From 2ce19dbaa4b49fc43e08c6bd779795148b7b9ddb Mon Sep 17 00:00:00 2001
From: "kaie%kuix.de" <kaie%kuix.de>
Date: Fri, 16 Feb 2007 08:01:40 +0000
Subject: [PATCH] Bug 370136, Firefox 2.0.0.1 and later breaks automatic client
 certificate authentification. Fixes a regression introduced with the fix for
 bug 328346. Thanks a lot to Momtchil Momtchev for identifying the cause and
 providing the initial patch. r=kengert/rrelyea

---
 security/manager/ssl/src/nsNSSIOLayer.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/security/manager/ssl/src/nsNSSIOLayer.cpp b/security/manager/ssl/src/nsNSSIOLayer.cpp
index 79bf00422a85..0c8900e3624a 100644
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -79,6 +79,7 @@
 #include "secasn1.h"
 #include "certdb.h"
 #include "cert.h"
+#include "keyhi.h"
 
 
 //#define DEBUG_SSL_VERBOSE //Enable this define to get minimal 
@@ -2245,6 +2246,8 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
       privKey = PK11_FindKeyByAnyCert(node->cert, wincx);
       if (privKey != NULL) {
         if (hasExplicitKeyUsageNonRepudiation(node->cert)) {
+          SECKEY_DestroyPrivateKey(privKey);
+          privKey = NULL;
           // Not a prefered cert
           if (!low_prio_nonrep_cert) // did not yet find a low prio cert
             low_prio_nonrep_cert = CERT_DupCertificate(node->cert);
@@ -2267,6 +2270,7 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
     if (!cert && low_prio_nonrep_cert) {
       cert = low_prio_nonrep_cert;
       low_prio_nonrep_cert = NULL; // take it away from the cleaner
+      privKey = PK11_FindKeyByAnyCert(cert, wincx);
     }
 
     if (cert == NULL) {