- Update expired test certificates (fixed in upstream bug 852781)

- Add upstream patch to fix rhbz#872761

.gitignore

@@ -4,6 +4,9 @@ blank-secmod.db
 blank-cert9.db
 blank-key4.db
 PayPalEE.cert
+TestCA.ca.cert
+TestUser50.cert
+TestUser51.cert
 /nss-pem-20120811.tar.bz2
 /dummy-sources-for-testing
 /nss-3.14.3-stripped.tar.bz2

nss-872761.patch

@@ -0,0 +1,58 @@
+Index: mozilla/security/nss/cmd/lib/secutil.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v
+retrieving revision 1.126
+diff -u -u -r1.126 secutil.c
+--- mozilla/security/nss/cmd/lib/secutil.c	7 Jan 2013 04:11:49 -0000	1.126
++++ mozilla/security/nss/cmd/lib/secutil.c	19 Apr 2013 22:43:02 -0000
+@@ -504,6 +504,8 @@
+ 
+ 	/* Read in ascii data */
+ 	rv = SECU_FileToItem(&filedata, inFile);
++	if (rv != SECSuccess)
++	    return rv;
+ 	asc = (char *)filedata.data;
+ 	if (!asc) {
+ 	    fprintf(stderr, "unable to read data from input file\n");
+@@ -519,20 +521,28 @@
+ 		body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
+ 	    if (body)
+ 		trailer = strstr(++body, "-----END");
+-	    if (trailer != NULL) {
++	    if (trailer != NULL)
+ 		*trailer = '\0';
+-	    } else {
++	    if (!body || !trailer) {
+ 		fprintf(stderr, "input has header but no trailer\n");
+ 		PORT_Free(filedata.data);
+ 		return SECFailure;
+ 	    }
+ 	} else {
+-	    body = asc;
++	    /* need one additional byte for zero terminator */
++	    rv = SECITEM_ReallocItem(NULL, &filedata, filedata.len, filedata.len+1);
++	    if (rv != SECSuccess) {
++		PORT_Free(filedata.data);
++		return rv;
++	    }
++	    filedata.len = filedata.len+1;
++	    body = (char*)filedata.data;
++	    body[filedata.len-1] = '\0';
+ 	}
+      
+ 	/* Convert to binary */
+ 	rv = ATOB_ConvertAsciiToItem(der, body);
+-	if (rv) {
++	if (rv != SECSuccess) {
+ 	    fprintf(stderr, "error converting ascii to binary (%s)\n",
+ 		    SECU_Strerror(PORT_GetError()));
+ 	    PORT_Free(filedata.data);
+@@ -543,7 +553,7 @@
+     } else {
+ 	/* Read in binary der */
+ 	rv = SECU_FileToItem(der, inFile);
+-	if (rv) {
++	if (rv != SECSuccess) {
+ 	    fprintf(stderr, "error converting der (%s)\n", 
+ 		    SECU_Strerror(PORT_GetError()));
+ 	    return SECFailure;

nss.spec

@@ -11,7 +11,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.14.3
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -61,12 +61,16 @@ Source8:          system-pkcs11.txt
 Source9:          setup-nsssysinit.sh
 Source10:         PayPalEE.cert
 Source12:         %{name}-pem-20120811.tar.bz2
+Source17:         TestCA.ca.cert
+Source18:         TestUser50.cert
+Source19:         TestUser51.cert
 
 Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
 Patch6:           nss-enable-pem.patch
 Patch16:          nss-539183.patch
 Patch18:          nss-646045.patch
+Patch19:          nss-872761.patch
 # must statically link pem against the freebl in the buildroot
 # Needed only when freebl on tree has new APIS
 Patch25:          nsspem-use-system-freebl.patch
@@ -150,6 +154,9 @@ low level services.
 %prep
 %setup -q
 %{__cp} %{SOURCE10} -f ./mozilla/security/nss/tests/libpkix/certs
+%{__cp} %{SOURCE17} -f ./mozilla/security/nss/tests/libpkix/certs
+%{__cp} %{SOURCE18} -f ./mozilla/security/nss/tests/libpkix/certs
+%{__cp} %{SOURCE19} -f ./mozilla/security/nss/tests/libpkix/certs
 %setup -q -T -D -n %{name}-%{version} -a 12
 
 %patch2 -p0 -b .relro
@@ -157,10 +164,11 @@ low level services.
 %patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
 %patch18 -p0 -b .646045
+%patch19 -p0 -b .872761
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
 # activate for stable and beta branches
-#%patch29 -p0 -b .cbcrandomivoff
+%patch29 -p0 -b .cbcrandomivoff
 %patch39 -p1 -b .nobypass
 %patch40 -p1 -b .noocsptest
 %patch43 -p0 -b .nosoftokentests
@@ -611,6 +619,10 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 
 
