--- ./esc/src/lib/NssHttpClient/engine.h.fix6	2009-06-19 16:07:39.000000000 -0700

+++ ./esc/src/lib/NssHttpClient/engine.h	2009-06-19 16:07:44.000000000 -0700

@@ -22,9 +22,17 @@

 #include "response.h"

 #include "request.h"

+struct BadCertData {

+ PRErrorCode error;

+ PRInt32 port;

+};

+

+typedef struct BadCertData BadCertData;

+

+

 class __EXPORT Engine {

     public:

-        Engine() {};

+        Engine() { _certData = NULL; _sock=NULL;};

         ~Engine() {};

         PRFileDesc *_doConnect(PRNetAddr *addr, PRBool SSLOn = PR_FALSE,

@@ -37,7 +45,8 @@

         static PRIntervalTime globaltimeout;

         PRFileDesc *_sock;

-

+        BadCertData *_certData;

+        BadCertData *getBadCertData() { return _certData;}

         PRFileDesc *getSocket() { return _sock;}

         bool connectionClosed ;

--- ./esc/src/lib/NssHttpClient/engine.cpp.fix6	2009-06-19 16:07:12.000000000 -0700

+++ ./esc/src/lib/NssHttpClient/engine.cpp	2009-06-19 16:07:29.000000000 -0700

@@ -16,6 +16,8 @@

  * All rights reserved.

  * END COPYRIGHT BLOCK **/

+#define FORCE_PR_LOG 1

+

 #include <nspr.h>

 #include "sslproto.h"

 #include <prerror.h>

@@ -27,7 +29,7 @@

 #include "certt.h"

 #include "sslerr.h"

 #include "secerr.h"

-

+#include "CoolKey.h"

 #include "engine.h"

 #include "http.h"

@@ -39,6 +41,9 @@

 int cipherCount = 0;

 int _doVerifyServerCert = 1;

+PRLogModuleInfo *httpEngineLog = PR_NewLogModule("coolKeyHttpEngine");

+

+

 PRIntervalTime Engine::globaltimeout = PR_TicksPerSecond()*30;

 /**

@@ -56,13 +61,26 @@

     SECStatus    secStatus = SECFailure;

     PRErrorCode    err;

+    char tBuff[56];

+

+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,

+                          ("%s myBadCertHandler enter. \n",GetTStamp(tBuff,56)));

+

     /* log invalid cert here */

     if ( !arg ) {

         return secStatus;

     }

-    *(PRErrorCode *)arg = err = PORT_GetError();

+    err = PORT_GetError();

+

+    BadCertData *data = (BadCertData *) arg;

+    if(data) {

+        data->error = err;

+    }

+

+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,

+                          ("%s myBadCertHandler err: %d .  \n",GetTStamp(tBuff,56),err));

     /* If any of the cases in the switch are met, then we will proceed   */

     /* with the processing of the request anyway. Otherwise, the default */    

@@ -91,6 +109,10 @@

     break;

     }

+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,

+                          ("%s myBadCertHandler status: %d .  \n",GetTStamp(tBuff,56),secStatus));

+

+

     return secStatus;

 }

@@ -416,7 +438,6 @@

     return;

 }

-

 void Engine::CloseConnection()

 {

     connectionClosed = true;

@@ -426,7 +447,14 @@

         PR_Close(_sock);

         _sock = NULL;

     }

+

+    if(_certData)

+    {

+        delete _certData;

+        _certData = NULL;

+    }

 }

+

 /**

  * Returns a file descriptor for I/O if the HTTP connection is successful

  * @param addr PRnetAddr structure which points to the server to connect to

@@ -442,21 +470,19 @@

     PRFileDesc *tcpsock = NULL;

     PRFileDesc *sock = NULL;

     connectionClosed = false;

+    _certData = new BadCertData();

     tcpsock = PR_OpenTCPSocket(addr->raw.family);

-   

     if (!tcpsock) {

-

         return NULL;

     }

     nodelay(tcpsock);

     if (PR_TRUE == SSLOn) {

-        sock=SSL_ImportFD(NULL, tcpsock);

-

+        sock=SSL_ImportFD(NULL, tcpsock);

         if (!sock) {

             //xxx log

             if( tcpsock != NULL ) {

@@ -516,9 +542,23 @@

         PRErrorCode errCode = 0;

