authornelson%bolyard.com <devnull@localhost>2008-07-22 02:40:11 +0000
committernelson%bolyard.com <devnull@localhost>2008-07-22 02:40:11 +0000
commit9e90d808e6952645c2271162f8ea8d52dca7f00c (patch)
tree8eb8e0f91609154016fe720d235de40a432b8220
parenta434258e91f9de4294355506b4c4cee3ac4de449 (diff)
downloadnss-hg-9e90d808e6952645c2271162f8ea8d52dca7f00c.tar.gz
Bug 384459, ignore issuer and serial number components of authority key ID
extension when they don't match. Don't report them in certutil either. r=rrelyea, sr=wtc
-rw-r--r--security/nss/cmd/lib/secutil.c8
-rw-r--r--security/nss/lib/pki/pki3hack.c43
2 files changed, 15 insertions, 36 deletions
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index f31b35605..8755bbe1f 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -2042,14 +2042,6 @@ secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level)
int snPresent = (kid->authCertSerialNumber.data &&
kid->authCertSerialNumber.len);
- if ((keyIDPresent && !issuerPresent && !snPresent) ||
- (!keyIDPresent && issuerPresent && snPresent)) {
- /* all is well */
- } else {
- SECU_Indent(out, level);
- fprintf(out,
- "Error: KeyID OR (Issuer AND Serial) must be present, not both.\n");
- }
if (keyIDPresent)
SECU_PrintAsHex(out, &kid->keyID, "Key ID", level);
if (issuerPresent)
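Review bot: After the removed block, nothing in secu_PrintAuthKeyIDExtension records why the three components are printed without a consistency check, and the next reader may reintroduce the deleted "not both" message, which was rejecting the legitimate case where keyIdentifier and the issuer/serial pair are all present. A one-line comment above `if (keyIDPresent)` would pin this down, e.g. `/* keyID and issuer/serial may all be present; print whatever is there, do not police the combination */`. Note that the only combination the profile actually forbids, an issuer without a serial number or vice versa, is now also passed over silently; if certutil is meant to stay a diagnostic tool, a warning for that single case might still be worth keeping, though that goes beyond what this commit sets out to do. The function's body starts and ends outside the hunk.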
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index 33eb61684..5e42bc157 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -319,19 +319,18 @@ nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
nssCertIDMatch match = nssCertIDMatch_Unknown;
/* keyIdentifier */
- if (authKeyID->keyID.len > 0) {
- if (CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
- PRBool skiEqual;
- skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
- PORT_Free(skid.data);
- if (skiEqual) {
- /* change the state to positive match, but keep going */
- match = nssCertIDMatch_Yes;
- } else {
- /* exit immediately on failure */
- return nssCertIDMatch_No;
- }
- } /* else fall through */
+ if (authKeyID->keyID.len > 0 &&
+ CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
+ PRBool skiEqual;
+ skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
+ PORT_Free(skid.data);
+ if (skiEqual) {
+ /* change the state to positive match, but keep going */
+ match = nssCertIDMatch_Yes;
+ } else {
+ /* exit immediately on failure */
+ return nssCertIDMatch_No;
+ }
}
/* issuer/serial (treated as pair) */
@@ -342,27 +341,15 @@ nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
caName = (SECItem *)CERT_GetGeneralNameByType(
authKeyID->authCertIssuer,
certDirectoryName, PR_TRUE);
- if (caName == NULL) {
- /* this is some kind of error, so treat it as unknown */
- return nssCertIDMatch_Unknown;
- }
- if (SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
+ if (caName != NULL &&
+ SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
SECITEM_ItemsAreEqual(&c->serialNumber, caSN))
{
- /* change the state to positive match, but keep going */
match = nssCertIDMatch_Yes;
} else {
- /* exit immediately on failure */
- return nssCertIDMatch_No;
+ match = nssCertIDMatch_Unknown;
}
}
-
- /* If the issued cert has a keyIdentifier field with a value, but
- * this issuer cert does not have a subjectKeyID extension, and
- * the issuer/serial number fields of the authKeyID extension
- * are empty, the state will be Unknown. Otherwise it should have
- * been set to Yes.
- */
return match;
}
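Review bot: The new `else` branch at the end of the issuer/serial block assigns `match = nssCertIDMatch_Unknown` unconditionally, which overwrites the `nssCertIDMatch_Yes` set by the keyIdentifier comparison in the preceding hunk; a certificate whose subjectKeyIdentifier matches but whose issuer/serial pair does not (or whose directory name cannot be extracted, `caName == NULL`) now comes back as Unknown rather than Yes. If the intent stated in the commit message is to ignore a non-matching pair, the branch should leave `match` alone: delete the `} else {` / `match = nssCertIDMatch_Unknown;` lines so the block reads `if (caName != NULL && ... ) { match = nssCertIDMatch_Yes; }`. Callers may well treat Unknown and Yes alike here, so the practical effect is unclear from this hunk, but the function's return value no longer reflects a positive key-ID match. The comment block explaining when Unknown is returned was dropped along with the old logic; a replacement such as `/* Unknown: no keyID match was possible and the issuer/serial pair did not match or was absent */` would document the new states. nss3certificate_matchIdentifier begins outside this hunk.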