2 files changed, 22 insertions, 4 deletions

diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c
index c45901ec3..346e473a9 100644
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -804,12 +804,30 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
     /* don't know? look it up */
     if (keyType == nullKey) {
         CK_KEY_TYPE pk11Type = CKK_RSA;
+        SECItem info;
 
         pk11Type = PK11_ReadULongAttribute(slot, privID, CKA_KEY_TYPE);
         isTemp = (PRBool)!PK11_HasAttributeSet(slot, privID, CKA_TOKEN, PR_FALSE);
         switch (pk11Type) {
             case CKK_RSA:
                 keyType = rsaKey;
+                /* determine RSA key type from the CKA_PUBLIC_KEY_INFO if present */
+                rv = PK11_ReadAttribute(slot, privID, CKA_PUBLIC_KEY_INFO, NULL, &info);
+                if (rv == SECSuccess) {
+                    CERTSubjectPublicKeyInfo *spki;
+
+                    spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&info);
+                    if (spki) {
+                        SECOidTag tag;
+
+                        tag = SECOID_GetAlgorithmTag(&spki->algorithm);
+                        if (tag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE)
+                            keyType = rsaPssKey;
+                        SECKEY_DestroySubjectPublicKeyInfo(spki);
+                    }
+                    SECITEM_FreeItem(&info, PR_FALSE);
+                }
+
                 break;
             case CKK_DSA:
                 keyType = dsaKey;
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
index fc30222b3..c165e1ef2 100644
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -547,16 +547,16 @@ secmod_applyCryptoPolicy(const char *policyString,
         for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
             const oidValDef *algOpt = &algOptList[i];
             unsigned name_size = algOpt->name_size;
-            PRBool newValue = PR_FALSE;
+            PRBool newOption = PR_FALSE;
 
             if ((length >= name_size) && (cipher[name_size] == '/')) {
-                newValue = PR_TRUE;
+                newOption = PR_TRUE;
             }
-            if ((newValue || algOpt->name_size == length) &&
+            if ((newOption || algOpt->name_size == length) &&
                 PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
                 PRUint32 value = algOpt->val;
                 PRUint32 enable, disable;
-                if (newValue) {
+                if (newOption) {
                     value = secmod_parsePolicyValue(&cipher[name_size] + 1,
                                                     length - name_size - 1);
                 }