From 275a8ac0ed27d2b079f75b28e9b7d1b96168982b Mon Sep 17 00:00:00 2001
From: Bob Relyea <rrelyea@redhat.com>
Date: Mon, 7 Feb 2022 09:36:14 -0800
Subject: [PATCH] Rebase to NSS 3.75

---
 .gitignore                    |  1 +
 nss-fix-PayPal-upstream.patch | 42 +++++++++++++++++++++++++++++++++++
 nss.spec                      | 10 +++++++--
 sources                       |  2 +-
 4 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 nss-fix-PayPal-upstream.patch

diff --git a/.gitignore b/.gitignore
index 60d4d3e..086a490 100644
--- a/.gitignore
+++ b/.gitignore
@@ -68,3 +68,4 @@ TestUser51.cert
 /nspr-4.32.tar.gz
 /nss-3.71.tar.gz
 /nss-3.73.tar.gz
+/nss-3.75.tar.gz
diff --git a/nss-fix-PayPal-upstream.patch b/nss-fix-PayPal-upstream.patch
new file mode 100644
index 0000000..71e78cb
--- /dev/null
+++ b/nss-fix-PayPal-upstream.patch
@@ -0,0 +1,42 @@
+diff --git a/tests/chains/chains.sh b/tests/chains/chains.sh
+--- a/tests/chains/chains.sh
++++ b/tests/chains/chains.sh
+@@ -917,7 +917,7 @@
+     done
+ 
+     VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+-    VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
++    VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${VFY_TIME_OPT} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+ 
+     TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
+     echo "${SCRIPTNAME}: ${TESTNAME}"
+@@ -1118,6 +1118,7 @@
+             ;;
+         "verify")
+             VERIFY="${VALUE}"
++            VFY_TIME_OPT=
+             TRUST=
+             TRUST_AND_DB=
+             POLICY=
+@@ -1126,6 +1127,9 @@
+             REV_OPTS=
+             USAGE_OPT=
+             ;;
++        "at_time")
++            VFY_TIME_OPT="-b ${VALUE}"
++            ;;
+         "cert")
+             VERIFY="${VERIFY} ${VALUE}"
+             ;;
+diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
+--- a/tests/chains/scenarios/realcerts.cfg
++++ b/tests/chains/scenarios/realcerts.cfg
+@@ -22,6 +22,7 @@
+ 
+ verify PayPalEE:x
+   policy OID.2.16.840.1.114412.2.1 
++  at_time 2201010000Z
+   result pass
+ 
+ verify BrAirWaysBadSig:x
+
diff --git a/nss.spec b/nss.spec
index 8cd76cf..84d2c44 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,5 +1,5 @@
 %global nspr_version 4.32.0
-%global nss_version 3.73.0
+%global nss_version 3.75.0
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
@@ -7,7 +7,7 @@
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
-%global nspr_release %[%baserelease+3]
+%global nspr_release %[%baserelease+4]
 # only need to update this as we added new
 # algorithms under nss policy control
 %global crypto_policies_version 20210118
@@ -132,6 +132,8 @@ Patch4:           iquote.patch
 Patch12:          nss-signtool-format.patch
 # fedora disabled dbm by default
 Patch40:          nss-no-dbm-man-page.patch
+# fix PayPal issue
+Patch45:          nss-fix-PayPal-upstream.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -1059,6 +1061,10 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Mon Feb 7 2022 Bob Relyea <rrelyea@redhat.com> - 3.75.0-1
+- Update to 3.75
+- fix PayPal expiration issue
+
 * Wed Dec 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.73.0-1
 - Update to 3.73
 - includes CVE 2021-43527
diff --git a/sources b/sources
index b87949a..9f55f36 100644
--- a/sources
+++ b/sources
@@ -3,5 +3,5 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.73.tar.gz) = 84b6e4ce8838f77674a5587cd227fa103c80f1b36c8bfb9b60a175157f131e59153c79ee77b29feffa57f49b217a90a8a091ee368eb0bc03312894e386a4c01b
+SHA512 (nss-3.75.tar.gz) = 0ad42f663b48649d7d16dc8b8956d2971a9566c0f7f655dd0609b94877f400977e5ad693f2eb44e1e277e55d1669294f07b3ba7a32573d3d72837b3944adf86d
 SHA512 (nspr-4.32.tar.gz) = da9b65b374783d20a2e589211b411816d899e296e91175d376e59df1919144c1808c155a234d6ceefdf7b8ae8f47cec98d92a5aa3150a579513251860e50dcb7