-        rv = SSL_BadCertHook( sock,

+        if(_certData) {

+            _certData->error = errCode;

+            _certData->port  = PR_ntohs(PR_NetAddrInetPort(addr));

+        }

+

+        CoolKeyBadCertHandler overriddenHandler =  CoolKeyGetBadCertHandler();

+

+        if(overriddenHandler)  {

+            rv = SSL_BadCertHook( sock,

+                              (SSLBadCertHandler)overriddenHandler,

+                               (void *)_certData);

+        } else {

+            rv = SSL_BadCertHook( sock,

                               (SSLBadCertHandler)myBadCertHandler,

-                              &errCode );

+                              (void *)_certData);

+        }

+

         rv = SSL_SetURL( sock, serverName );

         if (rv != SECSuccess ) {

@@ -536,8 +576,6 @@

         sock = tcpsock;

     }

-  

-

     if ( PR_Connect(sock, addr, timeout) == PR_FAILURE ) {

         if( sock != NULL ) {

@@ -563,11 +601,17 @@

                                           const PSHttpServer& server,

                                           int timeout, PRBool expectChunked ,PRBool processStreamed) {

     PRNetAddr addr;

-    PRFileDesc *sock = NULL;

     PSHttpResponse *resp = NULL;

     PRBool response_code = 0;

+    char tBuff[56];

+

+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,

+                          ("%s HttpEngine::makeRequest  enter. \n",GetTStamp(tBuff,56)));

+

+

+

     server.getAddr(&addr);

     char *nickName = request.getCertNickName();

@@ -575,8 +619,17 @@

     char *serverName = (char *)server.getAddr();

     _sock = _doConnect( &addr, request.isSSL(), 0, 0,nickName, 0, serverName );

+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,

+                          ("%s HttpEngine::makeRequest  past doConnect sock: %p. \n",

+                          GetTStamp(tBuff,56),_sock));

+

     if ( _sock != NULL) {

         PRBool status = request.send( _sock );

+

+        PR_LOG(httpEngineLog, PR_LOG_DEBUG,

+                          ("%s HttpEngine::makeRequest  past request.send status: %d. \n",

+                          GetTStamp(tBuff,56),status));

+

         if ( status ) {

             resp = new PSHttpResponse( _sock, &request, timeout, expectChunked ,this);

             response_code = resp->processResponse(processStreamed);

--- ./esc/src/lib/NssHttpClient/manifest.mn.fix6	2009-06-19 16:08:05.000000000 -0700

+++ ./esc/src/lib/NssHttpClient/manifest.mn	2009-06-19 16:08:13.000000000 -0700

@@ -24,7 +24,7 @@

 MODULE		= httpchunked

 LIBRARY_NAME	= $(MODULE)

 SHARED_NAME	= $(MODULE)

-REQUIRES	= nss nspr 

+REQUIRES	= nss nspr ckymanager

 ifndef MOZ_OFFSET

 MOZ_OFFSET	= mozilla-1.7.13

 endif

--- ./esc/src/lib/coolkey/NSSManager.h.fix6	2009-06-19 16:06:41.000000000 -0700

+++ ./esc/src/lib/coolkey/NSSManager.h	2009-06-19 16:06:47.000000000 -0700

@@ -70,6 +70,8 @@

   static HRESULT  GetKeyCertNicknames( const CoolKey *aKey,  vector<string> & aStrings  ); 

+  static HRESULT GetKeyUID(const CoolKey *aKey, char *aBuf, int aBufLength);

+

   static HRESULT GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);

   static HRESULT GetKeyIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);

--- ./esc/src/lib/coolkey/CoolKey.cpp.fix6	2009-06-19 16:02:43.000000000 -0700

+++ ./esc/src/lib/coolkey/CoolKey.cpp	2009-06-19 16:03:03.000000000 -0700

@@ -259,12 +259,14 @@

 static CoolKeyRelease g_Release = NULL;

 static CoolKeyGetConfigValue g_GetConfigValue = NULL;

 static CoolKeySetConfigValue g_SetConfigValue = NULL;

+static CoolKeyBadCertHandler g_BadCertHandler = NULL;

 char* CoolKeyVerifyPassword(PK11SlotInfo *,PRBool,void *);

