Blob Blame History Raw
--- ./esc/src/lib/NssHttpClient/engine.h.fix6	2009-06-19 16:07:39.000000000 -0700
+++ ./esc/src/lib/NssHttpClient/engine.h	2009-06-19 16:07:44.000000000 -0700
@@ -22,9 +22,17 @@
 #include "response.h"
 #include "request.h"
 
+struct BadCertData {
+ PRErrorCode error;
+ PRInt32 port;
+};
+
+typedef struct BadCertData BadCertData;
+
+
 class __EXPORT Engine {
     public:
-        Engine() {};
+        Engine() { _certData = NULL; _sock=NULL;};
         ~Engine() {};
 
         PRFileDesc *_doConnect(PRNetAddr *addr, PRBool SSLOn = PR_FALSE,
@@ -37,7 +45,8 @@
         static PRIntervalTime globaltimeout;
 
         PRFileDesc *_sock;
-
+        BadCertData *_certData;
+        BadCertData *getBadCertData() { return _certData;}
         PRFileDesc *getSocket() { return _sock;}
 
         bool connectionClosed ;
--- ./esc/src/lib/NssHttpClient/engine.cpp.fix6	2009-06-19 16:07:12.000000000 -0700
+++ ./esc/src/lib/NssHttpClient/engine.cpp	2009-06-19 16:07:29.000000000 -0700
@@ -16,6 +16,8 @@
  * All rights reserved.
  * END COPYRIGHT BLOCK **/
 
+#define FORCE_PR_LOG 1
+
 #include <nspr.h>
 #include "sslproto.h"
 #include <prerror.h>
@@ -27,7 +29,7 @@
 #include "certt.h"
 #include "sslerr.h"
 #include "secerr.h"
-
+#include "CoolKey.h"
 #include "engine.h"
 #include "http.h"
 
@@ -39,6 +41,9 @@
 int cipherCount = 0;
 int _doVerifyServerCert = 1;
 
+PRLogModuleInfo *httpEngineLog = PR_NewLogModule("coolKeyHttpEngine");
+
+
 PRIntervalTime Engine::globaltimeout = PR_TicksPerSecond()*30;
 
 /**
@@ -56,13 +61,26 @@
     SECStatus    secStatus = SECFailure;
     PRErrorCode    err;
 
+    char tBuff[56];
+
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+                          ("%s myBadCertHandler enter. \n",GetTStamp(tBuff,56)));
+
     /* log invalid cert here */
 
     if ( !arg ) {
         return secStatus;
     }
 
-    *(PRErrorCode *)arg = err = PORT_GetError();
+    err = PORT_GetError();
+
+    BadCertData *data = (BadCertData *) arg;
+    if(data) {
+        data->error = err;
+    }
+
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+                          ("%s myBadCertHandler err: %d .  \n",GetTStamp(tBuff,56),err));
 
     /* If any of the cases in the switch are met, then we will proceed   */
     /* with the processing of the request anyway. Otherwise, the default */    
@@ -91,6 +109,10 @@
     break;
     }
 
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+                          ("%s myBadCertHandler status: %d .  \n",GetTStamp(tBuff,56),secStatus));
+
+
     return secStatus;
 }
 
@@ -416,7 +438,6 @@
     return;
 }
 
-
 void Engine::CloseConnection()
 {
     connectionClosed = true;
@@ -426,7 +447,14 @@
         PR_Close(_sock);
         _sock = NULL;
     }
+
+    if(_certData)
+    {
+        delete _certData;
+        _certData = NULL;
+    }
 }
+
 /**
  * Returns a file descriptor for I/O if the HTTP connection is successful
  * @param addr PRnetAddr structure which points to the server to connect to
@@ -442,21 +470,19 @@
     PRFileDesc *tcpsock = NULL;
     PRFileDesc *sock = NULL;
     connectionClosed = false;
+    _certData = new BadCertData();
 
     tcpsock = PR_OpenTCPSocket(addr->raw.family);
-   
 
     if (!tcpsock) {
-
         return NULL;
     }
 
     nodelay(tcpsock);
 
     if (PR_TRUE == SSLOn) {
-        sock=SSL_ImportFD(NULL, tcpsock);
-
 
+        sock=SSL_ImportFD(NULL, tcpsock);
         if (!sock) {
             //xxx log
             if( tcpsock != NULL ) {
@@ -516,9 +542,23 @@
 
         PRErrorCode errCode = 0;
 
-        rv = SSL_BadCertHook( sock,
+        if(_certData) {
+            _certData->error = errCode;
+            _certData->port  = PR_ntohs(PR_NetAddrInetPort(addr));
+        }
+
+        CoolKeyBadCertHandler overriddenHandler =  CoolKeyGetBadCertHandler();
+
+        if(overriddenHandler)  {
+            rv = SSL_BadCertHook( sock,
+                              (SSLBadCertHandler)overriddenHandler,
+                               (void *)_certData);
+        } else {
+            rv = SSL_BadCertHook( sock,
                               (SSLBadCertHandler)myBadCertHandler,
-                              &errCode );
+                              (void *)_certData);
+        }
+
         rv = SSL_SetURL( sock, serverName );
 
         if (rv != SECSuccess ) {
@@ -536,8 +576,6 @@
         sock = tcpsock;
     }
 
-  
-
     if ( PR_Connect(sock, addr, timeout) == PR_FAILURE ) {
 
         if( sock != NULL ) {
@@ -563,11 +601,17 @@
                                           const PSHttpServer& server,
                                           int timeout, PRBool expectChunked ,PRBool processStreamed) {
     PRNetAddr addr;
-    PRFileDesc *sock = NULL;
     PSHttpResponse *resp = NULL;
 
     PRBool response_code = 0;
 
+    char tBuff[56];
+
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+                          ("%s HttpEngine::makeRequest  enter. \n",GetTStamp(tBuff,56)));
+
+
+
     server.getAddr(&addr);
 
     char *nickName = request.getCertNickName();
@@ -575,8 +619,17 @@
     char *serverName = (char *)server.getAddr();
     _sock = _doConnect( &addr, request.isSSL(), 0, 0,nickName, 0, serverName );
 
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+                          ("%s HttpEngine::makeRequest  past doConnect sock: %p. \n",
+                          GetTStamp(tBuff,56),_sock));
+
     if ( _sock != NULL) {
         PRBool status = request.send( _sock );
+
+        PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+                          ("%s HttpEngine::makeRequest  past request.send status: %d. \n",
+                          GetTStamp(tBuff,56),status));
+
         if ( status ) {
             resp = new PSHttpResponse( _sock, &request, timeout, expectChunked ,this);
             response_code = resp->processResponse(processStreamed);
--- ./esc/src/lib/NssHttpClient/manifest.mn.fix6	2009-06-19 16:08:05.000000000 -0700
+++ ./esc/src/lib/NssHttpClient/manifest.mn	2009-06-19 16:08:13.000000000 -0700
@@ -24,7 +24,7 @@
 MODULE		= httpchunked
 LIBRARY_NAME	= $(MODULE)
 SHARED_NAME	= $(MODULE)
-REQUIRES	= nss nspr 
+REQUIRES	= nss nspr ckymanager
 ifndef MOZ_OFFSET
 MOZ_OFFSET	= mozilla-1.7.13
 endif
--- ./esc/src/lib/coolkey/NSSManager.h.fix6	2009-06-19 16:06:41.000000000 -0700
+++ ./esc/src/lib/coolkey/NSSManager.h	2009-06-19 16:06:47.000000000 -0700
@@ -70,6 +70,8 @@
 
   static HRESULT  GetKeyCertNicknames( const CoolKey *aKey,  vector<string> & aStrings  ); 
 
+  static HRESULT GetKeyUID(const CoolKey *aKey, char *aBuf, int aBufLength);
+
   static HRESULT GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);
 
   static HRESULT GetKeyIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);
--- ./esc/src/lib/coolkey/CoolKey.cpp.fix6	2009-06-19 16:02:43.000000000 -0700
+++ ./esc/src/lib/coolkey/CoolKey.cpp	2009-06-19 16:03:03.000000000 -0700
@@ -259,12 +259,14 @@
 static CoolKeyRelease g_Release = NULL;
 static CoolKeyGetConfigValue g_GetConfigValue = NULL;
 static CoolKeySetConfigValue g_SetConfigValue = NULL;
+static CoolKeyBadCertHandler g_BadCertHandler = NULL;
 
 char* CoolKeyVerifyPassword(PK11SlotInfo *,PRBool,void *);
 
