| Index: mozilla/security/nss/lib/certhigh/certvfy.c
|
| ===================================================================
|
| --- mozilla/security/nss/lib/certhigh/certvfy.c (revision 180567)
|
| +++ mozilla/security/nss/lib/certhigh/certvfy.c (working copy)
|
| @@ -371,6 +371,7 @@
|
| int certsListLen = 16;
|
| int namesCount = 0;
|
| PRBool subjectCertIsSelfIssued;
|
| + CERTCertTrust issuerTrust;
|
|
|
| if (revoked) {
|
| *revoked = PR_FALSE;
|
| @@ -571,7 +572,7 @@
|
| LOG_ERROR(log,subjectCert,count,0);
|
| }
|
|
|
| - if ( issuerCert->trust ) {
|
| + if ( CERT_GetCertTrust(issuerCert, &issuerTrust) == SECSuccess) {
|
| /* we have some trust info, but this does NOT imply that this
|
| * cert is actually trusted for any purpose. The cert may be
|
| * explicitly UNtrusted. We won't know until we examine the
|
| @@ -595,7 +596,7 @@
|
| }
|
| }
|
|
|
| - flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
|
| + flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
|
| if (( flags & requiredFlags ) == requiredFlags) {
|
| /* we found a trusted one, so return */
|
| rv = rvFinal;
|
| @@ -617,7 +618,7 @@
|
| * certUsageAnyCA or certUsageStatusResponder. */
|
| for (trustType = trustSSL; trustType < trustTypeNone;
|
| trustType++) {
|
| - flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
|
| + flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
|
| if ((flags & requiredFlags) == requiredFlags) {
|
| rv = rvFinal;
|
| goto done;
|
| @@ -631,7 +632,7 @@
|
| * untrusted */
|
| for (trustType = trustSSL; trustType < trustTypeNone;
|
| trustType++) {
|
| - flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
|
| + flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
|
| /* is it explicitly distrusted? */
|
| if ((flags & CERTDB_TERMINAL_RECORD) &&
|
| ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0)) {
|
| @@ -772,6 +773,7 @@
|
| unsigned int requiredCAKeyUsage;
|
| unsigned int requiredFlags;
|
| CERTCertificate *issuerCert;
|
| + CERTCertTrust certTrust;
|
|
|
|
|
| if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
|
| @@ -837,7 +839,7 @@
|
| isca = PR_TRUE;
|
| }
|
|
|
| - if ( cert->trust ) {
|
| + if ( CERT_GetCertTrust(cert, &certTrust) == SECSuccess ) {
|
| /* we have some trust info, but this does NOT imply that this
|
| * cert is actually trusted for any purpose. The cert may be
|
| * explicitly UNtrusted. We won't know until we examine the
|
| @@ -866,7 +868,7 @@
|
| /*
|
| * check the trust params of the issuer
|
| */
|
| - flags = SEC_GET_TRUST_FLAGS(cert->trust, trustType);
|
| + flags = SEC_GET_TRUST_FLAGS(&certTrust, trustType);
|
| if ( ( flags & requiredFlags ) == requiredFlags) {
|
| /* we found a trusted one, so return */
|
| rv = rvFinal;
|
| @@ -958,16 +960,17 @@
|
| unsigned int *failedFlags, PRBool *trusted)
|
| {
|
| unsigned int flags;
|
| + CERTCertTrust trust;
|
|
|
| *failedFlags = 0;
|
| *trusted = PR_FALSE;
|
|
|
| /* check trust flags to see if this cert is directly trusted */
|
| - if ( cert->trust ) {
|
| + if ( CERT_GetCertTrust(cert, &trust) == SECSuccess ) {
|
| switch ( certUsage ) {
|
| case certUsageSSLClient:
|
| case certUsageSSLServer:
|
| - flags = cert->trust->sslFlags;
|
| + flags = trust.sslFlags;
|
|
|
| /* is the cert directly trusted or not trusted ? */
|
| if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
|
| @@ -983,7 +986,7 @@
|
| break;
|
| case certUsageSSLServerWithStepUp:
|
| /* XXX - step up certs can't be directly trusted, only distrust */
|
| - flags = cert->trust->sslFlags;
|
| + flags = trust.sslFlags;
|
| if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
|
