diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def

--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix	2010-12-21 12:35:04.360044000 -0800

+++ jss-4.2.6/mozilla/security/jss/lib/jss.def	2010-12-21 12:36:05.364105000 -0800

@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG

 Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;

 Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;

 Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;

+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;

 ;+    local:

 ;+       *;

 ;+};

diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java

--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix	2010-12-21 12:36:24.417124000 -0800

+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java	2010-12-21 12:43:54.777575000 -0800

@@ -157,6 +157,19 @@ public final class CryptoManager impleme

         public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");

         public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");

         public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");

+

+        /*

+                 The folllowing usages cannot be verified:

+                   certUsageAnyCA

+                   certUsageProtectedObjectSigner

+                   certUsageUserCertImport

+                   certUsageVerifyCA

+        */

+        public static final int basicCertificateUsages = /*0x0b80;*/

+                certificateUsageUserCertImport |

+                certificateUsageVerifyCA |

+                certificateUsageProtectedObjectSigner |

+                certificateUsageAnyCA ;

     }

     public final static class NotInitializedException extends Exception {}

@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme

      * against Now.

      * @param nickname The nickname of the certificate to verify.

      * @param checkSig verify the signature of the certificate

-     * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check

-     * @return true for success; false otherwise

+     * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage

      *

      * @exception InvalidNicknameException If the nickname is null

      * @exception ObjectNotFoundException If no certificate could be found

      *      with the given nickname.

      */

+    public int isCertValid(String nickname, boolean checkSig)

+        throws ObjectNotFoundException, InvalidNicknameException

+    {

+        if (nickname==null) {

+            throw new InvalidNicknameException("Nickname must be non-null");

+        }

+        int currCertificateUsage = 0x0000; // initialize it to 0

+        currCertificateUsage = verifyCertificateNowCUNative(nickname,

+                checkSig);

+        return currCertificateUsage;

+    }

+

+    private native int verifyCertificateNowCUNative(String nickname,

+        boolean checkSig) throws ObjectNotFoundException;

+    /////////////////////////////////////////////////////////////

+    // isCertValid

+    /////////////////////////////////////////////////////////////

+    /**

+     * Verify a certificate that exists in the given cert database,

+     * check if is valid and that we trust the issuer. Verify time

+     * against Now.

+     * @param nickname The nickname of the certificate to verify.

+     * @param checkSig verify the signature of the certificate

+     * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above

+     * @return true for success; false otherwise

+     *

+     * @exception InvalidNicknameException If the nickname is null

+     * @exception ObjectNotFoundException If no certificate could be found

+     *      with the given nickname.

+     */

     public boolean isCertValid(String nickname, boolean checkSig,

             CertificateUsage certificateUsage)

         throws ObjectNotFoundException, InvalidNicknameException

@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme

         if (nickname==null) {

             throw new InvalidNicknameException("Nickname must be non-null");

         }

-        // 0 certificate usage was supposed to get current usage, however,

-        // it is not exposed at this point

-        return verifyCertificateNowNative(nickname,

-              checkSig,

-              (certificateUsage == null) ? 0:certificateUsage.getUsage());

+        // 0 certificate usage will get current usage

+        // should call isCertValid() call above that returns certificate usage

+        if ((certificateUsage == null) ||

+                (certificateUsage == CertificateUsage.CheckAllUsages)){

+            int currCertificateUsage = 0x0000;

+            currCertificateUsage = verifyCertificateNowCUNative(nickname,

+                checkSig);

+

+            if (currCertificateUsage == CertificateUsage.basicCertificateUsages){ 

+                // cert is good for nothing

+                return false;

+            } else

+                return true;

+        } else {

+            return verifyCertificateNowNative(nickname, checkSig,

+              certificateUsage.getUsage());

+        }

     }

     private native boolean verifyCertificateNowNative(String nickname,

diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c

--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix	2010-12-21 12:36:29.023129000 -0800

+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c	2010-12-21 16:03:34.599742000 -0800

@@ -1574,18 +1574,16 @@ finish:

     }

 }

+

 /***********************************************************************

- * CryptoManager.verifyCertificateNowNative

- *

- * Returns JNI_TRUE if success, JNI_FALSE otherwise

+ * CryptoManager.verifyCertificateNow

  */

-JNIEXPORT jboolean JNICALL

-Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,

-        jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)

+SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,

+        jboolean checkSig, jint required_certificateUsage,

+         SECCertificateUsage *currUsage)

 {

     SECStatus         rv    = SECFailure;

     SECCertificateUsage      certificateUsage;

-    SECCertificateUsage      currUsage;  /* unexposed for now */

     CERTCertificate   *cert=NULL;

     char *nickname=NULL;

@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif

         JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);

         goto finish;

     } else {

-    /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to

-     * just get the current usage (which we are not passing back for now

-     * but will bypass the certificate usage check

+    /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will

+     * retrieve the current valid usage into currUsage

      */

         rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,

-            checkSig, certificateUsage, NULL, &currUsage );

+            checkSig, certificateUsage, NULL, currUsage );

+        if ((rv == SECSuccess) && certificateUsage == 0x0000) {

+            if (*currUsage == 

+                ( certUsageUserCertImport |

+                certUsageVerifyCA |

+                certUsageProtectedObjectSigner |

+                certUsageAnyCA )) {

+

+              /* the cert is good for nothing 

+                 The folllowing usages cannot be verified:

+                   certUsageAnyCA

+                   certUsageProtectedObjectSigner

+                   certUsageUserCertImport

+                   certUsageVerifyCA

+                    (0x0b80) */

+                rv =SECFailure;

+            }

+        }

     }

 finish:

@@ -1617,6 +1631,49 @@ finish:

     if(cert != NULL) {

        CERT_DestroyCertificate(cert);

     }

+

+    return rv;

+}

+

+/***********************************************************************

+ * CryptoManager.verifyCertificateNowCUNative

+ *

+ * Returns jint which contains bits in SECCertificateUsage that reflects

+ * the cert usage(s) that the cert is good for

+ * if the cert is good for nothing, returned value is

+ *                 (0x0b80):

+ *                 certUsageUserCertImport |

+ *                 certUsageVerifyCA |

+ *                 certUsageProtectedObjectSigner |

+ *                 certUsageAnyCA

+ */

+JNIEXPORT jint JNICALL

+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,

+        jobject self, jstring nickString, jboolean checkSig)

+{

+    SECStatus         rv    = SECFailure;

+    SECCertificateUsage      currUsage = 0x0000;

+

+    rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);

+    /* rv is ignored */

+

+    return currUsage;

+}

+

+/***********************************************************************

+ * CryptoManager.verifyCertificateNowNative

+ *

+ * Returns JNI_TRUE if success, JNI_FALSE otherwise

+ */

+JNIEXPORT jboolean JNICALL

+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,

+        jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)

+{

+    SECStatus         rv    = SECFailure;

+    SECCertificateUsage      currUsage = 0x0000;

+

+    rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);

+

     if( rv == SECSuccess) {

         return JNI_TRUE;

     } else {

@@ -1624,7 +1681,6 @@ finish:

     }

 }

-

 /***********************************************************************

  * CryptoManager.verifyCertNowNative

  * note: this calls obsolete NSS function