 COOLKEY_API HRESULT CoolKeySetCallbacks(CoolKeyDispatch dispatch,
 	CoolKeyReference reference, CoolKeyRelease release,
-        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue)
+        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue,
+        CoolKeyBadCertHandler badcerthandler)
 {
     char tBuff[56];
     g_Dispatch = dispatch;
@@ -272,6 +274,7 @@
     g_Release = release;
     g_GetConfigValue = getconfigvalue;
     g_SetConfigValue = setconfigvalue;
+    g_BadCertHandler = badcerthandler;
 
     char * suppressPINPrompt =(char*) CoolKeyGetConfig("esc.security.url");
 
@@ -997,6 +1000,16 @@
   
     return NSSManager::GetKeyPolicy(aKey, aBuf, aBufLen);
 }
+
+HRESULT
+CoolKeyGetUID(const CoolKey *aKey, char *aBuf, int aBufLength)
+{
+    if (!aKey || !aKey->mKeyID || !aBuf || aBufLength < 1)
+        return E_FAIL;
+
+    return NSSManager::GetKeyUID(aKey,aBuf,aBufLength);
+}
+
 HRESULT
 CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)
 {
@@ -1290,6 +1303,13 @@
     return aCUID;
 }
 
+CoolKeyBadCertHandler CoolKeyGetBadCertHandler()
+{
+    if(g_BadCertHandler)
+        return g_BadCertHandler;
+    return NULL;
+}
+
 const char *CoolKeyGetConfig(const char *aValue)
 {
     if(!g_GetConfigValue || ! aValue)
--- ./esc/src/lib/coolkey/manifest.mn.fix6	2009-06-19 16:05:45.000000000 -0700
+++ ./esc/src/lib/coolkey/manifest.mn	2009-06-19 16:05:54.000000000 -0700
@@ -19,7 +19,6 @@
 
 XULRUNNER_BASE=$(CORE_DEPTH)/dist/$(OBJDIR)//xulrunner_build
 
-
 SYS_INC		= /usr/include
 MODULE		= ckymanager
 LIBRARY_NAME	= $(MODULE)
@@ -41,7 +40,7 @@
 		SmartCardMonitoringThread.cpp \
 		$(NULL)
 
-EXPORTS 	= \
+EXPORTS		= \
 		CoolKey.h \
 		$(NULL)
 
--- ./esc/src/lib/coolkey/NSSManager.cpp.fix6	2009-06-19 16:06:19.000000000 -0700
+++ ./esc/src/lib/coolkey/NSSManager.cpp	2009-06-19 16:06:28.000000000 -0700
@@ -369,7 +369,7 @@
 
     aBuf[0]=0;
 
-    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo \n",GetTStamp(tBuff,56)));
+    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer \n",GetTStamp(tBuff,56)));
 
     if(!aKey )
         return E_FAIL;
@@ -409,7 +409,7 @@
                         continue;
                     }
                     orgID    = CERT_GetOrgName(&cert->subject);
-                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo ourSlot %p curSlot  %p org %s \n",GetTStamp(tBuff,56),slot,cert->slot,orgID));
+                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer ourSlot %p curSlot  %p org %s \n",GetTStamp(tBuff,56),slot,cert->slot,orgID));
 
