Old NSS code supports a validity time override for certs that are being validated for the certificateUsageSSLServer and certificateUsageSSLServerWithStepUp usages. libpkix does not support this feature.
IIRC, there is a bit defined in the CERTCertificate that means "the invalid date for this cert is overridden". It should be easy to test for that, at least in the PKIX_PL_ layer.
P1, we cannot release the CERT_VerifyCert* "wrappers" until this is fixed.
The following code should be added into pkix_pl_cert.c:PKIX_PL_Cert_CheckValidity before checking for cert time validity.

    allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
                             (requiredUsages & certificateUsageSSLServerWithStepUp));
    val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);
Created attachment 312740: Patch v1
Allow time override for certificateUsageSSLServer and certificateUsageSSLServerWithStepUp usages
Comment on attachment 312740: Patch v1
So simple! r=nelson
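A stand-alone model of the check proposed above for PKIX_PL_Cert_CheckValidity, added here as an illustration; it is not NSS code and not part of the attached patch. The types, the `USAGE_*` bit values, the `time_override` field and both function names are assumptions that stand in for the NSS definitions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model constants: names echo the NSS usages, bit values are placeholders. */
enum { USAGE_SSL_CLIENT = 1 << 0, USAGE_SSL_SERVER = 1 << 1,
       USAGE_SSL_SERVER_STEPUP = 1 << 2, USAGE_EMAIL_SIGNER = 1 << 4 };

typedef struct {
    int64_t not_before;
    int64_t not_after;
    bool time_override; /* models the per-cert "invalid date is overridden" bit */
} model_cert;

typedef enum { TIME_VALID, TIME_EXPIRED, TIME_NOT_YET_VALID } time_validity;

/* Stand-in for CERT_CheckCertValidTimes(cert, t, allowOverride): the override
 * only takes effect when the caller allows it AND the cert carries the bit. */
static time_validity check_valid_times(const model_cert *c, int64_t t,
                                       bool allow_override)
{
    if (allow_override && c->time_override)
        return TIME_VALID;
    if (t < c->not_before)
        return TIME_NOT_YET_VALID;
    if (t > c->not_after)
        return TIME_EXPIRED;
    return TIME_VALID;
}

/* The gate from the comment: allow the override only for SSL server usages.
 * Any SSL server bit in the mask enables it, even if other usages are set too. */
static time_validity check_validity_for_usage(const model_cert *c, int64_t t,
                                              unsigned required_usages)
{
    bool allow_override = (required_usages & USAGE_SSL_SERVER) ||
                          (required_usages & USAGE_SSL_SERVER_STEPUP);
    return check_valid_times(c, t, allow_override);
}

/* Constructed sample certs, valid from t=100 to t=200. */
static const model_cert overridden_cert = { 100, 200, true };
static const model_cert plain_cert = { 100, 200, false };

int main(void)
{
    /* Expired at t=300: accepted only with the bit set and an SSL server usage. */
    bool ok = check_validity_for_usage(&overridden_cert, 300, USAGE_SSL_SERVER) == TIME_VALID
           && check_validity_for_usage(&overridden_cert, 300, USAGE_EMAIL_SIGNER) == TIME_EXPIRED
           && check_validity_for_usage(&plain_cert, 300, USAGE_SSL_SERVER) == TIME_EXPIRED;
    return ok ? 0 : 1;
}
```

In this model, a mask that combines an SSL server usage with another usage still enables the override, because the gate tests the SSL server bits independently of the rest of the mask.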