| Index: nss/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c
|
| ===================================================================
|
| --- nss/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c (revision 142244)
|
| +++ nss/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c (working copy)
|
| @@ -175,7 +175,7 @@
|
| * "trustChain"
|
| * Address of List of certificates traversed. Must be non-NULL.
|
| * "parentState"
|
| - * Address of previous ForwardBuilder state
|
| + * Address of previous ForwardBuilderState
|
| * "pState"
|
| * Address where ForwardBuilderState will be stored. Must be non-NULL.
|
| * "plContext"
|
| @@ -3156,7 +3156,7 @@
|
| *
|
| * This function initiates the search for a BuildChain, using the parameters
|
| * provided in "procParams" and, if continuing a search that was suspended
|
| - * for I/O, using the ForwardBuilderState pointed to by "state".
|
| + * for I/O, using the ForwardBuilderState pointed to by "pState".
|
| *
|
| * If a successful chain is built, this function stores the BuildResult at
|
| * "pBuildResult". Alternatively, if an operation using non-blocking I/O
|
| @@ -3231,7 +3231,6 @@
|
| PKIX_ValidateResult *valResult = NULL;
|
| PKIX_BuildResult *buildResult = NULL;
|
| PKIX_List *certList = NULL;
|
| - PKIX_TrustAnchor *matchingAnchor = NULL;
|
| PKIX_ForwardBuilderState *state = NULL;
|
| PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
|
| PKIX_CertSelector_MatchCallback selectorCallback = NULL;
|
| @@ -3346,9 +3345,6 @@
|
| &trusted,
|
| plContext),
|
| PKIX_CERTISCERTTRUSTEDFAILED);
|
| - /* future: look at the |trusted| flag and force success. We only
|
| - * want to do this if we aren't validating against a policy (like
|
| - * EV). */
|
|
|
| PKIX_CHECK(PKIX_PL_Cert_GetAllSubjectNames
|
| (targetCert,
|
| @@ -3406,6 +3402,36 @@
|
| goto cleanup;
|
| }
|
| }
|
| +
|
| + /* If the EE cert is trusted, force success. We only want to do
|
| + * this if we aren't validating against a policy (like EV). */
|
| + if (trusted && procParams->initialPolicies == NULL) {
|
| + if (pVerifyNode != NULL) {
|
| + PKIX_Error *tempResult =
|
| + pkix_VerifyNode_Create(targetCert, 0, NULL,
|
| + pVerifyNode,
|
| + plContext);
|
| + if (tempResult) {
|
| + pkixErrorResult = tempResult;
|
| + pkixErrorCode = PKIX_VERIFYNODECREATEFAILED;
|
| + pkixErrorClass = PKIX_FATAL_ERROR;
|
| + goto cleanup;
|
| + }
|
| + }
|
| + PKIX_CHECK(pkix_ValidateResult_Create
|
| + (targetPubKey, NULL /* anchor */,
|
| + NULL /* policyTree */, &valResult, plContext),
|
| + PKIX_VALIDATERESULTCREATEFAILED);
|
| + PKIX_CHECK(
|
| + pkix_BuildResult_Create(valResult, tentativeChain,
|
| + &buildResult, plContext),
|
| + PKIX_BUILDRESULTCREATEFAILED);
|
| + *pBuildResult = buildResult;
|
| + /* Note that *pState is NULL. The only side effect is that
|
| + * the cert chain won't be cached in PKIX_BuildChain, which
|
| + * is fine. */
|
| + goto cleanup;
|
| + }
|
|
|
| PKIX_CHECK(PKIX_ProcessingParams_GetCertStores
|
| (procParams, &certStores, plContext),
|
| @@ -3579,11 +3605,9 @@
|
|
|
| state->status = BUILD_INITIAL;
|
|
|
| - if (!matchingAnchor) {
|
| - pkixErrorResult =
|
| - pkix_BuildForwardDepthFirstSearch(&nbioContext, state,
|
| - &valResult, plContext);
|
| - }
|
| + pkixErrorResult =
|
| + pkix_BuildForwardDepthFirstSearch(&nbioContext, state,
|
| + &valResult, plContext);
|
|
|
| /* non-null nbioContext means the build would block */
|
| if (pkixErrorResult == NULL && nbioContext != NULL) {
|
| @@ -3628,7 +3652,6 @@
|
| PKIX_DECREF(tentativeChain);
|
| PKIX_DECREF(valResult);
|
| PKIX_DECREF(certList);
|
| - PKIX_DECREF(matchingAnchor);
|
| PKIX_DECREF(trustedCert);
|
| PKIX_DECREF(state);
|
| PKIX_DECREF(aiaMgr);
|
|
|
Chromium Code Reviews
Issue 10540165:
Update NSS to NSS 3.13.5 (from NSS 3.13.3). (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/