                 }
 
@@ -437,6 +437,85 @@
     return S_OK;
 }
 
+HRESULT NSSManager::GetKeyUID(const CoolKey *aKey, char *aBuf, int aBufLength)
+{
+    char tBuff[56];
+    if(!aBuf)
+        return E_FAIL;
+
+    aBuf[0]=0;
+
+    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyUID \n",GetTStamp(tBuff,56)));
+
+    if(!aKey )
+        return E_FAIL;
+
+    PK11SlotInfo *slot = GetSlotForKeyID(aKey);
+
+    if (!slot)
+        return E_FAIL;
+
+    CERTCertList *certs = PK11_ListCerts(PK11CertListAll,NULL);
+
+    if (!certs)
+    {
+        PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%sNSSManager::GetKeyUID no certs found! \n",GetTStamp(tBuff,56)));
+        PK11_FreeSlot(slot);
+        return E_FAIL;
+    }
+
+    CERTCertListNode *node= NULL;
+
+    char *certID = NULL;
+
+    for( node = CERT_LIST_HEAD(certs);
+             ! CERT_LIST_END(node, certs);
+             node = CERT_LIST_NEXT(node))     
+    {     
+        if(node->cert) 
+        {
+            CERTCertificate *cert = node->cert;
+
+            if(cert)
+            {
+                if(cert->slot == slot)
+                {
+                    if(IsCACert(cert))
+                    {
+                        continue;
+                    }
+
+                    certID = CERT_GetCertUid(&cert->subject);
+
+                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyUID ourSlot %p curSlot  %p certID %s  \n",GetTStamp(tBuff,56),slot,cert->slot,certID));
+           
+                }
+
+                if(certID)
+                    break;
+            }
+        }
+
+    }
+
+    if(certID && ((int)strlen(certID)  <  aBufLength))
+    {
+        strcpy(aBuf,certID);
+    }
+
+    if(certs)
+      CERT_DestroyCertList(certs);
+
+    if(slot)
+      PK11_FreeSlot(slot);
+
+    if(certID)
+        PORT_Free(certID);
+
+    return S_OK;
+}
+
+
 HRESULT NSSManager::GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)
 {
     char tBuff[56];
@@ -487,6 +566,10 @@
 
                     certID = CERT_GetCommonName(&cert->subject);
 
+                    if(!certID) {
+                        certID = CERT_GetCertUid(&cert->subject);
+                    }
+
                     PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo ourSlot %p curSlot  %p certID %s  \n",GetTStamp(tBuff,56),slot,cert->slot,certID));
 
                 }
--- ./esc/src/lib/coolkey/CoolKey.h.fix6	2009-06-19 16:04:59.000000000 -0700
+++ ./esc/src/lib/coolkey/CoolKey.h	2009-06-19 16:05:05.000000000 -0700
@@ -26,6 +26,7 @@
 // platforms (coreconf will do the appropriate processing.
 #define COOLKEY_API
 
+#include "ssl.h"
 #include <string.h>
 #include <stdlib.h>
 #include <vector>
@@ -100,7 +101,7 @@
 
 typedef HRESULT (*CoolKeySetConfigValue)(const char *name,const char *value);
 typedef const char * (*CoolKeyGetConfigValue)(const char *name);
-
+typedef SECStatus (*CoolKeyBadCertHandler)(void *arg, PRFileDesc *fd);
 
 
 extern "C" {
@@ -112,7 +113,8 @@
 COOLKEY_API HRESULT CoolKeyUnregisterListener(CoolKeyListener* aListener);
 COOLKEY_API HRESULT CoolKeySetCallbacks(CoolKeyDispatch dispatch,
                         CoolKeyReference reference, CoolKeyRelease release,
-                        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue);
+                        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue,
+                        CoolKeyBadCertHandler badcerthandler=NULL);
 
 COOLKEY_API bool    CoolKeyRequiresAuthentication(const CoolKey *aKey);
 COOLKEY_API bool    CoolKeyHasApplet(const CoolKey *aKey);
@@ -133,6 +135,8 @@
 
 COOLKEY_API HRESULT CoolKeyGetCertInfo(const CoolKey *aKey, char *aCertNickname, std::string & aCertInfo);
 
+COOLKEY_API HRESULT CoolKeyGetUID(const CoolKey *aKey, char *aBuf, int aBufLength);
+
 COOLKEY_API HRESULT CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);
 COOLKEY_API HRESULT CoolKeyGetIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);
 
@@ -257,6 +261,9 @@
 
 const char *CoolKeyGetConfig(const char *aName);
 HRESULT     CoolKeySetConfig(const char *aName,const char *aValue);
+CoolKeyBadCertHandler CoolKeyGetBadCertHandler();
+
+
 
