Update NSS to NSS 3.14 Beta 1.

mozilla/security/nss/lib/pki/pki3hack.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef DEBUG
 static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.109 $ $Date: 2012/07/27 21:41:52 $";
 #endif /* DEBUG */
 
 /*
  * Hacks to integrate NSS 3.4 and NSS 4.0 certificates.
@@ skipping 394 matching lines @@
         } else {
             certType = cc->nsCertType;
         }
         if (!(certType & requiredCertType)) {
             match = PR_FALSE;
         }
     }
     return match;
 }
 
+static PRBool
+nss3certificate_isTrustedForUsage(nssDecodedCert *dc, const NSSUsage *usage)
+{
+    CERTCertificate *cc;
+    PRBool ca;
+    SECStatus secrv;
+    unsigned int requiredFlags;
+    unsigned int trustFlags;
+    SECTrustType trustType;
+    CERTCertTrust trust;
+
+    /* This is for NSS 3.3 functions that do not specify a usage */
+    if (usage->anyUsage) {
+        return PR_FALSE;  /* XXX is this right? */
+    }
+    cc = (CERTCertificate *)dc->data;
+    ca = usage->nss3lookingForCA;
+    if (!ca) {
+        PRBool trusted;
+        unsigned int failedFlags;
+        secrv = cert_CheckLeafTrust(cc, usage->nss3usage,
+                                    &failedFlags, &trusted);
+        return secrv == SECSuccess && trusted;
+    }
+    secrv = CERT_TrustFlagsForCACertUsage(usage->nss3usage, &requiredFlags,
+                                          &trustType);
+    if (secrv != SECSuccess) {
+        return PR_FALSE;
+    }
+    secrv = CERT_GetCertTrust(cc, &trust);
+    if (secrv != SECSuccess) {
+        return PR_FALSE;
+    }
+    if (trustType == trustTypeNone) {
+        /* normally trustTypeNone usages accept any of the given trust bits
+         * being on as acceptable. */
+        trustFlags = trust.sslFlags | trust.emailFlags |
+                     trust.objectSigningFlags;
+    } else {
+        trustFlags = SEC_GET_TRUST_FLAGS(&trust, trustType);
+    }
+    return (trustFlags & requiredFlags) == requiredFlags;
+}
+
 static NSSASCII7 *
 nss3certificate_getEmailAddress(nssDecodedCert *dc)
 {
     CERTCertificate *cc = (CERTCertificate *)dc->data;
     return (cc && cc->emailAddr && cc->emailAddr[0])
             ? (NSSASCII7 *)cc->emailAddr : NULL;
 }
 
 static PRStatus
 nss3certificate_getDERSerialNumber(nssDecodedCert *dc, 
@@ skipping 30 matching lines @@
             rvDC->type                = NSSCertificateType_PKIX;
             rvDC->data                = (void *)cert;
             rvDC->getIdentifier       = nss3certificate_getIdentifier;
             rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
             rvDC->matchIdentifier     = nss3certificate_matchIdentifier;
             rvDC->isValidIssuer       = nss3certificate_isValidIssuer;
             rvDC->getUsage            = nss3certificate_getUsage;
             rvDC->isValidAtTime       = nss3certificate_isValidAtTime;
             rvDC->isNewerThan         = nss3certificate_isNewerThan;
             rvDC->matchUsage          = nss3certificate_matchUsage;
+            rvDC->isTrustedForUsage   = nss3certificate_isTrustedForUsage;
             rvDC->getEmailAddress     = nss3certificate_getEmailAddress;
             rvDC->getDERSerialNumber  = nss3certificate_getDERSerialNumber;
         } else {
             CERT_DestroyCertificate(cert);
         }
     }
     return rvDC;
 }
 
 static nssDecodedCert *
 create_decoded_pkix_cert_from_nss3cert (
   NSSArena *arenaOpt,
   CERTCertificate *cc
 )
 {
     nssDecodedCert *rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
     if (rvDC) {
         rvDC->type                = NSSCertificateType_PKIX;
         rvDC->data                = (void *)cc;
         rvDC->getIdentifier       = nss3certificate_getIdentifier;
         rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
         rvDC->matchIdentifier     = nss3certificate_matchIdentifier;
         rvDC->isValidIssuer       = nss3certificate_isValidIssuer;
         rvDC->getUsage            = nss3certificate_getUsage;
         rvDC->isValidAtTime       = nss3certificate_isValidAtTime;
         rvDC->isNewerThan         = nss3certificate_isNewerThan;
         rvDC->matchUsage          = nss3certificate_matchUsage;
+        rvDC->isTrustedForUsage   = nss3certificate_isTrustedForUsage;
         rvDC->getEmailAddress     = nss3certificate_getEmailAddress;
+        rvDC->getDERSerialNumber  = nss3certificate_getDERSerialNumber;
     }
     return rvDC;
 }
 
 NSS_IMPLEMENT PRStatus
 nssDecodedPKIXCertificate_Destroy (
   nssDecodedCert *dc
 )
 {
     CERTCertificate *cert = (CERTCertificate *)dc->data;
@@ skipping 863 matching lines @@
     td = STAN_GetDefaultTrustDomain();
     cc = STAN_GetDefaultCryptoContext();
     printf("\n\nCertificates in the cache:\n");
     nssTrustDomain_DumpCacheInfo(td, cert_dump_iter, NULL);
     printf("\n\nCertificates in the temporary store:\n");
     if (cc->certStore) {
         nssCertificateStore_DumpStoreInfo(cc->certStore, cert_dump_iter, NULL);
     }
 }