From 7292dd3723289429e6a6419f8267c0d41e199e86 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Mon, 18 Oct 2010 15:54:32 -0700
Subject: [PATCH] - Fix certificates trust order (#643134) - Apply nss-sysinit-userdb-first.patch last
---
 nss-sysinit-userdb-first.patch | 51 +++++++++++++++++++++-------------
 nss.spec | 12 ++++++--
 2 files changed, 41 insertions(+), 22 deletions(-)

diff --git a/nss-sysinit-userdb-first.patch b/nss-sysinit-userdb-first.patch
index cbfbb9a..f3ea0ab 100755
--- a/nss-sysinit-userdb-first.patch
+++ b/nss-sysinit-userdb-first.patch
@@ -1,19 +1,20 @@
-diff -up ./mozilla/security/nss/lib/sysinit/nsssysinit.c.orig ./mozilla/security/nss/lib/sysinit/nsssysinit.c
---- ./mozilla/security/nss/lib/sysinit/nsssysinit.c.orig 2010-06-17 09:17:30.732643399 -0700
-+++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-06-17 09:20:22.691642397 -0700
-@@ -263,9 +263,18 @@ get_list(char *filename, char *stripped_
+diff -up ./mozilla/security/nss/lib/sysinit/nsssysinit.c.603313 ./mozilla/security/nss/lib/sysinit/nsssysinit.c
+--- ./mozilla/security/nss/lib/sysinit/nsssysinit.c.603313 2010-10-15 13:57:42.719738316 -0700
++++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-10-15 14:07:51.704637349 -0700
+@@ -263,16 +263,26 @@ get_list(char *filename, char *stripped_
  sysdb = getSystemDB();
  userdb = getUserDB();
  
 - /* Don't open root's user DB */
-+ /* return a list of databases to open. First the system database. */
++ /* return a list of databases to open. First the system database */
 + if (sysdb) {
-+ const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
-+ module_list[next++] = PR_smprintf(
-+ "library= "
-+ "module=\"NSS system database\" "
-+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
-+ "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
++ const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
++ module_list[next++] = PR_smprintf(
++ "library= "
++ "module=\"NSS system database\" "
++ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
++ "NSS=\"trustOrder=80 %sflags=internal,critical\"",
++ sysdb, readonly, nssflags);
 + }
 +
 + /* Next the user database, but not for root. */
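Review bot: The new `trustOrder=80` on the system-database module spec only makes sense together with the `trustOrder=75` on the user database in the next hunk, yet neither string carries a comment saying which database is supposed to win, so the next edit to either literal can silently invert the fix for #643134. A short comment above the system-database `PR_smprintf` call, e.g. `/* trustOrder 80 here vs. 75 on the user DB: the user's own trust settings are meant to take precedence (#643134) */`, would pin the intent; if NSS consults the lower value first, as the chosen numbers suggest, state that explicitly rather than leave it implied. The enclosing get_list() starts and ends outside this hunk.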
@@ -22,10 +23,23 @@ diff -up ./mozilla/security/nss/lib/sysinit/nsssysinit.c.orig ./mozilla/security
  module_list[next++] = PR_smprintf(
  "library= "
  "module=\"NSS User database\" "
-@@ -284,40 +293,6 @@ get_list(char *filename, char *stripped_
- userdb, stripped_parameters);
- }
+ "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
+- "NSS=\"trustOrder=75 %sflags=internal%s\"",
+- userdb, stripped_parameters, nssflags,
+- isFIPS ? ",FIPS" : "");
++ "NSS=\"trustOrder=75 %sflags=internal%s\"",
++ userdb, stripped_parameters, nssflags,
++ isFIPS ? ",FIPS" : "");
+ /* now open the user's defined PKCS #11 modules */
+ /* skip the local user DB entry */
+@@ -281,41 +291,7 @@ get_list(char *filename, char *stripped_
+ "module=\"NSS User database\" "
+ "parameters=\"configdir='sql:%s' %s\" "
+ "NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"",
+- userdb, stripped_parameters);
+- }
+-
 -#if 0
 - /* This doesn't actually work. If we register
 - both this and the sysdb (in either order)
@@ -57,9 +71,8 @@ diff -up ./mozilla/security/nss/lib/sysinit/nsssysinit.c.orig ./mozilla/security
 - "library= "
 - "module=\"NSS system database\" "
 - "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
-- "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
-- }
--
- /* that was the last module */
- module_list[next] = 0;
+- "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags);
++ userdb, stripped_parameters);
+ }
+ /* that was the last module */
diff --git a/nss.spec b/nss.spec
index a200433..d163044 100644
--- a/nss.spec
+++ b/nss.spec
@@ -6,7 +6,7 @@
 Summary: Network Security Services
 Name: nss
 Version: 3.12.8
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -42,9 +42,10 @@ Source12: %{name}-pem-20100809.tar.bz2
 Patch3: renegotiate-transitional.patch
 Patch6: nss-enable-pem.patch
 Patch7: nsspem-596674.patch
-Patch8: nss-sysinit-userdb-first.patch
 Patch9: 0001-Add-support-for-PKCS-8-encoded-private-keys.patch
 Patch10: 0001-Do-not-define-SEC_SkipTemplate.patch
+Patch11: nss-sysinit-fix-trustorder.patch
+Patch12: nss-sysinit-userdb-first.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -116,9 +117,10 @@ low level services.
 %patch3 -p0 -b .transitional
 %patch6 -p0 -b .libpem
 %patch7 -p0 -b .596674
-%patch8 -p0 -b .603313
 %patch9 -p1 -b .pkcs8privatekey
 %patch10 -p1 -b .noskiptemplate
+%patch11 -p1 -b .643134
+%patch12 -p0 -b .603313
 
 %build
 
@@ -490,6 +492,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 %{_libdir}/libnssckfw.a
 
 %changelog
+* Wed Oct 18 2010 Elio Maldonado - 3.12.8-6
+- Fix certificates trust order (#643134)
+- Apply nss-sysinit-userdb-first.patch last
+
 * Wed Oct 06 2010 Elio Maldonado - 3.12.8-5
 - Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248)
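Review bot: `Patch11: nss-sysinit-fix-trustorder.patch` refers to a file this commit does not add — the diffstat lists only nss-sysinit-userdb-first.patch and nss.spec — so `%patch11 -p1 -b .643134` in the second hunk will stop %prep unless that patch was committed separately. The two patches now touch the same nsssysinit.c, with Patch12 rebased on top of Patch11 (its rewritten header names `nsssysinit.c.603313`, the backup suffix used by %patch12), and that ordering dependency is not recorded anywhere in the spec. A comment above the Patch11 line, e.g. `# Patch12 is generated against a tree with Patch11 applied; keep this order`, would protect the next rebase.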