author | Brian Smith <bsmith@mozilla.com> | 2013-05-03 00:04:21 -0700 |
---|---|---|
committer | Brian Smith <bsmith@mozilla.com> | 2013-05-03 00:04:21 -0700 |
commit | 2e8290933864a9b126828b745b83d8930c92b4a4 (patch) | |
tree | 90a0a1a836ebb9420fa3ac4c3a006b0d926a1a46 | |
parent | 095f5f2af7434e147b40434300d50a0580bedfda (diff) | |
download | nss-hg-2e8290933864a9b126828b745b83d8930c92b4a4.tar.gz |
Bug 853812: Expose OCSP POST function to applications, r=rsleevi
-rw-r--r-- | lib/certhigh/ocsp.c | 58 | ||||
-rw-r--r-- | lib/certhigh/ocsp.h | 16 | ||||
-rw-r--r-- | lib/nss/nss.def | 1 |
3 files changed, 47 insertions, 28 deletions
diff --git a/lib/certhigh/ocsp.c b/lib/certhigh/ocsp.c
index 195724174..7f880d7ac 100644
--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -2981,7 +2981,7 @@ loser:
 * errors appropriate to the problem will be set.
 */
 static PRFileDesc *
-ocsp_SendEncodedRequest(const char *location, SECItem *encodedRequest)
+ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
 {
 char *hostname = NULL;
 char *path = NULL;
@@ -3341,7 +3341,7 @@ static SECItem *
 fetchOcspHttpClientV1(PRArenaPool *arena,
 const SEC_HttpClientFcnV1 *hcv1,
 const char *location,
- SECItem *encodedRequest)
+ const SECItem *encodedRequest)
 {
 char *hostname = NULL;
 char *path = NULL;
@@ -3515,9 +3515,7 @@ ocsp_GetEncodedOCSPResponseFromRequest(PRArenaPool *arena,
 {
 SECItem *encodedRequest = NULL;
 SECItem *encodedResponse = NULL;
- PRFileDesc *sock = NULL;
 SECStatus rv;
- const SEC_HttpClientFcn *registeredHttpClient = NULL;
 
 rv = CERT_AddOCSPAcceptableResponses(request,
 SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
@@ -3528,26 +3526,7 @@ ocsp_GetEncodedOCSPResponseFromRequest(PRArenaPool *arena,
 if (encodedRequest == NULL)
 goto loser;
 
- registeredHttpClient = SEC_GetRegisteredHttpClient();
-
- if (registeredHttpClient
- &&
- registeredHttpClient->version == 1) { encodedResponse = fetchOcspHttpClientV1(
- arena,
- ®isteredHttpClient->fcnTable.ftable1,
- location,
- encodedRequest);
- }
- else {
- /* use internal http client */
-
- sock = ocsp_SendEncodedRequest(location, encodedRequest);
- if (sock == NULL)
- goto loser;
-
- encodedResponse = ocsp_GetEncodedResponse(arena, sock);
- }
+ encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
 
 if (encodedResponse != NULL && pRequest != NULL) {
 *pRequest = request;
@@ -3559,8 +3538,33 @@ loser:
 CERT_DestroyOCSPRequest(request);
 if (encodedRequest != NULL)
 SECITEM_FreeItem(encodedRequest, PR_TRUE);
- if (sock != NULL)
- PR_Close(sock);
+
+ return encodedResponse;
+}
+
+SECItem *
+CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
+ const SECItem *encodedRequest)
+{
+ const SEC_HttpClientFcn *registeredHttpClient;
+ SECItem *encodedResponse = NULL;
+
+ registeredHttpClient = SEC_GetRegisteredHttpClient();
+
+ if (registeredHttpClient && registeredHttpClient->version == 1) {
+ encodedResponse = fetchOcspHttpClientV1(
+ arena,
+ ®isteredHttpClient->fcnTable.ftable1,
+ location,
+ encodedRequest);
+ } else {
+ /* use internal http client */
+ PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest);
+ if (sock) {
+ encodedResponse = ocsp_GetEncodedResponse(arena, sock);
+ PR_Close(sock);
+ }
+ }
 
 return encodedResponse;
 }
@@ -4485,7 +4489,7 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
 * This result should be freed (via PORT_Free) when no longer in use.
 */
 char *
-CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert)
+CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
 {
 CERTGeneralName *locname = NULL;
 SECItem *location = NULL;
diff --git a/lib/certhigh/ocsp.h b/lib/certhigh/ocsp.h
index 52aff79b4..7f9d5b6a7 100644
--- a/lib/certhigh/ocsp.h
+++ b/lib/certhigh/ocsp.h
@@ -420,7 +420,7 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
 * This result should be freed (via PORT_Free) when no longer in use.
 */
 extern char *
-CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert);
+CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert);
 
 /*
 * FUNCTION: CERT_RegisterAlternateOCSPAIAInfoCallBack
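Review bot: CERT_PostOCSPRequest becomes a public, exported entry point in this commit but does not reject a NULL `location` or `encodedRequest`; until now this code was only reached from ocsp_GetEncodedOCSPResponseFromRequest after the request had been built and checked. Add an argument check at the top of the new function, `if (!location || !encodedRequest) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; }`, so an application misuse fails with a diagnosable error instead of somewhere inside fetchOcspHttpClientV1 or ocsp_SendEncodedRequest, whose NULL handling is not visible in this diff. The `®isteredHttpClient` in the fetchOcspHttpClientV1 call looks like a rendering artifact of `&registeredHttpClient` rather than a change to flag. The internal-client branch otherwise reads well: the socket is closed on both outcomes of ocsp_GetEncodedResponse, which the old goto-loser path only achieved through the caller's sock variable.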
@@ -697,6 +697,20 @@ CERT_CreateEncodedOCSPSuccessResponse(
 extern SECItem*
 CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error);
 
+/* Sends an OCSP request using the HTTP POST method to the location addressed
+ * by the URL in |location| parameter. The request body will be
+ * |encodedRequest|, which must be a valid encoded OCSP request. On success,
+ * the server's response is returned and the caller must free it using
+ * SECITEM_FreeItem. On failure, NULL is returned. No parsing or validation of
+ * the HTTP response is done.
+ *
+ * If a default HTTP client has been registered with
+ * SEC_RegisterDefaultHttpClient then that client is used. Otherwise, an
+ * internal HTTP client is used.
+ */
+SECItem* CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
+ const SECItem *encodedRequest);
+
 /************************************************************************/
 
 SEC_END_PROTOS
diff --git a/lib/nss/nss.def b/lib/nss/nss.def
index c80a5fb36..9daa1e50f 100644
--- a/lib/nss/nss.def
+++ b/lib/nss/nss.def
@@ -1032,6 +1032,7 @@ PK11_SignWithSymKey;
 CERT_EncodeNameConstraintsExtension;
 PK11_Decrypt;
 PK11_Encrypt;
+CERT_PostOCSPRequest;
 ;+ local:
 ;+ *;
 ;+}; |
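Review bot: The new header comment for CERT_PostOCSPRequest never documents `arena`, and its instruction that the caller must free the result with SECITEM_FreeItem is only right when arena is NULL: both helpers the implementation dispatches to receive `arena` as their first argument, so the response is presumably allocated from it when one is supplied and is then released with the arena, not separately — confirm against fetchOcspHttpClientV1 and ocsp_GetEncodedResponse before wording it. Suggested addition after the first paragraph: ` * If |arena| is non-NULL the response is allocated from it and must not be freed with SECITEM_FreeItem; otherwise the caller owns the returned item.` Since application authors can now call this directly, the comment should also say that the returned bytes come straight from the network and must be run through CERT_DecodeOCSPResponse and CERT_VerifyOCSPResponseSignature before any content is relied on, which is what "no parsing or validation" implies but does not spell out. The nss.def export is fine as is.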