authoralexei.volkov.bugs%sun.com <devnull@localhost>2008-07-08 21:34:53 +0000
committeralexei.volkov.bugs%sun.com <devnull@localhost>2008-07-08 21:34:53 +0000
commit34e1ec9bea77ac97b46a866f722b807e3a1a16c3 (patch)
treed6a97ea82f6613fc6afe8ee5dc042bb2100612e3
parent7210612c307cb61168f82cd204c90de9a1c38056 (diff)
downloadnss-hg-34e1ec9bea77ac97b46a866f722b807e3a1a16c3.tar.gz
408847 - pkix_OcspChecker_Check does not support specified responder (and given signercert). r=nelson
-rw-r--r--security/nss/lib/certhigh/ocsp.c2
-rw-r--r--security/nss/lib/certhigh/ocspi.h21
-rwxr-xr-xsecurity/nss/lib/libpkix/include/pkix_pl_pki.h1
-rw-r--r--security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c1
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c32
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h1
6 files changed, 35 insertions, 23 deletions
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index d20b64e1a..14b95abe3 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -4481,7 +4481,7 @@ loser:
*
* The result needs to be freed (PORT_Free) when no longer in use.
*/
-static char *
+char *
ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
PRBool *isDefault)
{
diff --git a/security/nss/lib/certhigh/ocspi.h b/security/nss/lib/certhigh/ocspi.h
index 4d31dd39d..913cc81ef 100644
--- a/security/nss/lib/certhigh/ocspi.h
+++ b/security/nss/lib/certhigh/ocspi.h
@@ -138,4 +138,25 @@ SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
PRBool *certIDWasConsumed);
+/*
+ * FUNCTION: ocsp_GetResponderLocation
+ * Check ocspx context for user-designated responder URI first. If not
+ * found, checks cert AIA extension.
+ * INPUTS:
+ * CERTCertDBHandle *handle
+ * certificate DB of the cert that is being checked
+ * CERTCertificate *cert
+ * The certificate being examined.
+ * PRBool *certIDWasConsumed
+ * Out parameter, if set to true, URI of default responder is
+ * returned.
+ * RETURN:
+ * Responder URI.
+ */
+char *
+ocsp_GetResponderLocation(CERTCertDBHandle *handle,
+ CERTCertificate *cert,
+ PRBool *isDefault);
+
+
#endif /* _OCSPI_H_ */
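Review bot: The INPUTS block of the new comment documents an out parameter named `certIDWasConsumed`, but the prototype directly below it names that parameter `isDefault`; the text looks copied from the cert_RememberOCSPProcessingFailure comment above. Change the two lines to ` *  PRBool *isDefault` / ` *      Out parameter; set to PR_TRUE when the URI of the user-designated default responder is returned, PR_FALSE when it came from the cert's AIA extension.` The header comment should also state ownership of the returned string, which the definition in ocsp.c documents as "needs to be freed (PORT_Free) when no longer in use" but this declaration omits; add ` *      Responder URI, or NULL with the error set. The caller frees it with PORT_Free.` under RETURN so callers outside ocsp.c do not have to read the definition to learn that.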
diff --git a/security/nss/lib/libpkix/include/pkix_pl_pki.h b/security/nss/lib/libpkix/include/pkix_pl_pki.h
index 02a4fa165..5fbe92b5a 100755
--- a/security/nss/lib/libpkix/include/pkix_pl_pki.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h
@@ -2574,7 +2574,6 @@ pkix_pl_OcspRequest_Create(
PKIX_PL_Cert *cert,
PKIX_PL_OcspCertID *cid,
PKIX_PL_Date *validity,
- PKIX_Boolean addServiceLocator,
PKIX_PL_Cert *signerCert,
PKIX_Boolean *pURIFound,
PKIX_PL_OcspRequest **pRequest,
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
index c5f13050e..912fd40e0 100644
--- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
@@ -213,7 +213,6 @@ pkix_OcspChecker_Check(
(cert,
cid,
validity,
- PKIX_FALSE, /* PKIX_Boolean addServiceLocator */
NULL, /* PKIX_PL_Cert *signerCert */
&uriFound,
&request,
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
index d71cbc1d8..0ab8e5d48 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
@@ -268,9 +268,6 @@ pkix_pl_OcspRequest_RegisterSelf(void *plContext)
* "validity"
* Address of the Date for which the Cert's validity is to be determined.
* May be NULL.
- * "addServiceLocator"
- * Boolean value indicating whether the request should include the
- * AddServiceLocator extension
* "signerCert"
* Address of the Cert to be used, if present, in signing the request.
* May be NULL.
@@ -290,7 +287,6 @@ pkix_pl_OcspRequest_Create(
PKIX_PL_Cert *cert,
PKIX_PL_OcspCertID *cid,
PKIX_PL_Date *validity,
- PKIX_Boolean addServiceLocator,
PKIX_PL_Cert *signerCert,
PKIX_Boolean *pURIFound,
PKIX_PL_OcspRequest **pRequest,
@@ -298,6 +294,7 @@ pkix_pl_OcspRequest_Create(
{
PKIX_PL_OcspRequest *ocspRequest = NULL;
+ CERTCertDBHandle *handle = NULL;
SECStatus rv = SECFailure;
SECItem *encoding = NULL;
CERTOCSPRequest *certRequest = NULL;
@@ -325,8 +322,6 @@ pkix_pl_OcspRequest_Create(
PKIX_INCREF(validity);
ocspRequest->validity = validity;
- ocspRequest->addServiceLocator = addServiceLocator;
-
PKIX_INCREF(signerCert);
ocspRequest->signerCert = signerCert;
@@ -341,21 +336,23 @@ pkix_pl_OcspRequest_Create(
* Does this Cert have an Authority Information Access extension with
* the URI of an OCSP responder?
*/
- location = CERT_GetOCSPAuthorityInfoAccessLocation(nssCert);
-
+ handle = CERT_GetDefaultCertDB();
+ location = ocsp_GetResponderLocation(handle, nssCert,
+ &addServiceLocatorExtension);
if (location == NULL) {
locError = PORT_GetError();
- if (locError == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
- *pURIFound = PKIX_FALSE;
- goto cleanup;
- } else {
- PKIX_ERROR(PKIX_ERRORFINDINGORPROCESSINGURI);
+ if (locError == SEC_ERROR_EXTENSION_NOT_FOUND ||
+ locError == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
+ PORT_SetError(0);
+ *pURIFound = PKIX_FALSE;
+ goto cleanup;
}
- } else {
- ocspRequest->location = location;
- *pURIFound = PKIX_TRUE;
+ PKIX_ERROR(PKIX_ERRORFINDINGORPROCESSINGURI);
}
+ ocspRequest->location = location;
+ *pURIFound = PKIX_TRUE;
+
if (signerCert != NULL) {
nssSignerCert = signerCert->nssCert;
}
@@ -367,9 +364,6 @@ pkix_pl_OcspRequest_Create(
time = PR_Now();
}
- addServiceLocatorExtension =
- ((addServiceLocator == PKIX_TRUE)? PR_TRUE : PR_FALSE);
-
certRequest = cert_CreateSingleCertOCSPRequest(
cid->certID, cert->nssCert, time,
addServiceLocatorExtension, nssSignerCert);
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
index 2012a64e3..573c8240c 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
@@ -67,7 +67,6 @@ pkix_pl_OcspRequest_Create(
PKIX_PL_Cert *cert,
PKIX_PL_OcspCertID *cid,
PKIX_PL_Date *validity,
- PKIX_Boolean addServiceLocator,
PKIX_PL_Cert *signerCert,
PKIX_Boolean *pURIFound,
PKIX_PL_OcspRequest **pRequest,
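Review bot: This header drops the `addServiceLocator` parameter from the prototype, but no hunk in the commit removes a corresponding `addServiceLocator` member from the PKIX_PL_OcspRequest struct, while the pkix_pl_ocsprequest.c hunk deletes the only assignment to `ocspRequest->addServiceLocator`. If that member is still declared (its declaration is outside what the diff shows), it is now never written and readers of the struct would see whatever the allocator left there; either remove the member in the same change or add a comment on it saying it is unused. The prototype being edited starts before the first line of this hunk.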