Old NSS code supports a validity time override for certs that are being validated for the certificateUsageSSLServer and certificateUsageSSLServerWithStepUp usages.
libpkix does not support this feature.
IIRC, there is a bit defined in the CERTCertificate that means "the invalid
date for this cert is overridden". It should be easy to test for that,
at least in the PKIX_PL_ layer.
P1, we cannot release the CERT_VerifyCert* "wrappers" until this is fixed.
The following code should be added into pkix_pl_cert.c:PKIX_PL_Cert_CheckValidity before checking for cert time validity.
    allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
                             (requiredUsages & certificateUsageSSLServerWithStepUp));
    val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);
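A self-contained model of the gate proposed in the comment above, added here as an illustration; it is not NSS or libpkix code. The struct, the usage bit values and the function names are hypothetical stand-ins, and the sample times are constructed; it shows that the per-cert override bit only takes effect for the two SSL server usages.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the usage bits named in the thread. */
enum {
    USAGE_SSL_SERVER              = 1 << 1,
    USAGE_SSL_SERVER_WITH_STEP_UP = 1 << 2,
    USAGE_EMAIL_SIGNER            = 1 << 4
};

typedef enum { TIME_VALID, TIME_EXPIRED, TIME_NOT_VALID_YET } time_validity;

/* Toy certificate: validity window plus the per-cert override bit. */
typedef struct {
    int64_t not_before;
    int64_t not_after;
    bool    time_override; /* "the invalid date for this cert is overridden" */
} toy_cert;

/* Models the time check: the bit is honoured only if the caller allows it. */
static time_validity check_valid_times(const toy_cert *c, int64_t t,
                                       bool allow_override)
{
    if (allow_override && c->time_override)
        return TIME_VALID;
    if (t < c->not_before)
        return TIME_NOT_VALID_YET;
    if (t > c->not_after)
        return TIME_EXPIRED;
    return TIME_VALID;
}

/* Models the proposed gate: only the SSL server usages may use the override. */
static time_validity check_validity_for_usage(const toy_cert *c, int64_t t,
                                              unsigned required_usages)
{
    bool allow_override = (required_usages & USAGE_SSL_SERVER) ||
                          (required_usages & USAGE_SSL_SERVER_WITH_STEP_UP);
    return check_valid_times(c, t, allow_override);
}

int main(void)
{
    toy_cert expired = { 100, 200, true }; /* constructed sample, override set */
    printf("ssl server: %d\n", check_validity_for_usage(&expired, 300, USAGE_SSL_SERVER));
    printf("email:      %d\n", check_validity_for_usage(&expired, 300, USAGE_EMAIL_SIGNER));
    return 0;
}
```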
Created attachment 312740
Allow time override for certificateUsageSSLServer and certificateUsageSSLServerWithStepUp usages
Comment on attachment 312740