390381 - libpkix rejects cert chain when root CA cert has no basic constraints. Patch adds eku checker data into processing params. r=nelson

git-svn-id: svn://10.0.0.236/trunk@247589 18797224-902f-48f8-a5cc-f745e15eee43
2008-03-11 23:23:41 +00:00 · 2008-03-11 23:23:41 +00:00 · 3cef16049f
commit 3cef16049f
parent 6228a05754
1 changed files with 4 additions and 7 deletions
--- a/mozilla/security/nss/lib/certhigh/certvfypkix.c
+++ b/mozilla/security/nss/lib/certhigh/certvfypkix.c
@ -405,6 +405,10 @@ cert_ProcessingParamsSetKuAndEku(
                                                  plContext),
        PKIX_COMCERTSELPARAMSSETEXTKEYUSAGEFAILED);

+    PKIX_CHECK(
+        PKIX_PL_EkuChecker_Create(procParams, plContext),
+        PKIX_EKUCHECKERINITIALIZEFAILED);
+
 cleanup:
    PKIX_DECREF(extKeyUsage);
    PKIX_DECREF(certSelector);
@ -530,13 +534,6 @@ cert_CreatePkixProcessingParams(
                                                       certSelector, plContext),
        PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);

-#ifdef PKIX_NOTDEF
-    /* Code should be enabled after patch for 390532 is integrated. */
-    PKIX_CHECK(
-        PKIX_PL_EkuChecker_Create(procParams, plContext),
-        PKIX_EKUCHECKERINITIALIZEFAILED);
-#endif /* PKIX_NOTDEF */
-
    PKIX_CHECK(
        PKIX_PL_Pk11CertStore_Create(&certStore, plContext),
        PKIX_PK11CERTSTORECREATEFAILED);