Bug 436414, support OCSP via HTTP GET. Part 4, enhance libPKIX portion of OCSP client code. r=rrelyea
authorKai Engert <kaie@kuix.de>
Tue, 08 Oct 2013 10:03:22 +0200
changeset 10864 a9ee920bd5cf67c60a04e7d678602f93aec2e16e
parent 10863 654082cbd7028c94110afcac7c9b71f3c1367b36
child 10865 4ebfd5d268679854f95bb10ee32cb387fcd5583c
push id167
push userkaie@kuix.de
push dateTue, 08 Oct 2013 08:07:55 +0000
reviewersrrelyea
bugs436414
Bug 436414, support OCSP via HTTP GET. Part 4, enhance libPKIX portion of OCSP client code. r=rrelyea
lib/certhigh/ocsp.c
lib/certhigh/ocspi.h
lib/libpkix/include/pkix_errorstrings.h
lib/libpkix/pkix/checker/pkix_ocspchecker.c
lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h
--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -114,40 +114,27 @@ static SECStatus
 ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, 
                               CERTOCSPCertID *certID, 
                               CERTCertificate *cert, 
                               PRTime time, 
                               void *pwArg,
                               PRBool *certIDWasConsumed,
                               SECStatus *rv_ocsp);
 
-static void
-ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
-			 CERTOCSPSingleResponse *single,
-			 PRBool *certIDWasConsumed);
-
 static SECStatus
 ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
 					   CERTOCSPCertID *certID,
 					   CERTCertificate *cert,
 					   PRTime time,
 					   void *pwArg,
 					   const SECItem *encodedResponse,
 					   CERTOCSPResponse **pDecodedResponse,
 					   CERTOCSPSingleResponse **pSingle);
 
 static SECStatus
-ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
-                                        CERTOCSPResponse *response, 
-                                        CERTOCSPCertID   *certID,
-                                        CERTCertificate  *signerCert,
-                                        PRTime            time,
-                                        CERTOCSPSingleResponse **pSingleResponse);
-
-static SECStatus
 ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time);
 
 static CERTOCSPCertID *
 cert_DupOCSPCertID(const CERTOCSPCertID *src);
 
 #ifndef DEBUG
 #define OCSP_TRACE(msg)
 #define OCSP_TRACE_TIME(msg, time)
@@ -4877,17 +4864,17 @@ ocsp_CertRevokedAfter(ocspRevokedInfo *r
 
     return SECFailure;
 }
 
 /*
  * See if the cert represented in the single response had a good status
  * at the specified time.
  */
-static SECStatus
+SECStatus
 ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time)
 {
     SECStatus rv;
     switch (status->certStatusType) {
     case ocspCertStatus_good:
         rv = SECSuccess;
         break;
     case ocspCertStatus_revoked:
@@ -5449,33 +5436,33 @@ loser:
  *   The (positive or negative) valid response will be used to update the cache.
  * INPUTS:
  *   CERTOCSPCertID *certID
  *     the cert ID corresponding to |cert|
  *   PRBool *certIDWasConsumed
  *     (output) on return, this is true iff |certID| was consumed by this
  *     function.
  */
-static void
+void
 ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
 			 CERTOCSPSingleResponse *single,
 			 PRBool *certIDWasConsumed)
 {
     if (single != NULL) {
 	PR_EnterMonitor(OCSP_Global.monitor);
 	if (OCSP_Global.maxCacheEntries >= 0) {
 	    ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single,
 					  certIDWasConsumed);
 	    /* ignore cache update failures */
 	}
 	PR_ExitMonitor(OCSP_Global.monitor);
     }
 }
 
-static SECStatus
+SECStatus
 ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
                                         CERTOCSPResponse *response, 
                                         CERTOCSPCertID   *certID,
                                         CERTCertificate  *signerCert,
                                         PRTime            time,
                                         CERTOCSPSingleResponse 
                                             **pSingleResponse)
 {
--- a/lib/certhigh/ocspi.h
+++ b/lib/certhigh/ocspi.h
@@ -137,9 +137,25 @@ ocsp_GetResponderLocation(CERTCertDBHand
  *   revoked cert status.
  */
 PRBool
 ocsp_FetchingFailureIsVerificationFailure(void);
 
 size_t
 ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);
 
