Created attachment 552141: test program
Can't use a CERTValInParam of type cert_pi_trustAnchors to set a self-signed certificate as a trust anchor, then use CERT_PKIXVerifyCert to verify that certificate (for things like expiration, bad signature, etc.) Results in SEC_ERROR_UNKNOWN_ISSUER.
Created attachment 552144: selfsigned.c
fix typo
Attachment #552141 - Attachment is obsolete: true
Created attachment 552412: selfsigned.c
revocation flags need to be specified for CERT_PKIXVerifyCert to work (-> updated selfsigned.c)
Attachment #552144 - Attachment is obsolete: true
Created attachment 552414: CERT_PKIXVerifyCert-selfsigned.patch
proposed patch (if the certificate is self-signed (i.e. a root), temporarily set the basic constraints criterion's minimum path length to -2, indicating that the certificate must be an end-entity certificate).
Created attachment 553291: CERT_PKIXVerifyCert-selfsigned.patch
Better patch (previous one was not at all the way to do it).
Attachment #552414 - Attachment is obsolete: true
Created attachment 553617: CERT_PKIXVerifyCert-selfsigned.patch
Using pointer equality for certs. Also, switching out the minimum path length argument only needs to happen in one location, not the two from before.
Attachment #553291 - Attachment is obsolete: true
Comment on attachment 553617: CERT_PKIXVerifyCert-selfsigned.patch
Clearing review. If this patch even still applies, there's a good chance we're not going to be using libpkix, so we don't even need it.
Keeler, we might still need libpkix for backwards compatibility. I would not throw the effort away. However, make sure you also check the certificate usages on the self-signed case.
No longer blocks: 672600