Bug 1000483: Remove unused isTrustAnchor parameter from CheckKeyUsage, r=cviecco
authorBrian Smith <brian@briansmith.org>
Wed, 23 Apr 2014 13:38:19 -0700
changeset 181059 375a5b87253c2ca8128be75aa5302782e62e7603
parent 181058 dfe1fe631991852c195062ed83ef6e81712b024a
child 181060 617e8978be14dc6c56d820bd5f85653d954404b8
push id272
push userpvanderbeken@mozilla.com
push dateMon, 05 May 2014 16:31:18 +0000
reviewerscviecco
bugs1000483
milestone32.0a1
Bug 1000483: Remove unused isTrustAnchor parameter from CheckKeyUsage, r=cviecco
security/pkix/lib/pkixcheck.cpp
--- a/security/pkix/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -37,25 +37,25 @@ CheckTimes(const CERTCertificate* cert, 
 
   return Success;
 }
 
 // 4.2.1.3. Key Usage (id-ce-keyUsage)
 // Modeled after GetKeyUsage in certdb.c
 Result
 CheckKeyUsage(EndEntityOrCA endEntityOrCA,
-              bool isTrustAnchor,
               const SECItem* encodedKeyUsage,
               KeyUsages requiredKeyUsagesIfPresent,
               PLArenaPool* arena)
 {
   if (!encodedKeyUsage) {
-    // TODO: Reject certificates that are being used to verify certificate
-    // signatures unless the certificate is a trust anchor, to reduce the
-    // chances of an end-entity certificate being abused as a CA certificate.
+    // TODO(bug 970196): Reject certificates that are being used to verify
+    // certificate signatures unless the certificate is a trust anchor, to
+    // reduce the chances of an end-entity certificate being abused as a CA
+    // certificate.
     // if (endEntityOrCA == MustBeCA && !isTrustAnchor) {
     //   return Fail(RecoverableError, SEC_ERROR_INADEQUATE_KEY_USAGE);
     // }
     //
     // TODO: Users may configure arbitrary certificates as trust anchors, not
     // just roots. We should only allow a certificate without a key usage to be
     // used as a CA when it is self-issued and self-signed.
     return Success;
@@ -500,17 +500,17 @@ CheckIssuerIndependentProperties(TrustDo
     return FatalError;
   }
 
   // 4.2.1.1. Authority Key Identifier is ignored (see bug 965136).
 
   // 4.2.1.2. Subject Key Identifier is ignored (see bug 965136).
 
   // 4.2.1.3. Key Usage
-  rv = CheckKeyUsage(endEntityOrCA, isTrustAnchor, cert.encodedKeyUsage,
+  rv = CheckKeyUsage(endEntityOrCA, cert.encodedKeyUsage,
                      requiredKeyUsagesIfPresent, arena);
   if (rv != Success) {
     return rv;
   }
 
   // 4.2.1.4. Certificate Policies
   rv = CheckCertificatePolicies(cert, endEntityOrCA, isTrustAnchor,
                                 requiredPolicy);