Update NSS to NSS_3_15_BETA2.

nss/lib/pkcs7/p7decode.c

Index: nss/lib/pkcs7/p7decode.c
===================================================================
--- nss/lib/pkcs7/p7decode.c	(revision 195639)
+++ nss/lib/pkcs7/p7decode.c	(working copy)
@@ -1246,13 +1246,17 @@
 
 
 /*
- * SEC_PKCS7ContentVerifySignature
+ * sec_pkcs7_verify_signature
+ *
  *	Look at a PKCS7 contentInfo and check if the signature is good.
  *	The digest was either calculated earlier (and is stored in the
  *	contentInfo itself) or is passed in via "detached_digest".
  *
  *	The verification checks that the signing cert is valid and trusted
- *	for the purpose specified by "certusage".
+ *	for the purpose specified by "certusage" at
+ * 	- "*atTime" if "atTime" is not null, or
+ * 	- the signing time if the signing time is available in "cinfo", or
+ *	- the current time (as returned by PR_Now).
  *
  *	In addition, if "keepcerts" is true, add any new certificates found
  *	into our local database.
@@ -1281,7 +1285,8 @@
 			   SECCertUsage certusage,
 			   const SECItem *detached_digest,
 			   HASH_HashType digest_type,
-			   PRBool keepcerts)
+			   PRBool keepcerts,
+			   const PRTime *atTime)
 {
     SECAlgorithmID **digestalgs, *bulkid;
     const SECItem *digest;
@@ -1299,7 +1304,8 @@
     SECItem *content_type;
     PK11SymKey *sigkey;
     SECItem *encoded_stime;
-    int64 stime;
+    PRTime stime;
+    PRTime verificationTime;
     SECStatus rv;
 
     /*
@@ -1436,8 +1442,14 @@
      * in a time (and for non-S/MIME callers to pass in nothing, or
      * maybe make them pass in the current time, always?).
      */
-    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage,
-			 encoded_stime != NULL ? stime : PR_Now(),
+    if (atTime) {
+	verificationTime = *atTime;
+    } else if (encoded_stime != NULL) {
+	verificationTime = stime;
+    } else {
+	verificationTime = PR_Now();
+    }
+    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, verificationTime,
 			 cinfo->pwfn_arg, NULL) != SECSuccess)
 	{
 	/*
@@ -1518,14 +1530,6 @@
 	goto done;
     }
 
-#ifndef NSS_ECC_MORE_THAN_SUITE_B
-    if (encTag == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
-	PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	goto done;
-    }
-#endif
-
-
     if (signerinfo->authAttr != NULL) {
 	SEC_PKCS7Attribute *attr;
 	SECItem *value;
@@ -1590,7 +1594,6 @@
 	    goto done;
 	}
 
-
 	goodsig = (PRBool)(VFY_VerifyDataDirect(encoded_attrs.data, 
 				   encoded_attrs.len,
 				   publickey, &(signerinfo->encDigest),
@@ -1757,7 +1760,7 @@
 			 PRBool keepcerts)
 {
     return sec_pkcs7_verify_signature (cinfo, certusage,
-				       NULL, HASH_AlgNULL, keepcerts);
+				       NULL, HASH_AlgNULL, keepcerts, 0);
 }
 
 /*
@@ -1779,9 +1782,31 @@
 {
     return sec_pkcs7_verify_signature (cinfo, certusage,
 				       detached_digest, digest_type,
-				       keepcerts);
+				       keepcerts, NULL);
 }
 
+/*
+ * SEC_PKCS7VerifyDetachedSignatureAtTime
+ *      Look at a PKCS7 contentInfo and check if the signature matches
+ *      a passed-in digest (calculated, supposedly, from detached contents).
+ *      The verification checks that the signing cert is valid and trusted
+ *      for the purpose specified by "certusage" at time "atTime".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ */
+PRBool
+SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
+				       SECCertUsage certusage,
+				       const SECItem *detached_digest,
+				       HASH_HashType digest_type,
+				       PRBool keepcerts,
+				       PRTime atTime)
+{
+    return sec_pkcs7_verify_signature (cinfo, certusage,
+				       detached_digest, digest_type,
+				       keepcerts, &atTime);
+}
 
 /*
  * Return the asked-for portion of the name of the signer of a PKCS7
@@ -1844,7 +1869,7 @@
 	 * some valid usage to pass in.
 	 */
 	(void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner,
-					   NULL, HASH_AlgNULL, PR_FALSE);
+					   NULL, HASH_AlgNULL, PR_FALSE, 0);
 	signercert = signerinfos[0]->cert;
 	if (signercert == NULL)
 	    return NULL;