408847 - pkix_OcspChecker_Check does not support specified responder (and given signercert). r=nelson
authoralexei.volkov.bugs%sun.com
Tue, 08 Jul 2008 21:34:53 +0000
changeset 8662 0a98c641b697d9cc3b47af1b8b85bbd2863d21ce
parent 8659 d95fee52bd4b90c188992db69857782c46d1acf8
child 8663 53e2ff6da3ca2d08d8c945e8ee9393d6750c15d2
push idunknown
push userunknown
push dateunknown
reviewersnelson
bugs408847
408847 - pkix_OcspChecker_Check does not support specified responder (and given signercert). r=nelson
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocspi.h
security/nss/lib/libpkix/include/pkix_pl_pki.h
security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -4476,17 +4476,17 @@ loser:
  * extension for OCSP, and return the value of that.  Otherwise return NULL.
  * We also let our caller know whether or not the responder chosen was
  * a default responder or not through the output variable isDefault;
  * its value has no meaning unless a good (non-null) value is returned
  * for the location.
  *
  * The result needs to be freed (PORT_Free) when no longer in use.
  */
-static char *
+char *
 ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
 			  PRBool *isDefault)
 {
     ocspCheckingContext *ocspcx;
 
     ocspcx = ocsp_GetCheckingContext(handle);
     if (ocspcx != NULL && ocspcx->useDefaultResponder) {
 	/*
--- a/security/nss/lib/certhigh/ocspi.h
+++ b/security/nss/lib/certhigh/ocspi.h
@@ -133,9 +133,30 @@ cert_ProcessOCSPResponse(CERTCertDBHandl
  *  RETURN:
  *    Status of the cache update operation.
  */
 
 SECStatus
 cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
                                    PRBool         *certIDWasConsumed);
 
+/*
+ * FUNCTION: ocsp_GetResponderLocation
+ *  Check ocspx context for user-designated responder URI first. If not
+ *  found, checks cert AIA extension.
+ * INPUTS:
+ *  CERTCertDBHandle *handle
+ *    certificate DB of the cert that is being checked
+ *  CERTCertificate *cert
+ *     The certificate being examined.
+ *  PRBool *certIDWasConsumed
+ *    Out parameter, if set to true, URI of default responder is
+ *    returned.
+ *  RETURN:
+ *    Responder URI.
+ */
+char *
+ocsp_GetResponderLocation(CERTCertDBHandle *handle,
+                          CERTCertificate *cert,
+                          PRBool *isDefault);
+
+
 #endif /* _OCSPI_H_ */
--- a/security/nss/lib/libpkix/include/pkix_pl_pki.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h
@@ -2569,17 +2569,16 @@ typedef PKIX_Error *
         PKIX_VerifyNode **pVerifyTree,
         void *plContext);
 
 PKIX_Error *
 pkix_pl_OcspRequest_Create(
         PKIX_PL_Cert *cert,
         PKIX_PL_OcspCertID *cid,
         PKIX_PL_Date *validity,
-        PKIX_Boolean addServiceLocator,
         PKIX_PL_Cert *signerCert,
         PKIX_Boolean *pURIFound,
         PKIX_PL_OcspRequest **pRequest,
         void *plContext);
 
 PKIX_Error *
 pkix_pl_OcspResponse_Create(
         PKIX_PL_OcspRequest *request,
--- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
@@ -208,17 +208,16 @@ pkix_OcspChecker_Check(
                 PKIX_DECREF(checker->cert);
                 checker->cert = cert;
 
                 /* create request */
                 PKIX_CHECK(pkix_pl_OcspRequest_Create
                         (cert,
                         cid,
                         validity,
-                        PKIX_FALSE,     /* PKIX_Boolean addServiceLocator */
                         NULL,           /* PKIX_PL_Cert *signerCert */
                         &uriFound,
                         &request,
                         plContext),
                         PKIX_OCSPREQUESTCREATEFAILED);
                 
