390381 - libpkix rejects cert chain when root CA cert has no basic constraints.

Patch: log correct error info. r=nelson

3 files changed, 2 insertions, 3 deletions

diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c
index cae016667..713c1bf3e 100644
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -835,7 +835,7 @@ cert_PkixErrorToNssCode(
         }
         if (pkixLog) {
             PR_LOG(pkixLog, 1, ("Error at level %d: %s\n", errLevel,
-                                PKIX_ErrorText[error->errCode]));
+                                PKIX_ErrorText[errPtr->errCode]));
         }
         errPtr = errPtr->cause;
         errLevel += 1; 
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c
index b150b3e06..c00900d63 100755
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -1038,6 +1038,7 @@ cleanup:
             goto cleanup; \
         } \
         if (verifyNode) { \
+            PKIX_DECREF(verifyNode->error); \
             PKIX_INCREF(pkixErrorResult); \
             verifyNode->error = pkixErrorResult; \
         } \
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.c
index 133dfe266..19777d6fe 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.c
@@ -328,7 +328,6 @@ pkix_pl_EkuChecker_Check(
         void *plContext)
 {
         pkix_pl_EkuChecker *state = NULL;
-        PKIX_List *certEkuList = NULL;
         PKIX_Boolean checkPassed = PKIX_TRUE;
 
         PKIX_ENTER(EKUCHECKER, "pkix_pl_EkuChecker_Check");
@@ -357,7 +356,6 @@ pkix_pl_EkuChecker_Check(
 
 cleanup:
 
-        PKIX_DECREF(certEkuList);
         PKIX_DECREF(state);
 
         PKIX_RETURN(EKUCHECKER);