 COOLKEY_API HRESULT CoolKeySetCallbacks(CoolKeyDispatch dispatch,

 	CoolKeyReference reference, CoolKeyRelease release,

-        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue)

+        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue,

+        CoolKeyBadCertHandler badcerthandler)

 {

     char tBuff[56];

     g_Dispatch = dispatch;

@@ -272,6 +274,7 @@

     g_Release = release;

     g_GetConfigValue = getconfigvalue;

     g_SetConfigValue = setconfigvalue;

+    g_BadCertHandler = badcerthandler;

     char * suppressPINPrompt =(char*) CoolKeyGetConfig("esc.security.url");

@@ -997,6 +1000,16 @@

     return NSSManager::GetKeyPolicy(aKey, aBuf, aBufLen);

 }

+

+HRESULT

+CoolKeyGetUID(const CoolKey *aKey, char *aBuf, int aBufLength)

+{

+    if (!aKey || !aKey->mKeyID || !aBuf || aBufLength < 1)

+        return E_FAIL;

+

+    return NSSManager::GetKeyUID(aKey,aBuf,aBufLength);

+}

+

 HRESULT

 CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)

 {

@@ -1290,6 +1303,13 @@

     return aCUID;

 }

+CoolKeyBadCertHandler CoolKeyGetBadCertHandler()

+{

+    if(g_BadCertHandler)

+        return g_BadCertHandler;

+    return NULL;

+}

+

 const char *CoolKeyGetConfig(const char *aValue)

 {

     if(!g_GetConfigValue || ! aValue)

--- ./esc/src/lib/coolkey/manifest.mn.fix6	2009-06-19 16:05:45.000000000 -0700

+++ ./esc/src/lib/coolkey/manifest.mn	2009-06-19 16:05:54.000000000 -0700

@@ -19,7 +19,6 @@

 XULRUNNER_BASE=$(CORE_DEPTH)/dist/$(OBJDIR)//xulrunner_build

-

 SYS_INC		= /usr/include

 MODULE		= ckymanager

 LIBRARY_NAME	= $(MODULE)

@@ -41,7 +40,7 @@

 		SmartCardMonitoringThread.cpp \

 		$(NULL)

-EXPORTS 	= \

+EXPORTS		= \

 		CoolKey.h \

 		$(NULL)

--- ./esc/src/lib/coolkey/NSSManager.cpp.fix6	2009-06-19 16:06:19.000000000 -0700

+++ ./esc/src/lib/coolkey/NSSManager.cpp	2009-06-19 16:06:28.000000000 -0700

@@ -369,7 +369,7 @@

     aBuf[0]=0;

-    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo \n",GetTStamp(tBuff,56)));

+    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer \n",GetTStamp(tBuff,56)));

     if(!aKey )

         return E_FAIL;

@@ -409,7 +409,7 @@

                         continue;

                     }

                     orgID    = CERT_GetOrgName(&cert->subject);

-                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo ourSlot %p curSlot  %p org %s \n",GetTStamp(tBuff,56),slot,cert->slot,orgID));

+                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer ourSlot %p curSlot  %p org %s \n",GetTStamp(tBuff,56),slot,cert->slot,orgID));

                 }

@@ -437,6 +437,85 @@

     return S_OK;

 }

+HRESULT NSSManager::GetKeyUID(const CoolKey *aKey, char *aBuf, int aBufLength)

+{

+    char tBuff[56];

+    if(!aBuf)

+        return E_FAIL;

+

+    aBuf[0]=0;

+

+    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyUID \n",GetTStamp(tBuff,56)));

+

+    if(!aKey )

+        return E_FAIL;

+

+    PK11SlotInfo *slot = GetSlotForKeyID(aKey);

+

+    if (!slot)

+        return E_FAIL;

+

+    CERTCertList *certs = PK11_ListCerts(PK11CertListAll,NULL);

+

+    if (!certs)

+    {

+        PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%sNSSManager::GetKeyUID no certs found! \n",GetTStamp(tBuff,56)));

+        PK11_FreeSlot(slot);

+        return E_FAIL;

+    }

+

+    CERTCertListNode *node= NULL;

+

+    char *certID = NULL;

+

+    for( node = CERT_LIST_HEAD(certs);

+             ! CERT_LIST_END(node, certs);

