authorrelyea%netscape.com <devnull@localhost>2005-08-12 18:01:26 +0000
committerrelyea%netscape.com <devnull@localhost>2005-08-12 18:01:26 +0000
commitdc548377baa66a4bbf951002fed2680c08594f56 (patch)
treeb9ede1576ab16716517eae6a770787372f2f535f /security/nss/lib/softoken
parent12176500010caf2636115bba6552d756d3125854 (diff)
downloadnss-hg-dc548377baa66a4bbf951002fed2680c08594f56.tar.gz
Bug 303010 Certificate upgrade can drop S/MIME certificates
r=wtc. Delay loading the S/MIME records on upgrade until the cert is loaded
Diffstat (limited to 'security/nss/lib/softoken')
-rw-r--r--security/nss/lib/softoken/pcertdb.c65
1 files changed, 42 insertions, 23 deletions
diff --git a/security/nss/lib/softoken/pcertdb.c b/security/nss/lib/softoken/pcertdb.c
index e92f1b993..c344b525f 100644
--- a/security/nss/lib/softoken/pcertdb.c
+++ b/security/nss/lib/softoken/pcertdb.c
@@ -3521,6 +3521,9 @@ UpdateV7DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
case certDBEntryTypeSubject:
case certDBEntryTypeContentVersion:
case certDBEntryTypeNickname:
+ /* smime profiles need entries created after the certs have
+ * been imported, loop over them in a second run */
+ case certDBEntryTypeSMimeProfile:
break;
case certDBEntryTypeCert:
@@ -3568,22 +3571,45 @@ UpdateV7DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
crlEntry.common.arena = NULL;
break;
- case certDBEntryTypeSMimeProfile:
- smimeEntry.common.version = (unsigned int)dataBuf[0];
- smimeEntry.common.type = entryType;
- smimeEntry.common.flags = (unsigned int)dataBuf[2];
- smimeEntry.common.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- rv = DecodeDBSMimeEntry(&smimeEntry,&dbEntry,(char *)dbKey.data);
- /* decode entry */
+ default:
+ break;
+ }
+ } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
+
+ /* now loop again updating just the SMimeProfile. */
+ ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
+
+ if ( ret ) {
+ return(SECFailure);
+ }
+
+ do {
+ unsigned char *dataBuf = (unsigned char *)data.data;
+ unsigned char *keyBuf = (unsigned char *)key.data;
+ dbEntry.data = &dataBuf[SEC_DB_ENTRY_HEADER_LEN];
+ dbEntry.len = data.size - SEC_DB_ENTRY_HEADER_LEN;
+ entryType = (certDBEntryType) keyBuf[0];
+ if (entryType != certDBEntryTypeSMimeProfile) {
+ continue;
+ }
+ dbKey.data = &keyBuf[SEC_DB_KEY_HEADER_LEN];
+ dbKey.len = key.size - SEC_DB_KEY_HEADER_LEN;
+ if ((dbEntry.len <= 0) || (dbKey.len <= 0)) {
+ continue;
+ }
+ smimeEntry.common.version = (unsigned int)dataBuf[0];
+ smimeEntry.common.type = entryType;
+ smimeEntry.common.flags = (unsigned int)dataBuf[2];
+ smimeEntry.common.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ /* decode entry */
+ rv = DecodeDBSMimeEntry(&smimeEntry,&dbEntry,(char *)dbKey.data);
+ if (rv == SECSuccess) {
nsslowcert_UpdateSMimeProfile(handle, smimeEntry.emailAddr,
&smimeEntry.subjectName, &smimeEntry.smimeOptions,
&smimeEntry.optionsDate);
- PORT_FreeArena(smimeEntry.common.arena, PR_FALSE);
- smimeEntry.common.arena = NULL;
- break;
- default:
- break;
}
+ PORT_FreeArena(smimeEntry.common.arena, PR_FALSE);
+ smimeEntry.common.arena = NULL;
} while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
(* updatedb->close)(updatedb);
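Review bot: The second-pass loop checks the record lengths only after the header sizes have been subtracted, at `if ((dbEntry.len <= 0) || (dbKey.len <= 0))`. If `dbEntry.len` and `dbKey.len` are unsigned, as SECItem lengths are, a record in the old database whose `data.size` or `key.size` is smaller than its header wraps to a large value and passes this test; `keyBuf[0]` is read before any check at all, and `dataBuf[2]` is then read past a short record. Comparing the raw sizes before the buffers are indexed avoids this: `if (key.size <= SEC_DB_KEY_HEADER_LEN || data.size <= SEC_DB_ENTRY_HEADER_LEN) continue;` as the first statement of the loop body. The return value of `PORT_NewArena` is also handed to `DecodeDBSMimeEntry` and `PORT_FreeArena` without a NULL check. UpdateV7DB begins before this hunk, so the declarations of these variables are not visible here and the types should be confirmed.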
@@ -4037,17 +4063,6 @@ openNewCertDB(const char *appName, const char *prefix, const char *certdbname,
}
/* Verify version number; */
-
- if (appName) {
- updatedb = dbsopen(certdbname, NO_RDONLY, 0600, DB_HASH, 0);
- if (updatedb) {
- rv = UpdateV8DB(handle, updatedb);
- db_FinishTransaction(handle->permCertDB,PR_FALSE);
- db_InitComplete(handle->permCertDB);
- return(rv);
- }
- }
-
versionEntry = NewDBVersionEntry(0);
if ( versionEntry == NULL ) {
rv = SECFailure;
@@ -4064,6 +4079,10 @@ openNewCertDB(const char *appName, const char *prefix, const char *certdbname,
/* rv must already be Success here because of previous if statement */
/* try to upgrade old db here */
+ if (appName &&
+ (updatedb = dbsopen(certdbname, NO_RDONLY, 0600, DB_HASH, 0)) != NULL) {
+ rv = UpdateV8DB(handle, updatedb);
+ }
if ((updatedb = nsslowcert_openolddb(namecb,cbarg,7)) != NULL) {
rv = UpdateV7DB(handle, updatedb);
} else if ((updatedb = nsslowcert_openolddb(namecb,cbarg,6)) != NULL) {
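Review bot: The status returned by `UpdateV8DB` can be lost, because the added block is followed by a plain `if` rather than joined to the existing chain. When `nsslowcert_openolddb(namecb,cbarg,7)` also succeeds, both `rv` and `updatedb` are overwritten, so a failed V8 upgrade is reported as whatever the V7 upgrade returns. The removed code returned straight after `UpdateV8DB`, so running an older-format upgrade on top of it is new behaviour. If the V8 upgrade is meant to take precedence, the next line should read `} else if ((updatedb = nsslowcert_openolddb(namecb,cbarg,7)) != NULL) {`. Whether `UpdateV8DB` closes `updatedb` itself is not visible in this hunk; if it does not, the reassignment also drops the open handle.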