Update JSSTrustManager to support trusted peers

JSSTrustManager has been updated to mimic NSS cert validation
which supports trusted peers. The checkCertChain() has been
modified to check whether the cert chain has P,, trust flags,
and if that's the case the cert chain is considered trusted
so it's not necessary to check the cert issuer anymore.

base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java

@@ -59,13 +59,36 @@ public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws
             logger.debug("JSSTrustManager:  - " + cert.getSubjectX500Principal());
         }
 
-        checkIssuerTrusted(certChain);
+        if (!isTrustedPeer(certChain)) {
+            checkIssuerTrusted(certChain);
+        }
 
         checkValidityDates(certChain);
 
         checkKeyUsage(certChain, keyUsage);
     }
 
+    public boolean isTrustedPeer(X509Certificate[] certChain) throws Exception {
+
+        // checking trust flags on leaf cert only
+        X509Certificate leafCert = certChain[certChain.length - 1];
+        logger.debug("JSSTrustManager: Checking trust flags of cert 0x" + leafCert.getSerialNumber().toString(16));
+
+        if (! (leafCert instanceof org.mozilla.jss.crypto.X509Certificate)) {
+            return false;
+        }
+
+        org.mozilla.jss.crypto.X509Certificate jssCert = (org.mozilla.jss.crypto.X509Certificate) leafCert;
+
+        String trustFlags = jssCert.getTrustFlags();
+        logger.debug("JSSTrustManager: - trust flags: " + trustFlags);
+
+        int sslTrust = jssCert.getSSLTrust();
+        return org.mozilla.jss.crypto.X509Certificate.isTrustFlagEnabled(
+                org.mozilla.jss.crypto.X509Certificate.TRUSTED_PEER,
+                sslTrust);
+    }
+
     public void checkIssuerTrusted(X509Certificate[] certChain) throws Exception {
 
         // get CA certs