+             node = CERT_LIST_NEXT(node))     

+    {     

+        if(node->cert) 

+        {

+            CERTCertificate *cert = node->cert;

+

+            if(cert)

+            {

+                if(cert->slot == slot)

+                {

+                    if(IsCACert(cert))

+                    {

+                        continue;

+                    }

+

+                    certID = CERT_GetCertUid(&cert->subject);

+

+                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyUID ourSlot %p curSlot  %p certID %s  \n",GetTStamp(tBuff,56),slot,cert->slot,certID));

+           

+                }

+

+                if(certID)

+                    break;

+            }

+        }

+

+    }

+

+    if(certID && ((int)strlen(certID)  <  aBufLength))

+    {

+        strcpy(aBuf,certID);

+    }

+

+    if(certs)

+      CERT_DestroyCertList(certs);

+

+    if(slot)

+      PK11_FreeSlot(slot);

+

+    if(certID)

+        PORT_Free(certID);

+

+    return S_OK;

+}

+

+

 HRESULT NSSManager::GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)

 {

     char tBuff[56];

@@ -487,6 +566,10 @@

                     certID = CERT_GetCommonName(&cert->subject);

+                    if(!certID) {

+                        certID = CERT_GetCertUid(&cert->subject);

+                    }

+

                     PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo ourSlot %p curSlot  %p certID %s  \n",GetTStamp(tBuff,56),slot,cert->slot,certID));

                 }

--- ./esc/src/lib/coolkey/CoolKey.h.fix6	2009-06-19 16:04:59.000000000 -0700

+++ ./esc/src/lib/coolkey/CoolKey.h	2009-06-19 16:05:05.000000000 -0700

@@ -26,6 +26,7 @@

 // platforms (coreconf will do the appropriate processing.

 #define COOLKEY_API

+#include "ssl.h"

 #include <string.h>

 #include <stdlib.h>

 #include <vector>

@@ -100,7 +101,7 @@

 typedef HRESULT (*CoolKeySetConfigValue)(const char *name,const char *value);

 typedef const char * (*CoolKeyGetConfigValue)(const char *name);

-

+typedef SECStatus (*CoolKeyBadCertHandler)(void *arg, PRFileDesc *fd);

 extern "C" {

@@ -112,7 +113,8 @@

 COOLKEY_API HRESULT CoolKeyUnregisterListener(CoolKeyListener* aListener);

 COOLKEY_API HRESULT CoolKeySetCallbacks(CoolKeyDispatch dispatch,

                         CoolKeyReference reference, CoolKeyRelease release,

-                        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue);

+                        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue,

+                        CoolKeyBadCertHandler badcerthandler=NULL);

 COOLKEY_API bool    CoolKeyRequiresAuthentication(const CoolKey *aKey);

 COOLKEY_API bool    CoolKeyHasApplet(const CoolKey *aKey);

@@ -133,6 +135,8 @@

 COOLKEY_API HRESULT CoolKeyGetCertInfo(const CoolKey *aKey, char *aCertNickname, std::string & aCertInfo);

+COOLKEY_API HRESULT CoolKeyGetUID(const CoolKey *aKey, char *aBuf, int aBufLength);

+

 COOLKEY_API HRESULT CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);

 COOLKEY_API HRESULT CoolKeyGetIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);

@@ -257,6 +261,9 @@

 const char *CoolKeyGetConfig(const char *aName);

 HRESULT     CoolKeySetConfig(const char *aName,const char *aValue);

+CoolKeyBadCertHandler CoolKeyGetBadCertHandler();

+

+

 }

--- ./esc/src/lib/coolkey/Makefile.fix6	2009-06-19 16:05:24.000000000 -0700

+++ ./esc/src/lib/coolkey/Makefile	2009-06-19 16:05:32.000000000 -0700

@@ -35,6 +35,9 @@

 	echo "Build Linux or Windows."

 	make -f common.mk

+export::

+	make -f common.mk export

+

 endif

 ifeq ($(OS_ARCH),Darwin)

--- ./esc/src/app/xul/esc/chrome/content/esc/certManager.xul.fix6	2009-06-19 16:01:21.000000000 -0700

+++ ./esc/src/app/xul/esc/chrome/content/esc/certManager.xul	2009-06-19 16:01:43.000000000 -0700

