Issue #1338 - Part 2: Update NSS to 3.48-RTM

1 files changed, 33 insertions, 4 deletions

diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
index 9cac70ca6..aae1184a8 100644
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -35,6 +35,7 @@ typedef struct CERTCertListStr CERTCertList;
 typedef struct CERTCertListNodeStr CERTCertListNode;
 typedef struct CERTCertNicknamesStr CERTCertNicknames;
 typedef struct CERTCertTrustStr CERTCertTrust;
+typedef struct CERTCertDistrustStr CERTCertDistrust;
 typedef struct CERTCertificateStr CERTCertificate;
 typedef struct CERTCertificateListStr CERTCertificateList;
 typedef struct CERTCertificateRequestStr CERTCertificateRequest;
@@ -141,6 +142,18 @@ struct CERTCertTrustStr {
 };
 
 /*
+ * Distrust dates for specific certificate usages.
+ * These dates are hardcoded in nssckbi/builtins. They are DER encoded to be
+ * compatible with the format of certdata.txt, other date fields in certs and
+ * existing functions to read these dates. Clients should check the distrust
+ * date in certificates to avoid trusting a CA for service they have ceased to
+ * support */
+struct CERTCertDistrustStr {
+    SECItem serverDistrustAfter;
+    SECItem emailDistrustAfter;
+};
+
+/*
  * defined the types of trust that exist
  */
 typedef enum SECTrustTypeEnum {
@@ -279,6 +292,8 @@ struct CERTCertificateStr {
     PK11SlotInfo *slot;        /*if this cert came of a token, which is it*/
     CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
     PRBool ownSlot;            /*true if the cert owns the slot reference */
+    /* These fields are used in nssckbi/builtins CAs. */
+    CERTCertDistrust *distrust;
 };
 #define SEC_CERTIFICATE_VERSION_1 0 /* default created */
 #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
@@ -416,6 +431,19 @@ struct CERTDistNamesStr {
     void *head; /* private */
 };
 
+/*
+ * NS_CERT_TYPE defines are used in two areas:
+ * 1) The old NSS Cert Type Extension, which is a certificate extension in the
+ * actual cert. It was created before the x509 Extended Key Usage Extension,
+ * which has now taken over it's function. This field is only 8 bits wide
+ * 2) The nsCertType entry in the CERTCertificate structure. This field is
+ * 32 bits wide.
+ * Any entries in this table greater than 0x80 will not be able to be encoded
+ * in an NSS Cert Type Extension, but can still be represented internally in
+ * the nsCertType field.
+ */
+#define NS_CERT_TYPE_IPSEC_CA (0x200)         /* outside the NS Cert Type Extenstion */
+#define NS_CERT_TYPE_IPSEC (0x100)            /* outside the NS Cert Type Extenstion */
 #define NS_CERT_TYPE_SSL_CLIENT (0x80)        /* bit 0 */
 #define NS_CERT_TYPE_SSL_SERVER (0x40)        /* bit 1 */
 #define NS_CERT_TYPE_EMAIL (0x20)             /* bit 2 */
@@ -430,11 +458,12 @@ struct CERTDistNamesStr {
 
 #define NS_CERT_TYPE_APP                                                      \
     (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
-     NS_CERT_TYPE_OBJECT_SIGNING)
+     NS_CERT_TYPE_IPSEC | NS_CERT_TYPE_OBJECT_SIGNING)
 
-#define NS_CERT_TYPE_CA                            \
-    (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \
-     NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER)
+#define NS_CERT_TYPE_CA                                                \
+    (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |                     \
+     NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER | \
+     NS_CERT_TYPE_IPSEC_CA)
 typedef enum SECCertUsageEnum {
     certUsageSSLClient = 0,
     certUsageSSLServer = 1,