author | alexei.volkov.bugs%sun.com <devnull@localhost> | 2008-07-08 21:34:53 +0000 |
---|---|---|
committer | alexei.volkov.bugs%sun.com <devnull@localhost> | 2008-07-08 21:34:53 +0000 |
commit | 34e1ec9bea77ac97b46a866f722b807e3a1a16c3 (patch) | |
tree | d6a97ea82f6613fc6afe8ee5dc042bb2100612e3 | |
parent | 7210612c307cb61168f82cd204c90de9a1c38056 (diff) | |
download | nss-hg-34e1ec9bea77ac97b46a866f722b807e3a1a16c3.tar.gz |
408847 - pkix_OcspChecker_Check does not support specified responder (and given signercert). r=nelson
-rw-r--r-- | security/nss/lib/certhigh/ocsp.c | 2 | ||||
-rw-r--r-- | security/nss/lib/certhigh/ocspi.h | 21 | ||||
-rwxr-xr-x | security/nss/lib/libpkix/include/pkix_pl_pki.h | 1 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c | 1 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c | 32 | ||||
-rw-r--r-- | security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h | 1 |
6 files changed, 35 insertions, 23 deletions
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index d20b64e1a..14b95abe3 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -4481,7 +4481,7 @@ loser:
 *
 * The result needs to be freed (PORT_Free) when no longer in use.
 */
-static char *
+char *
 ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
 PRBool *isDefault)
 {
diff --git a/security/nss/lib/certhigh/ocspi.h b/security/nss/lib/certhigh/ocspi.h
index 4d31dd39d..913cc81ef 100644
--- a/security/nss/lib/certhigh/ocspi.h
+++ b/security/nss/lib/certhigh/ocspi.h
@@ -138,4 +138,25 @@ SECStatus
 cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
 PRBool *certIDWasConsumed);
+/*
+ * FUNCTION: ocsp_GetResponderLocation
+ * Check ocspx context for user-designated responder URI first. If not
+ * found, checks cert AIA extension.
+ * INPUTS:
+ * CERTCertDBHandle *handle
+ * certificate DB of the cert that is being checked
+ * CERTCertificate *cert
+ * The certificate being examined.
+ * PRBool *certIDWasConsumed
+ * Out parameter, if set to true, URI of default responder is
+ * returned.
+ * RETURN:
+ * Responder URI.
+ */
+char *
+ocsp_GetResponderLocation(CERTCertDBHandle *handle,
+ CERTCertificate *cert,
+ PRBool *isDefault);
+
+
 #endif /* _OCSPI_H_ */
diff --git a/security/nss/lib/libpkix/include/pkix_pl_pki.h b/security/nss/lib/libpkix/include/pkix_pl_pki.h
index 02a4fa165..5fbe92b5a 100755
--- a/security/nss/lib/libpkix/include/pkix_pl_pki.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h
@@ -2574,7 +2574,6 @@ pkix_pl_OcspRequest_Create(
 PKIX_PL_Cert *cert,
 PKIX_PL_OcspCertID *cid,
 PKIX_PL_Date *validity,
- PKIX_Boolean addServiceLocator,
 PKIX_PL_Cert *signerCert,
 PKIX_Boolean *pURIFound,
 PKIX_PL_OcspRequest **pRequest,
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
index c5f13050e..912fd40e0 100644
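Review bot: The INPUTS block of the new ocsp_GetResponderLocation comment in ocspi.h documents a parameter `PRBool *certIDWasConsumed` that the prototype three lines below does not have; the third parameter is `PRBool *isDefault`, and the name looks copied from cert_RememberOCSPProcessingFailure directly above. The comment also drops the ownership rule that the definition's own comment in the ocsp.c hunk states (the result must be freed with PORT_Free) and says nothing about a NULL return, even though the libpkix caller added by this commit inspects PORT_GetError() after one. I would change the entry to ` *  PRBool *isDefault` / ` *      Out parameter, set to true when the returned URI is that of the user-designated default responder` and make RETURN read ` *  Responder URI, to be freed by the caller with PORT_Free, or NULL with the NSS error code set`. The exact error codes a caller may see are not visible here, so I would confirm them against the definition before naming them in the header.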
--- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
@@ -213,7 +213,6 @@ pkix_OcspChecker_Check(
 (cert,
 cid,
 validity,
- PKIX_FALSE, /* PKIX_Boolean addServiceLocator */
 NULL, /* PKIX_PL_Cert *signerCert */
 &uriFound,
 &request,
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
index d71cbc1d8..0ab8e5d48 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
@@ -268,9 +268,6 @@ pkix_pl_OcspRequest_RegisterSelf(void *plContext)
 * "validity"
 * Address of the Date for which the Cert's validity is to be determined.
 * May be NULL.
- * "addServiceLocator"
- * Boolean value indicating whether the request should include the
- * AddServiceLocator extension
 * "signerCert"
 * Address of the Cert to be used, if present, in signing the request.
 * May be NULL.
@@ -290,7 +287,6 @@ pkix_pl_OcspRequest_Create(
 PKIX_PL_Cert *cert,
 PKIX_PL_OcspCertID *cid,
 PKIX_PL_Date *validity,
- PKIX_Boolean addServiceLocator,
 PKIX_PL_Cert *signerCert,
 PKIX_Boolean *pURIFound,
 PKIX_PL_OcspRequest **pRequest,
@@ -298,6 +294,7 @@ pkix_pl_OcspRequest_Create(
 {
 PKIX_PL_OcspRequest *ocspRequest = NULL;
+ CERTCertDBHandle *handle = NULL;
 SECStatus rv = SECFailure;
 SECItem *encoding = NULL;
 CERTOCSPRequest *certRequest = NULL;
@@ -325,8 +322,6 @@ pkix_pl_OcspRequest_Create(
 PKIX_INCREF(validity);
 ocspRequest->validity = validity;
- ocspRequest->addServiceLocator = addServiceLocator;
-
 PKIX_INCREF(signerCert);
 ocspRequest->signerCert = signerCert;
@@ -341,21 +336,23 @@ pkix_pl_OcspRequest_Create(
 * Does this Cert have an Authority Information Access extension with
 * the URI of an OCSP responder?
 */
- location = CERT_GetOCSPAuthorityInfoAccessLocation(nssCert);
-
+ handle = CERT_GetDefaultCertDB();
+ location = ocsp_GetResponderLocation(handle, nssCert,
+ &addServiceLocatorExtension);
 if (location == NULL) {
 locError = PORT_GetError();
- if (locError == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
- *pURIFound = PKIX_FALSE;
- goto cleanup;
- } else {
- PKIX_ERROR(PKIX_ERRORFINDINGORPROCESSINGURI);
+ if (locError == SEC_ERROR_EXTENSION_NOT_FOUND ||
+ locError == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
+ PORT_SetError(0);
+ *pURIFound = PKIX_FALSE;
+ goto cleanup;
 }
- } else {
- ocspRequest->location = location;
- *pURIFound = PKIX_TRUE;
+ PKIX_ERROR(PKIX_ERRORFINDINGORPROCESSINGURI);
 }
+ ocspRequest->location = location;
+ *pURIFound = PKIX_TRUE;
+
 if (signerCert != NULL) {
 nssSignerCert = signerCert->nssCert;
 }
@@ -367,9 +364,6 @@ pkix_pl_OcspRequest_Create(
 time = PR_Now();
 }
- addServiceLocatorExtension =
- ((addServiceLocator == PKIX_TRUE)? PR_TRUE : PR_FALSE);
-
 certRequest = cert_CreateSingleCertOCSPRequest(
 cid->certID, cert->nssCert, time, addServiceLocatorExtension,
 nssSignerCert);
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
index 2012a64e3..573c8240c 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
@@ -67,7 +67,6 @@ pkix_pl_OcspRequest_Create(
 PKIX_PL_Cert *cert,
 PKIX_PL_OcspCertID *cid,
 PKIX_PL_Date *validity,
- PKIX_Boolean addServiceLocator,
 PKIX_PL_Cert *signerCert,
 PKIX_Boolean *pURIFound,
 PKIX_PL_OcspRequest **pRequest, |
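Review bot: In the hunk at line 341, `addServiceLocatorExtension` is now filled only through the `isDefault` out-parameter of ocsp_GetResponderLocation and then handed to cert_CreateSingleCertOCSPRequest in the hunk at 367, so the link between "this URI is the user-designated default responder" and "include a ServiceLocator extension so that responder can forward the request" exists only implicitly; nothing in the code says so. The explicit assignment that used to set it from the parameter is removed and its declaration is outside the hunk, so unless ocsp_GetResponderLocation writes `*isDefault` on every non-NULL return (not visible here) the value reaching the request builder may be indeterminate; I would initialise it at its declaration, `PRBool addServiceLocatorExtension = PR_FALSE;`, and put a comment on the call such as `/* A URI from the user-designated default responder means the request must carry a ServiceLocator extension so that responder can forward it. */`. As a style point, `handle` is assigned once and used once, so `CERT_GetDefaultCertDB()` could be passed directly and the new local dropped. If the PKIX_PL_OcspRequest struct still has the `addServiceLocator` member that the hunk at 325 stopped assigning, it is now dead and should be removed or set from this value. pkix_pl_OcspRequest_Create begins and ends outside these hunks.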