@@ -65,7 +65,7 @@

       <tabs id="certMgrTabbox" onselect="CertsTabsSelected();">

         <tab id="mine_tab" label="&certmgr.tab.mine;" selected="true"/>

         <tab id="others_tab" hidden="true" label="&certmgr.tab.others2;"/>

-        <tab id="websites_tab" hidden="true" label="&certmgr.tab.websites3;"/>

+        <tab id="websites_tab" hidden="false" label="&certmgr.tab.websites3;"/>

         <tab id="ca_tab" hidden="false" label="&certmgr.tab.ca;"/>

         <tab id="orphan_tab" hidden="true" label="&certmgr.tab.orphan2;"/>

--- ./esc/src/app/xpcom/rhCoolKey.cpp.fix6	2009-06-19 15:56:20.000000000 -0700

+++ ./esc/src/app/xpcom/rhCoolKey.cpp	2009-06-19 15:57:48.000000000 -0700

@@ -30,7 +30,7 @@

 #else

 #include "nsServiceManagerUtils.h"

 #endif

-

+#include "pipnss/nsICertOverrideService.h"

 #include "nsIPrefBranch.h"

 #include "nsIPrefService.h"

 #include "nsCOMPtr.h"

@@ -69,6 +69,7 @@

 #endif

 #define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"

+#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"

 static const nsIID kIModuleIID = NS_IMODULE_IID;

 static const nsIID kIFactoryIID = NS_IFACTORY_IID;

@@ -89,6 +90,7 @@

 std::list< nsCOMPtr <rhIKeyNotify>  > rhCoolKey::gNotifyListeners;

+PRLock* rhCoolKey::certCBLock=NULL;

 PRBool rhCoolKey::gAutoEnrollBlankTokens = PR_FALSE; 

@@ -190,6 +192,13 @@

         mCSPListener = nsnull;

     #endif

+    certCBLock = PR_NewLock();

+

+    if(!certCBLock) {

+       PR_LOG( coolKeyLog, PR_LOG_ERROR, ("%s Failed to create lock exiting! \n",GetTStamp(tBuff,56)));

+        exit(1);

+    }

+

     PRBool res = InitInstance();

     if(res == PR_FALSE)

@@ -207,6 +216,10 @@

     char tBuff[56];

     PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s rhCoolKey::~rhCoolKey: %p \n",GetTStamp(tBuff,56),this));

+

+    if(certCBLock) {

+        PR_DestroyLock(certCBLock);

+    }

 }

 void rhCoolKey::ShutDownInstance()

@@ -255,6 +268,212 @@

     return S_OK;

 }

+struct BadCertData {

+     PRErrorCode error; 

+     PRInt32 port;

+};  

+

+typedef struct BadCertData BadCertData;

+

+SECStatus rhCoolKey::badCertHandler(void *arg, PRFileDesc *fd)

+{

+    SECStatus    secStatus = SECFailure;

+    PRErrorCode    err;

+    char *host = NULL;

+    PRInt32 port = 0;

+    CERTCertificate *serverCert = NULL;

+    PRUint32 errorBits = 0;

+    char tBuff[56];

+    

+    PR_Lock(certCBLock);

+

+    if (!arg || !fd) {

+        PR_Unlock(certCBLock);

+        return secStatus;

+    }

+

+    // Retrieve callback data from NssHttpClient

+    // Caller cleans up this data

+    BadCertData *data = (BadCertData *) arg;

+    data->error = err = PORT_GetError();

+

+

+    /* If any of the cases in the switch are met, then we will proceed   */

+

+    switch (err) {

+    case SEC_ERROR_INVALID_AVA:

+    case SEC_ERROR_INVALID_TIME:

+    case SEC_ERROR_BAD_SIGNATURE:

+    case SEC_ERROR_EXPIRED_CERTIFICATE:

+    case SEC_ERROR_UNKNOWN_ISSUER:

+    case SEC_ERROR_UNTRUSTED_CERT:

+    case SEC_ERROR_CERT_VALID:

+    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:

+    case SEC_ERROR_CRL_EXPIRED:

+    case SEC_ERROR_CRL_BAD_SIGNATURE:

+    case SEC_ERROR_EXTENSION_VALUE_INVALID:

+    case SEC_ERROR_CA_CERT_INVALID:

