author | javi%netscape.com <devnull@localhost> | 2002-07-03 20:18:10 +0000 |
---|---|---|
committer | javi%netscape.com <devnull@localhost> | 2002-07-03 20:18:10 +0000 |
commit | 16c6fc3eac7d8ea84e835fde690a0911ba112ed3 (patch) | |
tree | f185ee68ff09e02a06d2e19d7c49339f41a9ae69 /security | |
parent | 794821625ae514e296bd2ac0365c16f245cc5a1b (diff) | |
download | nss-hg-16c6fc3eac7d8ea84e835fde690a0911ba112ed3.tar.gz |
Final patch for Bug 155626 which enables 3rd party apps to use the NSS
libraries to encode/decode OCSP responses/requests on their own.
Diffstat (limited to 'security')
-rw-r--r-- | security/nss/lib/certhigh/ocsp.c | 65 | ||||
-rw-r--r-- | security/nss/lib/certhigh/ocsp.h | 44 | ||||
-rw-r--r-- | security/nss/lib/certhigh/ocspt.h | 29 | ||||
-rw-r--r-- | security/nss/lib/certhigh/ocspti.h | 29 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.def | 2 |
5 files changed, 112 insertions, 57 deletions
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index ad0a3c962..a4807a44c 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -599,9 +599,11 @@ loser:
 SECStatus CERT_DestroyOCSPCertID(CERTOCSPCertID* certID)
 {
- if (certID->poolp)
+ if (certID->poolp) {
 PORT_FreeArena(certID->poolp, PR_FALSE);
- return SECSuccess;
+ return SECSuccess;
+ }
+ return SECFailure;
 }
@@ -1414,7 +1416,7 @@ CERT_DecodeOCSPResponse(SECItem *src)
 PRArenaPool *arena = NULL;
 CERTOCSPResponse *response = NULL;
 SECStatus rv = SECFailure;
- OCSPResponseStatus sv;
+ ocspResponseStatus sv;
 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 if (arena == NULL) {
@@ -1434,9 +1436,9 @@ CERT_DecodeOCSPResponse(SECItem *src)
 goto loser;
 }
- sv = (OCSPResponseStatus) DER_GetInteger(&response->responseStatus);
+ sv = (ocspResponseStatus) DER_GetInteger(&response->responseStatus);
 response->statusValue = sv;
- if (sv != OCSPResponse_successful) {
+ if (sv != ocspResponse_successful) {
 /*
 * If the response status is anything but successful, then we
 * are all done with decoding; the status is all there is.
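Review bot: In CERT_DestroyOCSPCertID the new `return SECFailure;` path sets no error code, and `certID->poolp` is still read without checking `certID` for NULL, so a NULL argument crashes and an arena-less certID produces a failure the caller cannot diagnose. Since the function is exported for third-party use, I would guard the argument and set the error, e.g. `if (certID == NULL || certID->poolp == NULL) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`. The removed lines returned SECSuccess for a certID without its own pool, so any existing caller that checks the result on such an ID now sees a failure.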
@@ -3328,27 +3330,27 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
 * Otherwise, we continue to find the actual per-cert status
 * in the response.
 */
- switch (CERT_GetStatusValue(response)) {
- case OCSPResponse_successful:
+ switch (response->statusValue) {
+ case ocspResponse_successful:
 break;
- case OCSPResponse_malformedRequest:
+ case ocspResponse_malformedRequest:
 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
 goto loser;
- case OCSPResponse_internalError:
+ case ocspResponse_internalError:
 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
 goto loser;
- case OCSPResponse_tryLater:
+ case ocspResponse_tryLater:
 PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER);
 goto loser;
- case OCSPResponse_sigRequired:
+ case ocspResponse_sigRequired:
 /* XXX We *should* retry with a signature, if possible. */
 PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
 goto loser;
- case OCSPResponse_unauthorized:
+ case ocspResponse_unauthorized:
 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
 goto loser;
- case OCSPResponse_other:
- case OCSPResponse_unused:
+ case ocspResponse_other:
+ case ocspResponse_unused:
 default:
 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
 goto loser;
@@ -3385,9 +3387,6 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
 certID = request->tbsRequest->requestList[0]->reqCert;
 rv = CERT_GetOCSPStatusForCertID(handle, response, certID, signerCert, time);
- /*
- * Add back the loser clause and corresponding free's...
- */
 loser:
 if (issuerCert != NULL)
 CERT_DestroyCertificate(issuerCert);
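Review bot: The switch in CERT_CheckOCSPStatus now repeats, case for case, the status-to-error mapping that this commit adds as CERT_GetOCSPResponseStatus, so the two copies can drift apart when a status value is added or remapped. Calling the new function here would keep a single mapping that both the internal check and third-party callers share: `if (CERT_GetOCSPResponseStatus(response) != SECSuccess) goto loser;`. The enclosing function begins before and continues after this hunk.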
@@ -3969,9 +3968,35 @@ loser:
 return(NULL);
 }
-OCSPResponseStatus
-CERT_GetStatusValue(CERTOCSPResponse *response)
+SECStatus
+CERT_GetOCSPResponseStatus(CERTOCSPResponse *response)
 {
 PORT_Assert(response);
- return response->statusValue;
+ if (response->statusValue == ocspResponse_successful)
+ return SECSuccess;
+
+ switch (response->statusValue) {
+ case ocspResponse_malformedRequest:
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ break;
+ case ocspResponse_internalError:
+ PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
+ break;
+ case ocspResponse_tryLater:
+ PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER);
+ break;
+ case ocspResponse_sigRequired:
+ /* XXX We *should* retry with a signature, if possible. */
+ PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
+ break;
+ case ocspResponse_unauthorized:
+ PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
+ break;
+ case ocspResponse_other:
+ case ocspResponse_unused:
+ default:
+ PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
+ break;
+ }
+ return SECFailure;
 }
diff --git a/security/nss/lib/certhigh/ocsp.h b/security/nss/lib/certhigh/ocsp.h
index 0c9f46b3d..6d5ffd058 100644
--- a/security/nss/lib/certhigh/ocsp.h
+++ b/security/nss/lib/certhigh/ocsp.h
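Review bot: `PORT_Assert(response)` is the only guard before `response->statusValue` is read in CERT_GetOCSPResponseStatus, and assertions of this kind are normally compiled out of optimized builds, so a NULL from a third-party caller would be dereferenced. An explicit check that fails closed is safer for an exported entry point: `if (response == NULL) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`. The `XXX We *should* retry with a signature` comment appears to have been copied from CERT_CheckOCSPStatus and does not fit here, since this function has no request to retry; I would drop it.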
@@ -476,21 +476,55 @@ CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
 int64 time);
 /*
- * FUNCTION CERT_GetStatusValue
+ * FUNCTION CERT_GetOCSPResponseStatus
 * Returns the response status for the response passed.
 * INPUTS:
 * CERTOCSPResponse *response
 * The response to query for status
 * RETURN:
- * OCSPResponseStatus an enumeration corresponding to the possible
- * return values listed in the OCSP spec.
+ * Returns SECSuccess if the response has a successful status value.
+ * Otherwise it returns SECFailure and sets one of the following error
+ * codes via PORT_SetError
+ * SEC_ERROR_OCSP_MALFORMED_REQUEST
+ * SEC_ERROR_OCSP_SERVER_ERROR
+ * SEC_ERROR_OCSP_TRY_SERVER_LATER
+ * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
+ * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
+ * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
 */
-extern OCSPResponseStatus
-CERT_GetStatusValue(CERTOCSPResponse *response);
+extern SECStatus
+CERT_GetOCSPResponseStatus(CERTOCSPResponse *response);
+/*
+ * FUNCTION CERT_CreateOCSPCertID
+ * Returns the OCSP certID for the certificate passed in.
+ * INPUTS:
+ * CERTCertificate *cert
+ * The certificate for which to create the certID for.
+ * int64 time
+ * The time at which the id is requested for. This is used
+ * to determine the appropriate issuer for the cert since
+ * the issuing CA may be an older expired certificate.
+ * RETURN:
+ * A new copy of a CERTOCSPCertID*. The memory for this certID
+ * should be freed by calling CERT_DestroyOCSPCertID when the
+ * certID is no longer necessary.
+ */
 extern CERTOCSPCertID* CERT_CreateOCSPCertID(CERTCertificate *cert, int64 time);
+/*
+ * FUNCTION: CERT_DestroyOCSPCertID
+ * Frees the memory associated with the certID passed in.
+ * INPUTS:
+ * CERTOCSPCertID* certID
+ * The certID that the caller no longer needs and wants to
+ * free the associated memory.
+ * RETURN:
+ * SECSuccess if freeing the memory was successful.
Returns
+ * SECFailure if the memory passed in was not allocated with
+ * a call to CERT_CreateOCSPCertID.
+ */
 extern SECStatus CERT_DestroyOCSPCertID(CERTOCSPCertID* certID);
 /************************************************************************/
diff --git a/security/nss/lib/certhigh/ocspt.h b/security/nss/lib/certhigh/ocspt.h
index 10218bc05..3f1563855 100644
--- a/security/nss/lib/certhigh/ocspt.h
+++ b/security/nss/lib/certhigh/ocspt.h
@@ -56,33 +56,4 @@ typedef struct CERTOCSPCertIDStr CERTOCSPCertID;
 typedef struct CERTOCSPCertStatusStr CERTOCSPCertStatus;
 typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse;
-/*
- * Making these types public so that it is possible for 3rpd party
- * apps to parse and look at the fields of an OCSP response.
- */
-
-/*
- * This describes the value of the responseStatus field in an OCSPResponse.
- * The corresponding ASN.1 definition is:
- *
- * OCSPResponseStatus ::= ENUMERATED {
- * successful (0), --Response has valid confirmations
- * malformedRequest (1), --Illegal confirmation request
- * internalError (2), --Internal error in issuer
- * tryLater (3), --Try again later
- * --(4) is not used
- * sigRequired (5), --Must sign the request
- * unauthorized (6), --Request unauthorized
- * }
- */
-typedef enum {
- OCSPResponse_successful = 0,
- OCSPResponse_malformedRequest = 1,
- OCSPResponse_internalError = 2,
- OCSPResponse_tryLater = 3,
- OCSPResponse_unused = 4,
- OCSPResponse_sigRequired = 5,
- OCSPResponse_unauthorized = 6,
- OCSPResponse_other /* unknown/unrecognized value */
-} OCSPResponseStatus;
 #endif /* _OCSPT_H_ */
diff --git a/security/nss/lib/certhigh/ocspti.h b/security/nss/lib/certhigh/ocspti.h
index c7e51e62c..2bb7bfe72 100644
--- a/security/nss/lib/certhigh/ocspti.h
+++ b/security/nss/lib/certhigh/ocspti.h
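Review bot: The new header comment for CERT_GetOCSPResponseStatus should say what SECSuccess does not mean: it reflects only the responder's responseStatus field, which sits outside the signed part of an OCSP response, and says nothing about the signature or about any certificate's revocation state. For third-party callers I would add a sentence such as `A SECSuccess return does not mean the response has been verified; call CERT_VerifyOCSPResponseSignature and CERT_GetOCSPStatusForCertID before relying on it.` The CERT_DestroyOCSPCertID comment should likewise state whether an error code is set on SECFailure; in the ocsp.c hunk of this commit none is.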
@@ -204,16 +204,41 @@ struct CERTOCSPCertIDStr {
 };
 /*
+ * This describes the value of the responseStatus field in an OCSPResponse.
+ * The corresponding ASN.1 definition is:
+ *
+ * OCSPResponseStatus ::= ENUMERATED {
+ * successful (0), --Response has valid confirmations
+ * malformedRequest (1), --Illegal confirmation request
+ * internalError (2), --Internal error in issuer
+ * tryLater (3), --Try again later
+ * --(4) is not used
+ * sigRequired (5), --Must sign the request
+ * unauthorized (6), --Request unauthorized
+ * }
+ */
+typedef enum {
+ ocspResponse_successful = 0,
+ ocspResponse_malformedRequest = 1,
+ ocspResponse_internalError = 2,
+ ocspResponse_tryLater = 3,
+ ocspResponse_unused = 4,
+ ocspResponse_sigRequired = 5,
+ ocspResponse_unauthorized = 6,
+ ocspResponse_other /* unknown/unrecognized value */
+} ocspResponseStatus;
+
+/*
 * An OCSPResponse is what is sent (encoded) by an OCSP responder.
 *
 * The field "responseStatus" is the ASN.1 encoded value; the field
 * "statusValue" is simply that same value translated into our local
- * type OCSPResponseStatus.
+ * type ocspResponseStatus.
 */
 struct CERTOCSPResponseStr {
 PRArenaPool *arena; /* local; not part of encoding */
 SECItem responseStatus; /* an ENUMERATED, see above */
- OCSPResponseStatus statusValue; /* local; not part of encoding */
+ ocspResponseStatus statusValue; /* local; not part of encoding */
 ocspResponseBytes *responseBytes; /* only when status is successful */
 };
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 990bcaa12..e83d7dfeb 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -692,7 +692,7 @@ CERT_CreateOCSPRequest;
 CERT_GetOCSPStatusForCertID;
 CERT_DecodeOCSPResponse;
 CERT_VerifyOCSPResponseSignature;
-CERT_GetStatusValue;
+CERT_GetOCSPResponseStatus;
 CERT_DestroyOCSPCertID;
 CERT_CreateOCSPCertID;
 ;+ local: |