Uprev NSS to 3.18 RTM

nss/lib/certdb/crl.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Moved from secpkcs7.c
  */
  
 #include "cert.h"
 #include "certi.h"
@@ skipping 1105 matching lines @@
         {
             return SECFailure;
         }
     }
     /* free the array of CRLs */
     if (cache->crls)
     {
         PORT_Free(cache->crls);
     }
     /* destroy the cert */
-    if (cache->issuer)
+    if (cache->issuerDERCert)
     {
-        CERT_DestroyCertificate(cache->issuer);
+        SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE);
     }
     /* free the subject */
     if (cache->subject)
     {
         SECITEM_FreeItem(cache->subject, PR_TRUE);
     }
     /* free the distribution points */
     if (cache->distributionPoint)
     {
         SECITEM_FreeItem(cache->distributionPoint, PR_TRUE);
@@ skipping 425 matching lines @@
     if (PR_TRUE == GetOpaqueCRLFields(crlobject->crl)->decodingError)
     {
         crlobject->sigChecked = PR_TRUE; /* we can never verify a CRL
             with bogus DER. Mark it checked so we won't try again */
         PORT_SetError(SEC_ERROR_BAD_DER);
         return SECSuccess;
     }
     else
     {
         SECStatus signstatus = SECFailure;
-        if (cache->issuer)
+        if (cache->issuerDERCert)
         {
-            signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
+            CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle,
+                cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
+
+            if (issuer) {
+                signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate,
                                         wincx);
+                CERT_DestroyCertificate(issuer);
+            }
         }
         if (SECSuccess != signstatus)
         {
-            if (!cache->issuer)
+            if (!cache->issuerDERCert)
             {
                 /* we tried to verify without an issuer cert . This is
                    because this CRL came through a call to SEC_FindCrlByName.
                    So, we don't cache this verification failure. We'll try
                    to verify the CRL again when a certificate from that issuer
                    becomes available */
             } else
             {
                 crlobject->sigChecked = PR_TRUE;
             }
@@ skipping 326 matching lines @@
         }
         if (PR_TRUE == mustunlock)
         {
             cache->lastcheck = PR_Now();
             DPCache_UnlockWrite();
             mustunlock = PR_FALSE;
         }
     }
 
     /* add issuer certificate if it was previously unavailable */
-    if (issuer && (NULL == cache->issuer) &&
+    if (issuer && (NULL == cache->issuerDERCert) &&
         (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
     {
         /* if we didn't have a valid issuer cert yet, but we do now. add it */
         DPCache_LockWrite();
-        if (!cache->issuer)
+        if (!cache->issuerDERCert)
         {
             dirty = PR_TRUE;
-            cache->issuer = CERT_DupCertificate(issuer);    
+            cache->dbHandle = issuer->dbhandle;
+            cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
         }
         DPCache_UnlockWrite();
     }
 
     /* verify CRLs that couldn't be checked when inserted into the cache
        because the issuer cert or a verification date was unavailable.
        These are CRLs that were inserted into the cache through
        SEC_FindCrlByName, or through manual insertion, rather than through a
        certificate verification (CERT_CheckCRL) */
 
-    if (cache->issuer && vfdate )
+    if (cache->issuerDERCert && vfdate )
     {
         mustunlock = PR_FALSE;
         /* re-process all unverified CRLs */
         for (i = 0; i < cache->ncrls ; i++)
         {
             CachedCrl* savcrl = cache->crls[i];
             if (!savcrl)
             {
                 continue;
             }
@@ skipping 236 matching lines @@
 #else
     cache->lock = PR_NewLock();
 #endif
     if (!cache->lock)
     {
         PORT_Free(cache);
         return SECFailure;
     }
     if (issuer)
     {
-        cache->issuer = CERT_DupCertificate(issuer);
+        cache->dbHandle = issuer->dbhandle;
+        cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
     }
     cache->distributionPoint = SECITEM_DupItem(dp);
     cache->subject = SECITEM_DupItem(subject);
     cache->lastfetch = 0;
     cache->lastcheck = 0;
     *returned = cache;
     return SECSuccess;
 }
 
 /* create an issuer cache object (per CA subject ) */
@@ skipping 1147 matching lines @@
            to CERT_CacheCRL previously. That API takes a SECItem*, thus, we
            just do a pointer comparison here.
         */
         if (b->crl->derCrl == a->crl->derCrl)
         {
             *isDupe = PR_TRUE;
         }
     }
     return SECSuccess;
 }