authorBrian Smith <bsmith@mozilla.com>2013-05-03 00:04:21 -0700
committerBrian Smith <bsmith@mozilla.com>2013-05-03 00:04:21 -0700
commit2e8290933864a9b126828b745b83d8930c92b4a4 (patch)
tree90a0a1a836ebb9420fa3ac4c3a006b0d926a1a46
parent095f5f2af7434e147b40434300d50a0580bedfda (diff)
downloadnss-hg-2e8290933864a9b126828b745b83d8930c92b4a4.tar.gz
Bug 853812: Expose OCSP POST function to applications, r=rsleevi
-rw-r--r--lib/certhigh/ocsp.c58
-rw-r--r--lib/certhigh/ocsp.h16
-rw-r--r--lib/nss/nss.def1
3 files changed, 47 insertions, 28 deletions
diff --git a/lib/certhigh/ocsp.c b/lib/certhigh/ocsp.c
index 195724174..7f880d7ac 100644
--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -2981,7 +2981,7 @@ loser:
* errors appropriate to the problem will be set.
*/
static PRFileDesc *
-ocsp_SendEncodedRequest(const char *location, SECItem *encodedRequest)
+ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
{
char *hostname = NULL;
char *path = NULL;
@@ -3341,7 +3341,7 @@ static SECItem *
fetchOcspHttpClientV1(PRArenaPool *arena,
const SEC_HttpClientFcnV1 *hcv1,
const char *location,
- SECItem *encodedRequest)
+ const SECItem *encodedRequest)
{
char *hostname = NULL;
char *path = NULL;
@@ -3515,9 +3515,7 @@ ocsp_GetEncodedOCSPResponseFromRequest(PRArenaPool *arena,
{
SECItem *encodedRequest = NULL;
SECItem *encodedResponse = NULL;
- PRFileDesc *sock = NULL;
SECStatus rv;
- const SEC_HttpClientFcn *registeredHttpClient = NULL;
rv = CERT_AddOCSPAcceptableResponses(request,
SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
@@ -3528,26 +3526,7 @@ ocsp_GetEncodedOCSPResponseFromRequest(PRArenaPool *arena,
if (encodedRequest == NULL)
goto loser;
- registeredHttpClient = SEC_GetRegisteredHttpClient();
-
- if (registeredHttpClient
- &&
- registeredHttpClient->version == 1) {
- encodedResponse = fetchOcspHttpClientV1(
- arena,
- &registeredHttpClient->fcnTable.ftable1,
- location,
- encodedRequest);
- }
- else {
- /* use internal http client */
-
- sock = ocsp_SendEncodedRequest(location, encodedRequest);
- if (sock == NULL)
- goto loser;
-
- encodedResponse = ocsp_GetEncodedResponse(arena, sock);
- }
+ encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
if (encodedResponse != NULL && pRequest != NULL) {
*pRequest = request;
@@ -3559,8 +3538,33 @@ loser:
CERT_DestroyOCSPRequest(request);
if (encodedRequest != NULL)
SECITEM_FreeItem(encodedRequest, PR_TRUE);
- if (sock != NULL)
- PR_Close(sock);
+
+ return encodedResponse;
+}
+
+SECItem *
+CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
+ const SECItem *encodedRequest)
+{
+ const SEC_HttpClientFcn *registeredHttpClient;
+ SECItem *encodedResponse = NULL;
+
+ registeredHttpClient = SEC_GetRegisteredHttpClient();
+
+ if (registeredHttpClient && registeredHttpClient->version == 1) {
+ encodedResponse = fetchOcspHttpClientV1(
+ arena,
+ &registeredHttpClient->fcnTable.ftable1,
+ location,
+ encodedRequest);
+ } else {
+ /* use internal http client */
+ PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest);
+ if (sock) {
+ encodedResponse = ocsp_GetEncodedResponse(arena, sock);
+ PR_Close(sock);
+ }
+ }
return encodedResponse;
}
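Review bot: CERT_PostOCSPRequest becomes an application-facing entry point in this hunk but performs no argument validation before passing location and encodedRequest into fetchOcspHttpClientV1 or ocsp_SendEncodedRequest; the internal caller guarded encodedRequest against NULL before the call, but an external caller gets no such protection. A guard at the top of the function, `if (!location || !encodedRequest) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; }`, would honour the "NULL on failure" contract given in the header with a meaningful error code instead of relying on whatever the URL parser and HTTP client do with NULL. As a point of style, the new definition spells the arena type PLArenaPool while fetchOcspHttpClientV1 in the same file uses PRArenaPool; one spelling within the file would read more consistently. The first part of this hunk is the tail of ocsp_GetEncodedOCSPResponseFromRequest, whose body starts outside the hunk.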
@@ -4485,7 +4489,7 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
* This result should be freed (via PORT_Free) when no longer in use.
*/
char *
-CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert)
+CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
{
CERTGeneralName *locname = NULL;
SECItem *location = NULL;
diff --git a/lib/certhigh/ocsp.h b/lib/certhigh/ocsp.h
index 52aff79b4..7f9d5b6a7 100644
--- a/lib/certhigh/ocsp.h
+++ b/lib/certhigh/ocsp.h
@@ -420,7 +420,7 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
* This result should be freed (via PORT_Free) when no longer in use.
*/
extern char *
-CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert);
+CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert);
/*
* FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack
@@ -697,6 +697,20 @@ CERT_CreateEncodedOCSPSuccessResponse(
extern SECItem*
CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error);
+/* Sends an OCSP request using the HTTP POST method to the location addressed
+ * by the URL in |location| parameter. The request body will be
+ * |encodedRequest|, which must be a valid encoded OCSP request. On success,
+ * the server's response is returned and the caller must free it using
+ * SECITEM_FreeItem. On failure, NULL is returned. No parsing or validation of
+ * the HTTP response is done.
+ *
+ * If a default HTTP client has been registered with
+ * SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an
+ * internal HTTP client is used.
+ */
+SECItem* CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
+ const SECItem *encodedRequest);
+
/************************************************************************/
SEC_END_PROTOS
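Review bot: The new comment instructs the caller to free the result with SECITEM_FreeItem but says nothing about the |arena| parameter, even though the implementation forwards it to the fetch routines; if the response is allocated from |arena| when one is supplied, freeing it separately would be wrong, and whether NULL is accepted for |arena| is also left unstated. Suggest adding, after confirming the allocation behaviour of ocsp_GetEncodedResponse and the registered-client path, a sentence such as `If |arena| is non-NULL the response is allocated from it and is released with the arena; otherwise the caller frees it with SECITEM_FreeItem.` It would also help applications to say that on failure the error is available via PORT_GetError, if that is indeed how the internal routines report it.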
diff --git a/lib/nss/nss.def b/lib/nss/nss.def
index c80a5fb36..9daa1e50f 100644
--- a/lib/nss/nss.def
+++ b/lib/nss/nss.def
@@ -1032,6 +1032,7 @@ PK11_SignWithSymKey;
CERT_EncodeNameConstraintsExtension;
PK11_Decrypt;
PK11_Encrypt;
+CERT_PostOCSPRequest;
;+ local:
;+ *;
;+};
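Review bot: CERT_PostOCSPRequest is appended after PK11_Encrypt, while the visible neighbours (CERT_EncodeNameConstraintsExtension, PK11_Decrypt, PK11_Encrypt) appear to be in alphabetical order, so the new export presumably belongs before the PK11_ entries of that version block. This is only a point of style; the symbol is exported either way. The enclosing version block's opening line is outside the hunk, so which release label it falls under cannot be confirmed from here.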