Blame SOURCES/esc-1.1.0-fix6.patch

9ccdfb
--- ./esc/src/lib/NssHttpClient/engine.h.fix6	2009-06-19 16:07:39.000000000 -0700
9ccdfb
+++ ./esc/src/lib/NssHttpClient/engine.h	2009-06-19 16:07:44.000000000 -0700
9ccdfb
@@ -22,9 +22,17 @@
9ccdfb
 #include "response.h"
9ccdfb
 #include "request.h"
9ccdfb
 
9ccdfb
+struct BadCertData {
9ccdfb
+ PRErrorCode error;
9ccdfb
+ PRInt32 port;
9ccdfb
+};
9ccdfb
+
9ccdfb
+typedef struct BadCertData BadCertData;
9ccdfb
+
9ccdfb
+
9ccdfb
 class __EXPORT Engine {
9ccdfb
     public:
9ccdfb
-        Engine() {};
9ccdfb
+        Engine() { _certData = NULL; _sock=NULL;};
9ccdfb
         ~Engine() {};
9ccdfb
 
9ccdfb
         PRFileDesc *_doConnect(PRNetAddr *addr, PRBool SSLOn = PR_FALSE,
9ccdfb
@@ -37,7 +45,8 @@
9ccdfb
         static PRIntervalTime globaltimeout;
9ccdfb
 
9ccdfb
         PRFileDesc *_sock;
9ccdfb
-
9ccdfb
+        BadCertData *_certData;
9ccdfb
+        BadCertData *getBadCertData() { return _certData;}
9ccdfb
         PRFileDesc *getSocket() { return _sock;}
9ccdfb
 
9ccdfb
         bool connectionClosed ;
9ccdfb
--- ./esc/src/lib/NssHttpClient/engine.cpp.fix6	2009-06-19 16:07:12.000000000 -0700
9ccdfb
+++ ./esc/src/lib/NssHttpClient/engine.cpp	2009-06-19 16:07:29.000000000 -0700
9ccdfb
@@ -16,6 +16,8 @@
9ccdfb
  * All rights reserved.
9ccdfb
  * END COPYRIGHT BLOCK **/
9ccdfb
 
9ccdfb
+#define FORCE_PR_LOG 1
9ccdfb
+
9ccdfb
 #include <nspr.h>
9ccdfb
 #include "sslproto.h"
9ccdfb
 #include <prerror.h>
9ccdfb
@@ -27,7 +29,7 @@
9ccdfb
 #include "certt.h"
9ccdfb
 #include "sslerr.h"
9ccdfb
 #include "secerr.h"
9ccdfb
-
9ccdfb
+#include "CoolKey.h"
9ccdfb
 #include "engine.h"
9ccdfb
 #include "http.h"
9ccdfb
 
9ccdfb
@@ -39,6 +41,9 @@
9ccdfb
 int cipherCount = 0;
9ccdfb
 int _doVerifyServerCert = 1;
9ccdfb
 
9ccdfb
+PRLogModuleInfo *httpEngineLog = PR_NewLogModule("coolKeyHttpEngine");
9ccdfb
+
9ccdfb
+
9ccdfb
 PRIntervalTime Engine::globaltimeout = PR_TicksPerSecond()*30;
9ccdfb
 
9ccdfb
 /**
9ccdfb
@@ -56,13 +61,26 @@
9ccdfb
     SECStatus    secStatus = SECFailure;
9ccdfb
     PRErrorCode    err;
9ccdfb
 
9ccdfb
+    char tBuff[56];
9ccdfb
+
9ccdfb
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
9ccdfb
+                          ("%s myBadCertHandler enter. \n",GetTStamp(tBuff,56)));
9ccdfb
+
9ccdfb
     /* log invalid cert here */
9ccdfb
 
9ccdfb
     if ( !arg ) {
9ccdfb
         return secStatus;
9ccdfb
     }
9ccdfb
 
9ccdfb
-    *(PRErrorCode *)arg = err = PORT_GetError();
9ccdfb
+    err = PORT_GetError();
9ccdfb
+
9ccdfb
+    BadCertData *data = (BadCertData *) arg;
9ccdfb
+    if(data) {
9ccdfb
+        data->error = err;
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
9ccdfb
+                          ("%s myBadCertHandler err: %d .  \n",GetTStamp(tBuff,56),err));
9ccdfb
 
9ccdfb
     /* If any of the cases in the switch are met, then we will proceed   */
9ccdfb
     /* with the processing of the request anyway. Otherwise, the default */    
9ccdfb
@@ -91,6 +109,10 @@
9ccdfb
     break;
9ccdfb
     }
9ccdfb
 
9ccdfb
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
9ccdfb
+                          ("%s myBadCertHandler status: %d .  \n",GetTStamp(tBuff,56),secStatus));
9ccdfb
+
9ccdfb
+
9ccdfb
     return secStatus;
9ccdfb
 }
9ccdfb
 
9ccdfb
@@ -416,7 +438,6 @@
9ccdfb
     return;
9ccdfb
 }
9ccdfb
 
9ccdfb
-
9ccdfb
 void Engine::CloseConnection()
9ccdfb
 {
9ccdfb
     connectionClosed = true;
9ccdfb
@@ -426,7 +447,14 @@
9ccdfb
         PR_Close(_sock);
9ccdfb
         _sock = NULL;
9ccdfb
     }
9ccdfb
+
9ccdfb
+    if(_certData)
9ccdfb
+    {
9ccdfb
+        delete _certData;
9ccdfb
+        _certData = NULL;
9ccdfb
+    }
9ccdfb
 }
9ccdfb
+
9ccdfb
 /**
9ccdfb
  * Returns a file descriptor for I/O if the HTTP connection is successful
9ccdfb
  * @param addr PRnetAddr structure which points to the server to connect to
9ccdfb
@@ -442,21 +470,19 @@
9ccdfb
     PRFileDesc *tcpsock = NULL;
9ccdfb
     PRFileDesc *sock = NULL;
9ccdfb
     connectionClosed = false;
9ccdfb
+    _certData = new BadCertData();
9ccdfb
 
