Bug 436414: Rename "mechanism" to "method" in function or variable/argument NSS_3_15_4_BETA9
authorWan-Teh Chang <wtc@google.com>
Thu, 19 Dec 2013 13:57:07 -0800
changeset 10977 a3d86225543c74c2081cc6fc06d48055c2cb1b58
parent 10976 09ae2945caf78668e02cd18db8b468618b120e42
child 10978 89b0df2afc5a35aef03df66f5e84fc774702e30a
push id252
push userwtc@google.com
push dateThu, 19 Dec 2013 21:57:15 +0000
bugs436414
Bug 436414: Rename "mechanism" to "method" in function or variable/argument names that refer to the HTTP GET and POST methods. Do not export CERT_GetEncodedOCSPResponseByMethod because it is not declared in ocsp.h. Rename CERT_GetSPKIDigest to CERT_GetSubjectPublicKeyDigest. r=briansmith.
cmd/httpserv/httpserv.c
lib/certdb/cert.h
lib/certhigh/ocsp.c
lib/certhigh/ocspsig.c
lib/libpkix/pkix/checker/pkix_ocspchecker.c
lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
lib/nss/nss.def
--- a/cmd/httpserv/httpserv.c
+++ b/cmd/httpserv/httpserv.c
@@ -1065,29 +1065,29 @@ ocsp_CreateSelfCAID(PLArenaPool *arena, 
         goto loser;
     }
 
     if (CERT_GetSubjectNameDigest(arena, cert, SEC_OID_MD2,
                                   &(certID->issuerMD2NameHash)) == NULL) {
         goto loser;
     }
 
-    if (CERT_GetSPKIDigest(arena, cert, SEC_OID_SHA1,
-				   &(certID->issuerKeyHash)) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_SHA1,
+				       &certID->issuerKeyHash) == NULL) {
 	goto loser;
     }
     certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
     certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
     /* cache the other two hash algorithms as well */
-    if (CERT_GetSPKIDigest(arena, cert, SEC_OID_MD5,
-				   &(certID->issuerMD5KeyHash)) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_MD5,
+				       &certID->issuerMD5KeyHash) == NULL) {
 	goto loser;
     }
-    if (CERT_GetSPKIDigest(arena, cert, SEC_OID_MD2,
-				   &(certID->issuerMD2KeyHash)) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_MD2,
+				       &certID->issuerMD2KeyHash) == NULL) {
 	goto loser;
     }
 
     PORT_ArenaUnmark(arena, mark);
     return certID;
 
 loser:
     PORT_ArenaRelease(arena, mark);
--- a/lib/certdb/cert.h
+++ b/lib/certdb/cert.h
@@ -1499,24 +1499,28 @@ CERT_LockCertTrust(const CERTCertificate
 /*
  * Free the cert trust lock
  */
 void
 CERT_UnlockCertTrust(const CERTCertificate *cert);
 
 /*
  * Digest the cert's subject public key using the specified algorithm.
+ * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
+ * the tag, length, and number of unused bits) rather than the whole
+ * subjectPublicKeyInfo field.
+ *
  * The necessary storage for the digest data is allocated.  If "fill" is
  * non-null, the data is put there, otherwise a SECItem is allocated.
  * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
  * results in a NULL being returned (and an appropriate error set).
  */ 
 extern SECItem *
-CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
-                   SECOidTag digestAlg, SECItem *fill);
+CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert,
+                               SECOidTag digestAlg, SECItem *fill);
 
 /*
  * Digest the cert's subject name using the specified algorithm.
  */
 extern SECItem *
 CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
                           SECOidTag digestAlg, SECItem *fill);
 
--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -102,17 +102,17 @@ static struct OCSPGlobalStruct {
 
 
 
 /* Forward declarations */
 static SECItem *
 ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, 
                                        CERTOCSPRequest *request,
                                        const char *location,
-				       const char *mechanism,
+				       const char *method,
 				       PRTime time,
                                        PRBool addServiceLocator,
                                        void *pwArg,
                                        CERTOCSPRequest **pRequest);
 static SECStatus
 ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, 
                               CERTOCSPCertID *certID, 
                               CERTCertificate *cert, 
@@ -1624,18 +1624,18 @@ loser:
 /*
  * Digest the cert's subject public key using the specified algorithm.
  * The necessary storage for the digest data is allocated.  If "fill" is
  * non-null, the data is put there, otherwise a SECItem is allocated.
  * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
  * results in a NULL being returned (and an appropriate error set).
  */
 SECItem *
-CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
-                           SECOidTag digestAlg, SECItem *fill)
+CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert,
+                               SECOidTag digestAlg, SECItem *fill)
 {
     SECItem spk;
 