 }
 
--- ./esc/src/lib/coolkey/Makefile.fix6	2009-06-19 16:05:24.000000000 -0700
+++ ./esc/src/lib/coolkey/Makefile	2009-06-19 16:05:32.000000000 -0700
@@ -35,6 +35,9 @@
 	echo "Build Linux or Windows."
 	make -f common.mk
 
+export::
+	make -f common.mk export
+
 endif
 
 ifeq ($(OS_ARCH),Darwin)
--- ./esc/src/app/xul/esc/chrome/content/esc/certManager.xul.fix6	2009-06-19 16:01:21.000000000 -0700
+++ ./esc/src/app/xul/esc/chrome/content/esc/certManager.xul	2009-06-19 16:01:43.000000000 -0700
@@ -65,7 +65,7 @@
       <tabs id="certMgrTabbox" onselect="CertsTabsSelected();">
         <tab id="mine_tab" label="&certmgr.tab.mine;" selected="true"/>
         <tab id="others_tab" hidden="true" label="&certmgr.tab.others2;"/>
-        <tab id="websites_tab" hidden="true" label="&certmgr.tab.websites3;"/>
+        <tab id="websites_tab" hidden="false" label="&certmgr.tab.websites3;"/>
         <tab id="ca_tab" hidden="false" label="&certmgr.tab.ca;"/>
         <tab id="orphan_tab" hidden="true" label="&certmgr.tab.orphan2;"/>
 
--- ./esc/src/app/xpcom/rhCoolKey.cpp.fix6	2009-06-19 15:56:20.000000000 -0700
+++ ./esc/src/app/xpcom/rhCoolKey.cpp	2009-06-19 15:57:48.000000000 -0700
@@ -30,7 +30,7 @@
 #else
 #include "nsServiceManagerUtils.h"
 #endif
-
+#include "pipnss/nsICertOverrideService.h"
 #include "nsIPrefBranch.h"
 #include "nsIPrefService.h"
 #include "nsCOMPtr.h"
@@ -69,6 +69,7 @@
 #endif
 
 #define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
+#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
 
 static const nsIID kIModuleIID = NS_IMODULE_IID;
 static const nsIID kIFactoryIID = NS_IFACTORY_IID;
@@ -89,6 +90,7 @@
 
 std::list< nsCOMPtr <rhIKeyNotify>  > rhCoolKey::gNotifyListeners;
 
+PRLock* rhCoolKey::certCBLock=NULL;
 
 PRBool rhCoolKey::gAutoEnrollBlankTokens = PR_FALSE; 
 
@@ -190,6 +192,13 @@
         mCSPListener = nsnull;
     #endif
 
+    certCBLock = PR_NewLock();
+
+    if(!certCBLock) {
+       PR_LOG( coolKeyLog, PR_LOG_ERROR, ("%s Failed to create lock exiting! \n",GetTStamp(tBuff,56)));
+        exit(1);
+    }
+
     PRBool res = InitInstance();
 
     if(res == PR_FALSE)
@@ -207,6 +216,10 @@
 
     char tBuff[56];
     PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s rhCoolKey::~rhCoolKey: %p \n",GetTStamp(tBuff,56),this));
+
+    if(certCBLock) {
+        PR_DestroyLock(certCBLock);
+    }
 }
 
