From 3cef16049fc67eaebaab6d7268d7d4c64a395691 Mon Sep 17 00:00:00 2001
From: "alexei.volkov.bugs%sun.com"
Date: Tue, 11 Mar 2008 23:23:41 +0000
Subject: [PATCH] 390381 - libpkix rejects cert chain when root CA cert has no basic constraints. Patch adds eku checker data into processing params. r=nelson
git-svn-id: svn://10.0.0.236/trunk@247589 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/security/nss/lib/certhigh/certvfypkix.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/mozilla/security/nss/lib/certhigh/certvfypkix.c b/mozilla/security/nss/lib/certhigh/certvfypkix.c
index 2de2baee460..e4eac3694aa 100644
--- a/mozilla/security/nss/lib/certhigh/certvfypkix.c
+++ b/mozilla/security/nss/lib/certhigh/certvfypkix.c
@@ -405,6 +405,10 @@ cert_ProcessingParamsSetKuAndEku(
 plContext),
 PKIX_COMCERTSELPARAMSSETEXTKEYUSAGEFAILED);
+ PKIX_CHECK(
+ PKIX_PL_EkuChecker_Create(procParams, plContext),
+ PKIX_EKUCHECKERINITIALIZEFAILED);
+
 cleanup:
 PKIX_DECREF(extKeyUsage);
 PKIX_DECREF(certSelector);
@@ -530,13 +534,6 @@ cert_CreatePkixProcessingParams(
 certSelector, plContext),
 PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);
-#ifdef PKIX_NOTDEF
- /* Code should be enabled after patch for 390532 is integrated. */
- PKIX_CHECK(
- PKIX_PL_EkuChecker_Create(procParams, plContext),
- PKIX_EKUCHECKERINITIALIZEFAILED);
-#endif /* PKIX_NOTDEF */
-
 PKIX_CHECK(
 PKIX_PL_Pk11CertStore_Create(&certStore, plContext),
 PKIX_PK11CERTSTORECREATEFAILED);
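Review bot: The added `PKIX_PL_EkuChecker_Create(procParams, plContext)` call in cert_ProcessingParamsSetKuAndEku has no comment explaining why it must run here, directly after the step that fails with PKIX_COMCERTSELPARAMSSETEXTKEYUSAGEFAILED, rather than in cert_CreatePkixProcessingParams where the disabled copy used to sit. If the checker takes the required EKU from procParams at creation time (not visible in this hunk, so confirm first), that ordering is what makes EKU enforcement effective, and a later refactor that moves the call back would weaken chain validation without any build error. Once confirmed, I would add above the call something like `/* Keep after the selector's EKU is set: the checker is built from the EKU stored in procParams. */`. It is also worth checking that this function is never invoked twice on the same procParams, since each call would then register another checker. The function body begins above the hunk, so earlier exits to `cleanup:` cannot be ruled out from here.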