9ccdfb
     tcpsock = PR_OpenTCPSocket(addr->raw.family);
9ccdfb
-   
9ccdfb
 
9ccdfb
     if (!tcpsock) {
9ccdfb
-
9ccdfb
         return NULL;
9ccdfb
     }
9ccdfb
 
9ccdfb
     nodelay(tcpsock);
9ccdfb
 
9ccdfb
     if (PR_TRUE == SSLOn) {
9ccdfb
-        sock=SSL_ImportFD(NULL, tcpsock);
9ccdfb
-
9ccdfb
 
9ccdfb
+        sock=SSL_ImportFD(NULL, tcpsock);
9ccdfb
         if (!sock) {
9ccdfb
             //xxx log
9ccdfb
             if( tcpsock != NULL ) {
9ccdfb
@@ -516,9 +542,23 @@
9ccdfb
 
9ccdfb
         PRErrorCode errCode = 0;
9ccdfb
 
9ccdfb
-        rv = SSL_BadCertHook( sock,
9ccdfb
+        if(_certData) {
9ccdfb
+            _certData->error = errCode;
9ccdfb
+            _certData->port  = PR_ntohs(PR_NetAddrInetPort(addr));
9ccdfb
+        }
9ccdfb
+
9ccdfb
+        CoolKeyBadCertHandler overriddenHandler =  CoolKeyGetBadCertHandler();
9ccdfb
+
9ccdfb
+        if(overriddenHandler)  {
9ccdfb
+            rv = SSL_BadCertHook( sock,
9ccdfb
+                              (SSLBadCertHandler)overriddenHandler,
9ccdfb
+                               (void *)_certData);
9ccdfb
+        } else {
9ccdfb
+            rv = SSL_BadCertHook( sock,
9ccdfb
                               (SSLBadCertHandler)myBadCertHandler,
9ccdfb
-                              &errCode );
9ccdfb
+                              (void *)_certData);
9ccdfb
+        }
9ccdfb
+
9ccdfb
         rv = SSL_SetURL( sock, serverName );
9ccdfb
 
9ccdfb
         if (rv != SECSuccess ) {
9ccdfb
@@ -536,8 +576,6 @@
9ccdfb
         sock = tcpsock;
9ccdfb
     }
9ccdfb
 
9ccdfb
-  
9ccdfb
-
9ccdfb
     if ( PR_Connect(sock, addr, timeout) == PR_FAILURE ) {
9ccdfb
 
9ccdfb
         if( sock != NULL ) {
9ccdfb
@@ -563,11 +601,17 @@
9ccdfb
                                           const PSHttpServer& server,
9ccdfb
                                           int timeout, PRBool expectChunked ,PRBool processStreamed) {
9ccdfb
     PRNetAddr addr;
9ccdfb
-    PRFileDesc *sock = NULL;
9ccdfb
     PSHttpResponse *resp = NULL;
9ccdfb
 
9ccdfb
     PRBool response_code = 0;
9ccdfb
 
9ccdfb
+    char tBuff[56];
9ccdfb
+
9ccdfb
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
9ccdfb
+                          ("%s HttpEngine::makeRequest  enter. \n",GetTStamp(tBuff,56)));
9ccdfb
+
9ccdfb
+
9ccdfb
+
9ccdfb
     server.getAddr(&addr);
9ccdfb
 
9ccdfb
     char *nickName = request.getCertNickName();
9ccdfb
@@ -575,8 +619,17 @@
9ccdfb
     char *serverName = (char *)server.getAddr();
9ccdfb
     _sock = _doConnect( &addr, request.isSSL(), 0, 0,nickName, 0, serverName );
9ccdfb
 
9ccdfb
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
9ccdfb
+                          ("%s HttpEngine::makeRequest  past doConnect sock: %p. \n",
9ccdfb
+                          GetTStamp(tBuff,56),_sock));
9ccdfb
+
9ccdfb
     if ( _sock != NULL) {
9ccdfb
         PRBool status = request.send( _sock );
9ccdfb
+
9ccdfb
+        PR_LOG(httpEngineLog, PR_LOG_DEBUG,
9ccdfb
+                          ("%s HttpEngine::makeRequest  past request.send status: %d. \n",
9ccdfb
+                          GetTStamp(tBuff,56),status));
9ccdfb
+
9ccdfb
         if ( status ) {
9ccdfb
             resp = new PSHttpResponse( _sock, &request, timeout, expectChunked ,this);
9ccdfb
             response_code = resp->processResponse(processStreamed);
9ccdfb
--- ./esc/src/lib/NssHttpClient/manifest.mn.fix6	2009-06-19 16:08:05.000000000 -0700
9ccdfb
+++ ./esc/src/lib/NssHttpClient/manifest.mn	2009-06-19 16:08:13.000000000 -0700
9ccdfb
@@ -24,7 +24,7 @@
9ccdfb
 MODULE		= httpchunked
9ccdfb
 LIBRARY_NAME	= $(MODULE)
9ccdfb
 SHARED_NAME	= $(MODULE)
9ccdfb
-REQUIRES	= nss nspr 
9ccdfb
+REQUIRES	= nss nspr ckymanager
9ccdfb
 ifndef MOZ_OFFSET
9ccdfb
 MOZ_OFFSET	= mozilla-1.7.13
9ccdfb
 endif
9ccdfb
--- ./esc/src/lib/coolkey/NSSManager.h.fix6	2009-06-19 16:06:41.000000000 -0700
9ccdfb
+++ ./esc/src/lib/coolkey/NSSManager.h	2009-06-19 16:06:47.000000000 -0700
9ccdfb
@@ -70,6 +70,8 @@
9ccdfb
 
9ccdfb
   static HRESULT  GetKeyCertNicknames( const CoolKey *aKey,  vector<string> & aStrings  ); 
9ccdfb
 
9ccdfb
+  static HRESULT GetKeyUID(const CoolKey *aKey, char *aBuf, int aBufLength);
9ccdfb
+
9ccdfb
   static HRESULT GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);
9ccdfb
 
9ccdfb
   static HRESULT GetKeyIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);
9ccdfb
--- ./esc/src/lib/coolkey/CoolKey.cpp.fix6	2009-06-19 16:02:43.000000000 -0700
9ccdfb
+++ ./esc/src/lib/coolkey/CoolKey.cpp	2009-06-19 16:03:03.000000000 -0700
9ccdfb
@@ -259,12 +259,14 @@
9ccdfb
 static CoolKeyRelease g_Release = NULL;
9ccdfb
 static CoolKeyGetConfigValue g_GetConfigValue = NULL;
9ccdfb
 static CoolKeySetConfigValue g_SetConfigValue = NULL;
9ccdfb
+static CoolKeyBadCertHandler g_BadCertHandler = NULL;
9ccdfb
 
9ccdfb
 char* CoolKeyVerifyPassword(PK11SlotInfo *,PRBool,void *);
9ccdfb
 
9ccdfb
 COOLKEY_API HRESULT CoolKeySetCallbacks(CoolKeyDispatch dispatch,
9ccdfb
 	CoolKeyReference reference, CoolKeyRelease release,
9ccdfb
-        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue)
9ccdfb
+        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue,
9ccdfb
+        CoolKeyBadCertHandler badcerthandler)
9ccdfb
 {
9ccdfb
     char tBuff[56];
9ccdfb
     g_Dispatch = dispatch;
9ccdfb
@@ -272,6 +274,7 @@
9ccdfb
     g_Release = release;
9ccdfb
     g_GetConfigValue = getconfigvalue;
9ccdfb
     g_SetConfigValue = setconfigvalue;
9ccdfb
+    g_BadCertHandler = badcerthandler;
9ccdfb
 
9ccdfb
     char * suppressPINPrompt =(char*) CoolKeyGetConfig("esc.security.url");
9ccdfb
 
9ccdfb
@@ -997,6 +1000,16 @@
9ccdfb
   
9ccdfb
     return NSSManager::GetKeyPolicy(aKey, aBuf, aBufLen);
9ccdfb
 }
9ccdfb
+
9ccdfb
+HRESULT
9ccdfb
+CoolKeyGetUID(const CoolKey *aKey, char *aBuf, int aBufLength)
9ccdfb
+{
9ccdfb
+    if (!aKey || !aKey->mKeyID || !aBuf || aBufLength < 1)
9ccdfb
+        return E_FAIL;
9ccdfb
+
9ccdfb
+    return NSSManager::GetKeyUID(aKey,aBuf,aBufLength);
9ccdfb
+}
9ccdfb
+
9ccdfb
 HRESULT
9ccdfb
 CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)
9ccdfb
 {
9ccdfb
@@ -1290,6 +1303,13 @@
9ccdfb
     return aCUID;
9ccdfb
 }
9ccdfb
 
9ccdfb
+CoolKeyBadCertHandler CoolKeyGetBadCertHandler()
9ccdfb
+{
9ccdfb
+    if(g_BadCertHandler)
9ccdfb
+        return g_BadCertHandler;
9ccdfb
+    return NULL;
9ccdfb
+}
9ccdfb
+
9ccdfb
 const char *CoolKeyGetConfig(const char *aValue)
9ccdfb
 {
9ccdfb
     if(!g_GetConfigValue || ! aValue)
9ccdfb
--- ./esc/src/lib/coolkey/manifest.mn.fix6	2009-06-19 16:05:45.000000000 -0700
9ccdfb
+++ ./esc/src/lib/coolkey/manifest.mn	2009-06-19 16:05:54.000000000 -0700
9ccdfb
@@ -19,7 +19,6 @@
9ccdfb
 
9ccdfb
 XULRUNNER_BASE=$(CORE_DEPTH)/dist/$(OBJDIR)//xulrunner_build
9ccdfb
 
9ccdfb
-
9ccdfb
 SYS_INC		= /usr/include
9ccdfb
 MODULE		= ckymanager
9ccdfb
 LIBRARY_NAME	= $(MODULE)
9ccdfb
@@ -41,7 +40,7 @@
9ccdfb
 		SmartCardMonitoringThread.cpp \
9ccdfb
 		$(NULL)
9ccdfb
 
9ccdfb
-EXPORTS 	= \
9ccdfb
+EXPORTS		= \
9ccdfb
 		CoolKey.h \
9ccdfb
 		$(NULL)
9ccdfb
 
9ccdfb
--- ./esc/src/lib/coolkey/NSSManager.cpp.fix6	2009-06-19 16:06:19.000000000 -0700
9ccdfb
+++ ./esc/src/lib/coolkey/NSSManager.cpp	2009-06-19 16:06:28.000000000 -0700
9ccdfb
@@ -369,7 +369,7 @@
9ccdfb
 
9ccdfb
     aBuf[0]=0;
9ccdfb
 
9ccdfb
-    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo \n",GetTStamp(tBuff,56)));
9ccdfb
+    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer \n",GetTStamp(tBuff,56)));
9ccdfb
 
9ccdfb
     if(!aKey )
9ccdfb
         return E_FAIL;
9ccdfb
@@ -409,7 +409,7 @@
9ccdfb
                         continue;
9ccdfb
                     }
9ccdfb
                     orgID    = CERT_GetOrgName(&cert->subject);
9ccdfb
-                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo ourSlot %p curSlot  %p org %s \n",GetTStamp(tBuff,56),slot,cert->slot,orgID));
9ccdfb
+                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer ourSlot %p curSlot  %p org %s \n",GetTStamp(tBuff,56),slot,cert->slot,orgID));
9ccdfb
 
