Old NSS code supports validity time override for certs that are being validated for the certificateUsageSSLServer and certificateUsageSSLServerWithStepUp usages. libpkix does not support this feature.
IIRC, there is a bit defined in the CERTCertificate that means "the invalid date for this cert is overridden". It should be easy to test for that, at least in the PKIX_PL_ layer.
P1, we cannot release the CERT_VerifyCert* "wrappers" until this is fixed.
Priority: P2 → P1
The following code should be added into pkix_pl_cert.c:PKIX_PL_Cert_CheckValidity before checking for cert time validity:

    allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
                             (requiredUsages & certificateUsageSSLServerWithStepUp));
    val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);
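Added example, not part of the original bug comments or the NSS source: a simplified C model of the usage gate proposed in the comment above, showing which usage masks let a user-accepted expired cert pass the time check. All type, function and constant names and the timestamps are hypothetical stand-ins for the NSS ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not NSS code: every name and value here is hypothetical. */
enum { USAGE_SSL_SERVER = 0x2, USAGE_SSL_SERVER_STEPUP = 0x4, USAGE_EMAIL_SIGNER = 0x10 };
typedef enum { TIME_VALID, TIME_EXPIRED, TIME_NOT_VALID_YET } time_validity;

typedef struct {
    int64_t not_before, not_after;
    bool time_override; /* models the "invalid date is overridden" bit on the cert */
} model_cert;

/* Constructed sample certs, both valid from t=1000 to t=2000. */
static const model_cert ACCEPTED = {1000, 2000, true};      /* override bit set */
static const model_cert NOT_ACCEPTED = {1000, 2000, false}; /* override bit clear */

/* Stand-in for the time check: the override bit counts only if the caller allows it. */
static time_validity check_valid_times(const model_cert *c, int64_t t, bool allow_override)
{
    if (allow_override && c->time_override)
        return TIME_VALID;
    if (t < c->not_before)
        return TIME_NOT_VALID_YET;
    return (t > c->not_after) ? TIME_EXPIRED : TIME_VALID;
}

/* The gate from the comment: the override is allowed only for SSL server usages.
 * The test is a bitwise AND on the mask, so a mask that combines an SSL server
 * usage with any other usage also enables the override. */
static time_validity check_validity_for_usages(const model_cert *c, int64_t t,
                                               unsigned required_usages)
{
    bool allow_override =
        (required_usages & (USAGE_SSL_SERVER | USAGE_SSL_SERVER_STEPUP)) != 0;
    return check_valid_times(c, t, allow_override);
}

int main(void)
{
    const int64_t now = 3000; /* after not_after: both sample certs are expired */
    printf("accepted, ssl server:   %d\n", check_validity_for_usages(&ACCEPTED, now, USAGE_SSL_SERVER));
    printf("accepted, email signer: %d\n", check_validity_for_usages(&ACCEPTED, now, USAGE_EMAIL_SIGNER));
    printf("accepted, mixed mask:   %d\n",
           check_validity_for_usages(&ACCEPTED, now, USAGE_SSL_SERVER | USAGE_EMAIL_SIGNER));
    printf("not accepted, server:   %d\n", check_validity_for_usages(&NOT_ACCEPTED, now, USAGE_SSL_SERVER));
    return 0;
}
```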
Created attachment 312740
Patch v1

Allow time override for certificateUsageSSLServer and certificateUsageSSLServerWithStepUp usages
Attachment #312740 - Flags: review?(nelson)
Comment on attachment 312740
Patch v1

So simple! r=nelson
Attachment #312740 - Flags: review?(nelson) → review+
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED