Bug 670454 - Certificates usage in Certificate Viewer is always shown as "could not verify this certificate for unknown reasons", r=bsmith, a=LegNeato THUNDERBIRD_6_0b2_BUILD1 THUNDERBIRD_6_0b2_RELEASE
authorKai Engert <kaie@kuix.de>
Wed, 20 Jul 2011 18:21:53 +0200
changeset 70576 d66a5a76f6ba5fcb4777dc638a01d3ff442ffe0f
parent 70575 f677bd469294f68ab763f0cb67c13f8980725e7c
child 70577 2a9230c6dd259b9bad741fab63365b27eaf72e78
child 70579 b064fd888b6f48b91b9d2ecc722c1fb86a47056d
child 70582 dddc7c7a39753e98531a09f53d5d3c4482b8975b
child 70588 eeabcaa28b68956fc3133b7ec844431323715e35
push id1
push usersledru@mozilla.com
push dateThu, 04 Dec 2014 17:57:20 +0000
reviewersbsmith, LegNeato
bugs670454
milestone6.0
Bug 670454 - Certificates usage in Certificate Viewer is always shown as "could not verify this certificate for unknown reasons", r=bsmith, a=LegNeato
security/manager/ssl/src/nsUsageArrayHelper.cpp
--- a/security/manager/ssl/src/nsUsageArrayHelper.cpp
+++ b/security/manager/ssl/src/nsUsageArrayHelper.cpp
@@ -176,30 +176,34 @@ nsUsageArrayHelper::GetUsagesArray(const
     if (nssComponent) {
       nssComponent->SkipOcsp();
     }
   }
   
   PRUint32 &count = *_count;
   count = 0;
   SECCertificateUsage usages = 0;
-  SECStatus verifyResult;
-
+  int err = 0;
+  
 if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
-  verifyResult =
+  // CERT_VerifyCertificateNow returns SECFailure unless the certificate is
+  // valid for all the given usages. Hoewver, we are only looking for the list
+  // of usages for which the cert *is* valid.
+  (void)
   CERT_VerifyCertificateNow(defaultcertdb, mCert, PR_TRUE,
 			    certificateUsageSSLClient |
 			    certificateUsageSSLServer |
 			    certificateUsageSSLServerWithStepUp |
 			    certificateUsageEmailSigner |
 			    certificateUsageEmailRecipient |
 			    certificateUsageObjectSigner |
 			    certificateUsageSSLCA |
 			    certificateUsageStatusResponder,
 			    NULL, &usages);
+  err = PR_GetError();
 }
 else {
   nsresult nsrv;
   nsCOMPtr<nsINSSComponent> inss = do_GetService(kNSSComponentCID, &nsrv);
   if (!inss)
     return nsrv;
   nsRefPtr<nsCERTValInParamWrapper> survivingParams;
   if (localOnly)
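Review bot: `err = PR_GetError();` is read unconditionally after CERT_VerifyCertificateNow here, and again after CERT_PKIXVerifyCert in the next hunk, although the NSPR error code is only meaningful after a call that failed. After a success it still holds whatever an earlier call on this thread left there. Since `err` is later passed to `verifyFailed`, I would keep the status and read the code only on failure: `SECStatus srv = CERT_VerifyCertificateNow(...);` followed by `if (srv != SECSuccess) err = PR_GetError();`. The added comment also has a typo, "Hoewver" for "However". GetUsagesArray starts before this hunk and continues past it.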
@@ -210,30 +214,23 @@ else {
   if (NS_FAILED(nsrv))
     return nsrv;
 
   CERTValOutParam cvout[2];
   cvout[0].type = cert_po_usages;
   cvout[0].value.scalar.usages = 0;
   cvout[1].type = cert_po_end;
   
-  verifyResult =
   CERT_PKIXVerifyCert(mCert, certificateUsageCheckAllUsages,
                       survivingParams->GetRawPointerForNSS(),
                       cvout, NULL);
-
+  err = PR_GetError();
   usages = cvout[0].value.scalar.usages;
 }
 
-  if (verifyResult != SECSuccess) {
-    int err = PR_GetError();
-    verifyFailed(_verified, err);
-    return NS_OK;
-  }
-
   // The following list of checks must be < max_returned_out_array_size
   
   check(suffix, usages & certificateUsageSSLClient, count, outUsages);
   check(suffix, usages & certificateUsageSSLServer, count, outUsages);
   check(suffix, usages & certificateUsageSSLServerWithStepUp, count, outUsages);
   check(suffix, usages & certificateUsageEmailSigner, count, outUsages);
   check(suffix, usages & certificateUsageEmailRecipient, count, outUsages);
   check(suffix, usages & certificateUsageObjectSigner, count, outUsages);
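Review bot: The result of CERT_PKIXVerifyCert is now dropped silently, without the `(void)` and the explanatory comment that the CERT_VerifyCertificateNow branch received. With the early return gone, `usages = cvout[0].value.scalar.usages;` is also read after a failed call, which appears safe only because that field is zeroed a few lines above. I would add `(void)` and a comment such as `// Result ignored on purpose: only the usage bits matter. cvout[0] was zeroed above, so usages stays empty if NSS wrote nothing.` The enclosing function starts and ends outside this hunk.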
@@ -249,11 +246,15 @@ else {
 #if 0
   check(suffix, usages & certificateUsageAnyCA, count, outUsages);
 #endif
 
   if (!nsNSSComponent::globalConstFlagUsePKIXVerification && localOnly && nssComponent) {
     nssComponent->SkipOcspOff();
   }
 
-  *_verified = nsNSSCertificate::VERIFIED_OK;
+  if (count == 0) {
+    verifyFailed(_verified, err);
+  } else {
+    *_verified = nsNSSCertificate::VERIFIED_OK;
+  }
   return NS_OK;
 }
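Review bot: The `count == 0` test is now the only failure signal, so `VERIFIED_OK` means "valid for at least one of the usages checked above" rather than "the verification call succeeded". That is worth a comment, because code reading `*_verified` cannot tell the two apart. Suggested wording above the `if`: `// No usage bit survived: report the NSS error. Otherwise the cert is OK for the listed usages only, even if the verify call itself returned failure.` The function begins outside this hunk.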