9ccdfb
                 }
9ccdfb
 
9ccdfb
@@ -437,6 +437,85 @@
9ccdfb
     return S_OK;
9ccdfb
 }
9ccdfb
 
9ccdfb
+HRESULT NSSManager::GetKeyUID(const CoolKey *aKey, char *aBuf, int aBufLength)
9ccdfb
+{
9ccdfb
+    char tBuff[56];
9ccdfb
+    if(!aBuf)
9ccdfb
+        return E_FAIL;
9ccdfb
+
9ccdfb
+    aBuf[0]=0;
9ccdfb
+
9ccdfb
+    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyUID \n",GetTStamp(tBuff,56)));
9ccdfb
+
9ccdfb
+    if(!aKey )
9ccdfb
+        return E_FAIL;
9ccdfb
+
9ccdfb
+    PK11SlotInfo *slot = GetSlotForKeyID(aKey);
9ccdfb
+
9ccdfb
+    if (!slot)
9ccdfb
+        return E_FAIL;
9ccdfb
+
9ccdfb
+    CERTCertList *certs = PK11_ListCerts(PK11CertListAll,NULL);
9ccdfb
+
9ccdfb
+    if (!certs)
9ccdfb
+    {
9ccdfb
+        PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%sNSSManager::GetKeyUID no certs found! \n",GetTStamp(tBuff,56)));
9ccdfb
+        PK11_FreeSlot(slot);
9ccdfb
+        return E_FAIL;
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    CERTCertListNode *node= NULL;
9ccdfb
+
9ccdfb
+    char *certID = NULL;
9ccdfb
+
9ccdfb
+    for( node = CERT_LIST_HEAD(certs);
9ccdfb
+             ! CERT_LIST_END(node, certs);
9ccdfb
+             node = CERT_LIST_NEXT(node))     
9ccdfb
+    {     
9ccdfb
+        if(node->cert) 
9ccdfb
+        {
9ccdfb
+            CERTCertificate *cert = node->cert;
9ccdfb
+
9ccdfb
+            if(cert)
9ccdfb
+            {
9ccdfb
+                if(cert->slot == slot)
9ccdfb
+                {
9ccdfb
+                    if(IsCACert(cert))
9ccdfb
+                    {
9ccdfb
+                        continue;
9ccdfb
+                    }
9ccdfb
+
9ccdfb
+                    certID = CERT_GetCertUid(&cert->subject);
9ccdfb
+
9ccdfb
+                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyUID ourSlot %p curSlot  %p certID %s  \n",GetTStamp(tBuff,56),slot,cert->slot,certID));
9ccdfb
+           
9ccdfb
+                }
9ccdfb
+
9ccdfb
+                if(certID)
9ccdfb
+                    break;
9ccdfb
+            }
9ccdfb
+        }
9ccdfb
+
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    if(certID && ((int)strlen(certID)  <  aBufLength))
9ccdfb
+    {
9ccdfb
+        strcpy(aBuf,certID);
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    if(certs)
9ccdfb
+      CERT_DestroyCertList(certs);
9ccdfb
+
9ccdfb
+    if(slot)
9ccdfb
+      PK11_FreeSlot(slot);
9ccdfb
+
9ccdfb
+    if(certID)
9ccdfb
+        PORT_Free(certID);
9ccdfb
+
9ccdfb
+    return S_OK;
9ccdfb
+}
9ccdfb
+
9ccdfb
+
9ccdfb
 HRESULT NSSManager::GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)
9ccdfb
 {
9ccdfb
     char tBuff[56];
9ccdfb
@@ -487,6 +566,10 @@
9ccdfb
 
9ccdfb
                     certID = CERT_GetCommonName(&cert->subject);
9ccdfb
 
9ccdfb
+                    if(!certID) {
9ccdfb
+                        certID = CERT_GetCertUid(&cert->subject);
9ccdfb
+                    }
9ccdfb
+
9ccdfb
                     PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo ourSlot %p curSlot  %p certID %s  \n",GetTStamp(tBuff,56),slot,cert->slot,certID));
9ccdfb
 
9ccdfb
                 }
9ccdfb
--- ./esc/src/lib/coolkey/CoolKey.h.fix6	2009-06-19 16:04:59.000000000 -0700
9ccdfb
+++ ./esc/src/lib/coolkey/CoolKey.h	2009-06-19 16:05:05.000000000 -0700
9ccdfb
@@ -26,6 +26,7 @@
9ccdfb
 // platforms (coreconf will do the appropriate processing.
9ccdfb
 #define COOLKEY_API
9ccdfb
 
9ccdfb
+#include "ssl.h"
9ccdfb
 #include <string.h>
9ccdfb
 #include <stdlib.h>
9ccdfb
 #include <vector>
9ccdfb
@@ -100,7 +101,7 @@
9ccdfb
 
9ccdfb
 typedef HRESULT (*CoolKeySetConfigValue)(const char *name,const char *value);
9ccdfb
 typedef const char * (*CoolKeyGetConfigValue)(const char *name);
9ccdfb
-
9ccdfb
+typedef SECStatus (*CoolKeyBadCertHandler)(void *arg, PRFileDesc *fd);
9ccdfb
 
9ccdfb
 
9ccdfb
 extern "C" {
9ccdfb
@@ -112,7 +113,8 @@
9ccdfb
 COOLKEY_API HRESULT CoolKeyUnregisterListener(CoolKeyListener* aListener);
9ccdfb
 COOLKEY_API HRESULT CoolKeySetCallbacks(CoolKeyDispatch dispatch,
9ccdfb
                         CoolKeyReference reference, CoolKeyRelease release,
9ccdfb
-                        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue);
9ccdfb
+                        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue,
9ccdfb
+                        CoolKeyBadCertHandler badcerthandler=NULL);
9ccdfb
 
9ccdfb
 COOLKEY_API bool    CoolKeyRequiresAuthentication(const CoolKey *aKey);
9ccdfb
 COOLKEY_API bool    CoolKeyHasApplet(const CoolKey *aKey);
9ccdfb
@@ -133,6 +135,8 @@
9ccdfb
 
9ccdfb
 COOLKEY_API HRESULT CoolKeyGetCertInfo(const CoolKey *aKey, char *aCertNickname, std::string & aCertInfo);
9ccdfb
 
