Update NSS to NSS 3.14 Beta 1.

mozilla/security/nss/lib/cryptohi/seckey.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "cryptohi.h"
 #include "keyhi.h"
 #include "secoid.h"
 #include "secitem.h"
 #include "secder.h"
 #include "base64.h"
 #include "secasn1.h"
@@ skipping 307 matching lines @@
 
     /* check if cert chain length exceeds the maximum length*/
     if (count > CERT_MAX_CERT_CHAIN) {
         return SECFailure;
     }
 
     oid = SECOID_FindOID(&subjectCert->subjectPublicKeyInfo.algorithm.algorithm);            
     if (oid != NULL) {  
         tag = oid->offset;
              
-        /* Check if cert has a DSA public key. If not, return
-         * success since no PQG params need to be updated.  */
+        /* Check if cert has a DSA or EC public key. If not, return
+         * success since no PQG params need to be updated.
+         *
+         * Question: do we really need to do this for EC keys. They don't have
+         * PQG parameters, but they do have parameters. The question is does
+         * the child cert inherit thost parameters for EC from the parent, or
+         * do we always include those parameters in each cert.
+         */
 
         if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
              (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) &&
+             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
              (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
              (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
              (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {
             
             return SECSuccess;
         }
     } else {
         return SECFailure;  /* return failure if oid is NULL */  
     }
 
@@ skipping 22 matching lines @@
 
     oid = SECOID_FindOID(&issuerCert->subjectPublicKeyInfo.algorithm.algorithm);
     if (oid != NULL) {  
         tag = oid->offset;
              
         /* Check if issuer cert has a DSA public key. If not,
          * return failure.   */
 
         if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
              (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) &&
+             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
              (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
              (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
              (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {            
             rv = SECFailure;
             goto loser;
         }
     } else {
         rv = SECFailure;  /* return failure if oid is NULL */  
         goto loser;
     }
@@ skipping 608 matching lines @@
 SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
 {
     unsigned char b0;
     unsigned size;
 
     switch (pubk->keyType) {
     case rsaKey:
         b0 = pubk->u.rsa.modulus.data[0];
         return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
     case dsaKey:
-        return DSA_SIGNATURE_LEN;
+        return pubk->u.dsa.params.subPrime.len * 2;
     case ecKey:
         /* Get the base point order length in bits and adjust */
         size =  SECKEY_ECParamsToBasePointOrderLen(
                 &pubk->u.ec.DEREncodedParams);
         return ((size + 7)/8) * 2;
     default:
         break;
     }
     PORT_SetError(SEC_ERROR_INVALID_KEY);
     return 0;
@@ skipping 900 matching lines @@
         key->staticflags &= (~SECKEY_##attribute); \
     }
 
 SECStatus
 SECKEY_CacheStaticFlags(SECKEYPrivateKey* key)
 {
     SECStatus rv = SECFailure;
     if (key && key->pkcs11Slot && key->pkcs11ID) {
         key->staticflags |= SECKEY_Attributes_Cached;
         SECKEY_CacheAttribute(key, CKA_PRIVATE);
+        SECKEY_CacheAttribute(key, CKA_ALWAYS_AUTHENTICATE);
         rv = SECSuccess;
     }
     return rv;
 }