 void rhCoolKey::ShutDownInstance()
@@ -255,6 +268,212 @@
     return S_OK;
 }
 
+struct BadCertData {
+     PRErrorCode error; 
+     PRInt32 port;
+};  
+
+typedef struct BadCertData BadCertData;
+
+SECStatus rhCoolKey::badCertHandler(void *arg, PRFileDesc *fd)
+{
+    SECStatus    secStatus = SECFailure;
+    PRErrorCode    err;
+    char *host = NULL;
+    PRInt32 port = 0;
+    CERTCertificate *serverCert = NULL;
+    PRUint32 errorBits = 0;
+    char tBuff[56];
+    
+    PR_Lock(certCBLock);
+
+    if (!arg || !fd) {
+        PR_Unlock(certCBLock);
+        return secStatus;
+    }
+
+    // Retrieve callback data from NssHttpClient
+    // Caller cleans up this data
+    BadCertData *data = (BadCertData *) arg;
+    data->error = err = PORT_GetError();
+
+
+    /* If any of the cases in the switch are met, then we will proceed   */
+
+    switch (err) {
+    case SEC_ERROR_INVALID_AVA:
+    case SEC_ERROR_INVALID_TIME:
+    case SEC_ERROR_BAD_SIGNATURE:
+    case SEC_ERROR_EXPIRED_CERTIFICATE:
+    case SEC_ERROR_UNKNOWN_ISSUER:
+    case SEC_ERROR_UNTRUSTED_CERT:
+    case SEC_ERROR_CERT_VALID:
+    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+    case SEC_ERROR_CRL_EXPIRED:
+    case SEC_ERROR_CRL_BAD_SIGNATURE:
+    case SEC_ERROR_EXTENSION_VALUE_INVALID:
+    case SEC_ERROR_CA_CERT_INVALID:
+    case SEC_ERROR_CERT_USAGES_INVALID:
+    case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
+    case SEC_ERROR_EXTENSION_NOT_FOUND: // Added by Rob 5/21/2002
+        secStatus = SECSuccess;
+    break;
+    default:
+        secStatus = SECFailure;
+    break;
+    }
+
+    if(secStatus == SECSuccess)  {
+        PR_Unlock(certCBLock);
+        return secStatus;
+    }
+
+    // Collect errors to compare with override service output
+    switch(err) {
+    case SEC_ERROR_UNTRUSTED_ISSUER:
+        errorBits |= nsICertOverrideService::ERROR_UNTRUSTED;
+    break;
+    case SSL_ERROR_BAD_CERT_DOMAIN:
+        errorBits |= nsICertOverrideService::ERROR_MISMATCH;
+    break;
+    case SEC_ERROR_EXPIRED_CERTIFICATE:
+        errorBits |= nsICertOverrideService::ERROR_TIME;
+    default:
+    break;
+    };
+
+    // Now proceed to see if we have an exception.
+    // Get the server certificate that was rejected.
+    serverCert = SSL_PeerCertificate(fd);
+
+    if(!serverCert) {
+        PR_Unlock(certCBLock);
+        return secStatus;
+    }
+
+    port = data->port;
+    host = SSL_RevealURL(fd);
+
+    if(!host || port <= 0) {
+        PR_Unlock(certCBLock);
+        return secStatus;
+    }
+
+    PR_LOG(coolKeyLog, PR_LOG_DEBUG,
+                          ("%s rhCoolKey::badCertHandler enter: error: %d  url: %s port: %d \n",
+                          GetTStamp(tBuff,56),err,host,port)
+    );
+
+    PRBool isTemporaryOverride = PR_FALSE;
+    PRUint32 overrideBits = 0;
+    PRBool overrideResult = PR_FALSE;
+
+    // Use the nsICertOverrideService to see if we have
+    // previously trusted this certificate.
+    nsCOMPtr<nsICertOverrideService> overrideService =
+       do_GetService(NS_CERTOVERRIDE_CONTRACTID);
+
+    const nsEmbedCString nsHost(host);
+    nsEmbedCString hashAlg,fingerPrint;
+
+    nsresult nsrv;
+    unsigned char* fingerprint=NULL;
+    if(overrideService) {
+        nsrv = overrideService->GetValidityOverride((const nsACString &)nsHost,
+            port,(nsACString &)hashAlg,
+            (nsACString&)fingerPrint,&overrideBits,
+            &isTemporaryOverride,&overrideResult
+        );
+        if(nsrv == NS_OK) { 
+           PR_LOG(coolKeyLog, PR_LOG_DEBUG,
+               ("%s rhCoolKey::badCertHandler res %d print %s len %d bits %u temp %d alg: %s  \n",
+               GetTStamp(tBuff,56),overrideResult,fingerPrint.get(),
+               fingerPrint.Length(),overrideBits, isTemporaryOverride,hashAlg.get())
+           );
+       }
+
+       PRBool certMatches = PR_FALSE;
+
+       if( (nsrv == NS_OK) && overrideResult) {
+            SECItem oid;
+            oid.data = nsnull;
+            oid.len = 0;
+            SECStatus srv = SEC_StringToOID(nsnull, &oid,
+                    hashAlg.get(), hashAlg.Length());
+
+            if (srv != SECSuccess)  {
+               PR_Free(host);
+               host=NULL;
+               CERT_DestroyCertificate(serverCert);
+               serverCert=NULL;
+               PR_Unlock(certCBLock);
+               return secStatus;
+            }
+
+            SECOidTag oid_tag = SECOID_FindOIDTag(&oid);
+
+            unsigned int hash_len = HASH_ResultLenByOidTag(oid_tag);
+            fingerprint = new unsigned char[hash_len];
+
+            if(!fingerprint)  {
+                CERT_DestroyCertificate(serverCert);
+                serverCert=NULL;
+                PR_Unlock(certCBLock);
+                return secStatus;
+            }
+
+            SECItem computedPrint;
+            memset(fingerprint, 0, sizeof fingerprint);
+            PK11_HashBuf(oid_tag, fingerprint,
+            serverCert->derCert.data, serverCert->derCert.len);
+            CERT_DestroyCertificate(serverCert);
+            serverCert=NULL;
+
+            computedPrint.data=fingerprint;
+            computedPrint.len=hash_len;
+
+            char *formattedPrint = CERT_Hexify(&computedPrint,1);
+            char *inputPrint = (char *)fingerPrint.get();
+
+            //Compare fingerprints.
+
+            if(formattedPrint && inputPrint)  {
+                if(!PL_strcmp(formattedPrint, inputPrint))
+                    certMatches = PR_TRUE;
+            }
+            PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s certMatches: %d  \n",
+                GetTStamp(tBuff,56),certMatches)
+            );
+
+            if(formattedPrint)  {
+                PORT_Free(formattedPrint);
+                formattedPrint = NULL;
+            }
+      } else {
+          PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s override test failed. \n",
+              GetTStamp(tBuff,56))
+          );
+      }
+
+      if( certMatches ) {
+         if(overrideBits | errorBits)
+             secStatus = SECSuccess;   
+      }
+    }
+
+    PR_Free(host);
+    host = NULL;
+    if(fingerprint)  {
+        delete [] fingerprint;
+        fingerprint = NULL;
+    }
+
+    PR_Unlock(certCBLock);
+
+    return secStatus;
+}
+
+
 HRESULT rhCoolKey::doSetCoolKeyConfigValue(const char *aName, const char *aValue) 
 {
 