     /*
      * Copy just the length and data pointer (nothing needs to be freed)
      * of the subject public key so we can convert the length from bits
      * to bytes, which is what the digest function expects.
      */
@@ -1711,29 +1711,29 @@ ocsp_CreateCertID(PLArenaPool *arena, CE
         goto loser;
     }
 
     if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2,
                                   &(certID->issuerMD2NameHash)) == NULL) {
         goto loser;
     }
 
-    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_SHA1,
-				   &(certID->issuerKeyHash)) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1,
+				       &certID->issuerKeyHash) == NULL) {
 	goto loser;
     }
     certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
     certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
     /* cache the other two hash algorithms as well */
-    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD5,
-				   &(certID->issuerMD5KeyHash)) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5,
+				       &certID->issuerMD5KeyHash) == NULL) {
 	goto loser;
     }
-    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD2,
-				   &(certID->issuerMD2KeyHash)) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2,
+				       &certID->issuerMD2KeyHash) == NULL) {
 	goto loser;
     }
 
 
     /* now we are done with issuerCert */
     CERT_DestroyCertificate(issuerCert);
     issuerCert = NULL;
 
@@ -3462,17 +3462,17 @@ loser:
 	PORT_Free(path);
     if (hostname != NULL)
 	PORT_Free(hostname);
     
     return encodedResponse;
 }
 
 /*
- * FUNCTION: CERT_GetEncodedOCSPResponseByMechanism
+ * FUNCTION: CERT_GetEncodedOCSPResponseByMethod
  *   Creates and sends a request to an OCSP responder, then reads and
  *   returns the (encoded) response.
  * INPUTS:
  *   PLArenaPool *arena
  *     Pointer to arena from which return value will be allocated.
  *     If NULL, result will be allocated from the heap (and thus should
  *     be freed via SECITEM_FreeItem).
  *   CERTCertList *certList
@@ -3480,20 +3480,20 @@ loser:
  *     Note that all of these certificates should have the same issuer,
  *     or it's expected the response will be signed by a trusted responder.
  *     If the certs need to be broken up into multiple requests, that
  *     must be handled by the caller (and thus by having multiple calls
  *     to this routine), who knows about where the request(s) are being
  *     sent and whether there are any trusted responders in place.
  *   const char *location
  *     The location of the OCSP responder (a URL).
- *   const char *mechanism
- *     The protocol mechanisms used when retrieving the OCSP response.
+ *   const char *method
+ *     The protocol method used when retrieving the OCSP response.
  *     Currently support: "GET" (http GET) and "POST" (http POST).
- *     Additionals mechanisms for http or other protocols might be added
+ *     Additionals methods for http or other protocols might be added
  *     in the future.
  *   PRTime time
  *     Indicates the time for which the certificate status is to be 
  *     determined -- this may be used in the search for the cert's issuer
  *     but has no other bearing on the operation.
  *   PRBool addServiceLocator
  *     If true, the Service Locator extension should be added to the
  *     single request(s) for each cert.
@@ -3513,50 +3513,50 @@ loser:
  *   Returns a pointer to the SECItem holding the response.
  *   On error, returns null with error set describing the reason:
  *	SEC_ERROR_UNKNOWN_ISSUER
  *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
  *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
  *   Other errors are low-level problems (no memory, bad database, etc.).
  */
 SECItem *
-CERT_GetEncodedOCSPResponseByMechanism(PLArenaPool *arena, CERTCertList *certList,
-				       const char *location, const char *mechanism,
-				       PRTime time, PRBool addServiceLocator,
-				       CERTCertificate *signerCert, void *pwArg,
-				       CERTOCSPRequest **pRequest)
+CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList,
+				    const char *location, const char *method,
+				    PRTime time, PRBool addServiceLocator,
+				    CERTCertificate *signerCert, void *pwArg,
+				    CERTOCSPRequest **pRequest)
 {
     CERTOCSPRequest *request;
     request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
                                      signerCert);
     if (!request)
         return NULL;
-    return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, 
-                                                  mechanism, time, addServiceLocator, 
+    return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
+                                                  method, time, addServiceLocator,
                                                   pwArg, pRequest);
 }
 
