From a07ba7e5816bd73deba25859c7a8b531d1ec79db Mon Sep 17 00:00:00 2001
From: Camilo Viecco
Date: Wed, 11 Dec 2013 13:04:07 -0800
Subject: [PATCH] Bug 938046 - Part 3. Iterate only through valid users on getchain r=dkeeler

---
 security/manager/ssl/src/nsNSSCertificate.cpp | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/security/manager/ssl/src/nsNSSCertificate.cpp b/security/manager/ssl/src/nsNSSCertificate.cpp
index 6002f7ec0ab..c592801573c 100644
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -856,10 +856,18 @@ nsNSSCertificate::GetChain(nsIArray **_rvChain)
 nullptr, /*XXX fixme*/
 CertVerifier::FLAG_LOCAL_ONLY,
 &pkixNssChain);
+ // This is the whitelist of all non-SSLServer usages that are supported by
+ // verifycert.
+ const int otherUsagesToTest = certificateUsageSSLClient |
+ certificateUsageSSLCA |
+ certificateUsageEmailSigner |
+ certificateUsageEmailRecipient |
+ certificateUsageObjectSigner |
+ certificateUsageStatusResponder;
 for (int usage = certificateUsageSSLClient;
 usage < certificateUsageAnyCA && !pkixNssChain;
 usage = usage << 1) {
- if (usage == certificateUsageSSLServer) {
+ if ((usage & otherUsagesToTest) == 0) {
 continue;
 }
 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("pipnss: PKIX attempting chain(%d) for '%s'\n",usage, mCert->nickname));
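Review bot: The `otherUsagesToTest` mask hard-codes which usages the verifier accepts, and nothing visible in the hunk ties it to the verifier itself, so a usage later added to or dropped from `CertVerifier::VerifyCert` would silently change which chains `GetChain` can build. The comment should name that function exactly and state what the skip is for, for example `// Usages other than SSLServer that CertVerifier::VerifyCert accepts; any bit outside this mask is skipped instead of being passed to the verifier. Keep in sync with VerifyCert.` The mask is also declared `const int`, while the usage flags are presumably NSS `SECCertificateUsage` values; declaring it as `const SECCertificateUsage otherUsagesToTest = ...` would avoid relying on every flag fitting in an int. The body of `GetChain` starts before and continues after the hunk, so what happens when the loop ends with `pkixNssChain` still null cannot be checked from here.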