From 2d58a01154d26dad227dd16a8a4e77fe78b29a42 Mon Sep 17 00:00:00 2001
From: Camilo Viecco <cviecco@mozilla.com>
Date: Thu, 6 Mar 2014 10:04:04 -0800
Subject: [PATCH] Bug 969188 - Part 1/3 - Fix mozilla::pkix handling of trusted
 v1 certificates. r=briansmith

--HG--
extra : rebase_source : 242b4849a7820d23518936a8c86ddcb7d9684394
---
 security/pkix/lib/pkixcheck.cpp | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/security/pkix/lib/pkixcheck.cpp b/security/pkix/lib/pkixcheck.cpp
index 0ba8eab42bb..4c3c41555a1 100644
--- a/security/pkix/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -234,18 +234,10 @@ CheckBasicConstraints(const BackCert& cert,
     // TODO: add check for self-signedness?
     if (endEntityOrCA == MustBeCA && isTrustAnchor) {
       const CERTCertificate* nssCert = cert.GetNSSCert();
-
-      der::Input versionDer;
-      if (versionDer.Init(nssCert->version.data, nssCert->version.len)
-            != der::Success) {
-        return RecoverableError;
-      }
-      uint8_t version;
-      if (der::OptionalVersion(versionDer, version) || der::End(versionDer)
-            != der::Success) {
-        return RecoverableError;
-      }
-      if (version == 1) {
+      // We only allow trust anchor CA certs to omit the
+      // basicConstraints extension if they are v1. v1 is encoded
+      // implicitly.
+      if (!nssCert->version.data && !nssCert->version.len) {
         basicConstraints.isCA = true;
         basicConstraints.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
       }