--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -102,17 +102,17 @@ static struct OCSPGlobalStruct {
/* Forward declarations */
static SECItem *
ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
CERTOCSPRequest *request,
const char *location,
- const char *mechanism,
+ const char *method,
PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest);
static SECStatus
ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
CERTOCSPCertID *certID,
CERTCertificate *cert,
@@ -1624,18 +1624,18 @@ loser:
/*
* Digest the cert's subject public key using the specified algorithm.
* The necessary storage for the digest data is allocated. If "fill" is
* non-null, the data is put there, otherwise a SECItem is allocated.
* Allocation from "arena" if it is non-null, heap otherwise. Any problem
* results in a NULL being returned (and an appropriate error set).
*/
SECItem *
-CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
- SECOidTag digestAlg, SECItem *fill)
+CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert,
+ SECOidTag digestAlg, SECItem *fill)
{
SECItem spk;
/*
* Copy just the length and data pointer (nothing needs to be freed)
* of the subject public key so we can convert the length from bits
* to bytes, which is what the digest function expects.
*/
@@ -1711,29 +1711,29 @@ ocsp_CreateCertID(PLArenaPool *arena, CE
goto loser;
}
if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2,
&(certID->issuerMD2NameHash)) == NULL) {
goto loser;
}
- if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_SHA1,
- &(certID->issuerKeyHash)) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1,
+ &certID->issuerKeyHash) == NULL) {
goto loser;
}
certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
/* cache the other two hash algorithms as well */
- if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD5,
- &(certID->issuerMD5KeyHash)) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5,
+ &certID->issuerMD5KeyHash) == NULL) {
goto loser;
}
- if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD2,
- &(certID->issuerMD2KeyHash)) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2,
+ &certID->issuerMD2KeyHash) == NULL) {
goto loser;
}
/* now we are done with issuerCert */
CERT_DestroyCertificate(issuerCert);
issuerCert = NULL;
@@ -3462,17 +3462,17 @@ loser:
PORT_Free(path);
if (hostname != NULL)
PORT_Free(hostname);
return encodedResponse;
}
/*
- * FUNCTION: CERT_GetEncodedOCSPResponseByMechanism
+ * FUNCTION: CERT_GetEncodedOCSPResponseByMethod
* Creates and sends a request to an OCSP responder, then reads and
* returns the (encoded) response.
* INPUTS:
* PLArenaPool *arena
* Pointer to arena from which return value will be allocated.
* If NULL, result will be allocated from the heap (and thus should
* be freed via SECITEM_FreeItem).
* CERTCertList *certList
@@ -3480,20 +3480,20 @@ loser:
* Note that all of these certificates should have the same issuer,
* or it's expected the response will be signed by a trusted responder.
* If the certs need to be broken up into multiple requests, that
* must be handled by the caller (and thus by having multiple calls
* to this routine), who knows about where the request(s) are being
* sent and whether there are any trusted responders in place.
* const char *location
* The location of the OCSP responder (a URL).
- * const char *mechanism
- * The protocol mechanisms used when retrieving the OCSP response.
+ * const char *method
+ * The protocol method used when retrieving the OCSP response.
* Currently support: "GET" (http GET) and "POST" (http POST).
- * Additionals mechanisms for http or other protocols might be added
+ * Additionals methods for http or other protocols might be added
* in the future.
* PRTime time
* Indicates the time for which the certificate status is to be
* determined -- this may be used in the search for the cert's issuer
* but has no other bearing on the operation.
* PRBool addServiceLocator
* If true, the Service Locator extension should be added to the
* single request(s) for each cert.
@@ -3513,50 +3513,50 @@ loser:
* Returns a pointer to the SECItem holding the response.
* On error, returns null with error set describing the reason:
* SEC_ERROR_UNKNOWN_ISSUER
* SEC_ERROR_CERT_BAD_ACCESS_LOCATION
* SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
* Other errors are low-level problems (no memory, bad database, etc.).
