1 files changed, 42 insertions, 13 deletions

diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index fab3a7a02..29d2fb5a4 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -825,6 +825,36 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
             cc->trust = trust;
             CERT_UnlockCertTrust(cc);
         }
+        /* Read the distrust fields from a nssckbi/builtins certificate and
+         * fill the fields in CERTCertificate structure when any valid date
+         * is found. */
+        if (PK11_IsReadOnly(cc->slot) && PK11_HasRootCerts(cc->slot)) {
+            /* The values are hard-coded and readonly. Read just once. */
+            if (cc->distrust == NULL) {
+                CERTCertDistrust distrustModel;
+                SECItem model = { siUTCTime, NULL, 0 };
+                distrustModel.serverDistrustAfter = model;
+                distrustModel.emailDistrustAfter = model;
+                SECStatus rServer = PK11_ReadAttribute(
+                    cc->slot, cc->pkcs11ID, CKA_NSS_SERVER_DISTRUST_AFTER,
+                    cc->arena, &distrustModel.serverDistrustAfter);
+                SECStatus rEmail = PK11_ReadAttribute(
+                    cc->slot, cc->pkcs11ID, CKA_NSS_EMAIL_DISTRUST_AFTER,
+                    cc->arena, &distrustModel.emailDistrustAfter);
+                /* Only allocate the Distrust structure if a valid date is found.
+                 * The result length of a encoded valid timestamp is exactly 13 */
+                const unsigned int kDistrustFieldSize = 13;
+                if ((rServer == SECSuccess && rEmail == SECSuccess) &&
+                    (distrustModel.serverDistrustAfter.len == kDistrustFieldSize ||
+                     distrustModel.emailDistrustAfter.len == kDistrustFieldSize)) {
+                    CERTCertDistrust *tmpPtr = PORT_ArenaAlloc(
+                        cc->arena, sizeof(CERTCertDistrust));
+                    PORT_Memcpy(tmpPtr, &distrustModel,
+                                sizeof(CERTCertDistrust));
+                    cc->distrust = tmpPtr;
+                }
+            }
+        }
     }
     if (instance) {
         nssCryptokiObject_Destroy(instance);
@@ -1002,20 +1032,19 @@ STAN_GetNSSCertificate(CERTCertificate *cc)
                    &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
     nssItem_Create(arena,
                    &c->subject, cc->derSubject.len, cc->derSubject.data);
-    if (PR_TRUE) {
-        /* CERTCertificate stores serial numbers decoded.  I need the DER
-        * here.  sigh.
-        */
-        SECItem derSerial;
-        SECStatus secrv;
-        secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
-        if (secrv == SECFailure) {
-            nssArena_Destroy(arena);
-            return NULL;
-        }
-        nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
-        PORT_Free(derSerial.data);
+    /* CERTCertificate stores serial numbers decoded.  I need the DER
+    * here.  sigh.
+    */
+    SECItem derSerial;
+    SECStatus secrv;
+    secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
+    if (secrv == SECFailure) {
+        nssArena_Destroy(arena);
+        return NULL;
     }
+    nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
+    PORT_Free(derSerial.data);
+
     if (cc->emailAddr && cc->emailAddr[0]) {
         c->email = nssUTF8_Create(arena,
                                   nssStringType_PrintableString,