 /*
  * FUNCTION: CERT_GetEncodedOCSPResponse
  *   Creates and sends a request to an OCSP responder, then reads and
  *   returns the (encoded) response.
  *
  * This is a legacy API that behaves identically to
- * CERT_GetEncodedOCSPResponseByMechanism using the "POST" mechanism.
+ * CERT_GetEncodedOCSPResponseByMethod using the "POST" method.
  */
 SECItem *
 CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
 			    const char *location, PRTime time,
 			    PRBool addServiceLocator,
 			    CERTCertificate *signerCert, void *pwArg,
 			    CERTOCSPRequest **pRequest)
 {
-    return CERT_GetEncodedOCSPResponseByMechanism(arena, certList, location,
-                                                  "POST", time, addServiceLocator,
-						  signerCert, pwArg, pRequest);
+    return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location,
+					       "POST", time, addServiceLocator,
+					       signerCert, pwArg, pRequest);
 }
 
 /* URL encode a buffer that consists of base64-characters, only,
  * which means we can use a simple encoding logic.
  * 
  * No output buffer size checking is performed.
  * You should call the function twice, to calculate the required buffer size.
  * 
@@ -3619,17 +3619,17 @@ enum { max_get_request_size = 255 }; /* 
 static SECItem *
 cert_GetOCSPResponse(PLArenaPool *arena, const char *location, 
                      const SECItem *encodedRequest);
 
 static SECItem *
 ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
                                        CERTOCSPRequest *request,
                                        const char *location,
-				       const char *mechanism,
+				       const char *method,
 				       PRTime time,
                                        PRBool addServiceLocator,
                                        void *pwArg,
                                        CERTOCSPRequest **pRequest)
 {
     SECItem *encodedRequest = NULL;
     SECItem *encodedResponse = NULL;
     SECStatus rv;
@@ -3641,20 +3641,20 @@ ocsp_GetEncodedOCSPResponseFromRequest(P
 					 SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
     if (rv != SECSuccess)
 	goto loser;
 
     encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
     if (encodedRequest == NULL)
 	goto loser;
 
-    if (!strcmp(mechanism, "GET")) {
+    if (!strcmp(method, "GET")) {
         encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest);
     }
-    else if (!strcmp(mechanism, "POST")) {
+    else if (!strcmp(method, "POST")) {
         encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
     }
     else {
 	goto loser;
     }
 
     if (encodedResponse != NULL && pRequest != NULL) {
 	*pRequest = request;
@@ -3668,17 +3668,17 @@ loser:
 	SECITEM_FreeItem(encodedRequest, PR_TRUE);
     return encodedResponse;
 }
 
 static SECItem *
 cert_FetchOCSPResponse(PLArenaPool *arena,  const char *location, 
                        const SECItem *encodedRequest);
 
-/* using HTTP GET mechanism */
+/* using HTTP GET method */
 static SECItem *
 cert_GetOCSPResponse(PLArenaPool *arena, const char *location, 
                      const SECItem *encodedRequest)
 {
     char *walkOutput = NULL;
     char *fullGetPath = NULL;
     size_t pathLength;
     PRInt32 urlEncodedBufLength;
@@ -3773,29 +3773,29 @@ cert_FetchOCSPResponse(PLArenaPool *aren
     return encodedResponse;
 }
 
 static SECItem *
 ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena, 
                                          CERTOCSPCertID *certID, 
                                          CERTCertificate *singleCert, 
                                          const char *location,
-					 const char *mechanism,
+					 const char *method,
 					 PRTime time,
                                          PRBool addServiceLocator,
                                          void *pwArg,
                                          CERTOCSPRequest **pRequest)
 {
     CERTOCSPRequest *request;
     request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time, 
                                                addServiceLocator, NULL);
     if (!request)
         return NULL;
-    return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, 
-                                                  mechanism, time, addServiceLocator, 
+    return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
+                                                  method, time, addServiceLocator,
                                                   pwArg, pRequest);
 }
 
