When searching a trust domain (set of tokens) for certs, NSS first puts all matching certs from the cache into a collection. Then, each matching cert instance from a token is added to the collection. When multiple instances of the same cert are detected, NSS forces a refresh of the CERTCertificate. However, this also occurs when the same instance of a cached cert is detected. There is no need to refresh in this case, as we have just located the cached instance we already knew about. This has a side effect of not allowing the value of cert->trust to be set temporarily, as the refresh constantly overwrites that value.
This patch makes it so that the trust is preserved, but I'm seeing *tons* of run time asserts in PR_Calloc and PR_Free calls which leads me to believe something funky may be happening with memory allocation/freeing as a result of this patch.
Created attachment 110774 [details] [diff] [review] rev 2 That's what you get for asking for a patch late on Friday afternoon :) There was something very obviously wrong with the last patch that I didn't see before. This patch implements the same idea, but (hopefully) correctly. I don't have a test case though.
Comment on attachment 110774 [details] [diff] [review] rev 2 r=wtc. It seems clearer to rename the 'foundIt' parameter 'newInstance' (and reverse the true/false sense) or 'alreadyInCollection'. Javi, could you test this patch? Bob, could you review this patch, too?
the latest patch preserves the trust bits without throwing up all those Assertions from within the memory allocator module.
Comment on attachment 110774 [details] [diff] [review] rev 2 It looks OK, though I would like to make sure it doesn't break smart cards before we officially bless it.
I just tested Ian's patch with a smart card with Bob looking over my shoulder. Ian, please go ahead and check in your patch on the trunk. After it passes QA on all platforms, we will check it in on the NSS_3_7_BRANCH.
Patch rev 2 checked into the tip and NSS_3_7_BRANCH of NSS.