authorian.mcgreer%sun.com <devnull@localhost>2002-02-11 22:12:01 +0000
committerian.mcgreer%sun.com <devnull@localhost>2002-02-11 22:12:01 +0000
commite20726f91c43449d822ec500aeab1809a152cf20 (patch)
tree73d42159e12ac9e43687bea67575238f8a33c016
parentcf317b788c6ada75617763a99cb66158777fac77 (diff)
NSSCryptoContext_ImportCertificate cannot inform the caller that the cert already exists as a temp cert, so it is necessary to work around this in CERT_NewTempCertificate by doing a lookup on the cert after it was imported.
r=relyea
-rw-r--r--security/nss/lib/certdb/stanpcertdb.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index 1cf111a47..5bc46a139 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -180,6 +180,7 @@ __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
NSSCryptoContext *context;
NSSArena *arena;
CERTCertificate *cc;
+ NSSCertificate *tempCert;
NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
if (!isperm) {
NSSDER encoding;
@@ -241,10 +242,26 @@ __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
PORT_Strlen(cc->emailAddr));
}
context = STAN_GetDefaultCryptoContext();
+ /* this function cannot detect if the cert exists as a temp cert now, but
+ * didn't when CERT_NewTemp was first called.
+ */
nssrv = NSSCryptoContext_ImportCertificate(context, c);
if (nssrv != PR_SUCCESS) {
goto loser;
}
+ /* so find the entry in the temp store */
+ tempCert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(context,
+ &c->issuer,
+ &c->serial);
+ /* destroy the copy */
+ NSSCertificate_Destroy(c);
+ if (tempCert) {
+ /* and use the "official" entry */
+ c = tempCert;
+ cc = STAN_GetCERTCertificate(c);
+ } else {
+ return NULL;
+ }
c->object.trustDomain = STAN_GetDefaultTrustDomain();
cc->istemp = PR_TRUE;
cc->isperm = PR_FALSE;
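Review bot: The lookup after the import matches on issuer and serial number only, so nothing in this hunk confirms that the entry returned as `tempCert` has the same encoding as the `derCert` the caller passed in; if the temp store already holds a different certificate with that issuer/serial pair, the caller would presumably get that one back. Comparing the two DER encodings before `NSSCertificate_Destroy(c)` and failing on a mismatch would close that gap. Separately, the result of `STAN_GetCERTCertificate(c)` is dereferenced at `cc->istemp = PR_TRUE` without a NULL check, and the `return NULL` in the else branch leaves without going through `loser` or setting an error code, so a comment such as `/* c already destroyed above; do not route through loser */` would help if that bypass is deliberate. The function begins before and continues after this hunk, so what `loser` releases is not visible here.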