 /* Checks a certificate for the key usage extension of OCSP signer. */
 static PRBool
 ocsp_CertIsOCSPDesignatedResponder(CERTCertificate *cert)
 {
     SECStatus rv;
@@ -3876,29 +3876,32 @@ static PRBool
 ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
 {
     SECItem item;
     unsigned char buf[HASH_LENGTH_MAX];
 
     item.data = buf;
     item.len = SHA1_LENGTH;
 
-    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_SHA1, &item) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_SHA1,
+				       &item) == NULL) {
 	return PR_FALSE;
     }
     if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
 	return PR_TRUE;
     }
-    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD5, &item) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD5,
+				       &item) == NULL) {
 	return PR_FALSE;
     }
     if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
 	return PR_TRUE;
     }
-    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD2, &item) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD2,
+				       &item) == NULL) {
 	return PR_FALSE;
     }
     if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
 	return PR_TRUE;
     }
 
     return PR_FALSE;
 }
@@ -4441,17 +4444,17 @@ ocsp_AuthorizedResponderForCertID(CERTCe
      * of the cert. For that we will use signer cert key hash and cert subj
      * name hash and will compare them with already calculated issuer key
      * hash and issuer name hash. The hash algorithm is picked from response
      * certID hash to avoid second hash calculation.
      */
 
     hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm);
 
-    keyHash = CERT_GetSPKIDigest(NULL, signerCert, hashAlg, NULL);
+    keyHash = CERT_GetSubjectPublicKeyDigest(NULL, signerCert, hashAlg, NULL);
     if (keyHash != NULL) {
 
         keyHashEQ =
             (SECITEM_CompareItem(keyHash,
                                  &certID->issuerKeyHash) == SECEqual);
         SECITEM_FreeItem(keyHash, PR_TRUE);
     }
     if (keyHashEQ &&
@@ -4488,17 +4491,17 @@ ocsp_AuthorizedResponderForCertID(CERTCe
          * We could leave the SEC_ERROR_UNKNOWN_ISSUER error alone,
          * but the following will give slightly more information.
          * Once we have an error stack, things will be much better.
          */
         PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
         return PR_FALSE;
     }
 
-    keyHash = CERT_GetSPKIDigest(NULL, issuerCert, hashAlg, NULL);
+    keyHash = CERT_GetSubjectPublicKeyDigest(NULL, issuerCert, hashAlg, NULL);
     nameHash = CERT_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL);
 
     CERT_DestroyCertificate(issuerCert);
 
     if (keyHash != NULL && nameHash != NULL) {
         keyHashEQ = 
             (SECITEM_CompareItem(keyHash,
                                  &certID->issuerKeyHash) == SECEqual);
@@ -5274,47 +5277,48 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDB
     /*
      * XXX If/when signing of requests is supported, that second NULL
      * should be changed to be the signer certificate.  Not sure if that
      * should be passed into this function or retrieved via some operation
      * on the handle/context.
      */
 
     do {
-	const char *mechanism;
+	const char *method;
 	PRBool validResponseWithAccurateInfo = PR_FALSE;
 	retry = PR_FALSE;
 	*rv_ocsp = SECFailure;
 
 	if (currentStage == stageGET) {
-	    mechanism = "GET";
-	} else if (currentStage == stagePOST) {
-	    mechanism = "POST";
+	    method = "GET";
 	} else {
-	    PORT_Assert(0); /* our code is flawed */
+	    PORT_Assert(currentStage == stagePOST);
+	    method = "POST";
 	}
 
 	encodedResponse = 
 	    ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
-						     location, mechanism,
+						     location, method,
 						     time, locationIsDefault,
 						     pwArg, &request);
 
 	if (encodedResponse) {
 	    rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
 							    time, pwArg,
 							    encodedResponse,
 							    &decodedResponse,
 							    &singleResponse);
 	    if (rv == SECSuccess) {
 		switch (singleResponse->certStatus->certStatusType) {
 		    case ocspCertStatus_good:
 		    case ocspCertStatus_revoked:
 			validResponseWithAccurateInfo = PR_TRUE;
 			break;
+		    default:
+			break;
 		}
 		*rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
 	    }
 	}
 
