Can't use a CERTValInParam of type cert_pi_trustAnchors to set a self-signed certificate as a trust anchor, then use CERT_PKIXVerifyCert to verify that certificate (for things like expiration, bad signature, etc.) Results in SEC_ERROR_UNKNOWN_ISSUER.

fix typo

revocation flags need to be specified for CERT_PKIXVerifyCert to work ( -> updated selfsigned.c)

proposed patch (if the certificate is self-signed (i.e. a root), temporarily set the basic constraints criterion's minimum path length to -2, indicating that the certificate must be an end-entity certificate).

Better patch (previous one was not at all the way to do it).

Using pointer equality for certs. Also, switching out the minimum path length argument only needs to happen in one location, not the two from before.

Comment on attachment 553617 [details] [diff] [review] CERT_PKIXVerifyCert-selfsigned.patch Clearing review. If this patch even still applies, there's a good chance we're not going to be using libpkix, so we don't even need it.

Keeler, we might still need libpkix for backwards compatibility. I would not throiw the effort away. However make sure you also check the certifiacte usages on the self signed case.