Bugzilla bug 232380: deleted CERT_FindExpiredIssuer, which is dead code.

In cert_VerifyCertChain, make sure that subjectCert and issuerCert never point to the same cert to prevent from destroying that cert twice. r=jpierre,nelsonb. Modified Files: certdb/cert.h certhigh/certvfy.c
2004-01-28 21:51:10 +00:00 · 2004-01-28 21:51:10 +00:00 · 218facb68e
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@ -34,7 +34,7 @@
 /*
 * cert.h - public data structures and prototypes for the certificate library
 *
- * $Id: cert.h,v 1.43 2003-12-03 00:09:04 wchang0222%aol.com Exp $
+ * $Id: cert.h,v 1.44 2004-01-28 21:51:09 wchang0222%aol.com Exp $
 */

 #ifndef _CERT_H_
@ -645,13 +645,6 @@ CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
 		     PRBool checkSig, SECCertUsage certUsage, int64 t,
 		     void *wincx, CERTVerifyLog *log);

-/*
-** This must only be called on a cert that is known to have an issuer
-** with an invalid time
-*/
-extern CERTCertificate *
-CERT_FindExpiredIssuer (CERTCertDBHandle *handle, CERTCertificate *cert);
-
 /*
 ** Read a base64 ascii encoded DER certificate and convert it to our
 ** internal format.
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@ -165,64 +165,6 @@ CERT_VerifySignedData(CERTSignedData *sd, CERTCertificate *cert,
 }


-/*
- * This must only be called on a cert that is known to have an issuer
- * with an invalid time
- */
-CERTCertificate *
-CERT_FindExpiredIssuer(CERTCertDBHandle *handle, CERTCertificate *cert)
-{
-    CERTCertificate *issuerCert = NULL;
-    CERTCertificate *subjectCert;
-    int              count;
-    SECStatus        rv;
-    SECComparison    rvCompare;
-    
-    subjectCert = CERT_DupCertificate(cert);
-    if ( subjectCert == NULL ) {
-	goto loser;
-    }
-    
-    for ( count = 0; count < CERT_MAX_CERT_CHAIN; count++ ) {
-	/* find the certificate of the issuer */
-	issuerCert = CERT_FindCertByName(handle, &subjectCert->derIssuer);
-    
-	if ( ! issuerCert ) {
-	    goto loser;
-	}
-
-	rv = CERT_CertTimesValid(issuerCert);
-	if ( rv == SECFailure ) {
-	    /* this is the invalid issuer */
-	    CERT_DestroyCertificate(subjectCert);
-	    return(issuerCert);
-	}
-
-	/* make sure that the issuer is not self signed.  If it is, then
-	 * stop here to prevent looping.
-	 */
-	rvCompare = SECITEM_CompareItem(&issuerCert->derSubject,
-				 &issuerCert->derIssuer);
-	if (rvCompare == SECEqual) {
-	    PORT_Assert(0);		/* No expired issuer! */
-	    goto loser;
-	}
-	CERT_DestroyCertificate(subjectCert);
-	subjectCert = issuerCert;
-    }
-
-loser:
-    if ( issuerCert ) {
-	CERT_DestroyCertificate(issuerCert);
-    }
-    
-    if ( subjectCert ) {
-	CERT_DestroyCertificate(subjectCert);
-    }
-    
-    return(NULL);
-}
-
 /* Software FORTEZZA installation hack. The software fortezza installer does
 * not have access to the krl and cert.db file. Accept FORTEZZA Certs without
 * KRL's in this case. 
@ -978,11 +920,11 @@ cert_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,

 	CERT_DestroyCertificate(subjectCert);
 	subjectCert = issuerCert;
+	issuerCert = NULL;
    }

-    subjectCert = NULL;
    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
-    LOG_ERROR(log,issuerCert,count,0);
+    LOG_ERROR(log,subjectCert,count,0);
 loser:
    rv = SECFailure;
 done: