Bug 611451: Update NSS to NSS_3_14_1_BETA3. Also include the fixes for
authorWan-Teh Chang <wtc@google.com>
Wed, 12 Dec 2012 13:19:33 -0800
changeset 115834 0956fb40dbe2ddbeb37583eb0ca0afe928784647
parent 115833 b2b5567fe14ade36ff101d941295a116de0fa744
child 115835 97addca5ceae10500489541813eb0f8433ed6f44
push id19570
push userwtc@google.com
push dateWed, 12 Dec 2012 21:19:41 +0000
bugs611451, 811317, 818741, 813401
milestone20.0a1
Bug 611451: Update NSS to NSS_3_14_1_BETA3. Also include the fixes for bug 811317, bug 818741, bug 813401.
security/coreconf/Darwin.mk
security/coreconf/coreconf.dep
security/coreconf/rules.mk
security/nss/TAG-INFO
security/nss/TAG-INFO-CKBI
security/nss/cmd/ocspclnt/manifest.mn
security/nss/cmd/ocspresp/ocspresp.c
security/nss/lib/certdb/certi.h
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocsp.h
security/nss/lib/certhigh/ocspsig.c
security/nss/lib/certhigh/ocspt.h
security/nss/lib/certhigh/ocspti.h
security/nss/lib/nss/nss.def
security/nss/lib/util/utilmod.c
--- a/security/coreconf/Darwin.mk
+++ b/security/coreconf/Darwin.mk
@@ -103,13 +103,16 @@ ARCH		= darwin
 DSO_CFLAGS	= -fPIC
 # May override this with different compatibility and current version numbers.
 DARWIN_DYLIB_VERSIONS = -compatibility_version 1 -current_version 1
 # May override this with -bundle to create a loadable module.
 DSO_LDOPTS	= -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @executable_path/$(notdir $@) -headerpad_max_install_names
 
 MKSHLIB		= $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
 DLL_SUFFIX	= dylib
+ifdef MAPFILE
+	MKSHLIB += -exported_symbols_list $(MAPFILE)
+endif
 PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
                 sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@
 
 USE_SYSTEM_ZLIB = 1
 ZLIB_LIBS	= -lz
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/coreconf/rules.mk
+++ b/security/coreconf/rules.mk
@@ -303,21 +303,16 @@ ifdef MT
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;2; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 endif
 else
 	$(MKSHLIB) -o $@ $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 	chmod +x $@
-ifeq ($(OS_TARGET),Darwin)
-ifdef MAPFILE
-	nmedit -s $(MAPFILE) $@
-endif
-endif
 endif
 endif
 
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 $(RES): $(RESNAME)
 	@$(MAKE_OBJDIR)
 # The resource compiler does not understand the -U option.
 ifdef NS_USE_GCC
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_14_1_BETA2
+NSS_3_14_1_BETA3
--- a/security/nss/TAG-INFO-CKBI
+++ b/security/nss/TAG-INFO-CKBI
@@ -1,1 +1,1 @@
-NSS_3_14_1_BETA2
+NSS_3_14_1_BETA3
--- a/security/nss/cmd/ocspclnt/manifest.mn
+++ b/security/nss/cmd/ocspclnt/manifest.mn
@@ -17,10 +17,8 @@ REQUIRES = dbm seccmd
 
 # WINNT uses EXTRA_LIBS as the list of libs to link in.
 # Unix uses     OS_LIBS for that purpose.
 # We can solve this via conditional makefile code, but 
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
 # So, look in the local Makefile for the defines for the list of libs.
 
 PROGRAM = ocspclnt
-
-USE_STATIC_LIBS = 1
--- a/security/nss/cmd/ocspresp/ocspresp.c
+++ b/security/nss/cmd/ocspresp/ocspresp.c
@@ -31,79 +31,77 @@ getCaAndSubjectCert(CERTCertDBHandle *ce
                     CERTCertificate **outCA, CERTCertificate **outCert)
 {
     *outCA = CERT_FindCertByNickname(certHandle, caNick);
     *outCert = CERT_FindCertByNickname(certHandle, eeNick);
     return *outCA && *outCert;
 }
 
 static SECItem *
-encode(PRArenaPool *arena, CERTOCSPCertID *cid,
-       CERTCertificate *ca, CERTCertificate *cert)
+encode(PRArenaPool *arena, CERTOCSPCertID *cid, CERTCertificate *ca)
 {
     SECItem *response;
     PRTime now = PR_Now();
     PRTime nextUpdate;
     CERTOCSPSingleResponse **responses;
     CERTOCSPSingleResponse *sr;
 
     if (!arena)
         return NULL;
 
     nextUpdate = now + 10 * PR_USEC_PER_SEC; /* in the future */
     
-    sr = OCSP_CreateSingleResponseGood(arena, cid, now, &nextUpdate);
+    sr = CERT_CreateOCSPSingleResponseGood(arena, cid, now, &nextUpdate);
 
     /* meaning of value 2: one entry + one end marker */
     responses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse*, 2);
     if (responses == NULL)
         return NULL;
     
     responses[0] = sr;
     responses[1] = NULL;
     
-    response = OCSP_CreateSuccessResponseEncodedBasicV1(
-        arena, ca, PR_TRUE, now, responses, &pwdata);
+    response = CERT_CreateEncodedOCSPSuccessResponse(
+        arena, ca, ocspResponderID_byName, now, responses, &pwdata);
 
     return response;
 }
 
 static SECItem *
-encodeRevoked(PRArenaPool *arena, CERTOCSPCertID *cid,
-       CERTCertificate *ca, CERTCertificate *cert)
+encodeRevoked(PRArenaPool *arena, CERTOCSPCertID *cid, CERTCertificate *ca)
 {
     SECItem *response;
     PRTime now = PR_Now();
     PRTime revocationTime;
     CERTOCSPSingleResponse **responses;
     CERTOCSPSingleResponse *sr;
 
     if (!arena)
         return NULL;
 
     revocationTime = now - 10 * PR_USEC_PER_SEC; /* in the past */
 
-    sr = OCSP_CreateSingleResponseRevoked(arena, cid, now, NULL,
-                                          revocationTime);
+    sr = CERT_CreateOCSPSingleResponseRevoked(arena, cid, now, NULL,
+                                              revocationTime, NULL);
 
     /* meaning of value 2: one entry + one end marker */
     responses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse*, 2);
     if (responses == NULL)
         return NULL;
 
     responses[0] = sr;
     responses[1] = NULL;
 
-    response = OCSP_CreateSuccessResponseEncodedBasicV1(
-        arena, ca, PR_TRUE, now, responses, &pwdata);
+    response = CERT_CreateEncodedOCSPSuccessResponse(
+        arena, ca, ocspResponderID_byName, now, responses, &pwdata);
 
     return response;
 }
 
-int Usage()
+int Usage(void)
 {
     PRFileDesc *pr_stderr = PR_STDERR;
     PR_fprintf (pr_stderr, "ocspresp runs an internal selftest for OCSP response creation");
     PR_fprintf (pr_stderr, "Usage:");
     PR_fprintf (pr_stderr,
                 "\tocspresp <dbdir> <CA-nick> <EE-nick> [-p <pass>] [-f <file>]\n");
     PR_fprintf (pr_stderr,
                 "\tdbdir:   Find security databases in \"dbdir\"\n");
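Review bot: The renamed call `sr = CERT_CreateOCSPSingleResponseGood(arena, cid, now, &nextUpdate);` still stores its result into `responses[0]` without a NULL check, so a failed single-response creation produces a NULL-terminated array with no entries rather than making `encode` return NULL, and the caller's `PORT_Assert(encoded)` would presumably not fire. The same applies to the `CERT_CreateOCSPSingleResponseRevoked` call in `encodeRevoked`. Adding `if (!sr) return NULL;` directly after each call keeps the failure visible at the point where it happens, consistent with the existing `if (responses == NULL) return NULL;` a few lines below.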
@@ -175,46 +173,47 @@ main(int argc, char **argv)
 	goto loser;
 
     if (!getCaAndSubjectCert(certHandle, argv[2], argv[3], &caCert, &cert))
         goto loser;
 
     cid = CERT_CreateOCSPCertID(cert, now);
 
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    encoded = encode(arena, cid, caCert, cert);
+    encoded = encode(arena, cid, caCert);
     PORT_Assert(encoded);
     decoded = CERT_DecodeOCSPResponse(encoded);
     statusDecoded = CERT_GetOCSPResponseStatus(decoded);
     PORT_Assert(statusDecoded == SECSuccess);
 
     statusDecoded = CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata,
                                                 &obtainedSignerCert, caCert);
     PORT_Assert(statusDecoded == SECSuccess);
     statusDecoded = CERT_GetOCSPStatusForCertID(certHandle, decoded, cid,
                                                 obtainedSignerCert, now);
     PORT_Assert(statusDecoded == SECSuccess);
     CERT_DestroyCertificate(obtainedSignerCert);
 
-    encodedRev = encodeRevoked(arena, cid, caCert, cert);
+    encodedRev = encodeRevoked(arena, cid, caCert);
     PORT_Assert(encodedRev);
     decodedRev = CERT_DecodeOCSPResponse(encodedRev);
     statusDecodedRev = CERT_GetOCSPResponseStatus(decodedRev);
     PORT_Assert(statusDecodedRev == SECSuccess);
 
     statusDecodedRev = CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
                                                         &obtainedSignerCert, caCert);
     PORT_Assert(statusDecodedRev == SECSuccess);
     statusDecodedRev = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
                                                    obtainedSignerCert, now);
     PORT_Assert(statusDecodedRev == SECFailure);
     PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
     CERT_DestroyCertificate(obtainedSignerCert);
     
-    encodedFail = OCSP_CreateFailureResponse(arena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
+    encodedFail = CERT_CreateEncodedOCSPErrorResponse(
+        arena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
     PORT_Assert(encodedFail);
     decodedFail = CERT_DecodeOCSPResponse(encodedFail);
     statusDecodedFail = CERT_GetOCSPResponseStatus(decodedFail);
     PORT_Assert(statusDecodedFail == SECFailure);
     PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
 
     retval = 0;
 loser:
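Review bot: The selftest only ever passes `ocspResponderID_byName` (through `encode` and `encodeRevoked`), so the `ocspResponderID_byKey` path that the new `responderIDType` parameter of `CERT_CreateEncodedOCSPSuccessResponse` selects, and the argument validation it now performs, are not exercised here. A third round-trip built with `ocspResponderID_byKey` and verified the same way as the "good" case would cover the new branch. The changed lines also keep `PORT_Assert` as the sole check on `encoded` and `encodedRev`; if that macro is compiled out in non-debug builds, a NULL result would flow straight into `CERT_DecodeOCSPResponse`, so an explicit `if (!encoded) goto loser;` is worth considering. `main` continues outside this hunk.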
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -1,15 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * certi.h - private data structures for the certificate library
  *
- * $Id: certi.h,v 1.37 2012/04/25 14:49:26 gerv%gerv.net Exp $
+ * $Id: certi.h,v 1.38 2012/12/06 17:56:57 wtc%google.com Exp $
  */
 #ifndef _CERTI_H_
 #define _CERTI_H_
 
 #include "certt.h"
 #include "nssrwlkt.h"
 
 /*
@@ -286,17 +286,17 @@ extern SECStatus cert_GetCertType(CERTCe
 
 /*
  * compute and return the value of nsCertType for cert, but do not 
  * update the CERTCertificate.
  */
 extern PRUint32 cert_ComputeCertType(CERTCertificate *cert);
 
 void cert_AddToVerifyLog(CERTVerifyLog *log,CERTCertificate *cert,
-                         unsigned long errorCode, unsigned int depth,
+                         long errorCode, unsigned int depth,
                          void *arg);
 
 /* Insert a DER CRL into the CRL cache, and take ownership of it.
  *
  * cert_CacheCRLByGeneralName takes ownership of the memory in crl argument
  * completely.  crl must be freeable by SECITEM_FreeItem. It will be freed
  * immediately if it is rejected from the CRL cache, or later during cache
  * updates when a new crl is available, or at shutdown time.
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -224,17 +224,17 @@ CERT_TrustFlagsForCACertUsage(SECCertUsa
     }
     
     return(SECSuccess);
 loser:
     return(SECFailure);
 }
 
 void
-cert_AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, unsigned long error,
+cert_AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, long error,
 	       unsigned int depth, void *arg)
 {
     CERTVerifyLogNode *node, *tnode;
 
     PORT_Assert(log != NULL);
     
     node = (CERTVerifyLogNode *)PORT_ArenaAlloc(log->arena,
 						sizeof(CERTVerifyLogNode));
@@ -285,24 +285,26 @@ cert_AddToVerifyLog(CERTVerifyLog *log, 
 
 #define EXIT_IF_NOT_LOGGING(log) \
     if ( log == NULL ) { \
 	goto loser; \
     }
 
 #define LOG_ERROR_OR_EXIT(log,cert,depth,arg) \
     if ( log != NULL ) { \
-	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
+	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
+			    (void *)(PRWord)arg); \
     } else { \
 	goto loser; \
     }
 
 #define LOG_ERROR(log,cert,depth,arg) \
     if ( log != NULL ) { \
-	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
+	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
+			    (void *)(PRWord)arg); \
     }
 
 static SECStatus
 cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
 		     PRBool checkSig, PRBool* sigerror,
                      SECCertUsage certUsage, int64 t, void *wincx,
                      CERTVerifyLog *log, PRBool* revoked)
 {
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -1,17 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  *
- * $Id: ocsp.c,v 1.74 2012/11/17 11:52:38 kaie%kuix.de Exp $
+ * $Id: ocsp.c,v 1.74.2.1 2012/12/12 16:38:39 wtc%google.com Exp $
  */
 
 #include "prerror.h"
 #include "prprf.h"
 #include "plarena.h"
 #include "prnetdb.h"
 
 #include "seccomon.h"
@@ -2221,17 +2221,17 @@ CERT_DestroyOCSPRequest(CERTOCSPRequest 
  * RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy):
  */
 
 /*
  * Helper function for encoding or decoding a ResponderID -- based on the
  * given type, return the associated template for that choice.
  */
 static const SEC_ASN1Template *
-ocsp_ResponderIDTemplateByType(ocspResponderIDType responderIDType)
+ocsp_ResponderIDTemplateByType(CERTOCSPResponderIDType responderIDType)
 {
     const SEC_ASN1Template *responderIDTemplate;
 
     switch (responderIDType) {
 	case ocspResponderID_byName:
 	    responderIDTemplate = ocsp_ResponderIDByNameTemplate;
 	    break;
 	case ocspResponderID_byKey:
@@ -2366,20 +2366,20 @@ ocsp_FinishDecodingSingleResponses(PRAre
 loser:
     return rv;
 }
 
 /*
  * Helper function for decoding a responderID -- turn the actual DER tag
  * into our local translation.
  */
-static ocspResponderIDType
+static CERTOCSPResponderIDType
 ocsp_ResponderIDTypeByTag(int derTag)
 {
-    ocspResponderIDType responderIDType;
+    CERTOCSPResponderIDType responderIDType;
 
     switch (derTag) {
 	case 1:
 	    responderIDType = ocspResponderID_byName;
 	    break;
 	case 2:
 	    responderIDType = ocspResponderID_byKey;
 	    break;
@@ -2396,17 +2396,17 @@ ocsp_ResponderIDTypeByTag(int derTag)
  */
 static ocspBasicOCSPResponse *
 ocsp_DecodeBasicOCSPResponse(PRArenaPool *arena, SECItem *src)
 {
     void *mark;
     ocspBasicOCSPResponse *basicResponse;
     ocspResponseData *responseData;
     ocspResponderID *responderID;
-    ocspResponderIDType responderIDType;
+    CERTOCSPResponderIDType responderIDType;
     const SEC_ASN1Template *responderIDTemplate;
     int derTag;
     SECStatus rv;
     SECItem newsrc;
 
     mark = PORT_ArenaMark(arena);
 
     basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse));
--- a/security/nss/lib/certhigh/ocsp.h
+++ b/security/nss/lib/certhigh/ocsp.h
@@ -1,29 +1,28 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Interface to the OCSP implementation.
  *
- * $Id: ocsp.h,v 1.23 2012/11/17 11:52:38 kaie%kuix.de Exp $
+ * $Id: ocsp.h,v 1.23.2.1 2012/12/12 16:38:39 wtc%google.com Exp $
  */
 
 #ifndef _OCSP_H_
 #define _OCSP_H_
 
 
 #include "plarena.h"
 #include "seccomon.h"
 #include "secoidt.h"
 #include "keyt.h"
 #include "certt.h"
 #include "ocspt.h"
-#include "prerror.h"
 
 
 /************************************************************************/
 SEC_BEGIN_PROTOS
 
 /*
  * This function registers the HttpClient with whose functions the
  * HttpClientFcn structure has been populated as the default Http
@@ -631,38 +630,76 @@ CERT_CreateOCSPCertID(CERTCertificate *c
  *  SECFailure if the memory passed in was not allocated with
  *  a call to CERT_CreateOCSPCertID.
  */
 extern SECStatus
 CERT_DestroyOCSPCertID(CERTOCSPCertID* certID);
 
 
 extern CERTOCSPSingleResponse*
-OCSP_CreateSingleResponseGood(PLArenaPool *arena,
-                              CERTOCSPCertID *id, 
-                              PRTime thisUpdate, PRTime *nextUpdate);
+CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena,
+                                  CERTOCSPCertID *id,
+                                  PRTime thisUpdate,
+                                  const PRTime *nextUpdate);
 
 extern CERTOCSPSingleResponse*
-OCSP_CreateSingleResponseUnknown(PLArenaPool *arena,
-                                 CERTOCSPCertID *id, 
-                                 PRTime thisUpdate, PRTime *nextUpdate);
+CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena,
+                                     CERTOCSPCertID *id,
+                                     PRTime thisUpdate,
+                                     const PRTime *nextUpdate);
 
 extern CERTOCSPSingleResponse*
-OCSP_CreateSingleResponseRevoked(PLArenaPool *arena,
-                                 CERTOCSPCertID *id,
-                                 PRTime thisUpdate, PRTime *nextUpdate,
-                                 PRTime revocationTime);
+CERT_CreateOCSPSingleResponseRevoked(
+    PLArenaPool *arena,
+    CERTOCSPCertID *id,
+    PRTime thisUpdate,
+    const PRTime *nextUpdate,
+    PRTime revocationTime,
+    const CERTCRLEntryReasonCode* revocationReason);
 
 extern SECItem*
-OCSP_CreateSuccessResponseEncodedBasicV1(PLArenaPool *arena,
-                                         CERTCertificate *responderCert,
-                                         PRBool idByName, /* false: by key */
-                                         PRTime producedAt,
-                                         CERTOCSPSingleResponse **responses,
-                                         void *wincx);
+CERT_CreateEncodedOCSPSuccessResponse(
+    PLArenaPool *arena,
+    CERTCertificate *responderCert,
+    CERTOCSPResponderIDType responderIDType,
+    PRTime producedAt,
+    CERTOCSPSingleResponse **responses,
+    void *wincx);
 
+/*
+ * FUNCTION: CERT_CreateEncodedOCSPErrorResponse
+ *  Creates an encoded OCSP response with an error response status.
+ * INPUTS:
+ *  PLArenaPool *arena
+ *    The return value is allocated from here.
+ *    If a NULL is passed in, allocation is done from the heap instead.
+ *  int error
+ *    An NSS error code indicating an error response status. The error
+ *    code is mapped to an OCSP response status as follows:
+ *        SEC_ERROR_OCSP_MALFORMED_REQUEST -> malformedRequest
+ *        SEC_ERROR_OCSP_SERVER_ERROR -> internalError
+ *        SEC_ERROR_OCSP_TRY_SERVER_LATER -> tryLater
+ *        SEC_ERROR_OCSP_REQUEST_NEEDS_SIG -> sigRequired
+ *        SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST -> unauthorized
+ *    where the OCSP response status is an enumerated type defined in
+ *    RFC 2560:
+ *    OCSPResponseStatus ::= ENUMERATED {
+ *        successful           (0),     --Response has valid confirmations
+ *        malformedRequest     (1),     --Illegal confirmation request
+ *        internalError        (2),     --Internal error in issuer
+ *        tryLater             (3),     --Try again later
+ *                                      --(4) is not used
+ *        sigRequired          (5),     --Must sign the request
+ *        unauthorized         (6)      --Request unauthorized
+ *    }
+ * RETURN:
+ *   Returns a pointer to the SECItem holding the response.
+ *   On error, returns null with error set describing the reason:
+ *	SEC_ERROR_INVALID_ARGS
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
 extern SECItem*
-OCSP_CreateFailureResponse(PLArenaPool *arena, PRErrorCode reason);
+CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error);
 
 /************************************************************************/
 SEC_END_PROTOS
 
 #endif /* _OCSP_H_ */
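Review bot: Only `CERT_CreateEncodedOCSPErrorResponse` receives a FUNCTION/INPUTS/RETURN comment; the four other newly exported prototypes (`CERT_CreateOCSPSingleResponseGood`, `CERT_CreateOCSPSingleResponseUnknown`, `CERT_CreateOCSPSingleResponseRevoked`, `CERT_CreateEncodedOCSPSuccessResponse`) are added to the public header undocumented. The points a caller needs are already fixed by the implementation in ocspsig.c: `arena` is required (NULL yields SEC_ERROR_INVALID_ARGS, unlike the error-response function where NULL means heap allocation), `responderIDType` must be `ocspResponderID_byName` or `ocspResponderID_byKey`, and `revocationReason` is currently not supported and must be NULL. A comment block per function in the same style as the one above, stating those three constraints and whether `nextUpdate` may be NULL, would let callers use the API without reading ocspsig.c.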
--- a/security/nss/lib/certhigh/ocspsig.c
+++ b/security/nss/lib/certhigh/ocspsig.c
@@ -1,39 +1,28 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "prerror.h"
-#include "prprf.h"
 #include "plarena.h"
-#include "prnetdb.h"
 
 #include "seccomon.h"
 #include "secitem.h"
-#include "secoidt.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "cert.h"
-#include "xconst.h"
 #include "secerr.h"
 #include "secoid.h"
-#include "hasht.h"
 #include "sechash.h"
-#include "secasn1.h"
 #include "keyhi.h"
 #include "cryptohi.h"
 #include "ocsp.h"
 #include "ocspti.h"
 #include "ocspi.h"
-#include "genname.h"
-#include "certxutl.h"
-#include "pk11func.h"   /* for PK11_HashBuf */
-#include <stdarg.h>
-#include <plhash.h>
+#include "pk11pub.h"
 
 
 extern const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[];
 extern const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[];
 extern const SEC_ASN1Template ocsp_OCSPResponseTemplate[];
 
 ocspCertStatus*
 ocsp_CreateCertStatus(PLArenaPool *arena,
@@ -265,17 +254,17 @@ static const SEC_ASN1Template ocsp_Encod
         offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
         mySEC_PointerToSequenceOfAnyTemplate },
     { 0 }
 };
 
 static CERTOCSPSingleResponse*
 ocsp_CreateSingleResponse(PLArenaPool *arena,
                           CERTOCSPCertID *id, ocspCertStatus *status,
-                          PRTime thisUpdate, PRTime *nextUpdate)
+                          PRTime thisUpdate, const PRTime *nextUpdate)
 {
     CERTOCSPSingleResponse *sr;
 
     if (!arena || !id || !status) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
 
@@ -307,88 +296,101 @@ ocsp_CreateSingleResponse(PLArenaPool *a
     if (!SEC_ASN1EncodeItem(arena, &sr->derCertStatus,
                             status, ocsp_CertStatusTemplate))
         return NULL;
 
     return sr;
 }
 
 CERTOCSPSingleResponse*
-OCSP_CreateSingleResponseGood(PLArenaPool *arena,
-                              CERTOCSPCertID *id,
-                              PRTime thisUpdate, PRTime *nextUpdate)
+CERT_CreateOCSPSingleResponseGood(PLArenaPool *arena,
+                                  CERTOCSPCertID *id,
+                                  PRTime thisUpdate,
+                                  const PRTime *nextUpdate)
 {
     ocspCertStatus * cs;
     if (!arena) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     cs = ocsp_CreateCertStatus(arena, ocspCertStatus_good, 0);
     if (!cs)
         return NULL;
     return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate);
 }
 
 CERTOCSPSingleResponse*
-OCSP_CreateSingleResponseUnknown(PLArenaPool *arena,
-                                 CERTOCSPCertID *id,
-                                 PRTime thisUpdate, PRTime *nextUpdate)
+CERT_CreateOCSPSingleResponseUnknown(PLArenaPool *arena,
+                                     CERTOCSPCertID *id,
+                                     PRTime thisUpdate,
+                                     const PRTime *nextUpdate)
 {
     ocspCertStatus * cs;
     if (!arena) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     cs = ocsp_CreateCertStatus(arena, ocspCertStatus_unknown, 0);
     if (!cs)
         return NULL;
     return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate);
 }
 
 CERTOCSPSingleResponse*
-OCSP_CreateSingleResponseRevoked(PLArenaPool *arena,
-                                 CERTOCSPCertID *id,
-                                 PRTime thisUpdate, PRTime *nextUpdate,
-                                 PRTime revocationTime)
+CERT_CreateOCSPSingleResponseRevoked(
+    PLArenaPool *arena,
+    CERTOCSPCertID *id,
+    PRTime thisUpdate,
+    const PRTime *nextUpdate,
+    PRTime revocationTime,
+    const CERTCRLEntryReasonCode* revocationReason)
 {
     ocspCertStatus * cs;
-    if (!arena) {
+    /* revocationReason is not yet supported, so it must be NULL. */
+    if (!arena || revocationReason) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     cs = ocsp_CreateCertStatus(arena, ocspCertStatus_revoked, revocationTime);
     if (!cs)
         return NULL;
     return ocsp_CreateSingleResponse(arena, id, cs, thisUpdate, nextUpdate);
 }
 
 SECItem*
-OCSP_CreateSuccessResponseEncodedBasicV1(PLArenaPool *arena,
-                                         CERTCertificate *responderCert,
-                                         PRBool idByName, /* false: by key */
-                                         PRTime producedAt,
-                                         CERTOCSPSingleResponse **responses,
-                                         void *wincx)
+CERT_CreateEncodedOCSPSuccessResponse(
+    PLArenaPool *arena,
+    CERTCertificate *responderCert,
+    CERTOCSPResponderIDType responderIDType,
+    PRTime producedAt,
+    CERTOCSPSingleResponse **responses,
+    void *wincx)
 {
     PLArenaPool *tmpArena;
     ocspResponseData *rd = NULL;
     ocspResponderID *rid = NULL;
+    const SEC_ASN1Template *responderIDTemplate = NULL;
     ocspBasicOCSPResponse *br = NULL;
     ocspResponseBytes *rb = NULL;
     CERTOCSPResponse *response = NULL;
     
     SECOidTag algID;
     SECOidData *od = NULL;
     SECKEYPrivateKey *privKey = NULL;
     SECItem *result = NULL;
   
     if (!arena || !responderCert || !responses) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
+    if (responderIDType != ocspResponderID_byName &&
+        responderIDType != ocspResponderID_byKey) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
 
     tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (!tmpArena)
         return NULL;
 
     rd = PORT_ArenaZNew(tmpArena, ocspResponseData);
     if (!rd)
         goto done;
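Review bot: The three renamed constructors `CERT_CreateOCSPSingleResponseGood`, `CERT_CreateOCSPSingleResponseUnknown` and `CERT_CreateOCSPSingleResponseRevoked` now repeat the same shape line for line: the `!arena` guard with `SEC_ERROR_INVALID_ARGS`, a call to `ocsp_CreateCertStatus` differing only in the status kind and the revocation time, and the tail call to `ocsp_CreateSingleResponse`. Since the commit already rewrites all three signatures, a file-scope static helper taking the status kind and revocation time would leave each public function as a one-line wrapper and keep the guard in one place. Separately, the new `if (!arena || revocationReason)` check reports two different caller mistakes under one error code; the in-line comment explains the second, but a sentence in the public header would make it discoverable. `CERT_CreateEncodedOCSPSuccessResponse` continues outside this hunk.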
@@ -407,31 +409,32 @@ OCSP_CreateSuccessResponseEncodedBasicV1
     
     rd->version.data=NULL;
     rd->version.len=0;
     rd->responseExtensions = NULL;
     rd->responses = responses;
     if (DER_TimeToGeneralizedTimeArena(tmpArena, &rd->producedAt, producedAt)
             != SECSuccess)
         goto done;
-    if (idByName) {
-        rid->responderIDType = ocspResponderID_byName;
+    rid->responderIDType = responderIDType;
+    if (responderIDType == ocspResponderID_byName) {
+        responderIDTemplate = ocsp_ResponderIDByNameTemplate;
         if (CERT_CopyName(tmpArena, &rid->responderIDValue.name,
                            &responderCert->subject) != SECSuccess)
             goto done;
     }
     else {
-        rid->responderIDType = ocspResponderID_byKey;
+        responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
         if (!CERT_GetSPKIDigest(tmpArena, responderCert, SEC_OID_SHA1,
                                       &rid->responderIDValue.keyHash))
             goto done;
     }
 
     if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
-            idByName ? ocsp_ResponderIDByNameTemplate : ocsp_ResponderIDByKeyTemplate))
+            responderIDTemplate))
         goto done;
 
     br->tbsResponseData = rd;
     
     if (!SEC_ASN1EncodeItem(tmpArena, &br->tbsResponseDataDER, br->tbsResponseData,
             ocsp_myResponseDataTemplate))
         goto done;
 
@@ -492,33 +495,33 @@ done:
         SECKEY_DestroyPrivateKey(privKey);
     if (br->responseSignature.signature.data)
         SECITEM_FreeItem(&br->responseSignature.signature, PR_FALSE);
     PORT_FreeArena(tmpArena, PR_FALSE);
 
     return result;
 }
 
-static const SEC_ASN1Template ocsp_OCSPFailureResponseTemplate[] = {
+static const SEC_ASN1Template ocsp_OCSPErrorResponseTemplate[] = {
     { SEC_ASN1_SEQUENCE,
         0, NULL, sizeof(CERTOCSPResponse) },
     { SEC_ASN1_ENUMERATED,
         offsetof(CERTOCSPResponse, responseStatus) },
     { 0, 0,
         mySEC_NullTemplate },
     { 0 }
 };
 
 SECItem*
-OCSP_CreateFailureResponse(PLArenaPool *arena, PRErrorCode reason)
+CERT_CreateEncodedOCSPErrorResponse(PLArenaPool *arena, int error)
 {
     CERTOCSPResponse response;
     SECItem *result = NULL;
 
-    switch (reason) {
+    switch (error) {
         case SEC_ERROR_OCSP_MALFORMED_REQUEST:
             response.statusValue = ocspResponse_malformedRequest;
             break;
         case SEC_ERROR_OCSP_SERVER_ERROR:
             response.statusValue = ocspResponse_internalError;
             break;
         case SEC_ERROR_OCSP_TRY_SERVER_LATER:
             response.statusValue = ocspResponse_tryLater;
@@ -533,14 +536,15 @@ OCSP_CreateFailureResponse(PLArenaPool *
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             return NULL;
     }
 
     if (!SEC_ASN1EncodeInteger(NULL, &response.responseStatus,
                                response.statusValue))
         return NULL;
 
-    result = SEC_ASN1EncodeItem(arena, NULL, &response, ocsp_OCSPFailureResponseTemplate);
+    result = SEC_ASN1EncodeItem(arena, NULL, &response,
+                                ocsp_OCSPErrorResponseTemplate);
 
     SECITEM_FreeItem(&response.responseStatus, PR_FALSE);
 
     return result;
 }
--- a/security/nss/lib/certhigh/ocspt.h
+++ b/security/nss/lib/certhigh/ocspt.h
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Public header for exported OCSP types.
  *
- * $Id: ocspt.h,v 1.11 2012/11/17 11:52:38 kaie%kuix.de Exp $
+ * $Id: ocspt.h,v 1.11.2.1 2012/12/12 16:38:39 wtc%google.com Exp $
  */
 
 #ifndef _OCSPT_H_
 #define _OCSPT_H_
 
 /*
  * The following are all opaque types.  If someone needs to get at
  * a field within, then we need to fix the API.  Try very hard not
@@ -275,9 +275,29 @@ typedef struct SEC_HttpClientFcnStruct {
  *
  * Additional failure modes might be added in the future.
  */
 typedef enum {
     ocspMode_FailureIsVerificationFailure = 0,
     ocspMode_FailureIsNotAVerificationFailure = 1
 } SEC_OcspFailureMode;
 
+/*
+ * A ResponderID identifies the responder -- or more correctly, the
+ * signer of the response.  The ASN.1 definition of a ResponderID is:
+ *
+ * ResponderID	::=	CHOICE {
+ *	byName			[1] EXPLICIT Name,
+ *	byKey			[2] EXPLICIT KeyHash }
+ *
+ * Because it is CHOICE, the type of identification used and the
+ * identification itself are actually encoded together.  To represent
+ * this same information internally, we explicitly define a type and
+ * save it, along with the value, into a data structure.
+ */
+
+typedef enum {
+    ocspResponderID_other = -1,		/* unknown kind of responderID */
+    ocspResponderID_byName = 1,
+    ocspResponderID_byKey = 2
+} CERTOCSPResponderIDType;
+
 #endif /* _OCSPT_H_ */
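Review bot: The public `CERTOCSPResponderIDType` assigns `ocspResponderID_byName = 1` and `ocspResponderID_byKey = 2`, which are the `[1]`/`[2]` CHOICE tags quoted in the comment above and the values `ocsp_ResponderIDTypeByTag` maps from in ocsp.c, whereas the private enum this replaces (removed from ocspti.h in the same commit) numbered them 0 and 1. That correspondence is deliberate but nothing says so; a trailing comment such as `/* values match the CHOICE tags [1] and [2] above */` on the enum would stop a future reorder from silently breaking the tag mapping. It is also worth stating in the comment that the enum is now part of the exported API, so its numeric values are frozen.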
--- a/security/nss/lib/certhigh/ocspti.h
+++ b/security/nss/lib/certhigh/ocspti.h
@@ -1,16 +1,16 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Private header defining OCSP types.
  *
- * $Id: ocspti.h,v 1.8 2012/04/25 14:49:27 gerv%gerv.net Exp $
+ * $Id: ocspti.h,v 1.8.2.1 2012/12/12 16:38:39 wtc%google.com Exp $
  */
 
 #ifndef _OCSPTI_H_
 #define _OCSPTI_H_
 
 #include "ocspt.h"
 
 #include "certt.h"
@@ -184,24 +184,24 @@ struct CERTOCSPCertIDStr {
  *	internalError		(2),	--Internal error in issuer
  *	tryLater		(3),	--Try again later
  *					--(4) is not used
  *	sigRequired		(5),	--Must sign the request
  *	unauthorized		(6),	--Request unauthorized
  * }
  */
 typedef enum {
+    ocspResponse_other = -1,		/* unknown/unrecognized value */
     ocspResponse_successful = 0,
     ocspResponse_malformedRequest = 1,
     ocspResponse_internalError = 2,
     ocspResponse_tryLater = 3,
     ocspResponse_unused = 4,
     ocspResponse_sigRequired = 5,
-    ocspResponse_unauthorized = 6,
-    ocspResponse_other			/* unknown/unrecognized value */
+    ocspResponse_unauthorized = 6
 } ocspResponseStatus;
 
 /*
  * An OCSPResponse is what is sent (encoded) by an OCSP responder.
  *
  * The field "responseStatus" is the ASN.1 encoded value; the field
  * "statusValue" is simply that same value translated into our local
  * type ocspResponseStatus.
@@ -261,38 +261,18 @@ struct ocspResponseDataStr {
     SECItem version;			/* an INTEGER */
     SECItem derResponderID;
     ocspResponderID *responderID;	/* local; not part of encoding */
     SECItem producedAt;			/* a GeneralizedTime */
     CERTOCSPSingleResponse **responses;
     CERTCertExtension **responseExtensions;
 };
 
-/*
- * A ResponderID identifies the responder -- or more correctly, the
- * signer of the response.  The ASN.1 definition of a ResponderID is:
- *
- * ResponderID	::=	CHOICE {
- *	byName			[1] EXPLICIT Name,
- *	byKey			[2] EXPLICIT KeyHash }
- *
- * Because it is CHOICE, the type of identification used and the
- * identification itself are actually encoded together.  To represent
- * this same information internally, we explicitly define a type and
- * save it, along with the value, into a data structure.
- */
-
-typedef enum {
-    ocspResponderID_byName,
-    ocspResponderID_byKey,
-    ocspResponderID_other		/* unknown kind of responderID */
-} ocspResponderIDType;
-
 struct ocspResponderIDStr {
-    ocspResponderIDType responderIDType;/* local; not part of encoding */
+    CERTOCSPResponderIDType responderIDType;/* local; not part of encoding */
     union {
 	CERTName name;			/* when ocspResponderID_byName */
 	SECItem keyHash;		/* when ocspResponderID_byKey */
 	SECItem other;			/* when ocspResponderID_other */
     } responderIDValue;
 };
 
 /*
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1008,16 +1008,16 @@ CERT_GetEncodedOCSPResponse;
 PK11_GetBestSlotWithAttributes;
 PK11_GetBestSlotMultipleWithAttributes;
 PK11_PQG_ParamGenV2;
 ;+    local:
 ;+       *;
 ;+};
 ;+NSS_3.14.1 {    # NSS 3.14.1 release
 ;+    global:
-OCSP_CreateFailureResponse;
-OCSP_CreateSingleResponseGood;
-OCSP_CreateSingleResponseUnknown;
-OCSP_CreateSingleResponseRevoked;
-OCSP_CreateSuccessResponseEncodedBasicV1;
+CERT_CreateEncodedOCSPErrorResponse;
+CERT_CreateEncodedOCSPSuccessResponse;
+CERT_CreateOCSPSingleResponseGood;
+CERT_CreateOCSPSingleResponseUnknown;
+CERT_CreateOCSPSingleResponseRevoked;
 ;+    local:
 ;+       *;
 ;+};
--- a/security/nss/lib/util/utilmod.c
+++ b/security/nss/lib/util/utilmod.c
@@ -127,17 +127,17 @@ char *_NSSUTIL_GetOldSecmodName(const ch
 	file = PR_smprintf("%s"NSSUTIL_PATH_SEPARATOR"%s", dirPath, filename);
     } else {
 	file = PR_smprintf("%s", filename);
     }
     PORT_Free(dirPath);
     return file;
 }
 
-static SECStatus nssutil_AddSecmodDB(NSSDBType dbType, const char *appName, 
+static SECStatus nssutil_AddSecmodDB(const char *appName, 
 		   const char *filename, const char *dbname, 
 		   char *module, PRBool rw);
 
 #ifdef XP_UNIX
 #include <unistd.h>
 #endif
 #include <fcntl.h>
 
@@ -161,17 +161,17 @@ lfopen(const char *name, const char *mod
 }
 
 #define MAX_LINE_LENGTH 2048
 
 /*
  * Read all the existing modules in out of the file.
  */
 static char **
-nssutil_ReadSecmodDB(NSSDBType dbType, const char *appName, 
+nssutil_ReadSecmodDB(const char *appName, 
 		    const char *filename, const char *dbname, 
 		    char *params, PRBool rw)
 {
     FILE *fd = NULL;
     char **moduleList = NULL;
     int moduleCount = 1;
     int useCount = SECMOD_STEP;
     char line[MAX_LINE_LENGTH];
@@ -410,38 +410,38 @@ loser:
 	nssutil_releaseSpecList(moduleList);
 	moduleList = NULL;
 	failed = PR_TRUE;
     }
     if (fd != NULL) {
 	fclose(fd);
     } else if (!failed && rw) {
 	/* update our internal module */
-	nssutil_AddSecmodDB(dbType,appName,filename,dbname,moduleList[0],rw);
+	nssutil_AddSecmodDB(appName,filename,dbname,moduleList[0],rw);
     }
     return moduleList;
 }
 
 static SECStatus
-nssutil_ReleaseSecmodDBData(NSSDBType dbType, const char *appName, 
+nssutil_ReleaseSecmodDBData(const char *appName, 
 			const char *filename, const char *dbname, 
 			char **moduleSpecList, PRBool rw)
 {
     if (moduleSpecList) {
 	nssutil_releaseSpecList(moduleSpecList);
     }
     return SECSuccess;
 }
 
 
 /*
  * Delete a module from the Data Base
  */
 static SECStatus
-nssutil_DeleteSecmodDB(NSSDBType dbType, const char *appName, 
+nssutil_DeleteSecmodDB(const char *appName, 
 		      const char *filename, const char *dbname, 
 		      char *args, PRBool rw)
 {
     /* SHDB_FIXME implement */
     FILE *fd = NULL;
     FILE *fd2 = NULL;
     char line[MAX_LINE_LENGTH];
     char *dbname2 = NULL;
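Review bot: The rewritten nssutil_AddSecmodDB call in nssutil_ReadSecmodDB (the `else if (!failed && rw)` branch) still discards the SECStatus it returns, so a failure to persist the default module entry is invisible to the caller, which receives moduleList as though the database had been written. Either mark the discard as deliberate the way the nssutil_DeleteSecmodDB call later in this file does, `(void) nssutil_AddSecmodDB(appName,filename,dbname,moduleList[0],rw);`, or treat the failure like the loser path above it. Separately, with dbType gone nssutil_ReleaseSecmodDBData now ignores appName, filename, dbname and rw entirely; if they are kept only so the four helpers share one calling shape for NSSUTIL_DoModuleDBFunction, a one-line comment on the definition saying so would preempt unused-parameter questions. nssutil_ReadSecmodDB's body begins outside the hunk.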
@@ -560,17 +560,17 @@ loser:
     PORT_Free(name);
     return SECFailure;
 }
 
 /*
  * Add a module to the Data base 
  */
 static SECStatus
-nssutil_AddSecmodDB(NSSDBType dbType, const char *appName, 
+nssutil_AddSecmodDB(const char *appName, 
 		   const char *filename, const char *dbname, 
 		   char *module, PRBool rw)
 {
     FILE *fd = NULL;
     char *block = NULL;
     PRBool libFound = PR_FALSE;
 
     if (dbname == NULL) {
@@ -580,17 +580,17 @@ nssutil_AddSecmodDB(NSSDBType dbType, co
 
     /* can't write to a read only module */
     if (!rw) {
 	PORT_SetError(SEC_ERROR_READ_ONLY);
 	return SECFailure;
     }
 
     /* remove the previous version if it exists */
-    (void) nssutil_DeleteSecmodDB(dbType, appName, filename, 
+    (void) nssutil_DeleteSecmodDB(appName, filename, 
 				  dbname, module, rw);
 
     fd = lfopen(dbname, "a+", O_CREAT|O_RDWR|O_APPEND);
     if (fd == NULL) {
 	return SECFailure;
     }
     module = NSSUTIL_ArgStrip(module);
     while (*module) {
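Review bot: The `(void)` on the nssutil_DeleteSecmodDB call discards every failure, not only the "no previous entry" case, so if the delete fails for another reason (it appears to rewrite the file through a second handle, judging from the fd2/dbname2 locals in its definition) the following `lfopen(dbname, "a+", ...)` still appends a new entry and the stale one survives alongside it. If nssutil_DeleteSecmodDB can distinguish not-found from an I/O error through PORT_GetError, checking that here before appending would avoid a duplicated module spec; otherwise a comment stating that the reader tolerates duplicates is warranted. The remainder of nssutil_AddSecmodDB runs past the hunk.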
@@ -655,29 +655,29 @@ NSSUTIL_DoModuleDBFunction(unsigned long
 	/* we can't handle the old database, only softoken can */
 	PORT_SetError(SEC_ERROR_LEGACY_DATABASE);
 	rvstr =  NULL;
 	goto done;
     }
 
     switch (function) {
     case SECMOD_MODULE_DB_FUNCTION_FIND:
-        rvstr = nssutil_ReadSecmodDB(dbType,appName,filename,
+        rvstr = nssutil_ReadSecmodDB(appName,filename,
 				     secmod,(char *)parameters,rw);
         break;
     case SECMOD_MODULE_DB_FUNCTION_ADD:
-        rvstr = (nssutil_AddSecmodDB(dbType,appName,filename,
+        rvstr = (nssutil_AddSecmodDB(appName,filename,
 		secmod,(char *)args,rw) == SECSuccess) ? &success: NULL;
         break;
     case SECMOD_MODULE_DB_FUNCTION_DEL:
-        rvstr = (nssutil_DeleteSecmodDB(dbType,appName,filename,
+        rvstr = (nssutil_DeleteSecmodDB(appName,filename,
 		secmod,(char *)args,rw) == SECSuccess) ? &success: NULL;
         break;
     case SECMOD_MODULE_DB_FUNCTION_RELEASE:
-        rvstr = (nssutil_ReleaseSecmodDBData(dbType, appName,filename,
+        rvstr = (nssutil_ReleaseSecmodDBData(appName,filename,
 		secmod, (char **)args,rw) == SECSuccess) ? &success: NULL;
         break;
     }
 done:
     if (secmod) PR_smprintf_free(secmod);
     if (appName) PORT_Free(appName);
     if (filename) PORT_Free(filename);
     return rvstr;
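Review bot: The switch on `function` has no default case, so an unrecognized SECMOD_MODULE_DB_FUNCTION_* value reaches `done:` with rvstr holding whatever it was assigned before the switch (its initialization is outside the hunk) and no error code set. Add `default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rvstr = NULL; break;` so callers can tell an unsupported request from a successful one. The dbType parameter is presumably still consulted above the hunk for the legacy-database rejection even though the helpers no longer take it; NSSUTIL_DoModuleDBFunction's signature starts outside the hunk.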