9ccdfb
+COOLKEY_API HRESULT CoolKeyGetUID(const CoolKey *aKey, char *aBuf, int aBufLength);
9ccdfb
+
9ccdfb
 COOLKEY_API HRESULT CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);
9ccdfb
 COOLKEY_API HRESULT CoolKeyGetIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);
9ccdfb
 
9ccdfb
@@ -257,6 +261,9 @@
9ccdfb
 
9ccdfb
 const char *CoolKeyGetConfig(const char *aName);
9ccdfb
 HRESULT     CoolKeySetConfig(const char *aName,const char *aValue);
9ccdfb
+CoolKeyBadCertHandler CoolKeyGetBadCertHandler();
9ccdfb
+
9ccdfb
+
9ccdfb
 
9ccdfb
 }
9ccdfb
 
9ccdfb
--- ./esc/src/lib/coolkey/Makefile.fix6	2009-06-19 16:05:24.000000000 -0700
9ccdfb
+++ ./esc/src/lib/coolkey/Makefile	2009-06-19 16:05:32.000000000 -0700
9ccdfb
@@ -35,6 +35,9 @@
9ccdfb
 	echo "Build Linux or Windows."
9ccdfb
 	make -f common.mk
9ccdfb
 
9ccdfb
+export::
9ccdfb
+	make -f common.mk export
9ccdfb
+
9ccdfb
 endif
9ccdfb
 
9ccdfb
 ifeq ($(OS_ARCH),Darwin)
9ccdfb
--- ./esc/src/app/xul/esc/chrome/content/esc/certManager.xul.fix6	2009-06-19 16:01:21.000000000 -0700
9ccdfb
+++ ./esc/src/app/xul/esc/chrome/content/esc/certManager.xul	2009-06-19 16:01:43.000000000 -0700
9ccdfb
@@ -65,7 +65,7 @@
9ccdfb
       <tabs id="certMgrTabbox" onselect="CertsTabsSelected();">
9ccdfb
         <tab id="mine_tab" label="&certmgr.tab.mine;" selected="true"/>
9ccdfb
         <tab id="others_tab" hidden="true" label="&certmgr.tab.others2;"/>
9ccdfb
-        <tab id="websites_tab" hidden="true" label="&certmgr.tab.websites3;"/>
9ccdfb
+        <tab id="websites_tab" hidden="false" label="&certmgr.tab.websites3;"/>
9ccdfb
         <tab id="ca_tab" hidden="false" label="&certmgr.tab.ca;"/>
9ccdfb
         <tab id="orphan_tab" hidden="true" label="&certmgr.tab.orphan2;"/>
9ccdfb
 
9ccdfb
--- ./esc/src/app/xpcom/rhCoolKey.cpp.fix6	2009-06-19 15:56:20.000000000 -0700
9ccdfb
+++ ./esc/src/app/xpcom/rhCoolKey.cpp	2009-06-19 15:57:48.000000000 -0700
9ccdfb
@@ -30,7 +30,7 @@
9ccdfb
 #else
9ccdfb
 #include "nsServiceManagerUtils.h"
9ccdfb
 #endif
9ccdfb
-
9ccdfb
+#include "pipnss/nsICertOverrideService.h"
9ccdfb
 #include "nsIPrefBranch.h"
9ccdfb
 #include "nsIPrefService.h"
9ccdfb
 #include "nsCOMPtr.h"
9ccdfb
@@ -69,6 +69,7 @@
9ccdfb
 #endif
9ccdfb
 
9ccdfb
 #define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
9ccdfb
+#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
9ccdfb
 
9ccdfb
 static const nsIID kIModuleIID = NS_IMODULE_IID;
9ccdfb
 static const nsIID kIFactoryIID = NS_IFACTORY_IID;
9ccdfb
@@ -89,6 +90,7 @@
9ccdfb
 
9ccdfb
 std::list< nsCOMPtr <rhIKeyNotify>  > rhCoolKey::gNotifyListeners;
9ccdfb
 
9ccdfb
+PRLock* rhCoolKey::certCBLock=NULL;
9ccdfb
 
9ccdfb
 PRBool rhCoolKey::gAutoEnrollBlankTokens = PR_FALSE; 
9ccdfb
 
9ccdfb
@@ -190,6 +192,13 @@
9ccdfb
         mCSPListener = nsnull;
9ccdfb
     #endif
9ccdfb
 
9ccdfb
+    certCBLock = PR_NewLock();
9ccdfb
+
9ccdfb
+    if(!certCBLock) {
9ccdfb
+       PR_LOG( coolKeyLog, PR_LOG_ERROR, ("%s Failed to create lock exiting! \n",GetTStamp(tBuff,56)));
9ccdfb
+        exit(1);
9ccdfb
+    }
9ccdfb
+
9ccdfb
     PRBool res = InitInstance();
9ccdfb
 
9ccdfb
     if(res == PR_FALSE)
9ccdfb
@@ -207,6 +216,10 @@
9ccdfb
 
9ccdfb
     char tBuff[56];
9ccdfb
     PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s rhCoolKey::~rhCoolKey: %p \n",GetTStamp(tBuff,56),this));
9ccdfb
+
9ccdfb
+    if(certCBLock) {
9ccdfb
+        PR_DestroyLock(certCBLock);
9ccdfb
+    }
9ccdfb
 }
9ccdfb
 
9ccdfb
 void rhCoolKey::ShutDownInstance()
9ccdfb
@@ -255,6 +268,212 @@
9ccdfb
     return S_OK;
9ccdfb
 }
9ccdfb
 
