Bug 938046 - Part 3. Iterate only through valid users on getchain r=dkeeler

2013-12-11 13:04:07 -08:00 · 2013-12-11 13:04:07 -08:00 · c653f8bfb9
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@ -856,10 +856,18 @@ nsNSSCertificate::GetChain(nsIArray **_rvChain)
                                 nullptr, /*XXX fixme*/
                                 CertVerifier::FLAG_LOCAL_ONLY,
                                 &pkixNssChain);
+  // This is the whitelist of all non-SSLServer usages that are supported by
+  // verifycert.
+  const int otherUsagesToTest = certificateUsageSSLClient |
+                                certificateUsageSSLCA |
+                                certificateUsageEmailSigner |
+                                certificateUsageEmailRecipient |
+                                certificateUsageObjectSigner |
+                                certificateUsageStatusResponder;
  for (int usage = certificateUsageSSLClient;
       usage < certificateUsageAnyCA && !pkixNssChain;
       usage = usage << 1) {
-    if (usage == certificateUsageSSLServer) {
+    if ((usage & otherUsagesToTest) == 0) {
      continue;
    }
    PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("pipnss: PKIX attempting chain(%d) for '%s'\n",usage, mCert->nickname));