authornelsonb%netscape.com <devnull@localhost>2003-11-15 00:10:01 +0000
committernelsonb%netscape.com <devnull@localhost>2003-11-15 00:10:01 +0000
commit7bc73da2b2f7e8138f9b831fc7f65ffd7de5632a (patch)
treea43a3ccb52ff89fcfba2ce8f49739f13061ce782
parentc49e8312b2a9e29dd5c556301720a702206c0b93 (diff)
Detect empty emailAddr strings in CERTCertificates. Bugzilla bug 211540.
Modified Files: cmd/dbck/dbck.c cmd/signtool/util.c lib/certdb/certdb.c lib/certdb/stanpcertdb.c lib/pkcs7/p7decode.c lib/pki/certificate.c lib/pki/pki3hack.c lib/smime/cmssiginfo.c lib/softoken/pkcs11u.c
-rw-r--r--security/nss/cmd/dbck/dbck.c17
-rw-r--r--security/nss/cmd/signtool/util.c2
-rw-r--r--security/nss/lib/certdb/certdb.c4
-rw-r--r--security/nss/lib/certdb/stanpcertdb.c2
-rw-r--r--security/nss/lib/pkcs7/p7decode.c4
-rw-r--r--security/nss/lib/pki/certificate.c1
-rw-r--r--security/nss/lib/pki/pki3hack.c5
-rw-r--r--security/nss/lib/smime/cmssiginfo.c18
-rw-r--r--security/nss/lib/softoken/pkcs11u.c7
9 files changed, 34 insertions, 26 deletions
diff --git a/security/nss/cmd/dbck/dbck.c b/security/nss/cmd/dbck/dbck.c
index b906b84a8..a5fa1e6fd 100644
--- a/security/nss/cmd/dbck/dbck.c
+++ b/security/nss/cmd/dbck/dbck.c
@@ -304,7 +304,7 @@ dumpSubjectEntry(certDBEntrySubject *entry, int num, PRFileDesc *outfile)
PR_fprintf(outfile, "## %s\n", subjectName);
if (entry->nickname)
PR_fprintf(outfile, "## Subject nickname: %s\n", entry->nickname);
- if (entry->emailAddr)
+ if (entry->emailAddr && entry->emailAddr[0])
PR_fprintf(outfile, "## Subject email address: %s\n",
entry->emailAddr);
PR_fprintf(outfile, "## This subject has %d cert(s).\n", entry->ncerts);
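Review bot: The non-empty test `entry->emailAddr && entry->emailAddr[0]` is written out by hand here and in every other emailAddr hunk of this commit (the rest of dbck.c, signtool/util.c, certdb.c, stanpcertdb.c, p7decode.c, pki3hack.c, cmssiginfo.c, pkcs11u.c), in three spellings: `a && a[0]`, `!a || !a[0]` and `a == NULL || !a[0]`. A single shared predicate would keep the rule in one place, for example `#define HAS_EMAIL_ADDR(s) ((s) != NULL && (s)[0] != '\0')` (the name is constructed for illustration). A call site added later would then be less likely to fall back to the pointer-only test that treated an empty string as a real address. dumpSubjectEntry's body starts and ends outside this hunk.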
@@ -443,7 +443,7 @@ mapSubjectEntries(certDBArray *dbArray)
} else {
subjMap->pNickname = NoNickname;
}
- if (subjectEntry->emailAddr) {
+ if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
/* Subject should have an smime entry, so create a link. */
for (mElem = PR_LIST_HEAD(&dbArray->smime.link);
mElem != &dbArray->smime.link; mElem = PR_NEXT_LINK(mElem)) {
@@ -794,7 +794,7 @@ verboseOutput(certDBArray *dbArray, dbDebugInfo *info)
PR_fprintf(info->out, "-->(MISSING NICKNAME ENTRY)\n");
}
}
- if (subjectEntry->emailAddr) {
+ if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
/* walk each subject handle to it's smime entry */
if (map_handle_is_ok(info, smap->pSMime, -1)) {
ref = ((certDBEntryMap *)smap->pSMime->appData)->index;
@@ -1060,7 +1060,7 @@ IsEmailCert(CERTCertificate *cert)
/* XXX Nelson has cert for KTrilli which does not have either
* of above but is email cert (has cert->emailAddr).
*/
- if (!tmp1 && !tmp2 && !cert->emailAddr) {
+ if (!tmp1 && !tmp2 && !(cert->emailAddr && cert->emailAddr[0])) {
return NULL;
}
@@ -1085,7 +1085,7 @@ IsEmailCert(CERTCertificate *cert)
return NULL;
}
- if (cert->emailAddr) {
+ if (cert->emailAddr && cert->emailAddr[0]) {
email = PORT_Strdup(cert->emailAddr);
} else {
if (tmp1)
@@ -1137,7 +1137,7 @@ deleteAllEntriesForCert(CERTCertDBHandle *handle, CERTCertificate *cert,
DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]);
}
DeleteDBSubjectEntry(handle, &cert->derSubject);
- if (subjectEntry->emailAddr) {
+ if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr);
if (smimeEntry) {
if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
@@ -1500,7 +1500,7 @@ findNewestSubjectForEmail(CERTCertDBHandle *handle, int subjectNum,
subjectEntry2 = (certDBEntrySubject*)&subjects.entries[i];
if (!subjectEntry2)
continue;
- if (subjectEntry2->emailAddr &&
+ if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] &&
PORT_Strcmp(subjectEntry1->emailAddr,
subjectEntry2->emailAddr) == 0) {
/* Found a subject using the same email address. */
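Review bot: `subjectEntry1->emailAddr` is passed to `PORT_Strcmp` in this loop and again in the S/MIME loop of the next hunk (@@ -1513), but only the second operand gets the new NULL/empty guard. If subjectEntry1 can carry a NULL emailAddr, the comparison dereferences it. findNewestSubjectForEmail begins outside both hunks, so an earlier check may already exist and should be confirmed. If it does not, test the first operand once before the loops with `if (!subjectEntry1->emailAddr || !subjectEntry1->emailAddr[0])` and take the function's existing no-match exit.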
@@ -1513,7 +1513,8 @@ findNewestSubjectForEmail(CERTCertDBHandle *handle, int subjectNum,
smimeEntry = (certDBEntrySMime*)&smime.entries[i];
if (smimeEntry->common.arena == NULL)
continue;
- if (PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) {
+ if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] &&
+ PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) {
/* Find which of the subjects uses this S/MIME entry. */
for (j=0; j<ns && *subjectWithSMime < 0; j++) {
sNum = subjectsForEmail[j];
diff --git a/security/nss/cmd/signtool/util.c b/security/nss/cmd/signtool/util.c
index c1b401e33..efaa916db 100644
--- a/security/nss/cmd/signtool/util.c
+++ b/security/nss/cmd/signtool/util.c
@@ -617,7 +617,7 @@ displayVerifyLog(CERTVerifyLog *log)
/* Get a name for this cert */
if(cert->nickname != NULL) {
name = cert->nickname;
- } else if(cert->emailAddr != NULL) {
+ } else if(cert->emailAddr && cert->emailAddr[0]) {
name = cert->emailAddr;
} else {
name = cert->subjectName;
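Review bot: The nickname branch just above the changed line still uses the pointer-only test `cert->nickname != NULL`, so an empty nickname would be chosen ahead of a valid e-mail address or subject name and the log entry would show a blank name. Whether nickname can be empty is not visible from this hunk. If it can, the branch should read `if(cert->nickname != NULL && cert->nickname[0]) {` to match the new emailAddr test. displayVerifyLog's body starts and ends outside the hunk.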
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 06fe67499..5c1adc99d 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -565,7 +565,7 @@ cert_GetCertType(CERTCertificate *cert)
* to be used for email
*/
if ( ( nsCertType & NS_CERT_TYPE_SSL_CLIENT ) &&
- cert->emailAddr ) {
+ cert->emailAddr && cert->emailAddr[0]) {
nsCertType |= NS_CERT_TYPE_EMAIL;
}
/*
@@ -2164,7 +2164,7 @@ CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
trust.emailFlags = CERTDB_VALID_CA;
}
} else {
- if ( cert->emailAddr == NULL ) {
+ if ( !cert->emailAddr || !cert->emailAddr[0] ) {
saveit = PR_FALSE;
}
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index 6e9c8f418..61e9508bc 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -293,7 +293,7 @@ __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
(NSSUTF8 *)nickname,
PORT_Strlen(nickname));
}
- if (cc->emailAddr) {
+ if (cc->emailAddr && cc->emailAddr[0]) {
c->email = nssUTF8_Create(c->object.arena,
nssStringType_PrintableString,
(NSSUTF8 *)cc->emailAddr,
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
index 447502176..cba3ac9ef 100644
--- a/security/nss/lib/pkcs7/p7decode.c
+++ b/security/nss/lib/pkcs7/p7decode.c
@@ -1835,7 +1835,7 @@ savecert:
* Only save the smime profile if we are checking an email message and
* the cert has an email address in it.
*/
- if ( ( cert->emailAddr != NULL ) &&
+ if ( cert->emailAddr && cert->emailAddr[0] &&
( ( certusage == certUsageEmailSigner ) ||
( certusage == certUsageEmailRecipient ) ) ) {
SECItem *profile = NULL;
@@ -2005,7 +2005,7 @@ sec_pkcs7_get_signer_cert_info(SEC_PKCS7ContentInfo *cinfo, int selector)
container = CERT_GetCommonName (&signercert->subject);
break;
case sec_email_address:
- if(signercert->emailAddr) {
+ if(signercert->emailAddr && signercert->emailAddr[0]) {
container = PORT_Strdup(signercert->emailAddr);
} else {
container = NULL;
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c
index 532c967a9..e9417cc09 100644
--- a/security/nss/lib/pki/certificate.c
+++ b/security/nss/lib/pki/certificate.c
@@ -383,7 +383,6 @@ filter_certs_for_valid_issuers (
NSSCertificate **cp;
nssDecodedCert *dcp;
int nextOpenSlot = 0;
- int i;
for (cp = certs; *cp; cp++) {
dcp = nssCertificate_GetDecoding(*cp);
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index 6998d84d6..eb8dd7f78 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -394,7 +394,8 @@ static NSSASCII7 *
nss3certificate_getEmailAddress(nssDecodedCert *dc)
{
CERTCertificate *cc = (CERTCertificate *)dc->data;
- return cc ? (NSSASCII7 *)cc->emailAddr : NULL;
+ return (cc && cc->emailAddr && cc->emailAddr[0])
+ ? (NSSASCII7 *)cc->emailAddr : NULL;
}
static PRStatus
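Review bot: nss3certificate_getEmailAddress now has a contract that its signature does not reveal: an empty emailAddr is reported the same way as a missing one. The function should carry a header comment saying so, for example `/* Returns NULL when the cert has no e-mail address or only an empty one. */`. Callers that match or index certificates by address depend on never receiving "" from this accessor.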
@@ -865,7 +866,7 @@ STAN_GetNSSCertificate(CERTCertificate *cc)
nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
PORT_Free(derSerial.data);
}
- if (cc->emailAddr) {
+ if (cc->emailAddr && cc->emailAddr[0]) {
c->email = nssUTF8_Create(arena,
nssStringType_PrintableString,
(NSSUTF8 *)cc->emailAddr,
diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c
index caed8db89..89b942222 100644
--- a/security/nss/lib/smime/cmssiginfo.c
+++ b/security/nss/lib/smime/cmssiginfo.c
@@ -56,10 +56,13 @@
* SIGNERINFO
*/
NSSCMSSignerInfo *
-nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey, SECKEYPrivateKey *signingKey, SECOidTag digestalgtag);
+nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type,
+ CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey,
+ SECKEYPrivateKey *signingKey, SECOidTag digestalgtag);
NSSCMSSignerInfo *
-NSS_CMSSignerInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, SECItem *subjKeyID, SECKEYPublicKey *pubKey, SECKEYPrivateKey *signingKey, SECOidTag digestalgtag)
+NSS_CMSSignerInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, SECItem *subjKeyID,
+ SECKEYPublicKey *pubKey, SECKEYPrivateKey *signingKey, SECOidTag digestalgtag)
{
return nss_cmssignerinfo_create(cmsg, NSSCMSSignerID_SubjectKeyID, NULL, subjKeyID, pubKey, signingKey, digestalgtag);
}
@@ -71,7 +74,9 @@ NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag d
}
NSSCMSSignerInfo *
-nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey, SECKEYPrivateKey *signingKey, SECOidTag digestalgtag)
+nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type,
+ CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey,
+ SECKEYPrivateKey *signingKey, SECOidTag digestalgtag)
{
void *mark;
NSSCMSSignerInfo *signerinfo;
@@ -646,7 +651,7 @@ NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo)
if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL)
return NULL;
- if (signercert->emailAddr == NULL)
+ if (!signercert->emailAddr || !signercert->emailAddr[0])
return NULL;
return (PORT_Strdup(signercert->emailAddr));
@@ -916,11 +921,12 @@ NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo)
/* no preferred cert found?
* find the cert the signerinfo is signed with instead */
cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb);
- if (cert == NULL || cert->emailAddr == NULL)
+ if (cert == NULL || cert->emailAddr == NULL || !cert->emailAddr[0])
return SECFailure;
}
- /* verify this cert for encryption (has been verified for signing so far) */ /* don't verify this cert for encryption. It may just be a signing cert.
+ /* verify this cert for encryption (has been verified for signing so far) */
+ /* don't verify this cert for encryption. It may just be a signing cert.
* that's OK, we can still save the S/MIME profile. The encryption cert
* should have already been saved */
#ifdef notdef
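Review bot: Splitting the two comments onto separate lines leaves them contradicting each other: the first says the cert is verified for encryption, the second says it is not, and the code that follows is compiled out under `#ifdef notdef`. I would drop the stale first comment and keep only the "don't verify this cert for encryption" block, so the reader is not left guessing which describes the current behaviour. The guard above it also mixes styles (`cert->emailAddr == NULL || !cert->emailAddr[0]`) where the @@ -646 hunk of this file uses `!signercert->emailAddr || !signercert->emailAddr[0]`. NSS_SMIMESignerInfo_SaveSMIMEProfile starts and ends outside this hunk.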
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
index b8d8db941..046dcdde6 100644
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -1199,9 +1199,10 @@ pk11_FindCertAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
return pk11_NewTokenAttribute(type,cert->derSN.data,
cert->derSN.len, PR_FALSE);
case CKA_NETSCAPE_EMAIL:
- return cert->emailAddr ? pk11_NewTokenAttribute(type, cert->emailAddr,
- PORT_Strlen(cert->emailAddr), PR_FALSE) :
- (PK11Attribute *) &pk11_StaticNullAttr;
+ return (cert->emailAddr && cert->emailAddr[0])
+ ? pk11_NewTokenAttribute(type, cert->emailAddr,
+ PORT_Strlen(cert->emailAddr), PR_FALSE)
+ : (PK11Attribute *) &pk11_StaticNullAttr;
default:
break;
}