| * authoritative */
|
| if (( flags & CERTDB_TRUSTED ) == 0) {
|
| @@ -994,7 +997,7 @@
|
| }
|
| break;
|
| case certUsageSSLCA:
|
| - flags = cert->trust->sslFlags;
|
| + flags = trust.sslFlags;
|
| if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
|
| * authoritative */
|
| if (( flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA) ) == 0) {
|
| @@ -1006,7 +1009,7 @@
|
| break;
|
| case certUsageEmailSigner:
|
| case certUsageEmailRecipient:
|
| - flags = cert->trust->emailFlags;
|
| + flags = trust.emailFlags;
|
| if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
|
| * authoritative */
|
| if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
|
| @@ -1021,7 +1024,7 @@
|
|
|
| break;
|
| case certUsageObjectSigner:
|
| - flags = cert->trust->objectSigningFlags;
|
| + flags = trust.objectSigningFlags;
|
|
|
| if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
|
| * authoritative */
|
| @@ -1036,21 +1039,21 @@
|
| break;
|
| case certUsageVerifyCA:
|
| case certUsageStatusResponder:
|
| - flags = cert->trust->sslFlags;
|
| + flags = trust.sslFlags;
|
| /* is the cert directly trusted or not trusted ? */
|
| if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
|
| ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
|
| *trusted = PR_TRUE;
|
| return SECSuccess;
|
| }
|
| - flags = cert->trust->emailFlags;
|
| + flags = trust.emailFlags;
|
| /* is the cert directly trusted or not trusted ? */
|
| if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
|
| ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
|
| *trusted = PR_TRUE;
|
| return SECSuccess;
|
| }
|
| - flags = cert->trust->objectSigningFlags;
|
| + flags = trust.objectSigningFlags;
|
| /* is the cert directly trusted or not trusted ? */
|
| if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
|
| ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
|
| @@ -1061,7 +1064,7 @@
|
| case certUsageAnyCA:
|
| case certUsageUserCertImport:
|
| /* do we distrust these certs explicitly */
|
| - flags = cert->trust->sslFlags;
|
| + flags = trust.sslFlags;
|
| if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
|
| * authoritative */
|
| if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
|
| @@ -1069,7 +1072,7 @@
|
| return SECFailure;
|
| }
|
| }
|
| - flags = cert->trust->emailFlags;
|
| + flags = trust.emailFlags;
|
| if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
|
| * authoritative */
|
| if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
|
| @@ -1079,7 +1082,7 @@
|
| }
|
| /* fall through */
|
| case certUsageProtectedObjectSigner:
|
| - flags = cert->trust->objectSigningFlags;
|
| + flags = trust.objectSigningFlags;
|
| if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
|
| * authoritative */
|
| if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
|
| @@ -1430,6 +1433,7 @@
|
| {
|
| CERTCertList *certList = NULL;
|
| CERTCertificate *cert = NULL;
|
| + CERTCertTrust certTrust;
|
| unsigned int requiredTrustFlags;
|
| SECTrustType requiredTrustType;
|
| unsigned int flags;
|
| @@ -1471,10 +1475,10 @@
|
| if ( ( owner == certOwnerCA ) && preferTrusted &&
|
| ( requiredTrustType != trustTypeNone ) ) {
|
|
|
| - if ( cert->trust == NULL ) {
|
| + if ( CERT_GetCertTrust(cert, &certTrust) != SECSuccess ) {
|
| flags = 0;
|
| } else {
|
| - flags = SEC_GET_TRUST_FLAGS(cert->trust, requiredTrustType);
|
| + flags = SEC_GET_TRUST_FLAGS(&certTrust, requiredTrustType);
|
| }
|
|
|
| if ( ( flags & requiredTrustFlags ) != requiredTrustFlags ) {
|
|
|
Chromium Code Reviews
Issue 12197027:
Merge NSS_3_14_2_RTM. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/