Uprev NSS from 3.18.0 RTM to 3.19.0 RTM

nss/lib/certdb/cert.h

Index: nss/lib/certdb/cert.h
diff --git a/nss/lib/certdb/cert.h b/nss/lib/certdb/cert.h
index 6e0bdb0892fc5e673b2ec6202c9f660ead3dd111..4564dc2ddecbf3e5219806c298eb911b10da64dc 100644
--- a/nss/lib/certdb/cert.h
+++ b/nss/lib/certdb/cert.h
@@ -1172,6 +1172,20 @@ CERT_GetNextGeneralName(CERTGeneralName *current);
 extern CERTGeneralName *
 CERT_GetPrevGeneralName(CERTGeneralName *current);
 
+/*
+ * Look up name constraints for some certs that do not include name constraints
+ * (Most importantly, root certificates)
+ *
+ * If a matching subject is found, |extensions| will be populated with a copy of the
+ * DER-encoded name constraints extension. The data in |extensions| will point to
+ * memory that the caller owns.
+ *
+ * There is no mechanism to configure imposed name constraints right now.  All
+ * imposed name constraints are built into NSS.
+ */
+SECStatus
+CERT_GetImposedNameConstraints(const SECItem *derSubject, SECItem *extensions);
+
 CERTNameConstraint *
 CERT_GetNextNameConstraint(CERTNameConstraint *current);
 
@@ -1543,6 +1557,9 @@ CERT_CheckNameSpace(PLArenaPool          *arena,
 
 /*
  * Extract and allocate the name constraints extension from the CA cert.
+ * If the certificate contains no name constraints extension, but
+ * CERT_GetImposedNameConstraints returns a name constraints extension
+ * for the subject of the certificate, then that extension will be returned.
  */
 extern SECStatus
 CERT_FindNameConstraintsExten(PLArenaPool      *arena,