473944 - Trust anchor is not trusted when requireFreshInfo flag is set. r=nelson

2 files changed, 62 insertions, 0 deletions

diff --git a/security/nss/lib/libpkix/include/pkix_errorstrings.h b/security/nss/lib/libpkix/include/pkix_errorstrings.h
index 9d0f337df..20bfd5e22 100755
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -944,6 +944,7 @@ PKIX_ERRORENTRY(QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION,Qualifiers in cri
 PKIX_ERRORENTRY(REALLOCFAILED,PKIX_PL_Realloc failed,0),
 PKIX_ERRORENTRY(RECEIVEDCORRUPTEDOBJECTARGUMENT,Received corrupted object argument,0),
 PKIX_ERRORENTRY(REGISTERCERTSTOREFAILED,RegisterCertStores failed,0),
+PKIX_ERRORENTRY(REMOVEDUPUNTRUSTEDCERTSFAILED, pkix_Build_RemoveDupUntrustedCerts failed,0),
 PKIX_ERRORENTRY(REQUESTNOTANHTTPDEFAULTCLIENT,request is not an HttpDefaultClient,0),
 PKIX_ERRORENTRY(RESOURCELIMITSGETMAXDEPTHFAILED,PKIX_ResourceLimits_GetMaxDepth failed,0),
 PKIX_ERRORENTRY(RESOURCELIMITSGETMAXFANOUTFAILED,PKIX_ResourceLimits_GetMaxFanout failed,0),
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c
index 1c180054c..df19eecdf 100755
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -1615,6 +1615,62 @@ cleanup:
 }
 
 
+static PKIX_Error*
+pkix_Build_RemoveDupUntrustedCerts(
+    PKIX_List *trustedCertList,
+    PKIX_List *certsFound,
+    void *plContext)
+{
+    PKIX_UInt32 trustIndex;
+    PKIX_PL_Cert *trustCert = NULL, *cert = NULL;
+
+    PKIX_ENTER(BUILD, "pkix_Build_RemoveDupUntrustedCerts");
+    if (trustedCertList == NULL || certsFound == NULL) {
+        goto cleanup;
+    }
+    for (trustIndex = 0;trustIndex < trustedCertList->length;
+        trustIndex++) {
+        PKIX_UInt32 certIndex = 0;
+        PKIX_CHECK(
+            PKIX_List_GetItem(trustedCertList,
+                              trustIndex,
+                              (PKIX_PL_Object **)&trustCert,
+                              plContext),
+            PKIX_LISTGETITEMFAILED);
+        
+        while (certIndex < certsFound->length) {
+            PKIX_Boolean result = PKIX_FALSE;
+            PKIX_DECREF(cert);
+            PKIX_CHECK(
+                PKIX_List_GetItem(certsFound, certIndex,
+                                  (PKIX_PL_Object **)&cert,
+                                  plContext),
+                PKIX_LISTGETITEMFAILED);
+            PKIX_CHECK(
+                PKIX_PL_Object_Equals((PKIX_PL_Object *)trustCert,
+                                      (PKIX_PL_Object *)cert,
+                                      &result,
+                                      plContext),
+                PKIX_OBJECTEQUALSFAILED);
+            if (!result) {
+                certIndex += 1;
+                continue;
+            }
+            PKIX_CHECK(
+                PKIX_List_DeleteItem(certsFound, certIndex,
+                                     plContext),
+                PKIX_LISTDELETEITEMFAILED);
+        }
+        PKIX_DECREF(trustCert);
+    }
+cleanup:
+    PKIX_DECREF(cert);
+    PKIX_DECREF(trustCert);
+
+    PKIX_RETURN(BUILD);
+}
+
+
 /*
  * FUNCTION: pkix_Build_GatherCerts
  * DESCRIPTION:
@@ -1798,6 +1854,11 @@ pkix_Build_GatherCerts(
                 certSelParams, &trustedCertList,
                 plContext),
             PKIX_FAILTOSELECTCERTSFROMANCHORS);
+        PKIX_CHECK(
+            pkix_Build_RemoveDupUntrustedCerts(trustedCertList,
+                                               certsFound,
+                                               plContext),
+            PKIX_REMOVEDUPUNTRUSTEDCERTSFAILED);
 
         PKIX_CHECK(
             pkix_List_MergeLists(trustedCertList,