#92131, SSL client authentication,

fixing memory leak, fixing crash, fixing spacing, adding extra space to layout
r=javi@netscape.com sr=blizzard@mozilla.org
You can reach me at kai.engert@gmx.de

security/manager/pki/resources/content/clientauthask.xul

@@ -57,7 +57,7 @@
     </menulist>
     <html>&clientAuthAsk.message3;</html>
     <textbox readonly="true" id="details" multiline="true"
-      style="height: 10em; width=80em;"/>
+      style="height: 11em; width=80em;"/>
     </groupbox>
   <separator/>
   <hbox>

security/manager/ssl/src/nsNSSIOLayer.cpp

@@ -1466,6 +1466,7 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
   char* extracted = NULL;
   PRIntn keyError = 0; /* used for private key retrieval error */
   SSM_UserCertChoice certChoice;
+  PRUint32 NumberOfCerts = 0;
 	
   /* do some argument checking */
   if (socket == NULL || caNames == NULL || pRetCert == NULL ||
@@ -1558,6 +1559,7 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
 
       node = CERT_LIST_NEXT(node);
     }
+
     if (cert == NULL) {
         goto noCert;
     }
@@ -1574,7 +1576,6 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
     PRUnichar **certDetailsList = NULL;
     PRBool canceled;
 
-
     /* find all user certs that are valid and for SSL */
     /* note that we are allowing expired certs in this list */
     certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), 
@@ -1604,6 +1605,7 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
     /* filter it further for hostname restriction */
     node = CERT_LIST_HEAD(certList);
     while (!CERT_LIST_END(node, certList)) {
+      ++NumberOfCerts;
 #if 0 /* XXX Fix this */
       if (!CERT_MatchesScopeOfUse(node->cert, conn->hostName,
                                   conn->hostIP, conn->port)) {
@@ -1624,10 +1626,13 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
     nicknames = CERT_NicknameStringsFromCertList(certList,
                                                  NICKNAME_EXPIRED_STRING,
                                                  NICKNAME_NOT_YET_VALID_STRING);
+
     if (nicknames == NULL) {
       goto loser;
     }
 
+    NS_ASSERTION(nicknames->numnicknames == NumberOfCerts, "nicknames->numnicknames != NumberOfCerts");
+
     /* Get the SSL Certificate */
     serverCert = SSL_PeerCertificate(socket);
     if (serverCert == NULL) {
@@ -1653,20 +1658,19 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
          ++i, node = CERT_LIST_NEXT(node)
         )
     {
-                    nsNSSCertificate *c0 = new nsNSSCertificate(node->cert);
+      nsNSSCertificate *tempCert = new nsNSSCertificate(node->cert);
+      NS_ADDREF(tempCert);
 
-                    nsCOMPtr<nsIX509Cert> c1 = c0;
+      nsCOMPtr<nsIX509Cert> x509 = do_QueryInterface(tempCert);
 
-                    nsCOMPtr<nsIX509Cert> c2;
+      nsCOMPtr<nsIX509Cert> x509Proxy;
       proxyman->GetProxyForObject( NS_UI_THREAD_EVENTQ,
                                    nsIX509Cert::GetIID(),
-                                                 c1,
+                                   x509,
                                    PROXY_SYNC | PROXY_ALWAYS,
-                                                 getter_AddRefs(c2));
-
-                    if (!c2)
-                      break;
+                                   getter_AddRefs(x509Proxy));
 
+      if (x509Proxy) {
         nsAutoString nickWithSerial;
         nsAutoString str;
         nsAutoString info;
@@ -1679,7 +1683,7 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
           str.Append(NS_LITERAL_STRING("\n"));
         }
 
-                    if (NS_SUCCEEDED(c2->GetSubjectName(&temp1)) && temp1 && nsCharTraits<PRUnichar>::length(temp1)) {
+        if (NS_SUCCEEDED(x509Proxy->GetSubjectName(&temp1)) && temp1 && nsCharTraits<PRUnichar>::length(temp1)) {
           str.Append(NS_LITERAL_STRING("  "));
           if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString(NS_LITERAL_STRING("CertDumpSubject").get(), info))) {
             str.Append(info);
@@ -1690,7 +1694,7 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
           str.Append(NS_LITERAL_STRING("\n"));
         }
 
-                    if (NS_SUCCEEDED(c2->GetSerialNumber(&temp1)) && temp1 && nsCharTraits<PRUnichar>::length(temp1)) {
+        if (NS_SUCCEEDED(x509Proxy->GetSerialNumber(&temp1)) && temp1 && nsCharTraits<PRUnichar>::length(temp1)) {
           str.Append(NS_LITERAL_STRING("  "));
           if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString(NS_LITERAL_STRING("CertDumpSerialNo").get(), info))) {
             str.Append(info);
@@ -1710,7 +1714,7 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
         {
           nsCOMPtr<nsIX509CertValidity> validity;
           nsCOMPtr<nsIX509CertValidity> originalValidity;
-                      rv = c2->GetValidity(getter_AddRefs(originalValidity));
+          rv = x509Proxy->GetValidity(getter_AddRefs(originalValidity));
           if (NS_SUCCEEDED(rv) && originalValidity) {
             proxyman->GetProxyForObject( NS_UI_THREAD_EVENTQ,
                                          nsIX509CertValidity::GetIID(),
@@ -1750,7 +1754,7 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
         }
 
         PRUint32 tempInt = 0;
-                    if (NS_SUCCEEDED(c2->GetPurposes(&tempInt, &temp1)) && temp1 && nsCharTraits<PRUnichar>::length(temp1)) {
+        if (NS_SUCCEEDED(x509Proxy->GetPurposes(&tempInt, &temp1)) && temp1 && nsCharTraits<PRUnichar>::length(temp1)) {
           str.Append(NS_LITERAL_STRING("  "));
           if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString(NS_LITERAL_STRING("CertInfoPurposes").get(), info))) {
             str.Append(info);
@@ -1766,7 +1770,7 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
           str.Append(NS_LITERAL_STRING("\n"));
         }
 
-                    if (NS_SUCCEEDED(c2->GetIssuerName(&temp1)) && temp1 && nsCharTraits<PRUnichar>::length(temp1)) {
+        if (NS_SUCCEEDED(x509Proxy->GetIssuerName(&temp1)) && temp1 && nsCharTraits<PRUnichar>::length(temp1)) {
           str.Append(NS_LITERAL_STRING("  "));
           if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString(NS_LITERAL_STRING("CertDumpSubject").get(), info))) {
             str.Append(info);
@@ -1793,9 +1797,11 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
         certDetailsList[i] = str.ToNewUnicode();
       }
 
+      NS_RELEASE(tempCert);
+    }
+
     /* Throw up the client auth dialog and get back the index of the selected cert */
-		rv = getNSSDialogs((void**)&dialogs,
-			               NS_GET_IID(nsIClientAuthDialogs));
+    rv = getNSSDialogs((void**)&dialogs, NS_GET_IID(nsIClientAuthDialogs));
 
     if (NS_FAILED(rv)) goto loser;
 
@@ -1817,8 +1823,8 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
 
     for (i = 0, node = CERT_LIST_HEAD(certList);
          !CERT_LIST_END(node, certList);
-             ++i, node = CERT_LIST_NEXT(node)
-            ) {
+         ++i, node = CERT_LIST_NEXT(node)) {
+
       if (i == selectedIndex) {
         cert = CERT_DupCertificate(node->cert);
         break;
@@ -1843,6 +1849,7 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
     }
   }
   goto done;
+
 noCert:
 loser:
   if (ret == SECSuccess) {