+SECStatus
+ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
+                                        CERTOCSPResponse *response, 
+                                        CERTOCSPCertID   *certID,
+                                        CERTCertificate  *signerCert,
+                                        PRTime            time,
+                                        CERTOCSPSingleResponse **pSingleResponse);
+
+SECStatus
+ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);
+
+void
+ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
+			 CERTOCSPSingleResponse *single,
+			 PRBool *certIDWasConsumed);
+
 #endif /* _OCSPI_H_ */
--- a/lib/libpkix/include/pkix_errorstrings.h
+++ b/lib/libpkix/include/pkix_errorstrings.h
@@ -1089,9 +1089,11 @@ PKIX_ERRORENTRY(X500NAMEEQUALSFAILED,PKI
 PKIX_ERRORENTRY(X500NAMEGETCOMMONNAMEFAILED,pkix_pl_X500Name_GetCommonName failed,0),
 PKIX_ERRORENTRY(X500NAMEGETCOUNTRYNAMEFAILED,pkix_pl_X500Name_GetCountryName failed,0),
 PKIX_ERRORENTRY(X500NAMEGETORGNAMEFAILED,pkix_pl_X500Name_GetOrgName failed,0),
 PKIX_ERRORENTRY(X500NAMEGETSECNAMEFAILED,pkix_pl_X500Name_GetSECName failed,0),
 PKIX_ERRORENTRY(X500NAMEHASHCODEFAILED,PKIX_PL_X500Name_Hashcode failed,0),
 PKIX_ERRORENTRY(X500NAMEMATCHFAILED,PKIX_PL_X500Name_Match failed,0),
 PKIX_ERRORENTRY(X500NAMETOSTRINGFAILED,PKIX_PL_X500Name_ToString failed,0),
 PKIX_ERRORENTRY(X500NAMETOSTRINGHELPERFAILED,pkix_pl_X500Name_ToString_Helper failed,0),
-PKIX_ERRORENTRY(ZEROLENGTHBYTEARRAYFORCRLENCODING,Zero-length ByteArray for CRL encoding,0)
+PKIX_ERRORENTRY(ZEROLENGTHBYTEARRAYFORCRLENCODING,Zero-length ByteArray for CRL encoding,0),
+PKIX_ERRORENTRY(INVALIDOCSPHTTPMETHOD,Unsupported HTTP Method for OCSP retrieval,0),
+PKIX_ERRORENTRY(OCSPGETREQUESTTOOBIG,OCSP request too big for HTTP GET method,0)
--- a/lib/libpkix/pkix/checker/pkix_ocspchecker.c
+++ b/lib/libpkix/pkix/checker/pkix_ocspchecker.c
@@ -195,22 +195,28 @@ cleanup:
 }
 
 
 /*
  * The OCSPChecker is created in an idle state, and remains in this state until
  * either (a) the default Responder has been set and enabled, and a Check
  * request is received with no responder specified, or (b) a Check request is
  * received with a specified responder. A request message is constructed and
- * given to the HttpClient. If non-blocking I/O is used the client may return
- * with WOULDBLOCK, in which case the OCSPChecker returns the WOULDBLOCK
- * condition to its caller in turn. On a subsequent call the I/O is resumed.
- * When a response is received it is decoded and the results provided to the
- * caller.
+ * given to the HttpClient. When a response is received it is decoded and the
+ * results provided to the caller.
  *
+ * During the most recent enhancement of this function, it has been found that
+ * it doesn't correctly implement non-blocking I/O.
+ * 
+ * The nbioContext is used in two places, for "response-obtaining" and
+ * for "response-verification".
+ * 
+ * However, if this function gets called to resume, it always
+ * repeats the "request creation" and "response fetching" steps!
+ * As a result, the earlier operation is never resumed.
  */
 PKIX_Error *
 pkix_OcspChecker_CheckExternal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
@@ -225,16 +231,18 @@ pkix_OcspChecker_CheckExternal(
         PKIX_Boolean passed = PKIX_TRUE;
         pkix_OcspChecker *checker = NULL;
         PKIX_PL_OcspCertID *cid = NULL;
         PKIX_PL_OcspRequest *request = NULL;
         PKIX_PL_OcspResponse *response = NULL;
         PKIX_PL_Date *validity = NULL;
         PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
         void *nbioContext = NULL;
+        enum { stageGET, stagePOST } currentStage = stageGET;
+        PRBool retry = PR_FALSE;
 
         PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_CheckExternal");
 
         PKIX_CHECK(
             pkix_CheckType((PKIX_PL_Object*)checkerObject,
                            PKIX_OCSPCHECKER_TYPE, plContext),
                 PKIX_OBJECTNOTOCSPCHECKER);
 
@@ -253,94 +261,156 @@ pkix_OcspChecker_CheckExternal(
             PKIX_OCSPREQUESTCREATEFAILED);
         
         if (uriFound == PKIX_FALSE) {
             /* no caching for certs lacking URI */
             resultCode = 0;
             goto cleanup;
         }
 
-        /* send request and create a response object */
-        PKIX_CHECK(
-            pkix_pl_OcspResponse_Create(request, NULL,
-                                        checker->certVerifyFcn,
-                                        &nbioContext,
-                                        &response,
-                                        plContext),
-            PKIX_OCSPRESPONSECREATEFAILED);
-        if (nbioContext != 0) {
-            *pNBIOContext = nbioContext;
-            goto cleanup;
-        }
-        
-        PKIX_CHECK(
-            pkix_pl_OcspResponse_Decode(response, &passed,
-                                        &resultCode, plContext),
-            PKIX_OCSPRESPONSEDECODEFAILED);
-        if (passed == PKIX_FALSE) {
-            goto cleanup;
-        }
-        
-        PKIX_CHECK(
-            pkix_pl_OcspResponse_GetStatus(response, &passed,
-                                           &resultCode, plContext),
-            PKIX_OCSPRESPONSEGETSTATUSRETURNEDANERROR);
-        if (passed == PKIX_FALSE) {
-            goto cleanup;
-        }
+        /* Try HTTP GET.
+         * Unless it's a valid response with good status: fall back to POST.
+         */
+
+        do {
+                const char *mechanism;
+                passed = PKIX_TRUE;
+
+                retry = PR_FALSE;
+                if (currentStage == stageGET) {
+                        mechanism = "GET";
+                } else if (currentStage == stagePOST) {
+                        mechanism = "POST";
+                } else {
+                        PORT_Assert(0); /* our code is flawed */
+                }
+
+                /* send request and create a response object */
+                PKIX_CHECK_NO_GOTO(
+                    pkix_pl_OcspResponse_Create(request, mechanism, NULL,
+                                                checker->certVerifyFcn,
+                                                &nbioContext,
+                                                &response,
+                                                plContext),
+                    PKIX_OCSPRESPONSECREATEFAILED);
+
+                if (pkixErrorResult) {
+                    passed = PKIX_FALSE;
+                }
+
+                if (passed && nbioContext != 0) {
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                }
+
+                if (passed){
+                        PKIX_CHECK_NO_GOTO(
+                            pkix_pl_OcspResponse_Decode(response, &passed,
+                                                        &resultCode, plContext),
+                            PKIX_OCSPRESPONSEDECODEFAILED);
+                        if (pkixErrorResult) {
+                            passed = PKIX_FALSE;
+                        }
+                }
+                
+                if (passed){
+                        PKIX_CHECK_NO_GOTO(
+                            pkix_pl_OcspResponse_GetStatus(response, &passed,
+                                                           &resultCode, plContext),
+                            PKIX_OCSPRESPONSEGETSTATUSRETURNEDANERROR);
+                        if (pkixErrorResult) {
+                            passed = PKIX_FALSE;
+                        }
+                }
 
-        PKIX_CHECK(
-            pkix_pl_OcspResponse_VerifySignature(response, cert,
-                                                 procParams, &passed, 
-                                                 &nbioContext, plContext),
-            PKIX_OCSPRESPONSEVERIFYSIGNATUREFAILED);
-       	if (nbioContext != 0) {
-               	*pNBIOContext = nbioContext;
-                goto cleanup;
-        }
-        if (passed == PKIX_FALSE) {
-                goto cleanup;
-        }
+                if (passed){
+                        PKIX_CHECK_NO_GOTO(
+                            pkix_pl_OcspResponse_VerifySignature(response, cert,
+                                                                 procParams, &passed, 
+                                                                 &nbioContext, plContext),
+                            PKIX_OCSPRESPONSEVERIFYSIGNATUREFAILED);
+                        if (pkixErrorResult) {
+                            passed = PKIX_FALSE;
+                        } else {
+                                if (nbioContext != 0) {
+                                        *pNBIOContext = nbioContext;
+                                        goto cleanup;
+                                }
+                        }
+                }
 
