Update NSS to NSS 3.13.5 (from NSS 3.13.3).

nss/mozilla/security/nss/lib/certhigh/certvfy.c

Index: nss/mozilla/security/nss/lib/certhigh/certvfy.c
===================================================================
--- nss/mozilla/security/nss/lib/certhigh/certvfy.c	(revision 142244)
+++ nss/mozilla/security/nss/lib/certhigh/certvfy.c	(working copy)
@@ -139,7 +139,7 @@
 	rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags);
 	if (rv == SECSuccess && 
 	    !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
-	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
 	    rv = SECFailure;
 	}
     }
@@ -539,7 +539,10 @@
 		    PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
 		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
 		} else {
-		    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		    if (PORT_GetError() !=
+			SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) {

[Ryan Sleevi, 2012/06/14 22:54:11]

It's weird that this wasn't done as
} else if (PORT_GetError() == ... ) {
  LOG_ERROR_OR_EXIT(...)
} else {
  PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
  LOG_ERROR_OR_EXIT(...)
}

(or even a switch, fwiw).

Just to keep symmetric with line 538 rather than going another layer of nesting.

[wtc, 2012/06/14 23:16:16]

I guess I wanted to avoid duplicating LOG_ERROR_OR_EXIT.

+			PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		    }
 		    LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
 		}
 	    }