9ccdfb
+struct BadCertData {
9ccdfb
+     PRErrorCode error; 
9ccdfb
+     PRInt32 port;
9ccdfb
+};  
9ccdfb
+
9ccdfb
+typedef struct BadCertData BadCertData;
9ccdfb
+
9ccdfb
+SECStatus rhCoolKey::badCertHandler(void *arg, PRFileDesc *fd)
9ccdfb
+{
9ccdfb
+    SECStatus    secStatus = SECFailure;
9ccdfb
+    PRErrorCode    err;
9ccdfb
+    char *host = NULL;
9ccdfb
+    PRInt32 port = 0;
9ccdfb
+    CERTCertificate *serverCert = NULL;
9ccdfb
+    PRUint32 errorBits = 0;
9ccdfb
+    char tBuff[56];
9ccdfb
+    
9ccdfb
+    PR_Lock(certCBLock);
9ccdfb
+
9ccdfb
+    if (!arg || !fd) {
9ccdfb
+        PR_Unlock(certCBLock);
9ccdfb
+        return secStatus;
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    // Retrieve callback data from NssHttpClient
9ccdfb
+    // Caller cleans up this data
9ccdfb
+    BadCertData *data = (BadCertData *) arg;
9ccdfb
+    data->error = err = PORT_GetError();
9ccdfb
+
9ccdfb
+
9ccdfb
+    /* If any of the cases in the switch are met, then we will proceed   */
9ccdfb
+
9ccdfb
+    switch (err) {
9ccdfb
+    case SEC_ERROR_INVALID_AVA:
9ccdfb
+    case SEC_ERROR_INVALID_TIME:
9ccdfb
+    case SEC_ERROR_BAD_SIGNATURE:
9ccdfb
+    case SEC_ERROR_EXPIRED_CERTIFICATE:
9ccdfb
+    case SEC_ERROR_UNKNOWN_ISSUER:
9ccdfb
+    case SEC_ERROR_UNTRUSTED_CERT:
9ccdfb
+    case SEC_ERROR_CERT_VALID:
9ccdfb
+    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
9ccdfb
+    case SEC_ERROR_CRL_EXPIRED:
9ccdfb
+    case SEC_ERROR_CRL_BAD_SIGNATURE:
9ccdfb
+    case SEC_ERROR_EXTENSION_VALUE_INVALID:
9ccdfb
+    case SEC_ERROR_CA_CERT_INVALID:
9ccdfb
+    case SEC_ERROR_CERT_USAGES_INVALID:
9ccdfb
+    case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
9ccdfb
+    case SEC_ERROR_EXTENSION_NOT_FOUND: // Added by Rob 5/21/2002
9ccdfb
+        secStatus = SECSuccess;
9ccdfb
+    break;
9ccdfb
+    default:
9ccdfb
+        secStatus = SECFailure;
9ccdfb
+    break;
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    if(secStatus == SECSuccess)  {
9ccdfb
+        PR_Unlock(certCBLock);
9ccdfb
+        return secStatus;
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    // Collect errors to compare with override service output
9ccdfb
+    switch(err) {
9ccdfb
+    case SEC_ERROR_UNTRUSTED_ISSUER:
9ccdfb
+        errorBits |= nsICertOverrideService::ERROR_UNTRUSTED;
9ccdfb
+    break;
9ccdfb
+    case SSL_ERROR_BAD_CERT_DOMAIN:
9ccdfb
+        errorBits |= nsICertOverrideService::ERROR_MISMATCH;
9ccdfb
+    break;
9ccdfb
+    case SEC_ERROR_EXPIRED_CERTIFICATE:
9ccdfb
+        errorBits |= nsICertOverrideService::ERROR_TIME;
9ccdfb
+    default:
9ccdfb
+    break;
9ccdfb
+    };
9ccdfb
+
9ccdfb
+    // Now proceed to see if we have an exception.
9ccdfb
+    // Get the server certificate that was rejected.
9ccdfb
+    serverCert = SSL_PeerCertificate(fd);
9ccdfb
+
9ccdfb
+    if(!serverCert) {
9ccdfb
+        PR_Unlock(certCBLock);
9ccdfb
+        return secStatus;
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    port = data->port;
9ccdfb
+    host = SSL_RevealURL(fd);
9ccdfb
+
9ccdfb
+    if(!host || port <= 0) {
9ccdfb
+        PR_Unlock(certCBLock);
9ccdfb
+        return secStatus;
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    PR_LOG(coolKeyLog, PR_LOG_DEBUG,
9ccdfb
+                          ("%s rhCoolKey::badCertHandler enter: error: %d  url: %s port: %d \n",
9ccdfb
+                          GetTStamp(tBuff,56),err,host,port)
9ccdfb
+    );
9ccdfb
+
9ccdfb
+    PRBool isTemporaryOverride = PR_FALSE;
9ccdfb
+    PRUint32 overrideBits = 0;
9ccdfb
+    PRBool overrideResult = PR_FALSE;
9ccdfb
+
9ccdfb
+    // Use the nsICertOverrideService to see if we have
9ccdfb
+    // previously trusted this certificate.
9ccdfb
+    nsCOMPtr<nsICertOverrideService> overrideService =
9ccdfb
+       do_GetService(NS_CERTOVERRIDE_CONTRACTID);
9ccdfb
+
9ccdfb
+    const nsEmbedCString nsHost(host);
9ccdfb
+    nsEmbedCString hashAlg,fingerPrint;
9ccdfb
+
9ccdfb
+    nsresult nsrv;
9ccdfb
+    unsigned char* fingerprint=NULL;
9ccdfb
+    if(overrideService) {
9ccdfb
+        nsrv = overrideService->GetValidityOverride((const nsACString &)nsHost,
9ccdfb
+            port,(nsACString &)hashAlg,
9ccdfb
+            (nsACString&)fingerPrint,&overrideBits,
9ccdfb
+            &isTemporaryOverride,&overrideResult
9ccdfb
+        );
9ccdfb
+        if(nsrv == NS_OK) { 
9ccdfb
+           PR_LOG(coolKeyLog, PR_LOG_DEBUG,
9ccdfb
+               ("%s rhCoolKey::badCertHandler res %d print %s len %d bits %u temp %d alg: %s  \n",
9ccdfb
+               GetTStamp(tBuff,56),overrideResult,fingerPrint.get(),
9ccdfb
+               fingerPrint.Length(),overrideBits, isTemporaryOverride,hashAlg.get())
9ccdfb
+           );
9ccdfb
+       }
9ccdfb
+
9ccdfb
+       PRBool certMatches = PR_FALSE;
9ccdfb
+
9ccdfb
+       if( (nsrv == NS_OK) && overrideResult) {
9ccdfb
+            SECItem oid;
9ccdfb
+            oid.data = nsnull;
9ccdfb
+            oid.len = 0;
9ccdfb
+            SECStatus srv = SEC_StringToOID(nsnull, &oid,
9ccdfb
+                    hashAlg.get(), hashAlg.Length());
9ccdfb
+
9ccdfb
+            if (srv != SECSuccess)  {
9ccdfb
+               PR_Free(host);
9ccdfb
+               host=NULL;
9ccdfb
+               CERT_DestroyCertificate(serverCert);
9ccdfb
+               serverCert=NULL;
9ccdfb
+               PR_Unlock(certCBLock);
9ccdfb
+               return secStatus;
9ccdfb
+            }
9ccdfb
+
9ccdfb
+            SECOidTag oid_tag = SECOID_FindOIDTag(&oid;;
9ccdfb
+
9ccdfb
+            unsigned int hash_len = HASH_ResultLenByOidTag(oid_tag);
9ccdfb
+            fingerprint = new unsigned char[hash_len];
9ccdfb
+
9ccdfb
+            if(!fingerprint)  {
9ccdfb
+                CERT_DestroyCertificate(serverCert);
9ccdfb
+                serverCert=NULL;
9ccdfb
+                PR_Unlock(certCBLock);
9ccdfb
+                return secStatus;
9ccdfb
+            }
9ccdfb
+
9ccdfb
+            SECItem computedPrint;
9ccdfb
+            memset(fingerprint, 0, sizeof fingerprint);
9ccdfb
+            PK11_HashBuf(oid_tag, fingerprint,
9ccdfb
+            serverCert->derCert.data, serverCert->derCert.len);
9ccdfb
+            CERT_DestroyCertificate(serverCert);
9ccdfb
+            serverCert=NULL;
9ccdfb
+
9ccdfb
+            computedPrint.data=fingerprint;
9ccdfb
+            computedPrint.len=hash_len;
9ccdfb
+
9ccdfb
+            char *formattedPrint = CERT_Hexify(&computedPrint,1);
9ccdfb
+            char *inputPrint = (char *)fingerPrint.get();
9ccdfb
+
9ccdfb
+            //Compare fingerprints.
9ccdfb
+
9ccdfb
+            if(formattedPrint && inputPrint)  {
9ccdfb
+                if(!PL_strcmp(formattedPrint, inputPrint))
9ccdfb
+                    certMatches = PR_TRUE;
9ccdfb
+            }
9ccdfb
+            PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s certMatches: %d  \n",
9ccdfb
+                GetTStamp(tBuff,56),certMatches)
9ccdfb
+            );
9ccdfb
+
9ccdfb
+            if(formattedPrint)  {
9ccdfb
+                PORT_Free(formattedPrint);
9ccdfb
+                formattedPrint = NULL;
9ccdfb
+            }
9ccdfb
+      } else {
9ccdfb
+          PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s override test failed. \n",
9ccdfb
+              GetTStamp(tBuff,56))
9ccdfb
+          );
9ccdfb
+      }
9ccdfb
+
9ccdfb
+      if( certMatches ) {
9ccdfb
+         if(overrideBits | errorBits)
9ccdfb
+             secStatus = SECSuccess;   
9ccdfb
+      }
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    PR_Free(host);
9ccdfb
+    host = NULL;
9ccdfb
+    if(fingerprint)  {
9ccdfb
+        delete [] fingerprint;
9ccdfb
+        fingerprint = NULL;
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    PR_Unlock(certCBLock);
9ccdfb
+
9ccdfb
+    return secStatus;
9ccdfb
+}
9ccdfb
+
9ccdfb
+
9ccdfb
 HRESULT rhCoolKey::doSetCoolKeyConfigValue(const char *aName, const char *aValue) 
9ccdfb
 {
9ccdfb
 
