Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value

nss-3.47-certdb-temp-cert.patch

@@ -1,7 +1,35 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1575381287 -3600
+#      Tue Dec 03 14:54:47 2019 +0100
+# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe
+# Parent  d64102b76a437f24d98a20480dcc9f1655143e7c
+Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
+
+Summary:
+When a builtin root module is loaded after some temp certs being
+loaded, our certificate lookup logic preferred those temp certs over
+perm certs stored on the root module.  This was a problem because such
+temp certs are usually not accompanied with trust information.
+
+This makes the certificate lookup logic capable of handling such
+situations by checking if the trust information is attached to temp
+certs and otherwise falling back to perm certs.
+
+Reviewers: rrelyea, keeler
+
+Reviewed By: rrelyea
+
+Subscribers: reviewbot, heftig
+
+Bug #: 1593167
+
+Differential Revision: https://phabricator.services.mozilla.com/D54726
+
 diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
 --- a/lib/pki/pki3hack.c
 +++ b/lib/pki/pki3hack.c
-@@ -921,11 +921,11 @@
+@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate *
      }
      if (!cc->nssCertificate || forceUpdate) {
          fill_CERTCertificateFields(c, cc, forceUpdate);
@@ -10,12 +38,27 @@ diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
 -        /* if it's a perm cert, it might have been stored before the
 -         * trust, so look for the trust again.  But a temp cert can be
 -         * ignored.
+-         */
+-        CERTCertTrust *trust = NULL;
+-        trust = nssTrust_GetCERTCertTrustForCert(c, cc);
 +    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
-+        /* If it's a perm cert, it might have been stored before the
-+         * trust, so look for the trust again. If it's a temp cert, it
-+         * might have been stored before the builtin module is loaded,
-+         * so still need to look for the trust again.
-          */
-         CERTCertTrust *trust = NULL;
-         trust = nssTrust_GetCERTCertTrustForCert(c, cc);
-
++        CERTCertTrust *trust;
++        if (!c->object.cryptoContext) {
++            /* If it's a perm cert, it might have been stored before the
++             * trust, so look for the trust again.
++             */
++            trust = nssTrust_GetCERTCertTrustForCert(c, cc);
++        } else {
++            /* If it's a temp cert, it might have been stored before
++             * the builtin module is loaded, so look for the trust
++             * again, but not set the empty trust if not found.
++             */
++            NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
++            if (!t) {
++                goto loser;
++            }
++            trust = cert_trust_from_stan_trust(t, cc->arena);
++        }
+ 
+         CERT_LockCertTrust(cc);
+         cc->trust = trust;

nss.spec

@@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          3%{?dist}
+Release:          4%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -874,6 +874,9 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-4
+- Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value
+
 * Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-3
 - Update nss-3.47-certdb-temp-cert.patch to the final version