Bug 390530 - libpkix does not support time override
Product: NSS
Classification: Components
Component: Libraries
Version: trunk
Platform: All All
Importance: P1 enhancement
Target Milestone: 3.12
Assigned To: Alexei Volkov
Reported: 2007-08-01 14:25 PDT by Alexei Volkov
Modified: 2011-11-03 23:53 PDT

Patch v1 (1.38 KB, patch)
2008-03-31 09:05 PDT, Alexei Volkov
nelson: review+

Description Alexei Volkov 2007-08-01 14:25:31 PDT
Old NSS code supports validity time override for certs that are being validated for certificateUsageSSLServer and certificateUsageSSLServerWithStepUp usages.

libpkix does not support this feature.
Comment 1 Nelson Bolyard (seldom reads bugmail) 2007-08-01 18:44:04 PDT
IIRC, there is a bit defined in the CERTCertificate that means "the invalid
date for this cert is overridden".  It should be easy to test for that,
at least in the PKIX_PL_ layer.
Comment 2 Nelson Bolyard (seldom reads bugmail) 2007-08-08 13:26:43 PDT
P1, we cannot release the CERT_VerifyCert* "wrappers" until this is fixed.
Comment 3 Alexei Volkov 2007-08-22 16:52:00 PDT
The following code should be added into pkix_pl_cert.c:PKIX_PL_Cert_CheckValidity before checking for cert time validity.

allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
                        (requiredUsages & certificateUsageSSLServerWithStepUp));
val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);
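Added example (not part of the original comment, and not NSS or libpkix code): a self-contained C model of the gate proposed in Comment 3, assuming the time check honors the per-certificate override bit described in Comment 1 only when the caller allows it. All type, constant and function names below are hypothetical stand-ins, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model only: names and values are constructed for this example. */
enum { USAGE_SSL_CLIENT = 0x1, USAGE_SSL_SERVER = 0x2,
       USAGE_SSL_SERVER_STEPUP = 0x4, USAGE_EMAIL_SIGNER = 0x10 };

typedef enum { TIME_VALID, TIME_EXPIRED, TIME_NOT_VALID_YET } time_validity;

typedef struct {
    int64_t not_before;  /* start of validity period (seconds) */
    int64_t not_after;   /* end of validity period (seconds) */
    bool    time_ok;     /* per-cert "invalid date is overridden" bit */
} model_cert;

/* Stand-in for the time check: the override bit is honoured only when
 * the caller allows it; otherwise the validity window decides. */
static time_validity check_valid_times(const model_cert *c, int64_t t,
                                       bool allow_override)
{
    if (allow_override && c->time_ok)
        return TIME_VALID;
    if (t < c->not_before)
        return TIME_NOT_VALID_YET;
    if (t > c->not_after)
        return TIME_EXPIRED;
    return TIME_VALID;
}

/* The gate from Comment 3: only SSL server usages may use the override. */
time_validity check_validity_for_usage(const model_cert *c, int64_t t,
                                       unsigned required_usages)
{
    bool allow_override =
        (required_usages & USAGE_SSL_SERVER) ||
        (required_usages & USAGE_SSL_SERVER_STEPUP);
    return check_valid_times(c, t, allow_override);
}

int main(void)
{
    model_cert expired = { 1000, 2000, true };  /* constructed sample */
    printf("server: %d, email: %d\n",
           check_validity_for_usage(&expired, 3000, USAGE_SSL_SERVER),
           check_validity_for_usage(&expired, 3000, USAGE_EMAIL_SIGNER));
    return 0;
}
```

As the expression in Comment 3 is written, any usage mask that includes one of the two SSL server bits enables the override, including a mask that also carries other usages.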
Comment 4 Alexei Volkov 2008-03-31 09:05:45 PDT
Created attachment 312740
Patch v1

Allow time override for certificateUsageSSLServer and certificateUsageSSLServerWithStepUp usages
Comment 5 Nelson Bolyard (seldom reads bugmail) 2008-03-31 11:39:43 PDT
Comment on attachment 312740
Patch v1

So simple!  
Comment 6 Alexei Volkov 2008-03-31 12:07:09 PDT