 %changelog
+* Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 3.14.3-2
+- Add upstream patch to fix rhbz#872761
+- Update expired test certificates (fixed in upstream bug 852781)
+
 * Fri Feb 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-1
 - Update to NSS_3_14_3_RTM
 - sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
@@ -643,31 +655,29 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 - Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it
 - Install nssck.api in /usr/includes/nss3
 
-* Mon Nov 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-10
+* Mon Nov 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-7
 - Bug 870864 - Add support in NSS for Secure Boot
 
-* Sat Nov 10 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-9
+* Fri Nov 09 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-6
 - Disable bypass code at build time and return failure on attempts to enable at runtime
 - Bug 806588 - Disable SSL PKCS #11 bypass at build time
+- Fix changelog release tags to match what was actually built
 
-* Sun Nov 04 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-8
+* Mon Nov 05 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-5
 - Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
 - Bug 872124 - nss-3.14 breaks fedpkg new-sources
-- Fix should be considered preliminary since the patch may change upon upstream approval
- 
-* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-7
+
+* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-4
 - Add a dummy source file for testing /preventing fedpkg breakage
 - Helps test the fedpkg new-sources and upload commands for breakage by nss updates
 - Related to Bug 872124 - nss 3.14 breaks fedpkg new-sources
 
-* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-6
-- Fix a previous unwanted merge from f18
-- Update the SS_SSL_CBC_RANDOM_IV patch to match new sources while
-- Keeping the patch disabled while we are still in rawhide and
-- State in comment that patch is needed for both stable and beta branches
-- Update .gitignore to download only the new sources
+* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-3
+- Reenable patch to set NSS_SSL_CBC_RANDOM_IV to 1 by default
+- Update the patch to account for the new sources
+- Resolves Bug 872124 - nss 3.14 breaks fedpkg new-sources
 
-* Wed Oct 31 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-5
+* Wed Oct 31 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-2
 - Fix the spec file so sechash.h gets installed
 - Resolves: rhbz#871882 - missing header: sechash.h in nss 3.14
 
@@ -694,36 +704,24 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 * Fri Oct 05 2012 Kai Engert <kaie@redhat.com> - 3.13.6-1
 - Update to NSS_3_13_6_RTM
 
-* Mon Aug 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-8
+* Fri Aug 31 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-8
 - Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3
 - Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
 - Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer 
 - Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix
+- Selective merge from master
 
 * Mon Aug 13 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-7
 - Fix pluggable ecc support
 
-* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.5-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
-
-* Sun Jul 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-5
-- Fix checkin comment to prevent unwanted expansions of percents
-
-* Sun Jul 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-4
+* Sun Jul 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-1
+- Update to NSS_3_13_5_RTM
 - Resolves: Bug 830410 - Missing Requires %%{?_isa}
 - Use Requires: %%{name}%%{?_isa} = %%{version}-%%{release} on tools
 - Drop zlib requires which rpmlint reports as error E: explicit-lib-dependency zlib
 - Enable sha224 portion of powerup selftest when running test suites
 - Require nspr 4.9.1
-
-* Wed Jun 20 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-3
-- Resolves: rhbz#833529 - revert unwanted change to nss.pc.in
-
-* Tue Jun 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-2
-- Resolves: rhbz#833529 - Remove unwanted space from the Libs: line on nss.pc.in
-
-* Mon Jun 18 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-1
-- Update to NSS_3_13_5_RTM
+- Selective merge from master
 
 * Fri Apr 13 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-3
 - Resolves: Bug 812423 - nss_Init leaks memory, fix from RHEL 6.3

sources

@@ -3,7 +3,10 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-bf47cecad861efa77d1488ad4a73cb5b  PayPalEE.cert
+838b7b6e0c3563059f6e77d149666448  PayPalEE.cert
+f998b70c1be25e8bb9f5fdb5d50eb6f2  TestCA.ca.cert
+1b7b6808cd77d5df29bf5bb9e5fac967  TestUser50.cert
+ab0b56dd505a995425c03e5266f7c8d6  TestUser51.cert
 2a06bf7b815d1a666cc3587b895506ce  nss-pem-20120811.tar.bz2
 0be54f196b5da7e9008eb13a71bc2cb0  dummy-sources-for-testing
 43be35fcc852361748b59ba8ecd2e239  nss-3.14.3-stripped.tar.bz2