Diffstat (limited to 'security/nss/lib/pki/pki3hack.c')
-rw-r--r-- | security/nss/lib/pki/pki3hack.c | 55 |
1 files changed, 42 insertions, 13 deletions
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index fab3a7a02..29d2fb5a4 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -825,6 +825,36 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
 cc->trust = trust;
 CERT_UnlockCertTrust(cc);
 }
+ /* Read the distrust fields from a nssckbi/builtins certificate and
+ * fill the fields in CERTCertificate structure when any valid date
+ * is found. */
+ if (PK11_IsReadOnly(cc->slot) && PK11_HasRootCerts(cc->slot)) {
+ /* The values are hard-coded and readonly. Read just once. */
+ if (cc->distrust == NULL) {
+ CERTCertDistrust distrustModel;
+ SECItem model = { siUTCTime, NULL, 0 };
+ distrustModel.serverDistrustAfter = model;
+ distrustModel.emailDistrustAfter = model;
+ SECStatus rServer = PK11_ReadAttribute(
+ cc->slot, cc->pkcs11ID, CKA_NSS_SERVER_DISTRUST_AFTER,
+ cc->arena, &distrustModel.serverDistrustAfter);
+ SECStatus rEmail = PK11_ReadAttribute(
+ cc->slot, cc->pkcs11ID, CKA_NSS_EMAIL_DISTRUST_AFTER,
+ cc->arena, &distrustModel.emailDistrustAfter);
+ /* Only allocate the Distrust structure if a valid date is found.
+ * The result length of a encoded valid timestamp is exactly 13 */
+ const unsigned int kDistrustFieldSize = 13;
+ if ((rServer == SECSuccess && rEmail == SECSuccess) &&
+ (distrustModel.serverDistrustAfter.len == kDistrustFieldSize ||
+ distrustModel.emailDistrustAfter.len == kDistrustFieldSize)) {
+ CERTCertDistrust *tmpPtr = PORT_ArenaAlloc(
+ cc->arena, sizeof(CERTCertDistrust));
+ PORT_Memcpy(tmpPtr, &distrustModel,
+ sizeof(CERTCertDistrust));
+ cc->distrust = tmpPtr;
+ }
+ }
+ }
 }
 if (instance) {
 nssCryptokiObject_Destroy(instance);
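Review bot: The result of `PORT_ArenaAlloc` is handed straight to `PORT_Memcpy` with no NULL check, so an arena allocation failure while filling a builtin root turns into a NULL-pointer write; guard it with `if (tmpPtr != NULL) { PORT_Memcpy(tmpPtr, &distrustModel, sizeof(CERTCertDistrust)); cc->distrust = tmpPtr; }`. The length test accepts the pair when only one of the two fields is exactly `kDistrustFieldSize` bytes, so the other field is stored with whatever length the token returned; the comment above `kDistrustFieldSize` should say that consumers of `cc->distrust` must check each field's `len` before parsing it as a timestamp. The check and assignment of `cc->distrust` sit after the visible `CERT_UnlockCertTrust(cc)`, so two concurrent callers could presumably both see NULL and both allocate; confirm whether callers already serialize this path. The body of fill_CERTCertificateFields starts and ends outside the hunk.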
@@ -1002,20 +1032,19 @@ STAN_GetNSSCertificate(CERTCertificate *cc) &c->issuer, cc->derIssuer.len, cc->derIssuer.data); nssItem_Create(arena, &c->subject, cc->derSubject.len, cc->derSubject.data); - if (PR_TRUE) { - /* CERTCertificate stores serial numbers decoded. I need the DER - * here. sigh. - */ - SECItem derSerial; - SECStatus secrv; - secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial); - if (secrv == SECFailure) { - nssArena_Destroy(arena); - return NULL; - } - nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data); - PORT_Free(derSerial.data); + /* CERTCertificate stores serial numbers decoded. I need the DER + * here. sigh. + */ + SECItem derSerial; + SECStatus secrv; + secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial); + if (secrv == SECFailure) { + nssArena_Destroy(arena); + return NULL; } + nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data); + PORT_Free(derSerial.data); + if (cc->emailAddr && cc->emailAddr[0]) { c->email = nssUTF8_Create(arena, nssStringType_PrintableString, |