9ccdfb
@@ -340,7 +559,7 @@
9ccdfb
     nssComponent
9ccdfb
     = do_GetService(PSM_COMPONENT_CONTRACTID); 
9ccdfb
 
9ccdfb
-    CoolKeySetCallbacks(Dispatch,Reference, Release,doGetCoolKeyConfigValue ,doSetCoolKeyConfigValue);
9ccdfb
+    CoolKeySetCallbacks(Dispatch,Reference, Release,doGetCoolKeyConfigValue ,doSetCoolKeyConfigValue,badCertHandler);
9ccdfb
 
9ccdfb
     mProxy = CreateProxyObject();
9ccdfb
 
9ccdfb
@@ -1262,6 +1481,38 @@
9ccdfb
 }
9ccdfb
 
9ccdfb
 /* string GetCoolKeyIssuedTo (in unsigned long aKeyType, in string aKeyID); */
9ccdfb
+NS_IMETHODIMP rhCoolKey::GetCoolKeyUID(PRUint32 aKeyType, const char *aKeyID, char **uid)
9ccdfb
+{
9ccdfb
+    char tBuff[56];
9ccdfb
+    if (!aKeyID) {
9ccdfb
+        return NS_ERROR_FAILURE;
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    AutoCoolKey key(aKeyType, ( char *)aKeyID);
9ccdfb
+
9ccdfb
+    char buff[512];
9ccdfb
+    int bufLength = 512;
9ccdfb
+    buff[0] = 0;
9ccdfb
+   
9ccdfb
+    CoolKeyGetUID(&key, (char *) buff, bufLength);
9ccdfb
+
9ccdfb
+    if(!buff[0])
9ccdfb
+    {
9ccdfb
+        return NS_OK;
9ccdfb
+    }
9ccdfb
+
9ccdfb
+    PR_LOG(coolKeyLog,PR_LOG_DEBUG,("%s rhCoolKey::RhGetCoolKeyGetUID  %s \n",GetTStamp(tBuff,56),(char *) buff));
9ccdfb
+
9ccdfb
+    char *temp =  (char *) nsMemory::Clone(buff,sizeof(char) * strlen(buff) + 1);
9ccdfb
+
9ccdfb
+    *uid = temp;
9ccdfb
+
9ccdfb
+    return NS_OK;
9ccdfb
+
9ccdfb
+}
9ccdfb
+
9ccdfb
+
9ccdfb
+/* string GetCoolKeyIssuedTo (in unsigned long aKeyType, in string aKeyID); */
9ccdfb
 NS_IMETHODIMP rhCoolKey::GetCoolKeyIssuedTo(PRUint32 aKeyType, const char *aKeyID, char **issuedTo)
9ccdfb
 {
9ccdfb
     char tBuff[56];
9ccdfb
--- ./esc/src/app/xpcom/rhICoolKey.idl.fix6	2009-06-19 16:00:20.000000000 -0700
9ccdfb
+++ ./esc/src/app/xpcom/rhICoolKey.idl	2009-06-19 16:00:32.000000000 -0700
9ccdfb
@@ -66,6 +66,8 @@
9ccdfb
 
