libpkix uses the PKIX_ValidateNode tree to indicate cert problems found during the cert selection process. Some paths of chain building/validation do not update the final PKIX_ValidateNode tree with cert selection failure reasons.
Alexei, "some paths"? What paths? Please provide enough information that another developer can know what code to start examining.
Does bug 390888 need to be fixed before this bug is fixed? That is, does bug 390888 block this bug? Or does this bug need to be fixed first? Does this bug block 390888?
An example is a path which chains to a root which violates the basic constraints path length. In this case, pkix_CertSelector_DefaultMatch() will fail, and pkix_Build_GatherCerts() will return an empty list, because no cert matches the requirements. There is no ValidateNode created in this case.
This may be fixed. We need a test case.
This bug is fixed. Closing.