*/
SECItem *
-CERT_GetEncodedOCSPResponseByMechanism(PLArenaPool *arena, CERTCertList *certList,
- const char *location, const char *mechanism,
- PRTime time, PRBool addServiceLocator,
- CERTCertificate *signerCert, void *pwArg,
- CERTOCSPRequest **pRequest)
+CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList,
+ const char *location, const char *method,
+ PRTime time, PRBool addServiceLocator,
+ CERTCertificate *signerCert, void *pwArg,
+ CERTOCSPRequest **pRequest)
{
CERTOCSPRequest *request;
request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
signerCert);
if (!request)
return NULL;
- return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
- mechanism, time, addServiceLocator,
+ return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
+ method, time, addServiceLocator,
pwArg, pRequest);
}
/*
* FUNCTION: CERT_GetEncodedOCSPResponse
* Creates and sends a request to an OCSP responder, then reads and
* returns the (encoded) response.
*
* This is a legacy API that behaves identically to
- * CERT_GetEncodedOCSPResponseByMechanism using the "POST" mechanism.
+ * CERT_GetEncodedOCSPResponseByMethod using the "POST" method.
*/
SECItem *
CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
const char *location, PRTime time,
PRBool addServiceLocator,
CERTCertificate *signerCert, void *pwArg,
CERTOCSPRequest **pRequest)
{
- return CERT_GetEncodedOCSPResponseByMechanism(arena, certList, location,
- "POST", time, addServiceLocator,
- signerCert, pwArg, pRequest);
+ return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location,
+ "POST", time, addServiceLocator,
+ signerCert, pwArg, pRequest);
}
/* URL encode a buffer that consists of base64-characters, only,
* which means we can use a simple encoding logic.
*
* No output buffer size checking is performed.
* You should call the function twice, to calculate the required buffer size.
*
@@ -3619,17 +3619,17 @@ enum { max_get_request_size = 255 }; /*
static SECItem *
cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest);
static SECItem *
ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
CERTOCSPRequest *request,
const char *location,
- const char *mechanism,
+ const char *method,
PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest)
{
SECItem *encodedRequest = NULL;
SECItem *encodedResponse = NULL;
SECStatus rv;
@@ -3641,20 +3641,20 @@ ocsp_GetEncodedOCSPResponseFromRequest(P
SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
if (rv != SECSuccess)
goto loser;
encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
if (encodedRequest == NULL)
goto loser;
- if (!strcmp(mechanism, "GET")) {
+ if (!strcmp(method, "GET")) {
encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest);
}
- else if (!strcmp(mechanism, "POST")) {
+ else if (!strcmp(method, "POST")) {
encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
}
else {
goto loser;
}
if (encodedResponse != NULL && pRequest != NULL) {
*pRequest = request;
@@ -3668,17 +3668,17 @@ loser:
SECITEM_FreeItem(encodedRequest, PR_TRUE);
return encodedResponse;
}
static SECItem *
cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest);
-/* using HTTP GET mechanism */
+/* using HTTP GET method */
static SECItem *
cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest)
{
char *walkOutput = NULL;
char *fullGetPath = NULL;
size_t pathLength;
PRInt32 urlEncodedBufLength;
@@ -3773,29 +3773,29 @@ cert_FetchOCSPResponse(PLArenaPool *aren
return encodedResponse;
}
static SECItem *
ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena,
CERTOCSPCertID *certID,
CERTCertificate *singleCert,
const char *location,
- const char *mechanism,
+ const char *method,
PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest)
{
CERTOCSPRequest *request;
request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time,
addServiceLocator, NULL);
if (!request)
return NULL;
- return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
- mechanism, time, addServiceLocator,
+ return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
+ method, time, addServiceLocator,
pwArg, pRequest);
}
/* Checks a certificate for the key usage extension of OCSP signer. */
static PRBool
ocsp_CertIsOCSPDesignatedResponder(CERTCertificate *cert)
{
SECStatus rv;
@@ -3876,29 +3876,32 @@ static PRBool
ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
{
SECItem item;
unsigned char buf[HASH_LENGTH_MAX];
item.data = buf;
item.len = SHA1_LENGTH;
- if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_SHA1, &item) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_SHA1,
+ &item) == NULL) {
return PR_FALSE;
}
if (SECITEM_ItemsAreEqual(certIndex,&item)) {
return PR_TRUE;
}
- if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD5, &item) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD5,
+ &item) == NULL) {
return PR_FALSE;
}
if (SECITEM_ItemsAreEqual(certIndex,&item)) {
return PR_TRUE;
}
- if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD2, &item) == NULL) {
+ if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD2,
+ &item) == NULL) {
return PR_FALSE;
}
if (SECITEM_ItemsAreEqual(certIndex,&item)) {
return PR_TRUE;
}
return PR_FALSE;
}
@@ -4441,17 +4444,17 @@ ocsp_AuthorizedResponderForCertID(CERTCe
* of the cert. For that we will use signer cert key hash and cert subj
* name hash and will compare them with already calculated issuer key
* hash and issuer name hash. The hash algorithm is picked from response
* certID hash to avoid second hash calculation.
