Workaround the occasional SSL server cert that has the step-up OID but

not the SSL server OID. Patch by Aaron Spangler <aaron@spangler.ods.org> Bug 231775. r=nelson
2024-10-12 12:55:46 +00:00 · 2004-12-02 22:08:14 +00:00 · 2004-12-02 22:08:14 +00:00 · 5bf350b4f7
commit 5bf350b4f7
parent 00604bd42b
1 changed files with 13 additions and 1 deletions
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@ -19,6 +19,7 @@
 * the Initial Developer. All Rights Reserved.
 *
 * Contributor(s):
+ *    Aaron Spangler <aaron@spangler.ods.org>
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
@ -37,7 +38,7 @@
 /*
 * Certificate handling code
 *
- * $Id: certdb.c,v 1.70 2004/07/01 00:26:00 nelsonb%netscape.com Exp $
+ * $Id: certdb.c,v 1.71 2004/12/02 22:08:14 nelsonb%netscape.com Exp $
 */

 #include "nssilock.h"
@ -603,6 +604,17 @@ cert_GetCertType(CERTCertificate *cert)
 		nsCertType |= NS_CERT_TYPE_SSL_SERVER;
 	    }
 	}
+	/* Treat certs with step-up OID as also having SSL server type. */
+	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
+				    SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
+	    SECSuccess){
+	    if (basicConstraintPresent == PR_TRUE &&
+		(basicConstraint.isCA)) {
+		nsCertType |= NS_CERT_TYPE_SSL_CA;
+	    } else {
+		nsCertType |= NS_CERT_TYPE_SSL_SERVER;
+	    }
+	}
 	if (findOIDinOIDSeqByTagNum(extKeyUsage,
 				    SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) ==
 	    SECSuccess){