author | ian.mcgreer%sun.com <devnull@localhost> | 2002-02-12 00:38:16 +0000 |
---|---|---|
committer | ian.mcgreer%sun.com <devnull@localhost> | 2002-02-12 00:38:16 +0000 |
commit | 880d16ba116784ea3a38f89f7fa52a02974a757e (patch) | |
tree | 78eab41f01c1e595ff48bcff6c3b595140cf447b | |
parent | 82b0153f8df75f2dec98cb0bbff7ac49c6f72abb (diff) | |
download | nss-hg-880d16ba116784ea3a38f89f7fa52a02974a757e.tar.gz |
bug 124082, don't change trust of existing CA certs during PKCS#12 import
-rw-r--r-- | security/nss/lib/certdb/certdb.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 2068f81e1..983908737 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1904,7 +1904,19 @@ CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
 if ( caOnly && ( !isCA ) ) {
 return(SECSuccess);
 }
-
+ /* In NSS 3.4, certs are given zero trust upon import. However, this
+ * function needs to set up default CA trust (CERTDB_VALID_CA), or
+ * PKCS#12 imported certs will not show up correctly. In the case of a
+ * CA cert with zero trust, continue with this function. But if the cert
+ * does already have some trust bits, exit and do not change them.
+ */
+ if (isCA && cert->trust &&
+ (cert->trust->sslFlags |
+ cert->trust->emailFlags |
+ cert->trust->objectSigningFlags)) {
+ return(SECSuccess);
+ }
+
 saveit = PR_TRUE;
 PORT_Memset((void *)&trust, 0, sizeof(trust)); |
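Review bot: The new guard in CERT_SaveImportedCert cannot tell a CA cert that was just imported with zero trust from one whose trust flags were deliberately cleared: in both cases `sslFlags | emailFlags | objectSigningFlags` is 0, so both fall through to the code that, per the added comment, sets the default CA trust (CERTDB_VALID_CA). If that is intended, the comment should say so, for example `* Note: an existing trust record with all flags zero is treated as "no trust set" and still receives the default CA trust.` The guard also ignores `usage`, so a cert with bits in only one of the three fields is skipped for every usage; that is presumably deliberate, but the comment would be clearer if it stated it. The function starts before and continues past this hunk, so the trust assignment itself is not visible here.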