Bug 1763524 - handle the builtin roots module better when scanning for client certificates r=jschanck

Scanning for client certificates involves looking through each slot in each
PKCS#11 module. There may be many certificates that don't have corresponding
private keys in the NSS softoken, so it's more efficient to search for private
keys and then find any matching certificates. This reasoning also applies to
the NSS builtin roots module, which is the change this patch makes.

Differential Revision: https://phabricator.services.mozilla.com/D143859

security/manager/ssl/nsNSSComponent.cpp

@@ -2677,11 +2677,15 @@ UniqueCERTCertList FindClientCertificatesWithPrivateKeys() {
       PK11SlotInfo* slot = list->module->slots[i];
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
               ("    slot '%s'", PK11_GetSlotName(slot)));
-      // If this is the internal certificate/key slot, there may be many more
-      // certificates than private keys, so search by private keys.
-      if (internalSlot.get() == slot) {
+      // If this is the internal certificate/key slot or the slot on the
+      // builtin roots module, there may be many more certificates than private
+      // keys, so search by private keys (PK11_HasRootCerts will be true if the
+      // slot contains an object with the vendor-specific CK_CLASS
+      // CKO_NSS_BUILTIN_ROOT_LIST, which should only be the case for the NSS
+      // builtin roots module).
+      if (internalSlot.get() == slot || PK11_HasRootCerts(slot)) {
         MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
-                ("    (looking at internal slot)"));
+                ("    (looking at internal/builtin slot)"));
         if (PK11_Authenticate(slot, true, nullptr) != SECSuccess) {
           MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("    (couldn't authenticate)"));
           continue;