 	if (currentStage == stageGET) {
 	    /* only accept GET response if good or revoked */
 	    if (validResponseWithAccurateInfo) {
--- a/lib/certhigh/ocspsig.c
+++ b/lib/certhigh/ocspsig.c
@@ -467,18 +467,18 @@ CERT_CreateEncodedOCSPSuccessResponse(
 	if (responderIDType == ocspResponderID_byName) {
 	    responderIDTemplate = ocsp_ResponderIDByNameTemplate;
 	    if (CERT_CopyName(tmpArena, &rid->responderIDValue.name,
 			    &responderCert->subject) != SECSuccess)
 		goto done;
 	}
 	else {
 	    responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
-	    if (!CERT_GetSPKIDigest(tmpArena, responderCert, SEC_OID_SHA1,
-					&rid->responderIDValue.keyHash))
+	    if (!CERT_GetSubjectPublicKeyDigest(tmpArena, responderCert,
+				SEC_OID_SHA1, &rid->responderIDValue.keyHash))
 		goto done;
 	}
 
 	if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
 		responderIDTemplate))
 	    goto done;
 
 	br->tbsResponseData = rd;
--- a/lib/libpkix/pkix/checker/pkix_ocspchecker.c
+++ b/lib/libpkix/pkix/checker/pkix_ocspchecker.c
@@ -270,31 +270,30 @@ pkix_OcspChecker_CheckExternal(
             /* Do not try HTTP GET, only HTTP POST */
             currentStage = stagePOST;
         } else {
             /* Try HTTP GET first, falling back to POST */
             currentStage = stageGET;
         }
 
         do {
-                const char *mechanism;
+                const char *method;
                 passed = PKIX_TRUE;
 
                 retry = PR_FALSE;
                 if (currentStage == stageGET) {
-                        mechanism = "GET";
-                } else if (currentStage == stagePOST) {
-                        mechanism = "POST";
+                        method = "GET";
                 } else {
-                        PORT_Assert(0); /* our code is flawed */
+                        PORT_Assert(currentStage == stagePOST);
+                        method = "POST";
                 }
 
                 /* send request and create a response object */
                 PKIX_CHECK_NO_GOTO(
-                    pkix_pl_OcspResponse_Create(request, mechanism, NULL,
+                    pkix_pl_OcspResponse_Create(request, method, NULL,
                                                 checker->certVerifyFcn,
                                                 &nbioContext,
                                                 &response,
                                                 plContext),
                     PKIX_OCSPRESPONSECREATEFAILED);
 
                 if (pkixErrorResult) {
                     passed = PKIX_FALSE;
--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
+++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
@@ -336,17 +336,17 @@ pkix_pl_OcspResponse_RegisterSelf(void *
  *  supplied, the default verification function is used.
  *
  *  The contents of "request" are ignored on calls subsequent to a WOULDBLOCK
  *  return, and the caller is permitted to supply NULL.
  *
  * PARAMETERS
  *  "request"
  *      Address of the OcspRequest for which a response is desired.
- *  "httpMechanism"
+ *  "httpMethod"
  *      GET or POST
  *  "responder"
  *      Address, if non-NULL, of the SEC_HttpClientFcn to be sent the OCSP
  *      query.
  *  "verifyFcn"
  *      Address, if non-NULL, of the OcspResponse_VerifyCallback function to be
  *      used to verify the Cert of the OCSP responder.
  *  "pNBIOContext"
@@ -361,17 +361,17 @@ pkix_pl_OcspResponse_RegisterSelf(void *
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns an OcspResponse Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 pkix_pl_OcspResponse_Create(
         PKIX_PL_OcspRequest *request,
-        const char *httpMechanism,
+        const char *httpMethod,
         void *responder,
         PKIX_PL_VerifyCallback verifyFcn,
         void **pNBIOContext,
         PKIX_PL_OcspResponse **pResponse,
         void *plContext)
 {
         void *nbioContext = NULL;
         PKIX_PL_OcspResponse *ocspResponse = NULL;
@@ -387,17 +387,17 @@ pkix_pl_OcspResponse_Create(
         SEC_HTTP_REQUEST_SESSION sessionRequest = NULL;
         SECItem *encodedRequest = NULL;
         PRUint16 responseCode = 0;
         char *responseData = NULL;
  
         PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Create");
         PKIX_NULLCHECK_TWO(pNBIOContext, pResponse);
 
-	if (!strcmp(httpMechanism, "GET") && !strcmp(httpMechanism, "POST")) {
+	if (!strcmp(httpMethod, "GET") && !strcmp(httpMethod, "POST")) {
 		PKIX_ERROR(PKIX_INVALIDOCSPHTTPMETHOD);
 	}
 
         nbioContext = *pNBIOContext;
         *pNBIOContext = NULL;
 
         if (nbioContext != NULL) {
 
@@ -426,17 +426,17 @@ pkix_pl_OcspResponse_Create(
                     httpClient = (const SEC_HttpClientFcn *)responder;
                 } else {
                     httpClient = SEC_GetRegisteredHttpClient();
                 }
 
                 if (httpClient && (httpClient->version == 1)) {
 			char *fullGetPath = NULL;
 			const char *sessionPath = NULL;
-			PRBool usePOST = !strcmp(httpMechanism, "POST");
+			PRBool usePOST = !strcmp(httpMethod, "POST");
 
                         hcv1 = &(httpClient->fcnTable.ftable1);
 
                         PKIX_CHECK(pkix_pl_OcspRequest_GetLocation
                                 (request, &location, plContext),
                                 PKIX_OCSPREQUESTGETLOCATIONFAILED);
 
                         /* parse location -> hostname, port, path */    
@@ -451,34 +451,34 @@ pkix_pl_OcspResponse_Create(
                                 PKIX_ERROR(PKIX_OCSPSERVERERROR);
                         }       
 
 			if (usePOST) {
 				sessionPath = path;
 			} else {
 				/* calculate, are we allowed to use GET? */
 				enum { max_get_request_size = 255 }; /* defined by RFC2560 */
-				unsigned char b64ReqBuf[max_get_request_size+1];
+				char b64ReqBuf[max_get_request_size+1];
 				size_t base64size;
 				size_t slashLengthIfNeeded = 0;
 				size_t pathLength;
 				PRInt32 urlEncodedBufLength;
 				size_t getURLLength;
 				char *walkOutput = NULL;
 
 				pathLength = strlen(path);
 				if (path[pathLength-1] != '/') {
 					slashLengthIfNeeded = 1;
 				}
 				base64size = (((encodedRequest->len +2)/3) * 4);
 				if (base64size > max_get_request_size) {
 					PKIX_ERROR(PKIX_OCSPGETREQUESTTOOBIG);
 				}
 				memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
-				PL_Base64Encode(encodedRequest->data, encodedRequest->len, b64ReqBuf);
+				PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len, b64ReqBuf);
 				urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
 				getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
 				fullGetPath = (char*)PORT_Alloc(getURLLength);
 				if (!fullGetPath) {
 					PKIX_ERROR(PKIX_OUTOFMEMORY);
 				}
 				strcpy(fullGetPath, path);
 				walkOutput = fullGetPath + pathLength;
@@ -486,17 +486,17 @@ pkix_pl_OcspResponse_Create(
 					strcpy(walkOutput, "/");
 					++walkOutput;
 				}
 				ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput);
 				sessionPath = fullGetPath;
 			}
 
                         rv = (*hcv1->createFcn)(serverSession, "http",
-                                                sessionPath, httpMechanism,
+                                                sessionPath, httpMethod,
                                                 PR_SecondsToInterval(timeout),
                                                 &sessionRequest);
 			sessionPath = NULL;
 			if (fullGetPath) {
 				PORT_Free(fullGetPath);
 				fullGetPath = NULL;
 			}
 			
--- a/lib/nss/nss.def
+++ b/lib/nss/nss.def
@@ -1035,14 +1035,13 @@ PK11_Encrypt;
 CERT_PostOCSPRequest;
 CERT_AddCertToListHead;
 ;+    local:
 ;+       *;
 ;+};
 ;+NSS_3.15.4 { 	# NSS 3.15.4 release
 ;+    global:
 CERT_ForcePostMethodForOCSP;
-CERT_GetEncodedOCSPResponseByMechanism;
-CERT_GetSPKIDigest;
 CERT_GetSubjectNameDigest;
+CERT_GetSubjectPublicKeyDigest;
 ;+    local:
 ;+       *;
 ;+};