core/nss to 3.47.1-4

core/nss/PKGBUILD

@@ -8,7 +8,7 @@
 pkgbase=nss
 pkgname=(nss ca-certificates-mozilla)
 pkgver=3.47.1
-pkgrel=1
+pkgrel=4
 pkgdesc="Network Security Services"
 url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
 arch=(x86_64)
@@ -17,9 +17,11 @@ _nsprver=4.20
 depends=("nspr>=${_nsprver}" sqlite zlib sh p11-kit)
 makedepends=(perl python gyp)
 source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"
+        nss-3.47-certdb-temp-cert.patch
         certdata2pem.py bundle.sh
         0001-Remove-ARM-AES-from-freebl-gyp.patch)
 sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb'
+            'd2a0631328883bdee211d02f0748c97d72ef1462f28415e85efcfb0a6d066dd3'
             '0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0'
             '3bfadf722da6773bdabdd25bdf78158648043d1b7e57615574f189a88ca865dd'
             '8372d34fdeeebd23e1daa7ee1f67510f050cba30c884f81e067dba46f94d1dcf')
@@ -31,6 +33,9 @@ prepare() {
   ln -sr nss/lib/ckfw/builtins/certdata.txt ../certs/
   ln -sr nss/lib/ckfw/builtins/nssckbi.h ../certs/
 
+  # https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
+  patch -d nss -Np1 < ../nss-3.47-certdb-temp-cert.patch
+
   if [[ $CARCH != "aarch64" ]]; then
     patch -p1 -d nss -i $srcdir/0001-Remove-ARM-AES-from-freebl-gyp.patch
   fi

core/nss/nss-3.47-certdb-temp-cert.patch

@@ -0,0 +1,64 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1575381287 -3600
+#      Tue Dec 03 14:54:47 2019 +0100
+# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe
+# Parent  d64102b76a437f24d98a20480dcc9f1655143e7c
+Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
+
+Summary:
+When a builtin root module is loaded after some temp certs being
+loaded, our certificate lookup logic preferred those temp certs over
+perm certs stored on the root module.  This was a problem because such
+temp certs are usually not accompanied with trust information.
+
+This makes the certificate lookup logic capable of handling such
+situations by checking if the trust information is attached to temp
+certs and otherwise falling back to perm certs.
+
+Reviewers: rrelyea, keeler
+
+Reviewed By: rrelyea
+
+Subscribers: reviewbot, heftig
+
+Bug #: 1593167
+
+Differential Revision: https://phabricator.services.mozilla.com/D54726
+
+diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
+--- a/lib/pki/pki3hack.c
++++ b/lib/pki/pki3hack.c
+@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate *
+     }
+     if (!cc->nssCertificate || forceUpdate) {
+         fill_CERTCertificateFields(c, cc, forceUpdate);
+-    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
+-               !c->object.cryptoContext) {
+-        /* if it's a perm cert, it might have been stored before the
+-         * trust, so look for the trust again.  But a temp cert can be
+-         * ignored.
+-         */
+-        CERTCertTrust *trust = NULL;
+-        trust = nssTrust_GetCERTCertTrustForCert(c, cc);
++    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
++        CERTCertTrust *trust;
++        if (!c->object.cryptoContext) {
++            /* If it's a perm cert, it might have been stored before the
++             * trust, so look for the trust again.
++             */
++            trust = nssTrust_GetCERTCertTrustForCert(c, cc);
++        } else {
++            /* If it's a temp cert, it might have been stored before
++             * the builtin module is loaded, so look for the trust
++             * again, but not set the empty trust if not found.
++             */
++            NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
++            if (!t) {
++                goto loser;
++            }
++            trust = cert_trust_from_stan_trust(t, cc->arena);
++        }
+ 
+         CERT_LockCertTrust(cc);
+         cc->trust = trust;