From d07c7a50f5545787b888e6c2abcbb458681ec3b1 Mon Sep 17 00:00:00 2001
From: "jpierre%netscape.com"
Date: Wed, 9 Apr 2003 22:23:10 +0000
Subject: [PATCH] Fix for 201259 . Make the default client auth callback NSS_GetClientAuthData work with dual-key certs. r=nelsonb, sr=wtc
---
 security/nss/lib/ssl/authcert.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c
index b780c3bb7881..fbac5fb1e239 100644
--- a/security/nss/lib/ssl/authcert.c
+++ b/security/nss/lib/ssl/authcert.c
@@ -32,7 +32,7 @@
 * may use your version of this file under either the MPL or the
 * GPL.
 *
- * $Id: authcert.c,v 1.2 2001/12/07 01:36:21 relyea%netscape.com Exp $
+ * $Id: authcert.c,v 1.3 2003/04/09 22:23:10 jpierre%netscape.com Exp $
 */
 #include
@@ -68,7 +68,9 @@ NSS_GetClientAuthData(void * arg,
 proto_win = SSL_RevealPinArg(socket);
 if (chosenNickName) {
- cert = PK11_FindCertFromNickname(chosenNickName, proto_win);
+ cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
+ chosenNickName, certUsageSSLClient,
+ PR_FALSE, proto_win);
 if ( cert ) {
 privkey = PK11_FindKeyByAnyCert(cert, proto_win);
 if ( privkey ) {
@@ -85,7 +87,9 @@ NSS_GetClientAuthData(void * arg,
 SEC_CERT_NICKNAMES_USER, proto_win);
 if (names != NULL) {
 for (i = 0; i < names->numnicknames; i++) {
- cert = PK11_FindCertFromNickname(names->nicknames[i],proto_win);
+ cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
+ names->nicknames[i], certUsageSSLClient,
+ PR_FALSE, proto_win);
 if ( !cert ) continue;
 /* Only check unexpired certs */
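Review bot: In the `chosenNickName` branch of the `@@ -68,7 +68,9 @@` hunk, the new `CERT_FindUserCertByUsage` call passes `PR_FALSE` for its validity argument, and the visible lines go straight on to `PK11_FindKeyByAnyCert` with no expiry check, whereas the nickname loop in the next hunk carries the context comment `/* Only check unexpired certs */`. If presenting an expired certificate for an explicitly named nickname is intended, document it at the call, e.g. `/* validOnly is PR_FALSE: an explicitly chosen nickname is honoured even if the cert has expired */`; otherwise pass `PR_TRUE`. The rest of NSS_GetClientAuthData lies outside the hunk, so a later validity check may exist that is not visible here.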
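Review bot: In the nickname loop of the `@@ -85,7 +87,9 @@` hunk, the lookup is asked for any SSL-client cert (`PR_FALSE`) while the loop then filters on expiry itself, so for a nickname that covers several certificates the lookup may return an expired one and the loop would skip that nickname even though a valid cert exists. Passing `PR_TRUE` in `names->nicknames[i], certUsageSSLClient, PR_TRUE, proto_win);` would move that choice into the lookup; whether it matters depends on how CERT_FindUserCertByUsage orders its candidates, which the diff does not show. The identical five-argument call now appears in both hunks and could sit in one small static helper so the usage and validity arguments cannot drift apart. The loop body, including the expiry test the comment refers to, continues outside the hunk.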