author | Wan-Teh Chang <wtc@google.com> | 2013-12-19 13:57:07 -0800 |
---|---|---|
committer | Wan-Teh Chang <wtc@google.com> | 2013-12-19 13:57:07 -0800 |
commit | 008225182a4cfb931522460f69cc1bdcc2555484 (patch) | |
tree | 70d28079da69d3fcbbf1f1d76c7cd493ab98f931 | |
parent | 3b9af6c7ea637b33d0c4d396a3055c4e6a2a6be3 (diff) | |
download | nss-hg-008225182a4cfb931522460f69cc1bdcc2555484.tar.gz |
Bug 436414: Rename "mechanism" to "method" in function or variable/argumentNSS_3_15_4_BETA9
names that refer to the HTTP GET and POST methods. Do not export
CERT_GetEncodedOCSPResponseByMethod because it is not declared in ocsp.h.
Rename CERT_GetSPKIDigest to CERT_GetSubjectPublicKeyDigest. r=briansmith.
-rw-r--r-- | cmd/httpserv/httpserv.c | 12 | ||||
-rw-r--r-- | lib/certdb/cert.h | 8 | ||||
-rw-r--r-- | lib/certhigh/ocsp.c | 88 | ||||
-rw-r--r-- | lib/certhigh/ocspsig.c | 4 | ||||
-rw-r--r-- | lib/libpkix/pkix/checker/pkix_ocspchecker.c | 11 | ||||
-rw-r--r-- | lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c | 14 | ||||
-rw-r--r-- | lib/nss/nss.def | 3 |
7 files changed, 73 insertions, 67 deletions
diff --git a/cmd/httpserv/httpserv.c b/cmd/httpserv/httpserv.c index 61ddaf97f..6f37e42a8 100644 --- a/cmd/httpserv/httpserv.c +++ b/cmd/httpserv/httpserv.c @@ -1070,19 +1070,19 @@ ocsp_CreateSelfCAID(PLArenaPool *arena, CERTCertificate *cert, PRTime time) goto loser; } - if (CERT_GetSPKIDigest(arena, cert, SEC_OID_SHA1, - &(certID->issuerKeyHash)) == NULL) { + if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_SHA1, + &certID->issuerKeyHash) == NULL) { goto loser; } certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data; certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len; /* cache the other two hash algorithms as well */ - if (CERT_GetSPKIDigest(arena, cert, SEC_OID_MD5, - &(certID->issuerMD5KeyHash)) == NULL) { + if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_MD5, + &certID->issuerMD5KeyHash) == NULL) { goto loser; } - if (CERT_GetSPKIDigest(arena, cert, SEC_OID_MD2, - &(certID->issuerMD2KeyHash)) == NULL) { + if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_MD2, + &certID->issuerMD2KeyHash) == NULL) { goto loser; } diff --git a/lib/certdb/cert.h b/lib/certdb/cert.h index e62cbe5cf..1d4fe9c9f 100644 --- a/lib/certdb/cert.h +++ b/lib/certdb/cert.h 
@@ -1504,14 +1504,18 @@ CERT_UnlockCertTrust(const CERTCertificate *cert); /* * Digest the cert's subject public key using the specified algorithm. + * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding + * the tag, length, and number of unused bits) rather than the whole + * subjectPublicKeyInfo field. + * * The necessary storage for the digest data is allocated. If "fill" is * non-null, the data is put there, otherwise a SECItem is allocated. * Allocation from "arena" if it is non-null, heap otherwise. Any problem * results in a NULL being returned (and an appropriate error set). */ extern SECItem * -CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert, - SECOidTag digestAlg, SECItem *fill); +CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert, + SECOidTag digestAlg, SECItem *fill); /* * Digest the cert's subject name using the specified algorithm. diff --git a/lib/certhigh/ocsp.c b/lib/certhigh/ocsp.c index fea6bf775..d99493534 100644 --- a/lib/certhigh/ocsp.c +++ b/lib/certhigh/ocsp.c @@ -107,7 +107,7 @@ static SECItem * ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, CERTOCSPRequest *request, const char *location, - const char *mechanism, + const char *method, PRTime time, PRBool addServiceLocator, void *pwArg, @@ -1629,8 +1629,8 @@ loser: * results in a NULL being returned (and an appropriate error set). */ SECItem * -CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert, - SECOidTag digestAlg, SECItem *fill) +CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert, + SECOidTag digestAlg, SECItem *fill) { SECItem spk; 
@@ -1716,19 +1716,19 @@ ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time) goto loser; } - if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_SHA1, - &(certID->issuerKeyHash)) == NULL) { + if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1, + &certID->issuerKeyHash) == NULL) { goto loser; } certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data; certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len; /* cache the other two hash algorithms as well */ - if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD5, - &(certID->issuerMD5KeyHash)) == NULL) { + if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5, + &certID->issuerMD5KeyHash) == NULL) { goto loser; } - if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD2, - &(certID->issuerMD2KeyHash)) == NULL) { + if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2, + &certID->issuerMD2KeyHash) == NULL) { goto loser; } @@ -3467,7 +3467,7 @@ loser: } /* - * FUNCTION: CERT_GetEncodedOCSPResponseByMechanism + * FUNCTION: CERT_GetEncodedOCSPResponseByMethod * Creates and sends a request to an OCSP responder, then reads and * returns the (encoded) response. * INPUTS: @@ -3485,10 +3485,10 @@ loser: * sent and whether there are any trusted responders in place. * const char *location * The location of the OCSP responder (a URL). - * const char *mechanism - * The protocol mechanisms used when retrieving the OCSP response. + * const char *method + * The protocol method used when retrieving the OCSP response. * Currently support: "GET" (http GET) and "POST" (http POST). - * Additionals mechanisms for http or other protocols might be added + * Additionals methods for http or other protocols might be added * in the future. * PRTime time * Indicates the time for which the certificate status is to be 
@@ -3518,19 +3518,19 @@ loser: * Other errors are low-level problems (no memory, bad database, etc.). */ SECItem * -CERT_GetEncodedOCSPResponseByMechanism(PLArenaPool *arena, CERTCertList *certList, - const char *location, const char *mechanism, - PRTime time, PRBool addServiceLocator, - CERTCertificate *signerCert, void *pwArg, - CERTOCSPRequest **pRequest) +CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList, + const char *location, const char *method, + PRTime time, PRBool addServiceLocator, + CERTCertificate *signerCert, void *pwArg, + CERTOCSPRequest **pRequest) { CERTOCSPRequest *request; request = CERT_CreateOCSPRequest(certList, time, addServiceLocator, signerCert); if (!request) return NULL; - return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, - mechanism, time, addServiceLocator, + return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, + method, time, addServiceLocator, pwArg, pRequest); } @@ -3540,7 +3540,7 @@ CERT_GetEncodedOCSPResponseByMechanism(PLArenaPool *arena, CERTCertList *certLis * returns the (encoded) response. * * This is a legacy API that behaves identically to - * CERT_GetEncodedOCSPResponseByMechanism using the "POST" mechanism. + * CERT_GetEncodedOCSPResponseByMethod using the "POST" method. */ SECItem * CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, @@ -3549,9 +3549,9 @@ CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, CERTCertificate *signerCert, void *pwArg, CERTOCSPRequest **pRequest) { - return CERT_GetEncodedOCSPResponseByMechanism(arena, certList, location, - "POST", time, addServiceLocator, - signerCert, pwArg, pRequest); + return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location, + "POST", time, addServiceLocator, + signerCert, pwArg, pRequest); } /* URL encode a buffer that consists of base64-characters, only, 
@@ -3624,7 +3624,7 @@ static SECItem * ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, CERTOCSPRequest *request, const char *location, - const char *mechanism, + const char *method, PRTime time, PRBool addServiceLocator, void *pwArg, @@ -3646,10 +3646,10 @@ ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, if (encodedRequest == NULL) goto loser; - if (!strcmp(mechanism, "GET")) { + if (!strcmp(method, "GET")) { encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest); } - else if (!strcmp(mechanism, "POST")) { + else if (!strcmp(method, "POST")) { encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest); } else { @@ -3673,7 +3673,7 @@ static SECItem * cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, const SECItem *encodedRequest); -/* using HTTP GET mechanism */ +/* using HTTP GET method */ static SECItem * cert_GetOCSPResponse(PLArenaPool *arena, const char *location, const SECItem *encodedRequest) @@ -3778,7 +3778,7 @@ ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena, CERTOCSPCertID *certID, CERTCertificate *singleCert, const char *location, - const char *mechanism, + const char *method, PRTime time, PRBool addServiceLocator, void *pwArg, @@ -3789,8 +3789,8 @@ ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena, addServiceLocator, NULL); if (!request) return NULL; - return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, - mechanism, time, addServiceLocator, + return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, + method, time, addServiceLocator, pwArg, pRequest); } 
@@ -3881,19 +3881,22 @@ ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert) item.data = buf; item.len = SHA1_LENGTH; - if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_SHA1, &item) == NULL) { + if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_SHA1, + &item) == NULL) { return PR_FALSE; } if (SECITEM_ItemsAreEqual(certIndex,&item)) { return PR_TRUE; } - if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD5, &item) == NULL) { + if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD5, + &item) == NULL) { return PR_FALSE; } if (SECITEM_ItemsAreEqual(certIndex,&item)) { return PR_TRUE; } - if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD2, &item) == NULL) { + if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD2, + &item) == NULL) { return PR_FALSE; } if (SECITEM_ItemsAreEqual(certIndex,&item)) { @@ -4446,7 +4449,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle, hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm); - keyHash = CERT_GetSPKIDigest(NULL, signerCert, hashAlg, NULL); + keyHash = CERT_GetSubjectPublicKeyDigest(NULL, signerCert, hashAlg, NULL); if (keyHash != NULL) { keyHashEQ = @@ -4493,7 +4496,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle, return PR_FALSE; } - keyHash = CERT_GetSPKIDigest(NULL, issuerCert, hashAlg, NULL); + keyHash = CERT_GetSubjectPublicKeyDigest(NULL, issuerCert, hashAlg, NULL); nameHash = CERT_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL); CERT_DestroyCertificate(issuerCert); 
@@ -5279,22 +5282,21 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, */ do { - const char *mechanism; + const char *method; PRBool validResponseWithAccurateInfo = PR_FALSE; retry = PR_FALSE; *rv_ocsp = SECFailure; if (currentStage == stageGET) { - mechanism = "GET"; - } else if (currentStage == stagePOST) { - mechanism = "POST"; + method = "GET"; } else { - PORT_Assert(0); /* our code is flawed */ + PORT_Assert(currentStage == stagePOST); + method = "POST"; } encodedResponse = ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert, - location, mechanism, + location, method, time, locationIsDefault, pwArg, &request); @@ -5310,6 +5312,8 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, case ocspCertStatus_revoked: validResponseWithAccurateInfo = PR_TRUE; break; + default: + break; } *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time); } diff --git a/lib/certhigh/ocspsig.c b/lib/certhigh/ocspsig.c index 58fc95c13..16cd1e0ea 100644 --- a/lib/certhigh/ocspsig.c +++ b/lib/certhigh/ocspsig.c @@ -472,8 +472,8 @@ CERT_CreateEncodedOCSPSuccessResponse( } else { responderIDTemplate = ocsp_ResponderIDByKeyTemplate; - if (!CERT_GetSPKIDigest(tmpArena, responderCert, SEC_OID_SHA1, - &rid->responderIDValue.keyHash)) + if (!CERT_GetSubjectPublicKeyDigest(tmpArena, responderCert, + SEC_OID_SHA1, &rid->responderIDValue.keyHash)) goto done; } diff --git a/lib/libpkix/pkix/checker/pkix_ocspchecker.c b/lib/libpkix/pkix/checker/pkix_ocspchecker.c index c5b704050..481aa52b5 100644 --- a/lib/libpkix/pkix/checker/pkix_ocspchecker.c +++ b/lib/libpkix/pkix/checker/pkix_ocspchecker.c 
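Review bot: In the stage-selection block of ocsp_GetOCSPStatusFromNetwork the new else branch assigns `method = "POST"` for every stage other than stageGET, guarded only by `PORT_Assert(currentStage == stagePOST)`. If PORT_Assert is compiled out in non-DEBUG builds, as NSPR-style asserts usually are, an unexpected stage value no longer traps but silently retries over POST; that is safer than the previous uninitialized `mechanism`, but the intent deserves a comment so nobody reads the assert as a runtime check, e.g. `/* Only GET and POST stages exist; in release builds an unknown stage falls back to POST. */`. The same pattern appears in pkix_OcspChecker_CheckExternal in the next file. The enclosing do/while loop and the function itself start and end outside the hunk.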
@@ -275,21 +275,20 @@ pkix_OcspChecker_CheckExternal( } do { - const char *mechanism; + const char *method; passed = PKIX_TRUE; retry = PR_FALSE; if (currentStage == stageGET) { - mechanism = "GET"; - } else if (currentStage == stagePOST) { - mechanism = "POST"; + method = "GET"; } else { - PORT_Assert(0); /* our code is flawed */ + PORT_Assert(currentStage == stagePOST); + method = "POST"; } /* send request and create a response object */ PKIX_CHECK_NO_GOTO( - pkix_pl_OcspResponse_Create(request, mechanism, NULL, + pkix_pl_OcspResponse_Create(request, method, NULL, checker->certVerifyFcn, &nbioContext, &response, diff --git a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c index 6338f6f78..fa5d6e9d5 100644 --- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c +++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c @@ -341,7 +341,7 @@ pkix_pl_OcspResponse_RegisterSelf(void *plContext) * PARAMETERS * "request" * Address of the OcspRequest for which a response is desired. - * "httpMechanism" + * "httpMethod" * GET or POST * "responder" * Address, if non-NULL, of the SEC_HttpClientFcn to be sent the OCSP @@ -366,7 +366,7 @@ pkix_pl_OcspResponse_RegisterSelf(void *plContext) PKIX_Error * pkix_pl_OcspResponse_Create( PKIX_PL_OcspRequest *request, - const char *httpMechanism, + const char *httpMethod, void *responder, PKIX_PL_VerifyCallback verifyFcn, void **pNBIOContext, @@ -392,7 +392,7 @@ pkix_pl_OcspResponse_Create( PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Create"); PKIX_NULLCHECK_TWO(pNBIOContext, pResponse); - if (!strcmp(httpMechanism, "GET") && !strcmp(httpMechanism, "POST")) { + if (!strcmp(httpMethod, "GET") && !strcmp(httpMethod, "POST")) { PKIX_ERROR(PKIX_INVALIDOCSPHTTPMETHOD); } 
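Review bot: The method validation in pkix_pl_OcspResponse_Create is still unreachable after the rename: `if (!strcmp(httpMethod, "GET") && !strcmp(httpMethod, "POST"))` requires the string to equal both literals at once, so PKIX_INVALIDOCSPHTTPMETHOD can never be raised. Any other value then reaches `usePOST = !strcmp(httpMethod, "POST")` in the following hunk, where it is treated as GET, and in the version-1 client path the raw string is also handed to createFcn as the HTTP method, which is presumably not what the check was meant to allow. The condition should be `if (strcmp(httpMethod, "GET") != 0 && strcmp(httpMethod, "POST") != 0) {`. The function body continues past the hunk.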
@@ -431,7 +431,7 @@ pkix_pl_OcspResponse_Create( if (httpClient && (httpClient->version == 1)) { char *fullGetPath = NULL; const char *sessionPath = NULL; - PRBool usePOST = !strcmp(httpMechanism, "POST"); + PRBool usePOST = !strcmp(httpMethod, "POST"); hcv1 = &(httpClient->fcnTable.ftable1); @@ -456,7 +456,7 @@ pkix_pl_OcspResponse_Create( } else { /* calculate, are we allowed to use GET? */ enum { max_get_request_size = 255 }; /* defined by RFC2560 */ - unsigned char b64ReqBuf[max_get_request_size+1]; + char b64ReqBuf[max_get_request_size+1]; size_t base64size; size_t slashLengthIfNeeded = 0; size_t pathLength; @@ -473,7 +473,7 @@ pkix_pl_OcspResponse_Create( PKIX_ERROR(PKIX_OCSPGETREQUESTTOOBIG); } memset(b64ReqBuf, 0, sizeof(b64ReqBuf)); - PL_Base64Encode(encodedRequest->data, encodedRequest->len, b64ReqBuf); + PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len, b64ReqBuf); urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL); getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded; fullGetPath = (char*)PORT_Alloc(getURLLength); @@ -491,7 +491,7 @@ pkix_pl_OcspResponse_Create( } rv = (*hcv1->createFcn)(serverSession, "http", - sessionPath, httpMechanism, + sessionPath, httpMethod, PR_SecondsToInterval(timeout), &sessionRequest); sessionPath = NULL; diff --git a/lib/nss/nss.def b/lib/nss/nss.def index 92b68688e..9804777e6 100644 --- a/lib/nss/nss.def +++ b/lib/nss/nss.def @@ -1040,9 +1040,8 @@ CERT_AddCertToListHead; ;+NSS_3.15.4 { # NSS 3.15.4 release ;+ global: CERT_ForcePostMethodForOCSP; -CERT_GetEncodedOCSPResponseByMechanism; -CERT_GetSPKIDigest; CERT_GetSubjectNameDigest; +CERT_GetSubjectPublicKeyDigest; ;+ local: ;+ *; ;+}; |
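Review bot: In the GET path of pkix_pl_OcspResponse_Create, `memset(b64ReqBuf, 0, sizeof(b64ReqBuf))` appears to be the only thing that NUL-terminates the buffer, since PL_Base64Encode, to my recollection, writes exactly the encoded bytes and no terminator, and `ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL)` then walks it as a C string. That dependency is load-bearing for the bounds of this path and is invisible at the call site, and the change from unsigned char to char is a natural moment to record it: `/* PL_Base64Encode does not NUL-terminate; the memset above supplies the terminator that ocsp_UrlEncodeBase64Buf relies on. */`. The size check that is meant to keep base64size within max_get_request_size is outside the hunk, so I cannot confirm from here that the terminator byte is never overwritten; worth a glance. The enclosing function starts and ends outside the hunk.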