xmlsecurity-build-with-nss-3.12.0.diff: Support older system nss

2 files changed, 25 insertions, 8 deletions

diff --git a/xmlsecurity/source/xmlsec/nss/certerrors.h b/xmlsecurity/source/xmlsec/nss/certerrors.h
index 9b9801f21f59..7fc37474116c 100644
--- a/xmlsecurity/source/xmlsec/nss/certerrors.h
+++ b/xmlsecurity/source/xmlsec/nss/certerrors.h
@@ -28,7 +28,6 @@
  *
  ************************************************************************/
 
-
 {SEC_ERROR_IO, "An I/O error occurred during security authorization."},
 
 {SEC_ERROR_LIBRARY_FAILURE, "security library failure."},
@@ -372,13 +371,24 @@ an existing cert, but that is not the same cert."},
 
 {SEC_ERROR_LIBPKIX_INTERNAL, "Libpkix internal error occured during cert validation."},
 
+#if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 2 )
+// following 3 errors got first used in NSS 3.12.3
+// they were in the header even in 3.12.2 but there was missing the mapping in pk11err.c
+// see also https://bugzilla.mozilla.org/show_bug.cgi?id=453364
+
 {SEC_ERROR_PKCS11_GENERAL_ERROR, "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred."},
 
 {SEC_ERROR_PKCS11_FUNCTION_FAILED, "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed.  Trying the same operation again might succeed."},
 
 {SEC_ERROR_PKCS11_DEVICE_ERROR, "A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot."},
 
+#endif
+
+#if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 3 )
+// following 2 errors got added in NSS 3.12.4
+
 {SEC_ERROR_BAD_INFO_ACCESS_METHOD, "Unknown information access method in certificate extension."},
 
 {SEC_ERROR_CRL_IMPORT_FAILED, "Error attempting to import a CRL."},
 
+#endif
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
index 9458424afa7c..3bd03822cdc0 100644
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
@@ -830,9 +830,14 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert,
         CERT_DisableOCSPDefaultResponder(certDb);
         CERTValOutParam cvout[5];
         CERTValInParam cvin[3];
+        int ncvinCount=0;
 
-        cvin[0].type = cert_pi_useAIACertFetch;
-        cvin[0].value.scalar.b = PR_TRUE;
+#if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 0 )
+        // cert_pi_useAIACertFetch was added in NSS 3.12.1
+        cvin[ncvinCount].type = cert_pi_useAIACertFetch;
+        cvin[ncvinCount].value.scalar.b = PR_TRUE;
+        ncvinCount++;
+#endif
 
         PRUint64 revFlagsLeaf[2];
         PRUint64 revFlagsChain[2];
@@ -879,12 +884,14 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert,
 //            | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
 
 
-        cvin[1].type = cert_pi_revocationFlags;
-        cvin[1].value.pointer.revocation = &rev;
+        cvin[ncvinCount].type = cert_pi_revocationFlags;
+        cvin[ncvinCount].value.pointer.revocation = &rev;
+        ncvinCount++;
         // does not work, not implemented yet in 3.12.4
-//         cvin[2].type = cert_pi_keyusage;
-//         cvin[2].value.scalar.ui = KU_DIGITAL_SIGNATURE;
-        cvin[2].type = cert_pi_end;
+//         cvin[ncvinCount].type = cert_pi_keyusage;
+//         cvin[ncvinCount].value.scalar.ui = KU_DIGITAL_SIGNATURE;
+//         ncvinCount++;
+        cvin[ncvinCount].type = cert_pi_end;
 
         cvout[0].type = cert_po_trustAnchor;
         cvout[0].value.pointer.cert = NULL;