src/net/third_party/nss/patches/peercertchain.patch

diff -pu -r a/net/third_party/nss/ssl/sslauth.c b/net/third_party/nss/ssl/sslauth.c
--- a/net/third_party/nss/ssl/sslauth.c	2012-04-25 07:50:12.000000000 -0700
+++ b/net/third_party/nss/ssl/sslauth.c	2012-11-09 15:22:49.448098805 -0800
@@ -28,6 +28,41 @@ SSL_PeerCertificate(PRFileDesc *fd)
 }
 
 /* NEED LOCKS IN HERE.  */
+SECStatus
+SSL_PeerCertificateChain(PRFileDesc *fd, CERTCertificate **certs,
+			 unsigned int *numCerts, unsigned int maxNumCerts)
+{
+    sslSocket *ss;
+    ssl3CertNode* cur;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    if (!ss->opt.useSecurity)
+	return SECFailure;
+
+    if (ss->sec.peerCert == NULL) {
+      *numCerts = 0;
+      return SECSuccess;
+    }
+
+    *numCerts = 1;  /* for the leaf certificate */
+    if (maxNumCerts > 0)
+	certs[0] = CERT_DupCertificate(ss->sec.peerCert);
+
+    for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
+	if (*numCerts < maxNumCerts)
+	    certs[*numCerts] = CERT_DupCertificate(cur->cert);
+	(*numCerts)++;
+    }
+
+    return SECSuccess;
+}
+
+/* NEED LOCKS IN HERE.  */
 CERTCertificate *
 SSL_LocalCertificate(PRFileDesc *fd)
 {
diff -pu -r a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
--- a/net/third_party/nss/ssl/ssl.h	2012-09-21 14:58:43.000000000 -0700
+++ b/net/third_party/nss/ssl/ssl.h	2012-11-09 15:22:49.448098805 -0800
@@ -398,6 +398,18 @@ SSL_IMPORT SECStatus SSL_SecurityStatus(
 SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
 
 /*
+** Return references to the certificates presented by the SSL peer.
+** |maxNumCerts| must contain the size of the |certs| array. On successful
+** return, |*numCerts| contains the number of certificates available and
+** |certs| will contain references to as many certificates as would fit.
+** Therefore if |*numCerts| contains a value less than or equal to
+** |maxNumCerts|, then all certificates were returned.
+*/
+SSL_IMPORT SECStatus SSL_PeerCertificateChain(
+	PRFileDesc *fd, CERTCertificate **certs,
+	unsigned int *numCerts, unsigned int maxNumCerts);
+
+/*
 ** Authenticate certificate hook. Called when a certificate comes in
 ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
 ** certificate.