Index: nss/mozilla/security/nss/lib/certdb/certdb.c |
=================================================================== |
--- nss/mozilla/security/nss/lib/certdb/certdb.c (revision 142244) |
+++ nss/mozilla/security/nss/lib/certdb/certdb.c (working copy) |
@@ -39,7 +39,7 @@ |
/* |
* Certificate handling code |
* |
- * $Id: certdb.c,v 1.120 2011/11/17 00:20:20 bsmith%mozilla.com Exp $ |
+ * $Id: certdb.c,v 1.121.2.1 2012/04/03 00:38:19 wtc%google.com Exp $ |
*/ |
#include "nssilock.h" |
@@ -596,6 +596,20 @@ |
nsCertType |= NS_CERT_TYPE_SSL_SERVER; |
} |
} |
+ /* |
+ * Treat certs with step-up OID as also having SSL server type. |
+ * COMODO needs this behaviour until June 2020. See Bug 737802. |
+ */ |
+ if (findOIDinOIDSeqByTagNum(extKeyUsage, |
+ SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) == |
+ SECSuccess){ |
+ if (basicConstraintPresent == PR_TRUE && |
+ (basicConstraint.isCA)) { |
+ nsCertType |= NS_CERT_TYPE_SSL_CA; |
+ } else { |
+ nsCertType |= NS_CERT_TYPE_SSL_SERVER; |
+ } |
+ } |
if (findOIDinOIDSeqByTagNum(extKeyUsage, |
SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) == |
SECSuccess){ |
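Review bot: The new step-up branch accepts `SEC_OID_NS_KEY_USAGE_GOVT_APPROVED` as equivalent to the server-auth usage for every issuer, and nothing in the code enforces the June 2020 sunset that the comment mentions. Any certificate carrying only the step-up OID now gets `NS_CERT_TYPE_SSL_SERVER`, or `NS_CERT_TYPE_SSL_CA` when `basicConstraint.isCA` is set, so the comment should state that the widening is global and temporary. For example, add a line such as `* XXX Temporary and not issuer-specific: remove after June 2020 (Bug 737802).` inside the existing comment. The branch body also appears to duplicate the server-auth branch that ends just above it (only its tail is visible in this hunk). If so, folding both OID checks into one condition would keep the two paths from drifting apart.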
@@ -2941,6 +2955,7 @@ |
PORT_Assert(certTrustLock != NULL); |
if (!certTrustLock) { |
PZ_DestroyLock(certRefCountLock); |
+ certRefCountLock = NULL; |
return SECFailure; |
} |
} |
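Review bot: The added `certRefCountLock = NULL;` has no comment explaining why the reset matters, and the failure path would be easier to audit with one. A line such as `/* reset so a later init retry or shutdown does not use or destroy the freed lock */` above the assignment would do. The enclosing function starts outside this hunk, so it is not visible whether `certRefCountLock` could have been created by an earlier call and already be in use when it is destroyed here. That is worth confirming, since destroying a lock that other threads hold would be a worse failure than the dangling pointer this change removes.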