+    case SEC_ERROR_CERT_USAGES_INVALID:

+    case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:

+    case SEC_ERROR_EXTENSION_NOT_FOUND: // Added by Rob 5/21/2002

+        secStatus = SECSuccess;

+    break;

+    default:

+        secStatus = SECFailure;

+    break;

+    }

+

+    if(secStatus == SECSuccess)  {

+        PR_Unlock(certCBLock);

+        return secStatus;

+    }

+

+    // Collect errors to compare with override service output

+    switch(err) {

+    case SEC_ERROR_UNTRUSTED_ISSUER:

+        errorBits |= nsICertOverrideService::ERROR_UNTRUSTED;

+    break;

+    case SSL_ERROR_BAD_CERT_DOMAIN:

+        errorBits |= nsICertOverrideService::ERROR_MISMATCH;

+    break;

+    case SEC_ERROR_EXPIRED_CERTIFICATE:

+        errorBits |= nsICertOverrideService::ERROR_TIME;

+    default:

+    break;

+    };

+

+    // Now proceed to see if we have an exception.

+    // Get the server certificate that was rejected.

+    serverCert = SSL_PeerCertificate(fd);

+

+    if(!serverCert) {

+        PR_Unlock(certCBLock);

+        return secStatus;

+    }

+

+    port = data->port;

+    host = SSL_RevealURL(fd);

+

+    if(!host || port <= 0) {

+        PR_Unlock(certCBLock);

+        return secStatus;

+    }

+

+    PR_LOG(coolKeyLog, PR_LOG_DEBUG,

+                          ("%s rhCoolKey::badCertHandler enter: error: %d  url: %s port: %d \n",

+                          GetTStamp(tBuff,56),err,host,port)

+    );

+

+    PRBool isTemporaryOverride = PR_FALSE;

+    PRUint32 overrideBits = 0;

+    PRBool overrideResult = PR_FALSE;

+

+    // Use the nsICertOverrideService to see if we have

+    // previously trusted this certificate.

+    nsCOMPtr<nsICertOverrideService> overrideService =

+       do_GetService(NS_CERTOVERRIDE_CONTRACTID);

+

+    const nsEmbedCString nsHost(host);

+    nsEmbedCString hashAlg,fingerPrint;

+

+    nsresult nsrv;

+    unsigned char* fingerprint=NULL;

+    if(overrideService) {

+        nsrv = overrideService->GetValidityOverride((const nsACString &)nsHost,

+            port,(nsACString &)hashAlg,

+            (nsACString&)fingerPrint,&overrideBits,

+            &isTemporaryOverride,&overrideResult

+        );

+        if(nsrv == NS_OK) { 

+           PR_LOG(coolKeyLog, PR_LOG_DEBUG,

+               ("%s rhCoolKey::badCertHandler res %d print %s len %d bits %u temp %d alg: %s  \n",

+               GetTStamp(tBuff,56),overrideResult,fingerPrint.get(),

+               fingerPrint.Length(),overrideBits, isTemporaryOverride,hashAlg.get())

+           );

+       }

+

+       PRBool certMatches = PR_FALSE;

+

+       if( (nsrv == NS_OK) && overrideResult) {

+            SECItem oid;

+            oid.data = nsnull;

+            oid.len = 0;

+            SECStatus srv = SEC_StringToOID(nsnull, &oid,

+                    hashAlg.get(), hashAlg.Length());

+

+            if (srv != SECSuccess)  {

+               PR_Free(host);

+               host=NULL;

+               CERT_DestroyCertificate(serverCert);

+               serverCert=NULL;

+               PR_Unlock(certCBLock);

+               return secStatus;

+            }

+

+            SECOidTag oid_tag = SECOID_FindOIDTag(&oid;;

+

+            unsigned int hash_len = HASH_ResultLenByOidTag(oid_tag);

+            fingerprint = new unsigned char[hash_len];

+

+            if(!fingerprint)  {

+                CERT_DestroyCertificate(serverCert);

+                serverCert=NULL;

+                PR_Unlock(certCBLock);

+                return secStatus;

+            }

+

+            SECItem computedPrint;

+            memset(fingerprint, 0, sizeof fingerprint);

+            PK11_HashBuf(oid_tag, fingerprint,

+            serverCert->derCert.data, serverCert->derCert.len);