1) When looking for a trust token, return tokens in the following priority order:

1) r/w token with trust.
2) r/o token with trust.
3) r/w token
4) r/o token

Also, don't crash if we try to change the trust on a cert in temp storage, just return an error.

security/nss/lib/pki/pki3hack.c

@@ -32,7 +32,7 @@
  */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.60 $ $Date: 2002/07/10 03:24:14 $ $Name:  $";
+static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.61 $ $Date: 2002/07/10 21:34:01 $ $Name:  $";
 #endif /* DEBUG */
 
 /*
@@ -804,6 +804,8 @@ stan_GetTrustToken
   NSSCertificate *c
 )
 {
+    NSSToken *ttok = NULL;
+    NSSToken *rtok = NULL;
     NSSToken *tok = NULL;
     nssCryptokiObject **ip;
     nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
@@ -816,16 +818,26 @@ stan_GetTrustToken
 		nssToken_FindTrustForCertificate(instance->token, NULL,
 		&c->encoding, &c->issuer, &c->serial, 
 		nssTokenSearchType_TokenOnly);
+	NSSToken *ctok = instance->token;
+	PRBool ro = PK11_IsReadOnly(ctok->pk11slot);
+
 	if (to) {
 	    nssCryptokiObject_Destroy(to);
-	    tok = instance->token;
+	    ttok = ctok;
- 	    if (!PK11_IsReadOnly(tok->pk11slot))  {
+ 	    if (!ro) {
 		break;
 	    }
+	} else {
+	    if (!rtok && ro) {
+		rtok = ctok;
+	    } 
+	    if (!tok && !ro) {
+		tok = ctok;
+	    }
 	}
     }
     nssCryptokiObjectArray_Destroy(instances);
-    return tok;
+    return ttok ? ttok : (tok ? tok : rtok);
 }
 
 NSS_EXTERN PRStatus
@@ -886,7 +898,7 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
     td = STAN_GetDefaultTrustDomain();
     tok = stan_GetTrustToken(c);
     moving_object = PR_FALSE;
-    if (PK11_IsReadOnly(tok->pk11slot))  {
+    if (tok && PK11_IsReadOnly(tok->pk11slot))  {
 	tokens = nssList_CreateIterator(td->tokenList);
 	if (!tokens) return PR_FAILURE;
 	for (tok  = (NSSToken *)nssListIterator_Start(tokens);