Fix problem where DH certs were always rejected when verifying them
authorchrisk%netscape.com
Tue, 20 Jun 2000 16:15:32 +0000
changeset 383 1264b1ea574f3fdf58d43d365a3af17252c46b8a
parent 382 a02461ce8fa87e1bbc64499c46676888ab04ff24
child 384 370021482121f6eda2c685342bf0fab64ff2bc5d
Fix problem where DH certs were always rejected when verifying them for EMail encryption. A Diffie-Hellman key needs to be tested for KU_KEY_AGREEMENT, not KU_KEY_ENCIPHERMENT.
security/nss/lib/certdb/certdb.c
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1037,17 +1037,18 @@ CERT_CheckKeyUsage(CERTCertificate *cert
 {
     SECKEYPublicKey *key;
     
     /* choose between key agreement or key encipherment based on key
      * type in cert
      */
     if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) {
 	key = CERT_ExtractPublicKey(cert);
-	if ( ( key->keyType == keaKey ) || ( key->keyType == fortezzaKey ) ) {
+	if ( ( key->keyType == keaKey ) || ( key->keyType == fortezzaKey ) ||
+	     ( key->keyType == dhKey ) ) {
 	    requiredUsage |= KU_KEY_AGREEMENT;
 	} else {
 	    requiredUsage |= KU_KEY_ENCIPHERMENT;
 	} 
 
 	/* now turn off the special bit */
 	requiredUsage &= (~KU_KEY_AGREEMENT_OR_ENCIPHERMENT);
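Review bot: `key` is dereferenced in the widened `if` immediately after `CERT_ExtractPublicKey(cert)` with no NULL check, so a certificate whose public key cannot be decoded would crash the verifier here instead of being rejected. This path evaluates certificates that may come from an untrusted sender, so I would add a guard before the key-type test, e.g. `if ( key == NULL ) { return SECFailure; }` (assuming the function returns SECStatus; its return type is not visible in the hunk). The function body continues past the end of the hunk, so whether the extracted key is released afterwards cannot be confirmed from here. It is worth checking that it is destroyed on every path, including the new early return.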