                 /* No uri to check is considered passing! */
                 if (uriFound == PKIX_FALSE) {
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
@@ -263,19 +263,16 @@ pkix_pl_OcspRequest_RegisterSelf(void *p
  *
  * PARAMETERS:
  *  "cert"
  *     Address of the Cert for which an OcspRequest is to be created. Must be
  *     non-NULL.
  *  "validity"
  *     Address of the Date for which the Cert's validity is to be determined.
  *     May be NULL.
- *  "addServiceLocator"
- *     Boolean value indicating whether the request should include the
- *     AddServiceLocator extension
  *  "signerCert"
  *     Address of the Cert to be used, if present, in signing the request.
  *     May be NULL.
  *  "pRequest"
  *     Address at which the result is stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
@@ -285,24 +282,24 @@ pkix_pl_OcspRequest_RegisterSelf(void *p
  *  Returns an OcspRequest Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 pkix_pl_OcspRequest_Create(
         PKIX_PL_Cert *cert,
         PKIX_PL_OcspCertID *cid,
         PKIX_PL_Date *validity,
-        PKIX_Boolean addServiceLocator,
         PKIX_PL_Cert *signerCert,
         PKIX_Boolean *pURIFound,
         PKIX_PL_OcspRequest **pRequest,
         void *plContext)
 {
         PKIX_PL_OcspRequest *ocspRequest = NULL;
 
+        CERTCertDBHandle *handle = NULL;
         SECStatus rv = SECFailure;
         SECItem *encoding = NULL;
         CERTOCSPRequest *certRequest = NULL;
         int64 time = 0;
         PRBool addServiceLocatorExtension = PR_FALSE;
         CERTCertificate *nssCert = NULL;
         CERTCertificate *nssSignerCert = NULL;
         char *location = NULL;
@@ -320,61 +317,58 @@ pkix_pl_OcspRequest_Create(
                     PKIX_COULDNOTCREATEOBJECT);
 
         PKIX_INCREF(cert);
         ocspRequest->cert = cert;
 
         PKIX_INCREF(validity);
         ocspRequest->validity = validity;
 
-        ocspRequest->addServiceLocator = addServiceLocator;
-
         PKIX_INCREF(signerCert);
         ocspRequest->signerCert = signerCert;
 
         ocspRequest->decoded = NULL;
         ocspRequest->encoded = NULL;
 
         ocspRequest->location = NULL;
 
         nssCert = cert->nssCert;
 
         /*
          * Does this Cert have an Authority Information Access extension with
          * the URI of an OCSP responder?
          */
-        location = CERT_GetOCSPAuthorityInfoAccessLocation(nssCert);
-
+        handle = CERT_GetDefaultCertDB();
+        location = ocsp_GetResponderLocation(handle, nssCert,
+                                             &addServiceLocatorExtension);
         if (location == NULL) {
                 locError = PORT_GetError();
-                if (locError == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
-                        *pURIFound = PKIX_FALSE;
-                        goto cleanup;
-                } else {
-                        PKIX_ERROR(PKIX_ERRORFINDINGORPROCESSINGURI);
+                if (locError == SEC_ERROR_EXTENSION_NOT_FOUND ||
+                    locError == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
+                    PORT_SetError(0);
+                    *pURIFound = PKIX_FALSE;
+                    goto cleanup;
                 }
-        } else {
-                ocspRequest->location = location;
-                *pURIFound = PKIX_TRUE;
+                PKIX_ERROR(PKIX_ERRORFINDINGORPROCESSINGURI);
         }
 
+        ocspRequest->location = location;
+        *pURIFound = PKIX_TRUE;
+
         if (signerCert != NULL) {
                 nssSignerCert = signerCert->nssCert;
         }
 
         if (validity != NULL) {
 		PKIX_CHECK(pkix_pl_Date_GetPRTime(validity, &time, plContext),
 			PKIX_DATEGETPRTIMEFAILED);
         } else {
                 time = PR_Now();
 	}
 
-        addServiceLocatorExtension = 
-                ((addServiceLocator == PKIX_TRUE)? PR_TRUE : PR_FALSE);
-
         certRequest = cert_CreateSingleCertOCSPRequest(
                 cid->certID, cert->nssCert, time, 
                 addServiceLocatorExtension, nssSignerCert);
 
         ocspRequest->decoded = certRequest;
 
         if (certRequest == NULL) {
                 PKIX_ERROR(PKIX_UNABLETOCREATECERTOCSPREQUEST);
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
@@ -62,17 +62,16 @@ struct PKIX_PL_OcspRequestStruct{
 
 /* see source file for function documentation */
 
 PKIX_Error *
 pkix_pl_OcspRequest_Create(
         PKIX_PL_Cert *cert,
         PKIX_PL_OcspCertID *cid,
         PKIX_PL_Date *validity,
-        PKIX_Boolean addServiceLocator,
         PKIX_PL_Cert *signerCert,
         PKIX_Boolean *pURIFound,
         PKIX_PL_OcspRequest **pRequest,
         void *plContext);
 
 PKIX_Error *
 pkix_pl_OcspRequest_GetEncoded(
         PKIX_PL_OcspRequest *request,