*/
hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm);
- keyHash = CERT_GetSPKIDigest(NULL, signerCert, hashAlg, NULL);
+ keyHash = CERT_GetSubjectPublicKeyDigest(NULL, signerCert, hashAlg, NULL);
if (keyHash != NULL) {
keyHashEQ =
(SECITEM_CompareItem(keyHash,
&certID->issuerKeyHash) == SECEqual);
SECITEM_FreeItem(keyHash, PR_TRUE);
}
if (keyHashEQ &&
@@ -4488,17 +4491,17 @@ ocsp_AuthorizedResponderForCertID(CERTCe
* We could leave the SEC_ERROR_UNKNOWN_ISSUER error alone,
* but the following will give slightly more information.
* Once we have an error stack, things will be much better.
*/
PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
return PR_FALSE;
}
- keyHash = CERT_GetSPKIDigest(NULL, issuerCert, hashAlg, NULL);
+ keyHash = CERT_GetSubjectPublicKeyDigest(NULL, issuerCert, hashAlg, NULL);
nameHash = CERT_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL);
CERT_DestroyCertificate(issuerCert);
if (keyHash != NULL && nameHash != NULL) {
keyHashEQ =
(SECITEM_CompareItem(keyHash,
&certID->issuerKeyHash) == SECEqual);
@@ -5274,47 +5277,48 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDB
/*
* XXX If/when signing of requests is supported, that second NULL
* should be changed to be the signer certificate. Not sure if that
* should be passed into this function or retrieved via some operation
* on the handle/context.
*/
do {
- const char *mechanism;
+ const char *method;
PRBool validResponseWithAccurateInfo = PR_FALSE;
retry = PR_FALSE;
*rv_ocsp = SECFailure;
if (currentStage == stageGET) {
- mechanism = "GET";
- } else if (currentStage == stagePOST) {
- mechanism = "POST";
+ method = "GET";
} else {
- PORT_Assert(0); /* our code is flawed */
+ PORT_Assert(currentStage == stagePOST);
+ method = "POST";
}
encodedResponse =
ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
- location, mechanism,
+ location, method,
time, locationIsDefault,
pwArg, &request);
if (encodedResponse) {
rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
time, pwArg,
encodedResponse,
&decodedResponse,
&singleResponse);
if (rv == SECSuccess) {
switch (singleResponse->certStatus->certStatusType) {
case ocspCertStatus_good:
case ocspCertStatus_revoked:
validResponseWithAccurateInfo = PR_TRUE;
break;
+ default:
+ break;
}
*rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
}
}
if (currentStage == stageGET) {
/* only accept GET response if good or revoked */
if (validResponseWithAccurateInfo) {
--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
+++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
@@ -336,17 +336,17 @@ pkix_pl_OcspResponse_RegisterSelf(void *
* supplied, the default verification function is used.
*
* The contents of "request" are ignored on calls subsequent to a WOULDBLOCK
* return, and the caller is permitted to supply NULL.
*
* PARAMETERS
* "request"
* Address of the OcspRequest for which a response is desired.
- * "httpMechanism"
+ * "httpMethod"
* GET or POST
* "responder"
* Address, if non-NULL, of the SEC_HttpClientFcn to be sent the OCSP
* query.
