408847 - pkix_OcspChecker_Check does not support specified responder (and given signercert). r=nelson
408847 - pkix_OcspChecker_Check does not support specified responder (and given signercert). r=nelson
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -4476,17 +4476,17 @@ loser:
* extension for OCSP, and return the value of that. Otherwise return NULL.
* We also let our caller know whether or not the responder chosen was
* a default responder or not through the output variable isDefault;
* its value has no meaning unless a good (non-null) value is returned
* for the location.
*
* The result needs to be freed (PORT_Free) when no longer in use.
*/
-static char *
+char *
ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
PRBool *isDefault)
{
ocspCheckingContext *ocspcx;
ocspcx = ocsp_GetCheckingContext(handle);
if (ocspcx != NULL && ocspcx->useDefaultResponder) {
/*
--- a/security/nss/lib/certhigh/ocspi.h
+++ b/security/nss/lib/certhigh/ocspi.h
@@ -133,9 +133,30 @@ cert_ProcessOCSPResponse(CERTCertDBHandl
* RETURN:
* Status of the cache update operation.
*/
SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
PRBool *certIDWasConsumed);
+/*
+ * FUNCTION: ocsp_GetResponderLocation
+ * Check ocspx context for user-designated responder URI first. If not
+ * found, checks cert AIA extension.
+ * INPUTS:
+ * CERTCertDBHandle *handle
+ * certificate DB of the cert that is being checked
+ * CERTCertificate *cert
+ * The certificate being examined.
+ * PRBool *certIDWasConsumed
+ * Out parameter, if set to true, URI of default responder is
+ * returned.
+ * RETURN:
+ * Responder URI.
+ */
+char *
+ocsp_GetResponderLocation(CERTCertDBHandle *handle,
+ CERTCertificate *cert,
+ PRBool *isDefault);
+
+
#endif /* _OCSPI_H_ */
--- a/security/nss/lib/libpkix/include/pkix_pl_pki.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h
@@ -2569,17 +2569,16 @@ typedef PKIX_Error *
PKIX_VerifyNode **pVerifyTree,
void *plContext);
PKIX_Error *
pkix_pl_OcspRequest_Create(
PKIX_PL_Cert *cert,
PKIX_PL_OcspCertID *cid,
PKIX_PL_Date *validity,
- PKIX_Boolean addServiceLocator,
PKIX_PL_Cert *signerCert,
PKIX_Boolean *pURIFound,
PKIX_PL_OcspRequest **pRequest,
void *plContext);
PKIX_Error *
pkix_pl_OcspResponse_Create(
PKIX_PL_OcspRequest *request,
--- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
@@ -208,17 +208,16 @@ pkix_OcspChecker_Check(
PKIX_DECREF(checker->cert);
checker->cert = cert;
/* create request */
PKIX_CHECK(pkix_pl_OcspRequest_Create
(cert,
cid,
validity,
- PKIX_FALSE, /* PKIX_Boolean addServiceLocator */
NULL, /* PKIX_PL_Cert *signerCert */
&uriFound,
&request,
plContext),
PKIX_OCSPREQUESTCREATEFAILED);
/* No uri to check is considered passing! */
if (uriFound == PKIX_FALSE) {
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
@@ -263,19 +263,16 @@ pkix_pl_OcspRequest_RegisterSelf(void *p
*
* PARAMETERS:
* "cert"
* Address of the Cert for which an OcspRequest is to be created. Must be
* non-NULL.
* "validity"
* Address of the Date for which the Cert's validity is to be determined.
* May be NULL.
- * "addServiceLocator"
- * Boolean value indicating whether the request should include the
- * AddServiceLocator extension
* "signerCert"
* Address of the Cert to be used, if present, in signing the request.
* May be NULL.
