Cert viewer displays the chain to the issuer. Nowadays there maybe be multiple possible chains, and the chain using the classic NSS code might display the "wrong chain". The "right chain" is the one that will be prefered by NSS libPKIX verification code, the chain that resulted in a successful verification. Bug 479393 is supposed to change all of PSM's verifications to make use of the new libPKIX verif. engine. The displayed chain should be identical to the chain used when verifying the cert.

Implementing this will require changing the way that PSM gets the cert chain it displays. The existing NSS methods for getting/constructing a cert chain, including - repeated calls to CERT_FindCertIssuer (as done by CERT_GetCertChainFromCert) - a single call to CERT_GetCertChainFromCert - a single call to CERT_CertChainFromCert all have the properties that - they do not require the chain to be complete or valid - they may return incomplete and/or invalid chains - they do not necessarily return the same chain as validated by libPKIX. IMO, the only way to get a cert chain that is the one validated by libPKIX is to have libPKIX output that chain as a side effect of doing a chain validation. Obviously, it will be necessary to use the new CERT_PKIXVerifyCert API to get this output, as the old API has no way to output it. I don't recall whether CERT_PKIXVerifyCert already has a way to output the validated chain, or not. If not, we would need to add that capability. That would necessitate an NSS RFE which would block this PSM RFE. Alexei, can you enlighten us about that question/issue? Does CERT_PKIXVerifyCert already have a way to output the verified chain? Also, Does it have a way to output an unverified chain?

Ideally this bug should have a patch at the same time as 479393 gets done. Adding dependency.

When libpkix is enabled, the libpkix-based path building and/or validation logic must be used. When libpkix is disabled, the non-libpkix path building and/or validation logic must be used. The certificate viewer already potentially displays EV certificate chains (which are always built using libpkix already) differently than the code that makes trust decisions in PSM, basically because of bug 650307. > Does CERT_PKIXVerifyCert already have a way to output the verified chain? Yes, it does. > Does it have a way to output an unverified chain? This still needs to be investigated.

Brian and I think this does not block "switch to pkix by default", but it should be fixed soon; moving it to a tracker bug for major PKIX related issues.