
Bug 670454 - Certificates usage in Certificate Viewer is always shown…

… as "could not verify this certificate for unknown reasons", r=bsmith, a=LegNeato

--HG--
extra : transplant_source : %C9%CD%C5%DFU%F4%02%91%B3bd%13%C3%C9%BD%7CF%0Atv
commit 01b47482868ad179dba8c7cbf47f8c6ae85d5a6f 1 parent 732a6e5
@kaie kaie authored
Showing with 13 additions and 12 deletions.
  1. +13 −12 security/manager/ssl/src/nsUsageArrayHelper.cpp
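--- a/security/manager/ssl/src/nsUsageArrayHelper.cpp
+++ b/security/manager/ssl/src/nsUsageArrayHelper.cpp
@@ -181,10 +181,13 @@ nsUsageArrayHelper::GetUsagesArray(const char *suffix,
 PRUint32 &count = *_count;
 count = 0;
 SECCertificateUsage usages = 0;
- SECStatus verifyResult;
-
+ int err = 0;
+
 if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
- verifyResult =
+ // CERT_VerifyCertificateNow returns SECFailure unless the certificate is
+ // valid for all the given usages. Hoewver, we are only looking for the list
+ // of usages for which the cert *is* valid.
+ (void)
 CERT_VerifyCertificateNow(defaultcertdb, mCert, PR_TRUE,
 certificateUsageSSLClient |
 certificateUsageSSLServer |
@@ -195,6 +198,7 @@ if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
 certificateUsageSSLCA |
 certificateUsageStatusResponder,
 NULL, &usages);
+ err = PR_GetError();
 }
 else {
 nsresult nsrv;
@@ -215,20 +219,13 @@ else {
 cvout[0].value.scalar.usages = 0;
 cvout[1].type = cert_po_end;
- verifyResult =
 CERT_PKIXVerifyCert(mCert, certificateUsageCheckAllUsages,
 survivingParams->GetRawPointerForNSS(),
 cvout, NULL);
-
+ err = PR_GetError();
 usages = cvout[0].value.scalar.usages;
 }
- if (verifyResult != SECSuccess) {
- int err = PR_GetError();
- verifyFailed(_verified, err);
- return NS_OK;
- }
-
 // The following list of checks must be < max_returned_out_array_size
 check(suffix, usages & certificateUsageSSLClient, count, outUsages);
@@ -254,6 +251,10 @@ else {
 nssComponent->SkipOcspOff();
 }
- *_verified = nsNSSCertificate::VERIFIED_OK;
+ if (count == 0) {
+ verifyFailed(_verified, err);
+ } else {
+ *_verified = nsNSSCertificate::VERIFIED_OK;
+ }
 return NS_OK;
 }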
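Review bot: `err = PR_GetError();` is now read unconditionally after both `CERT_VerifyCertificateNow` and `CERT_PKIXVerifyCert`, so when either call returns SECSuccess the value is whatever error an earlier call left on the thread, and that stale code is what `verifyFailed(_verified, err)` would report if `count` still ends up 0. Reading it only on failure keeps `err` at its initial 0 otherwise, e.g. `if (CERT_PKIXVerifyCert(...) != SECSuccess) err = PR_GetError();` with the same shape in the non-PKIX branch. The PKIX call also discards its SECStatus without the `(void)` and explanatory comment that the first branch received, and the new comment misspells "However" as "Hoewver". Because several usages are verified in one call, the single error code presumably describes only one of the failed usages; a short comment at the `count == 0` check saying so would help whoever maps it to the message shown in the certificate viewer. GetUsagesArray starts above the first hunk, so `verifyFailed`, `check` and the parameter declarations are not visible here.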