* "verifyFcn"
* Address, if non-NULL, of the OcspResponse_VerifyCallback function to be
* used to verify the Cert of the OCSP responder.
* "pNBIOContext"
@@ -361,17 +361,17 @@ pkix_pl_OcspResponse_RegisterSelf(void *
* RETURNS:
* Returns NULL if the function succeeds.
* Returns an OcspResponse Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_OcspResponse_Create(
PKIX_PL_OcspRequest *request,
- const char *httpMechanism,
+ const char *httpMethod,
void *responder,
PKIX_PL_VerifyCallback verifyFcn,
void **pNBIOContext,
PKIX_PL_OcspResponse **pResponse,
void *plContext)
{
void *nbioContext = NULL;
PKIX_PL_OcspResponse *ocspResponse = NULL;
@@ -387,17 +387,17 @@ pkix_pl_OcspResponse_Create(
SEC_HTTP_REQUEST_SESSION sessionRequest = NULL;
SECItem *encodedRequest = NULL;
PRUint16 responseCode = 0;
char *responseData = NULL;
PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Create");
PKIX_NULLCHECK_TWO(pNBIOContext, pResponse);
- if (!strcmp(httpMechanism, "GET") && !strcmp(httpMechanism, "POST")) {
+ if (!strcmp(httpMethod, "GET") && !strcmp(httpMethod, "POST")) {
PKIX_ERROR(PKIX_INVALIDOCSPHTTPMETHOD);
}
nbioContext = *pNBIOContext;
*pNBIOContext = NULL;
if (nbioContext != NULL) {
@@ -426,17 +426,17 @@ pkix_pl_OcspResponse_Create(
httpClient = (const SEC_HttpClientFcn *)responder;
} else {
httpClient = SEC_GetRegisteredHttpClient();
}
if (httpClient && (httpClient->version == 1)) {
char *fullGetPath = NULL;
const char *sessionPath = NULL;
- PRBool usePOST = !strcmp(httpMechanism, "POST");
+ PRBool usePOST = !strcmp(httpMethod, "POST");
hcv1 = &(httpClient->fcnTable.ftable1);
PKIX_CHECK(pkix_pl_OcspRequest_GetLocation
(request, &location, plContext),
PKIX_OCSPREQUESTGETLOCATIONFAILED);
/* parse location -> hostname, port, path */
@@ -451,34 +451,34 @@ pkix_pl_OcspResponse_Create(
PKIX_ERROR(PKIX_OCSPSERVERERROR);
}
if (usePOST) {
sessionPath = path;
} else {
/* calculate, are we allowed to use GET? */
enum { max_get_request_size = 255 }; /* defined by RFC2560 */
- unsigned char b64ReqBuf[max_get_request_size+1];
+ char b64ReqBuf[max_get_request_size+1];
size_t base64size;
size_t slashLengthIfNeeded = 0;
size_t pathLength;
PRInt32 urlEncodedBufLength;
size_t getURLLength;
char *walkOutput = NULL;
pathLength = strlen(path);
if (path[pathLength-1] != '/') {
slashLengthIfNeeded = 1;
}
base64size = (((encodedRequest->len +2)/3) * 4);
if (base64size > max_get_request_size) {
PKIX_ERROR(PKIX_OCSPGETREQUESTTOOBIG);
}
memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
- PL_Base64Encode(encodedRequest->data, encodedRequest->len, b64ReqBuf);
+ PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len, b64ReqBuf);
urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
fullGetPath = (char*)PORT_Alloc(getURLLength);
if (!fullGetPath) {
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
strcpy(fullGetPath, path);
walkOutput = fullGetPath + pathLength;
@@ -486,17 +486,17 @@ pkix_pl_OcspResponse_Create(
strcpy(walkOutput, "/");
++walkOutput;
}
ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput);
sessionPath = fullGetPath;
}
rv = (*hcv1->createFcn)(serverSession, "http",
- sessionPath, httpMechanism,
+ sessionPath, httpMethod,
PR_SecondsToInterval(timeout),
&sessionRequest);
sessionPath = NULL;
if (fullGetPath) {
PORT_Free(fullGetPath);
fullGetPath = NULL;
}
