Update to NSS 3.12.7 and NSPR 4.8.6....

nss/mozilla/security/nss/lib/certdb/genname.c

 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 24 matching lines @@
  * ***** END LICENSE BLOCK ***** */
 
 #include "plarena.h"
 #include "seccomon.h"
 #include "secitem.h"
 #include "secoidt.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "certt.h"
 #include "cert.h"
+#include "certi.h"
 #include "xconst.h"
 #include "secerr.h"
 #include "secoid.h"
 #include "prprf.h"
 #include "genname.h"
 
 SEC_ASN1_MKSUB(SEC_AnyTemplate)
 SEC_ASN1_MKSUB(SEC_IntegerTemplate)
 SEC_ASN1_MKSUB(SEC_IA5StringTemplate)
 SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
@@ skipping 1020 matching lines @@
     /* combine new names with old one. */
     name = cert_CombineNamesLists(name, nameList);
     /* TODO: unmark arena */
     return SECSuccess;
 
 loser:
     /* TODO: release arena back to mark */
     return SECFailure;
 }
 
+/* Extract all names except Subject Common Name from a cert 
+** in preparation for a name constraints test.
+*/
+CERTGeneralName *
+CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena)
+{
+    return CERT_GetConstrainedCertificateNames(cert, arena, PR_FALSE);
+}
+
 /* This function is called by CERT_VerifyCertChain to extract all
 ** names from a cert in preparation for a name constraints test.
 */
 CERTGeneralName *
-CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena)
+CERT_GetConstrainedCertificateNames(CERTCertificate *cert, PRArenaPool *arena,
+                                    PRBool includeSubjectCommonName)
 {
     CERTGeneralName  *DN;
-    CERTGeneralName  *altName         = NULL;
-    SECItem          altNameExtension = {siBuffer, NULL, 0 };
+    CERTGeneralName  *SAN;
+    PRUint32         numDNSNames = 0;
     SECStatus        rv;
 
+    if (!arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
     /* TODO: mark arena */
     DN = CERT_NewGeneralName(arena, certDirectoryName);
     if (DN == NULL) {
         goto loser;
     }
     rv = CERT_CopyName(arena, &DN->name.directoryName, &cert->subject);
     if (rv != SECSuccess) {
         goto loser;
     }
     rv = SECITEM_CopyItem(arena, &DN->derDirectoryName, &cert->derSubject);
     if (rv != SECSuccess) {
         goto loser;
     }
     /* Extract email addresses from DN, construct CERTGeneralName structs 
     ** for them, add them to the name list 
     */
     rv = cert_ExtractDNEmailAddrs(DN, arena);
     if (rv != SECSuccess)
         goto loser;
 
     /* Now extract any GeneralNames from the subject name names extension. */
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
-                                &altNameExtension);
+    SAN = cert_GetSubjectAltNameList(cert, arena);
+    if (SAN) {
+        numDNSNames = cert_CountDNSPatterns(SAN);
+        DN = cert_CombineNamesLists(DN, SAN);
+    }
+    if (!numDNSNames && includeSubjectCommonName) {
+        char *cn = CERT_GetCommonName(&cert->subject);
+        if (cn) {
+            CERTGeneralName *CN = CERT_NewGeneralName(arena, certDNSName);
+            if (CN) {
+                SECItem cnItem = {siBuffer, NULL, 0};
+                cnItem.data = (unsigned char *)cn;
+                cnItem.len  = strlen(cn);
+                rv = SECITEM_CopyItem(arena, &CN->name.other, &cnItem);
+                if (rv == SECSuccess) {
+                    DN = cert_CombineNamesLists(DN, CN);
+                }
+            }
+            PORT_Free(cn);
+        }
+    }
     if (rv == SECSuccess) {
-        altName = CERT_DecodeAltNameExtension(arena, &altNameExtension);
-        rv = altName ? SECSuccess : SECFailure;
+        /* TODO: unmark arena */
+        return DN;
     }
-    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND)
-        rv = SECSuccess;
-    if (altNameExtension.data)
-        SECITEM_FreeItem(&altNameExtension, PR_FALSE);
-    if (rv != SECSuccess)
-        goto loser;
-    DN = cert_CombineNamesLists(DN, altName);
-
-    /* TODO: unmark arena */
-    return DN;
 loser:
     /* TODO: release arena to mark */
     return NULL;
 }
 
 /* Returns SECSuccess if name matches constraint per RFC 3280 rules for 
 ** URI name constraints.  SECFailure otherwise.
 ** If the constraint begins with a dot, it is a domain name, otherwise
 ** It is a host name.  Examples:
 **  Constraint            Name             Result
@@ skipping 822 matching lines @@
             break;
         }
         list->name = cert_CombineNamesLists(list->name, name);
         list->len++;
 done:
         PZ_Unlock(list->lock);
     }
     return;
 }
 #endif