- {
-   delete mThreadData;
- 
-@@ -3437,16 +3438,20 @@ nsNSSBadCertHandler(void *arg, PRFileDes
-       cvout[0].value.pointer.log = verify_log;
-       cvout[1].type = cert_po_end;
- 
-       srv = CERT_PKIXVerifyCert(peerCert, certificateUsageSSLServer,
-                                 survivingParams->GetRawPointerForNSS(),
-                                 cvout, (void*)infoObject);
-     }
- 
-+    if (infoObject->IsCertIssuerBlacklisted()) {
-+      collected_errors |= nsICertOverrideService::ERROR_UNTRUSTED;
-+    }
-+
-     // We ignore the result code of the cert verification.
-     // Either it is a failure, which is expected, and we'll process the
-     //                         verify log below.
-     // Or it is a success, then a domain mismatch is the only 
-     //                     possible failure. 
- 
-     CERTVerifyLogNode *i_node;
-     for (i_node = verify_log->head; i_node; i_node = i_node->next)
-diff --git a/security/manager/ssl/src/nsNSSIOLayer.h b/security/manager/ssl/src/nsNSSIOLayer.h
---- a/security/manager/ssl/src/nsNSSIOLayer.h
-+++ b/security/manager/ssl/src/nsNSSIOLayer.h
-@@ -197,16 +197,22 @@ public:
- 
-   /* Set SSL Status values */
-   nsresult SetSSLStatus(nsSSLStatus *aSSLStatus);
-   nsSSLStatus* SSLStatus() { return mSSLStatus; }
-   PRBool hasCertErrors();
-   
-   PRStatus CloseSocketAndDestroy();
-   
-+  PRBool IsCertIssuerBlacklisted() const {
-+    return mIsCertIssuerBlacklisted;
-+  }
-+  void SetCertIssuerBlacklisted() {
-+    mIsCertIssuerBlacklisted = PR_TRUE;
-+  }
- protected:
-   nsCOMPtr<nsIInterfaceRequestor> mCallbacks;
-   PRFileDesc* mFd;
-   nsCOMPtr<nsIX509Cert> mCert;
-   nsCOMPtr<nsIX509Cert> mPreviousCert; // DocShellDependent
-   enum { 
-     blocking_state_unknown, is_nonblocking_socket, is_blocking_socket 
-   } mBlockingState;
-@@ -224,16 +230,17 @@ protected:
-   PRPackedBool mCanceled;
-   PRPackedBool mHasCleartextPhase;
-   PRPackedBool mHandshakeInProgress;
-   PRPackedBool mAllowTLSIntoleranceTimeout;
-   PRPackedBool mRememberClientAuthCertificate;
-   PRIntervalTime mHandshakeStartTime;
-   PRInt32 mPort;
-   nsXPIDLCString mHostName;
-+  PRErrorCode mIsCertIssuerBlacklisted;
- 
-   /* SSL Status */
-   nsRefPtr<nsSSLStatus> mSSLStatus;
- 
-   nsresult ActivateSSL();
- 
-   nsSSLSocketThreadData *mThreadData;
- 
-
-diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h
---- a/security/nss/lib/ckfw/builtins/nssckbi.h
-+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
-@@ -72,18 +72,18 @@
-  *     ...
-  *   - NSS 3.29 branch: 250-255
-  *
-  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
-  * whether we may use its full range (0-255) or only 0-99 because
-  * of the comment in the CK_VERSION type definition.
-  */
- #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
--#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 83
--#define NSS_BUILTINS_LIBRARY_VERSION "1.83"
-+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 85
-+#define NSS_BUILTINS_LIBRARY_VERSION "1.85"
- 
- /* These version numbers detail the semantic changes to the ckfw engine. */
- #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
- #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
- 
- /* These version numbers detail the semantic changes to ckbi itself 
-  * (new PKCS #11 objects), etc. */
- #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
-