@@ -340,7 +559,7 @@
     nssComponent
     = do_GetService(PSM_COMPONENT_CONTRACTID); 
 
-    CoolKeySetCallbacks(Dispatch,Reference, Release,doGetCoolKeyConfigValue ,doSetCoolKeyConfigValue);
+    CoolKeySetCallbacks(Dispatch,Reference, Release,doGetCoolKeyConfigValue ,doSetCoolKeyConfigValue,badCertHandler);
 
     mProxy = CreateProxyObject();
 
@@ -1262,6 +1481,38 @@
 }
 
 /* string GetCoolKeyIssuedTo (in unsigned long aKeyType, in string aKeyID); */
+NS_IMETHODIMP rhCoolKey::GetCoolKeyUID(PRUint32 aKeyType, const char *aKeyID, char **uid)
+{
+    char tBuff[56];
+    if (!aKeyID) {
+        return NS_ERROR_FAILURE;
+    }
+
+    AutoCoolKey key(aKeyType, ( char *)aKeyID);
+
+    char buff[512];
+    int bufLength = 512;
+    buff[0] = 0;
+   
+    CoolKeyGetUID(&key, (char *) buff, bufLength);
+
+    if(!buff[0])
+    {
+        return NS_OK;
+    }
+
+    PR_LOG(coolKeyLog,PR_LOG_DEBUG,("%s rhCoolKey::RhGetCoolKeyGetUID  %s \n",GetTStamp(tBuff,56),(char *) buff));
+
+    char *temp =  (char *) nsMemory::Clone(buff,sizeof(char) * strlen(buff) + 1);
+
+    *uid = temp;
+
+    return NS_OK;
+
+}
+
+
+/* string GetCoolKeyIssuedTo (in unsigned long aKeyType, in string aKeyID); */
 NS_IMETHODIMP rhCoolKey::GetCoolKeyIssuedTo(PRUint32 aKeyType, const char *aKeyID, char **issuedTo)
 {
     char tBuff[56];
--- ./esc/src/app/xpcom/rhICoolKey.idl.fix6	2009-06-19 16:00:20.000000000 -0700
+++ ./esc/src/app/xpcom/rhICoolKey.idl	2009-06-19 16:00:32.000000000 -0700
@@ -66,6 +66,8 @@
 
     string GetCoolKeyCertInfo(in unsigned long aKeyType, in string aKeyID, in string aCertNickname);
 
+    string GetCoolKeyUID(in unsigned long aKeyType, in string aKeyID);
+
     string GetCoolKeyIssuedTo(in unsigned long aKeyType, in string aKeyID);
    
     string GetCoolKeyIssuer(in unsigned long aKeyType, in string aKeyID);
--- ./esc/src/app/xpcom/Makefile.sdk.fix6	2009-06-19 15:54:52.000000000 -0700
+++ ./esc/src/app/xpcom/Makefile.sdk	2009-06-19 15:55:43.000000000 -0700
@@ -109,7 +109,7 @@
 CPPFLAGS += -fno-rtti \
                 -fno-exceptions \
                 -fshort-wchar -fPIC
-GECKO_LD_LIBS=-L$(GECKO_SDK_PATH)/lib    $(GECKO_SDK_PATH)/lib/libxpcomglue.a -lnss3 -lcrmf -lssl3 -lsmime3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
+GECKO_LD_LIBS=-L$(GECKO_SDK_PATH)/lib    $(GECKO_SDK_PATH)/lib/libxpcomglue.a -lnssutil3 -lnss3 -lcrmf -lssl3 -lsmime3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
 endif
 
 ifeq ($(OS_ARCH),WINNT)
@@ -145,7 +145,7 @@
 GECKO_INCLUDES		+= -I $(GECKO_SDK_PATH)/sdk/include
 OBJECT			= rhCoolKey.obj
 OBJECTCSP		= CoolKeyCSP.obj 
-COOL_LDFLAGS		=   -IMPLIB:fake-import /LIBPATH:$(CORE_DIST)/lib ckymanager.lib httpchunked.lib $(GECKO_LD_LIBS) nss3.lib ssl3.lib smime3.lib softokn3.lib  /LIBPATH:$(CKY_LIB_LDD) libckyapplet.lib  crypt32.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib /NODEFAULTLIB:libc.lib
+COOL_LDFLAGS		=   -IMPLIB:fake-import /LIBPATH:$(CORE_DIST)/lib ckymanager.lib httpchunked.lib $(GECKO_LD_LIBS) nssutil3.lib nss3.lib ssl3.lib smime3.lib softokn3.lib  /LIBPATH:$(CKY_LIB_LDD) libckyapplet.lib  crypt32.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib /NODEFAULTLIB:libc.lib
 endif
 
 ifeq ($(OS_ARCH),Darwin)
--- ./esc/src/app/xpcom/rhCoolKey.h.fix6	2009-06-19 15:58:21.000000000 -0700
+++ ./esc/src/app/xpcom/rhCoolKey.h	2009-06-19 15:58:28.000000000 -0700
@@ -22,6 +22,15 @@
 #include "nsIGenericFactory.h"
 #include "nsEmbedString.h"
 #include <list>
+#include "nspr.h"
+#include "prio.h"
+#include "ssl.h"
+#include "pk11func.h"
+#include "cert.h"
+#include "sslerr.h"
+#include "secerr.h"
+#include "sechash.h"
+
 #include "CoolKey.h"
 #include "nsCOMPtr.h"
 #include "nsIObserver.h"
@@ -92,6 +101,7 @@
 
     static HRESULT doSetCoolKeyConfigValue(const char *aName, const char *aValue); 
     static const char *doGetCoolKeyConfigValue(const char *aName );
+    static SECStatus badCertHandler(void *arg, PRFileDesc *fd);
 
 protected:
   /* additional members */
@@ -107,6 +117,8 @@
 
     static std::list< nsCOMPtr <rhIKeyNotify> > gNotifyListeners;
 
+    static PRLock* certCBLock;
+
     rhICoolKey* mProxy;
 
     static PRBool      gAutoEnrollBlankTokens;