9ccdfb
     string GetCoolKeyCertInfo(in unsigned long aKeyType, in string aKeyID, in string aCertNickname);
9ccdfb
 
9ccdfb
+    string GetCoolKeyUID(in unsigned long aKeyType, in string aKeyID);
9ccdfb
+
9ccdfb
     string GetCoolKeyIssuedTo(in unsigned long aKeyType, in string aKeyID);
9ccdfb
    
9ccdfb
     string GetCoolKeyIssuer(in unsigned long aKeyType, in string aKeyID);
9ccdfb
--- ./esc/src/app/xpcom/Makefile.sdk.fix6	2009-06-19 15:54:52.000000000 -0700
9ccdfb
+++ ./esc/src/app/xpcom/Makefile.sdk	2009-06-19 15:55:43.000000000 -0700
9ccdfb
@@ -109,7 +109,7 @@
9ccdfb
 CPPFLAGS += -fno-rtti \
9ccdfb
                 -fno-exceptions \
9ccdfb
                 -fshort-wchar -fPIC
9ccdfb
-GECKO_LD_LIBS=-L$(GECKO_SDK_PATH)/lib    $(GECKO_SDK_PATH)/lib/libxpcomglue.a -lnss3 -lcrmf -lssl3 -lsmime3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
9ccdfb
+GECKO_LD_LIBS=-L$(GECKO_SDK_PATH)/lib    $(GECKO_SDK_PATH)/lib/libxpcomglue.a -lnssutil3 -lnss3 -lcrmf -lssl3 -lsmime3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
9ccdfb
 endif
9ccdfb
 
9ccdfb
 ifeq ($(OS_ARCH),WINNT)
9ccdfb
@@ -145,7 +145,7 @@
9ccdfb
 GECKO_INCLUDES		+= -I $(GECKO_SDK_PATH)/sdk/include
9ccdfb
 OBJECT			= rhCoolKey.obj
9ccdfb
 OBJECTCSP		= CoolKeyCSP.obj 
9ccdfb
-COOL_LDFLAGS		=   -IMPLIB:fake-import /LIBPATH:$(CORE_DIST)/lib ckymanager.lib httpchunked.lib $(GECKO_LD_LIBS) nss3.lib ssl3.lib smime3.lib softokn3.lib  /LIBPATH:$(CKY_LIB_LDD) libckyapplet.lib  crypt32.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib /NODEFAULTLIB:libc.lib
9ccdfb
+COOL_LDFLAGS		=   -IMPLIB:fake-import /LIBPATH:$(CORE_DIST)/lib ckymanager.lib httpchunked.lib $(GECKO_LD_LIBS) nssutil3.lib nss3.lib ssl3.lib smime3.lib softokn3.lib  /LIBPATH:$(CKY_LIB_LDD) libckyapplet.lib  crypt32.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib /NODEFAULTLIB:libc.lib
9ccdfb
 endif
9ccdfb
 
9ccdfb
 ifeq ($(OS_ARCH),Darwin)
9ccdfb
--- ./esc/src/app/xpcom/rhCoolKey.h.fix6	2009-06-19 15:58:21.000000000 -0700
9ccdfb
+++ ./esc/src/app/xpcom/rhCoolKey.h	2009-06-19 15:58:28.000000000 -0700
9ccdfb
@@ -22,6 +22,15 @@
9ccdfb
 #include "nsIGenericFactory.h"
9ccdfb
 #include "nsEmbedString.h"
9ccdfb
 #include <list>
9ccdfb
+#include "nspr.h"
9ccdfb
+#include "prio.h"
9ccdfb
+#include "ssl.h"
9ccdfb
+#include "pk11func.h"
9ccdfb
+#include "cert.h"
9ccdfb
+#include "sslerr.h"
9ccdfb
+#include "secerr.h"
9ccdfb
+#include "sechash.h"
9ccdfb
+
9ccdfb
 #include "CoolKey.h"
9ccdfb
 #include "nsCOMPtr.h"
9ccdfb
 #include "nsIObserver.h"
9ccdfb
@@ -92,6 +101,7 @@
9ccdfb
 
9ccdfb
     static HRESULT doSetCoolKeyConfigValue(const char *aName, const char *aValue); 
9ccdfb
     static const char *doGetCoolKeyConfigValue(const char *aName );
9ccdfb
+    static SECStatus badCertHandler(void *arg, PRFileDesc *fd);
9ccdfb
 
9ccdfb
 protected:
9ccdfb
   /* additional members */
9ccdfb
@@ -107,6 +117,8 @@
9ccdfb
 
9ccdfb
     static std::list< nsCOMPtr <rhIKeyNotify> > gNotifyListeners;
9ccdfb
 
9ccdfb
+    static PRLock* certCBLock;
9ccdfb
+
9ccdfb
     rhICoolKey* mProxy;
9ccdfb
 
9ccdfb
     static PRBool      gAutoEnrollBlankTokens;