* "pRequest"
* Address at which the result is stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
@@ -285,24 +282,24 @@ pkix_pl_OcspRequest_RegisterSelf(void *p
* Returns an OcspRequest Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_OcspRequest_Create(
PKIX_PL_Cert *cert,
PKIX_PL_OcspCertID *cid,
PKIX_PL_Date *validity,
- PKIX_Boolean addServiceLocator,
PKIX_PL_Cert *signerCert,
PKIX_Boolean *pURIFound,
PKIX_PL_OcspRequest **pRequest,
void *plContext)
{
PKIX_PL_OcspRequest *ocspRequest = NULL;
+ CERTCertDBHandle *handle = NULL;
SECStatus rv = SECFailure;
SECItem *encoding = NULL;
CERTOCSPRequest *certRequest = NULL;
int64 time = 0;
PRBool addServiceLocatorExtension = PR_FALSE;
CERTCertificate *nssCert = NULL;
CERTCertificate *nssSignerCert = NULL;
char *location = NULL;
@@ -320,61 +317,58 @@ pkix_pl_OcspRequest_Create(
PKIX_COULDNOTCREATEOBJECT);
PKIX_INCREF(cert);
ocspRequest->cert = cert;
PKIX_INCREF(validity);
ocspRequest->validity = validity;
- ocspRequest->addServiceLocator = addServiceLocator;
-
PKIX_INCREF(signerCert);
ocspRequest->signerCert = signerCert;
ocspRequest->decoded = NULL;
ocspRequest->encoded = NULL;
ocspRequest->location = NULL;
nssCert = cert->nssCert;
/*
* Does this Cert have an Authority Information Access extension with
* the URI of an OCSP responder?
*/
- location = CERT_GetOCSPAuthorityInfoAccessLocation(nssCert);
-
+ handle = CERT_GetDefaultCertDB();
+ location = ocsp_GetResponderLocation(handle, nssCert,
+ &addServiceLocatorExtension);
if (location == NULL) {
locError = PORT_GetError();
- if (locError == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
- *pURIFound = PKIX_FALSE;
- goto cleanup;
- } else {
- PKIX_ERROR(PKIX_ERRORFINDINGORPROCESSINGURI);
+ if (locError == SEC_ERROR_EXTENSION_NOT_FOUND ||
+ locError == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
+ PORT_SetError(0);
+ *pURIFound = PKIX_FALSE;
+ goto cleanup;
}
- } else {
- ocspRequest->location = location;
- *pURIFound = PKIX_TRUE;
+ PKIX_ERROR(PKIX_ERRORFINDINGORPROCESSINGURI);
}
+ ocspRequest->location = location;
+ *pURIFound = PKIX_TRUE;
+
if (signerCert != NULL) {
nssSignerCert = signerCert->nssCert;
}
if (validity != NULL) {
PKIX_CHECK(pkix_pl_Date_GetPRTime(validity, &time, plContext),
PKIX_DATEGETPRTIMEFAILED);
} else {
time = PR_Now();
}
- addServiceLocatorExtension =
- ((addServiceLocator == PKIX_TRUE)? PR_TRUE : PR_FALSE);
-
certRequest = cert_CreateSingleCertOCSPRequest(
cid->certID, cert->nssCert, time,
addServiceLocatorExtension, nssSignerCert);
ocspRequest->decoded = certRequest;
if (certRequest == NULL) {
PKIX_ERROR(PKIX_UNABLETOCREATECERTOCSPREQUEST);
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
@@ -62,17 +62,16 @@ struct PKIX_PL_OcspRequestStruct{
/* see source file for function documentation */
PKIX_Error *
pkix_pl_OcspRequest_Create(
PKIX_PL_Cert *cert,
PKIX_PL_OcspCertID *cid,
PKIX_PL_Date *validity,
- PKIX_Boolean addServiceLocator,
PKIX_PL_Cert *signerCert,
PKIX_Boolean *pURIFound,
PKIX_PL_OcspRequest **pRequest,
void *plContext);
PKIX_Error *
pkix_pl_OcspRequest_GetEncoded(
PKIX_PL_OcspRequest *request,