Fix for 154212 - make CERT_SaveSMimeProfile copy the cert to the database if it

comes from an external source

6 files changed, 121 insertions, 2 deletions

diff --git a/security/coreconf/Darwin.mk b/security/coreconf/Darwin.mk
index 6c2b93c9d..59f5af8fd 100644
--- a/security/coreconf/Darwin.mk
+++ b/security/coreconf/Darwin.mk
@@ -70,5 +70,7 @@ DSO_LDOPTS	= -dynamiclib -compatibility_version 1 -current_version 1 -install_na
 
 MKSHLIB		= $(CC) -arch $(CPU_ARCH) $(DSO_LDOPTS)
 DLL_SUFFIX	= dylib
+PROCESS_MAP_FILE = grep -v ';+' $(LIBRARY_NAME).def | grep -v ';-' | \
+                sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@
 
 G++INCLUDES	= -I/usr/include/g++
diff --git a/security/coreconf/rules.mk b/security/coreconf/rules.mk
index 76043627a..c53c1ffc5 100644
--- a/security/coreconf/rules.mk
+++ b/security/coreconf/rules.mk
@@ -364,6 +364,11 @@ endif
 ifeq ($(OS_TARGET),OpenVMS)
 	@echo "`translate $@`" > $(@:$(DLL_SUFFIX)=vms)
 endif
+ifeq ($(OS_TARGET),Darwin)
+ifdef MAPFILE
+	nmedit -s $(MAPFILE) $@
+endif
+endif
 endif
 endif
 
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index ad0f6864e..3b1081bb8 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -385,6 +385,7 @@ CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nicknam
 */
 #define SEC_CRL_TYPE	1
 #define SEC_KRL_TYPE	0
+#define SEC_CRL_TYPE_NO_ENTRIES	2
 
 extern CERTSignedCrl *
 CERT_DecodeDERCrl (PRArenaPool *arena, SECItem *derSignedCrl,int type);
@@ -532,6 +533,27 @@ extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
 				       void *wincx);
 
 /*
+** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
+** verify a certificate by checking validity times against a certain time,
+** that we trust the issuer, and that the signature on the certificate is
+** valid.
+**	"cert" the certificate to verify
+**	"checkSig" only check signatures if true
+*/
+extern SECStatus
+CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertificateUsage requiredUsages,
+                int64 t, void *wincx, CERTVerifyLog *log,
+                SECCertificateUsage* returnedUsages);
+
+/* same as above, but uses current time */
+extern SECStatus
+CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
+		   PRBool checkSig, SECCertificateUsage requiredUsages,
+                   void *wincx, SECCertificateUsage* returnedUsages);
+
+/*
+** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
 ** verify a certificate by checking validity times against a certain time,
 ** that we trust the issuer, and that the signature on the certificate is
 ** valid.
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
index 3f70dcc84..d2cabb66d 100644
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -473,6 +473,23 @@ typedef enum SECCertUsageEnum {
     certUsageAnyCA = 11
 } SECCertUsage;
 
+typedef PRInt32 SECCertificateUsage;
+
+#define certificateUsageSSLClient              (0x0001)
+#define certificateUsageSSLServer              (0x0002)
+#define certificateUsageSSLServerWithStepUp    (0x0004)
+#define certificateUsageSSLCA                  (0x0008)
+#define certificateUsageEmailSigner            (0x0010)
+#define certificateUsageEmailRecipient         (0x0020)
+#define certificateUsageObjectSigner           (0x0040)
+#define certificateUsageUserCertImport         (0x0080)
+#define certificateUsageVerifyCA               (0x0100)
+#define certificateUsageProtectedObjectSigner  (0x0200)
+#define certificateUsageStatusResponder        (0x0400)
+#define certificateUsageAnyCA                  (0x0800)
+
+#define highestUsage certificateUsageAnyCA
+
 /*
  * Does the cert belong to the user, a peer, or a CA.
  */
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
index 8eb90005a..944a202c6 100644
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -152,6 +152,11 @@ static const SEC_ASN1Template cert_CrlEntryTemplate[] = {
     { 0 }
 };
 
+static const SEC_ASN1Template cert_CrlSkipEntryTemplate[] = {
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
 const SEC_ASN1Template CERT_CrlTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(CERTCrl) },
@@ -178,6 +183,34 @@ const SEC_ASN1Template CERT_CrlTemplate[] = {
     { 0 }
 };
 
+const SEC_ASN1Template CERT_CrlTemplateNoEntries[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrl) },
+    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,signatureAlg),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCrl,derName) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,name),
+	  CERT_NameTemplate },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,lastUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,nextUpdate) },
+/*     { SEC_ASN1_SKIP | SEC_ASN1_SEQUENCE_OF }, */
+/*     { SEC_ASN1_SKIP | SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF }, */
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrl,entries),
+	  cert_CrlSkipEntryTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+	  SEC_ASN1_EXPLICIT | 0,
+	  offsetof(CERTCrl,extensions),
+	  SEC_CERTExtensionsTemplate},
+    { 0 }
+};
+
 static const SEC_ASN1Template cert_SignedCrlTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(CERTSignedCrl) },
@@ -194,6 +227,22 @@ static const SEC_ASN1Template cert_SignedCrlTemplate[] = {
     { 0 }
 };
 
+static const SEC_ASN1Template cert_SignedCrlTemplateNoEntries[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedCrl) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTSignedCrl,signatureWrap.data) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,crl),
+	  CERT_CrlTemplateNoEntries },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSignedCrl,signatureWrap.signature) },
+    { 0 }
+};
+
 const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[] = {
     { SEC_ASN1_SET_OF, 0, cert_SignedCrlTemplate },
 };
@@ -320,6 +369,8 @@ CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
     PRArenaPool *arena;
     CERTSignedCrl *crl;
     SECStatus rv;
+    const SEC_ASN1Template* crlTemplate = cert_SignedCrlTemplate; /* use full
+                                         template for decoding CRLs */
 
     /* make a new arena */
     if (narena == NULL) {
@@ -353,9 +404,14 @@ CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
 
     /* decode the CRL info */
     switch (type) {
+    case SEC_CRL_TYPE_NO_ENTRIES:
+        crlTemplate = cert_SignedCrlTemplateNoEntries; /*  trimmed template */
+        crl->crl.entries = NULL;
+        /* fall through */
+
     case SEC_CRL_TYPE: 
 	rv = SEC_ASN1DecodeItem
-	     (arena, crl, cert_SignedCrlTemplate, derSignedCrl);
+	     (arena, crl, crlTemplate, derSignedCrl);
 	if (rv != SECSuccess)
 	    break;
         /* check for critical extentions */
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index 654da08dd..3f52f438e 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -747,7 +747,24 @@ CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
     NSSCryptoContext *cc;
     nssSMIMEProfile *stanProfile = NULL;
     PRBool freeOldProfile = PR_FALSE;
-    
+    PK11SlotInfo* internalslot = PK11_GetInternalKeySlot();
+
+    if (cert && cert->slot != internalslot) {
+          /* this cert comes from an external source, we need to add it
+          to the cert db before creating an S/MIME profile */
+          rv = PK11_ImportCert(internalslot, cert,
+              CK_INVALID_HANDLE, NULL, PR_FALSE);
+
+          PK11_FreeSlot(internalslot);
+
+          if (rv != SECSuccess )
+          {
+              return SECFailure;
+          }
+    } else {
+        PK11_FreeSlot(internalslot);
+    }
+
     emailAddr = cert->emailAddr;
     
     if ( emailAddr == NULL ) {