Bug 406755, EV certs not recognized as EV with some cross-certification scenarios Additional patch for Earlier EV verification, v8 r=wtc, r=nelson, blocking1.9=dsicore

security/manager/ssl/src/nsNSSCallbacks.cpp

@@ -914,7 +914,20 @@ SECStatus PR_CALLBACK AuthCertificateCallback(void* client_data, PRFileDesc* fd,
   CERTCertificateCleaner serverCertCleaner(serverCert);
 
   if (serverCert) {
+    nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
+    nsRefPtr<nsSSLStatus> status = infoObject->SSLStatus();
+    nsRefPtr<nsNSSCertificate> nsc;
+
+    if (!status || !status->mServerCert) {
+      nsc = new nsNSSCertificate(serverCert);
+    }
+
     if (SECSuccess == rv) {
+      if (nsc) {
+        PRBool dummyIsEV;
+        nsc->GetIsExtendedValidation(&dummyIsEV); // the nsc object will cache the status
+      }
+    
       CERTCertList *certList = CERT_GetCertChainFromCert(serverCert, PR_Now(), certUsageSSLCA);
 
       nsCOMPtr<nsINSSComponent> nssComponent;
@@ -958,15 +971,12 @@ SECStatus PR_CALLBACK AuthCertificateCallback(void* client_data, PRFileDesc* fd,
     // The connection may get terminated, for example, if the server requires
     // a client cert. Let's provide a minimal SSLStatus
     // to the caller that contains at least the cert and its status.
-    nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
-
-    nsRefPtr<nsSSLStatus> status = infoObject->SSLStatus();
     if (!status) {
       status = new nsSSLStatus();
       infoObject->SetSSLStatus(status);
     }
     if (status && !status->mServerCert) {
-      status->mServerCert = new nsNSSCertificate(serverCert);
+      status->mServerCert = nsc;
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
              ("AuthCertificateCallback setting NEW cert %p\n", status->mServerCert.get()));
     }