modify last patch to only take effect if the slot certs are not publicly readable, and to not update the token cert list more than once

2 files changed, 8 insertions, 4 deletions

diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
index 86c58ead8..c3839594e 100644
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -725,8 +725,9 @@ PK11_Logout(PK11SlotInfo *slot)
     PK11_EnterSlotMonitor(slot);
     crv = PK11_GETTAB(slot)->C_Logout(slot->session);
     PK11_ExitSlotMonitor(slot);
-    if (slot->nssToken) {
-	   nssToken_DestroyCertList(slot->nssToken, PR_TRUE);
+    if (slot->nssToken && !PK11_IsFriendly(slot)) {
+	/* If the slot certs are not public readable, destroy them */
+	nssToken_DestroyCertList(slot->nssToken, PR_TRUE);
     }
     if (crv != CKR_OK) {
 	PORT_SetError(PK11_MapError(crv));
@@ -1143,8 +1144,8 @@ PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
     }
     if (rv == SECSuccess) {
 	rv = pk11_CheckVerifyTest(slot);
-	if (rv == SECSuccess && slot->nssToken) {
-	    /* notify stan about the login */
+	if (rv == SECSuccess && slot->nssToken && !PK11_IsFriendly(slot)) {
+	    /* notify stan about the login if certs are not public readable */
 	    nssToken_LoadCerts(slot->nssToken);
 	}
     } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index ad9dbe5f0..0fc28ee26 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -247,6 +247,9 @@ nssToken_LoadCerts(NSSToken *token)
 	    if (!token->certList) {
 		return PR_FAILURE;
 	    }
+	} else if (nssList_Count(token->certList) > 0) {
+	    /* already been done */
+	    return PR_SUCCESS;
 	}
 	/* ignore the rv, just work without the list */
 	(void)nssToken_TraverseCertificates(token, NULL, &search);