Fix for bug 232392 . Fix erroneous root CA tests in NSS libraries . r=nelson

security/nss/lib/certhigh/certvfy.c

@@ -1043,8 +1043,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
     /* make sure that the issuer is not self signed.  If it is, then
      * stop here to prevent looping.
      */
-    rvCompare = SECITEM_CompareItem(&cert->derSubject, &cert->derIssuer);
-    if (rvCompare == SECEqual) {
+    if (cert->isRoot) {
 	    PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
 	    LOG_ERROR(log, cert, 0, 0);
 	    goto loser;
@@ -1973,8 +1972,7 @@ CERT_GetCertChainFromCert(CERTCertificate *cert, int64 time, SECCertUsage usage)
             return chain;
         }
 
-	if (SECITEM_CompareItem(&cert->derIssuer, &cert->derSubject)
-	    == SECEqual) {
+	if (cert->isRoot) {
             /* return complete chain */
 	    return chain;
 	}

security/nss/lib/cryptohi/seckey.c

@@ -502,9 +502,7 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
     }
 
     /* check if the cert is self-signed */
-    rvCompare = (SECStatus)SECITEM_CompareItem(&subjectCert->derSubject,
-				    &subjectCert->derIssuer);
-    if (rvCompare == SECEqual) {
+    if (subjectCert->isRoot) {
       /* fail since cert is self-signed and has no pqg params. */
 	return SECFailure;     
     }

security/nss/lib/pk11wrap/pk11cert.c

@@ -354,8 +354,7 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
 	     * valid CA's which are self-signed here. They must have an object
 	     * ID of '0'.  */ 
 	    if (pk11_isID0(slot,certID) && 
-		SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer)
-							   == SECEqual) {
+		cert->isRoot) {
 		trustflags |= CERTDB_TRUSTED_CA;
 		/* is the slot a fortezza card? allow the user or
 		 * admin to turn on objectSigning, but don't turn

security/nss/lib/ssl/cmpcert.c

@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: cmpcert.c,v 1.5 2007-07-06 03:16:54 julien.pierre.bugs%sun.com Exp $ */
+/* $Id: cmpcert.c,v 1.6 2008-02-01 22:09:09 julien.pierre.boogz%sun.com Exp $ */
 
 #include <stdio.h>
 #include <string.h>
@@ -79,7 +79,7 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
     
     /* compute an alternate issuer name for compatibility with 2.0
      * enterprise server, which send the CA names without
-     * the outer layer of DER hearder
+     * the outer layer of DER header
      */
     rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen);
     if ( rv == SECSuccess ) {