-        PKIX_CHECK(
-            pkix_pl_OcspResponse_GetStatusForCert(cid, response, date,
-                                                  &passed, &resultCode,
-                                                  plContext),
-            PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED);
-        if (passed == PKIX_FALSE) {
-            revStatus = pkix_OcspChecker_MapResultCodeToRevStatus(resultCode);
-        } else {
-            revStatus = PKIX_RevStatus_Success;
-        }
+                if (!passed && currentStage == stagePOST) {
+                        /* We won't retry a POST failure, so it's final.
+                         * Because the following block with its call to
+                         *   pkix_pl_OcspResponse_GetStatusForCert
+                         * will take care of caching good or bad state,
+                         * but we only execute that next block if there hasn't
+                         * been a failure yet, we must cache the POST
+                         * failure now.
+                         */
+                         
+                        if (cid && cid->certID) {
+                                /* Caching MIGHT consume the cid. */
+                                PKIX_Error *err;
+                                err = PKIX_PL_OcspCertID_RememberOCSPProcessingFailure(
+                                        cid, plContext);
+                                if (err) {
+                                        PKIX_PL_Object_DecRef((PKIX_PL_Object*)err, plContext);
+                                }
+                        }
+                }
+
+                if (passed){
+                        PKIX_Boolean allowCachingOfFailures =
+                                (currentStage == stagePOST) ? PKIX_TRUE : PKIX_FALSE;
+                        
+                        PKIX_CHECK_NO_GOTO(
+                            pkix_pl_OcspResponse_GetStatusForCert(cid, response,
+                                                                  allowCachingOfFailures,
+                                                                  date,
+                                                                  &passed, &resultCode,
+                                                                  plContext),
+                            PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED);
+                        if (pkixErrorResult) {
+                            passed = PKIX_FALSE;
+                        } else if (passed == PKIX_FALSE) {
+                                revStatus = pkix_OcspChecker_MapResultCodeToRevStatus(resultCode);
+                        } else {
+                                revStatus = PKIX_RevStatus_Success;
+                        }
+                }
+
+                if (currentStage == stageGET && revStatus != PKIX_RevStatus_Success &&
+                                                revStatus != PKIX_RevStatus_Revoked) {
+                        /* we'll retry */
+                        PKIX_DECREF(response);
+                        retry = PR_TRUE;
+                        currentStage = stagePOST;
+                        revStatus = PKIX_RevStatus_NoInfo;
+                        if (pkixErrorResult) {
+                                PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
+                                                      plContext);
+                                pkixErrorResult = NULL;
+                        }
+                }
+        } while (retry);
 
 cleanup:
         if (revStatus == PKIX_RevStatus_NoInfo && (uriFound || 
 	    methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE) &&
             methodFlags & PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
             revStatus = PKIX_RevStatus_Revoked;
         }
         *pRevStatus = revStatus;
 
-        /* ocsp carries only tree statuses: good, bad, and unknown.
+        /* ocsp carries only three statuses: good, bad, and unknown.
          * revStatus is used to pass them. reasonCode is always set
          * to be unknown. */
         *pReasonCode = crlEntryReasonUnspecified;
 
-        if (!passed && cid && cid->certID) {
-                /* We still own the certID object, which means that 
-                 * it did not get consumed to create a cache entry.
-                 * Let's make sure there is one.
-                 */
-                PKIX_Error *err;
-                err = PKIX_PL_OcspCertID_RememberOCSPProcessingFailure(
-                        cid, plContext);
-                if (err) {
-                        PKIX_PL_Object_DecRef((PKIX_PL_Object*)err, plContext);
-                }
-        }
         PKIX_DECREF(cid);
         PKIX_DECREF(request);
         PKIX_DECREF(response);
 
         PKIX_RETURN(OCSPCHECKER);
 }
 
 
--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
+++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
@@ -336,16 +336,18 @@ pkix_pl_OcspResponse_RegisterSelf(void *
  *  supplied, the default verification function is used.
  *
  *  The contents of "request" are ignored on calls subsequent to a WOULDBLOCK
  *  return, and the caller is permitted to supply NULL.
  *
  * PARAMETERS
  *  "request"
  *      Address of the OcspRequest for which a response is desired.
+ *  "httpMechanism"
+ *      GET or POST
  *  "responder"
  *      Address, if non-NULL, of the SEC_HttpClientFcn to be sent the OCSP
  *      query.
  *  "verifyFcn"
  *      Address, if non-NULL, of the OcspResponse_VerifyCallback function to be
  *      used to verify the Cert of the OCSP responder.
  *  "pNBIOContext"
  *      Address at which platform-dependent information is stored for handling
@@ -359,16 +361,17 @@ pkix_pl_OcspResponse_RegisterSelf(void *
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns an OcspResponse Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 pkix_pl_OcspResponse_Create(
         PKIX_PL_OcspRequest *request,
+        const char *httpMechanism,
         void *responder,
         PKIX_PL_VerifyCallback verifyFcn,
         void **pNBIOContext,
         PKIX_PL_OcspResponse **pResponse,
         void *plContext)
 {
         void *nbioContext = NULL;
         PKIX_PL_OcspResponse *ocspResponse = NULL;
@@ -384,16 +387,20 @@ pkix_pl_OcspResponse_Create(
         SEC_HTTP_REQUEST_SESSION sessionRequest = NULL;
         SECItem *encodedRequest = NULL;
         PRUint16 responseCode = 0;
         char *responseData = NULL;
  
         PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Create");
         PKIX_NULLCHECK_TWO(pNBIOContext, pResponse);
 
+	if (!strcmp(httpMechanism, "GET") && !strcmp(httpMechanism, "POST")) {
+		PKIX_ERROR(PKIX_INVALIDOCSPHTTPMETHOD);
+	}
+
         nbioContext = *pNBIOContext;
         *pNBIOContext = NULL;
 
         if (nbioContext != NULL) {
 
                 ocspResponse = *pResponse;
                 PKIX_NULLCHECK_ONE(ocspResponse);
 
@@ -417,16 +424,19 @@ pkix_pl_OcspResponse_Create(
                 /* Is there a default responder and is it enabled? */
                 if (responder) {
                     httpClient = (const SEC_HttpClientFcn *)responder;
                 } else {
                     httpClient = SEC_GetRegisteredHttpClient();
                 }
 
                 if (httpClient && (httpClient->version == 1)) {
+			char *fullGetPath = NULL;
+			const char *sessionPath = NULL;
+			PRBool usePOST = !strcmp(httpMechanism, "POST");
 
                         hcv1 = &(httpClient->fcnTable.ftable1);
 
                         PKIX_CHECK(pkix_pl_OcspRequest_GetLocation
                                 (request, &location, plContext),
                                 PKIX_OCSPREQUESTGETLOCATIONFAILED);
 
                         /* parse location -> hostname, port, path */    
@@ -436,31 +446,78 @@ pkix_pl_OcspResponse_Create(
                         }
 
                         rv = (*hcv1->createSessionFcn)(hostname, port,
                                                        &serverSession);
                         if (rv != SECSuccess) {
                                 PKIX_ERROR(PKIX_OCSPSERVERERROR);
                         }       
 
-                        rv = (*hcv1->createFcn)(serverSession, "http", path,
-                                                "POST",
+			if (usePOST) {
+				sessionPath = path;
+			} else {
+				/* calculate, are we allowed to use GET? */
+				enum { max_get_request_size = 255 }; /* defined by RFC2560 */
+				unsigned char b64ReqBuf[max_get_request_size+1];
+				size_t base64size;
+				size_t slashLengthIfNeeded = 0;
+				size_t pathLength;
+				PRInt32 urlEncodedBufLength;
+				size_t getURLLength;
+				char *walkOutput = NULL;
+
+				pathLength = strlen(path);
+				if (path[pathLength-1] != '/') {
+					slashLengthIfNeeded = 1;
+				}
+				base64size = (((encodedRequest->len +2)/3) * 4);
+				if (base64size > max_get_request_size) {
+					PKIX_ERROR(PKIX_OCSPGETREQUESTTOOBIG);
+				}
+				memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
+				PL_Base64Encode(encodedRequest->data, encodedRequest->len, b64ReqBuf);
+				urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
+				getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
+				fullGetPath = (char*)PORT_Alloc(getURLLength);
+				if (!fullGetPath) {
+					PKIX_ERROR(PKIX_OUTOFMEMORY);
+				}
+				strcpy(fullGetPath, path);
+				walkOutput = fullGetPath + pathLength;
+				if (walkOutput > fullGetPath && slashLengthIfNeeded) {
+					strcpy(walkOutput, "/");
+					++walkOutput;
+				}
+				ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput);
+				sessionPath = fullGetPath;
+			}
+
+                        rv = (*hcv1->createFcn)(serverSession, "http",
+                                                sessionPath, httpMechanism,
                                                 PR_SecondsToInterval(timeout),
                                                 &sessionRequest);
+			sessionPath = NULL;
+			if (fullGetPath) {
+				PORT_Free(fullGetPath);
+				fullGetPath = NULL;
+			}
+			
                         if (rv != SECSuccess) {
                                 PKIX_ERROR(PKIX_OCSPSERVERERROR);
                         }       
 
-                        rv = (*hcv1->setPostDataFcn)(sessionRequest,
-                                                  (char *)encodedRequest->data,
-                                                  encodedRequest->len,
-                                                  "application/ocsp-request");
-                        if (rv != SECSuccess) {
-                                PKIX_ERROR(PKIX_OCSPSERVERERROR);
-                        }       
+			if (usePOST) {
+				rv = (*hcv1->setPostDataFcn)(sessionRequest,
+							  (char *)encodedRequest->data,
+							  encodedRequest->len,
+							  "application/ocsp-request");
+				if (rv != SECSuccess) {
+					PKIX_ERROR(PKIX_OCSPSERVERERROR);
+				}
+			}
 
                         /* create a PKIX_PL_OcspResponse object */
                         PKIX_CHECK(PKIX_PL_Object_Alloc
                                     (PKIX_OCSPRESPONSE_TYPE,
                                     sizeof (PKIX_PL_OcspResponse),
                                     (PKIX_PL_Object **)&ocspResponse,
                                     plContext),
                                     PKIX_COULDNOTCREATEOBJECT);
@@ -932,25 +989,25 @@ cleanup:
  *  Returns NULL if the function succeeds.
  *  Returns an OcspResponse Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 pkix_pl_OcspResponse_GetStatusForCert(
         PKIX_PL_OcspCertID *cid,
         PKIX_PL_OcspResponse *response,
+        PKIX_Boolean allowCachingOfFailures,
         PKIX_PL_Date *validity,
         PKIX_Boolean *pPassed,
         SECErrorCodes *pReturnCode,
         void *plContext)
 {
         PRTime time = 0;
         SECStatus rv = SECFailure;
-        SECStatus rvCache;
-        PRBool certIDWasConsumed = PR_FALSE;
+        CERTOCSPSingleResponse *single = NULL;
 
         PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_GetStatusForCert");
         PKIX_NULLCHECK_THREE(response, pPassed, pReturnCode);
 
         /*
          * It is an error to call this function except following a successful
          * return from pkix_pl_OcspResponse_VerifySignature, which would have
          * set response->signerCert.
@@ -961,25 +1018,44 @@ pkix_pl_OcspResponse_GetStatusForCert(
         if (validity != NULL) {
             PKIX_Error *er = pkix_pl_Date_GetPRTime(validity, &time, plContext);
             PKIX_DECREF(er);
         }
         if (!time) {
             time = PR_Now();
         }
 
-        rv = cert_ProcessOCSPResponse(response->handle,
-                                      response->nssOCSPResponse,
-                                      cid->certID,
-                                      response->signerCert,
-                                      time,
-                                      &certIDWasConsumed,
-                                      &rvCache);
-        if (certIDWasConsumed) {
-                cid->certID = NULL;
+        rv = ocsp_GetVerifiedSingleResponseForCertID(response->handle,
+                                                     response->nssOCSPResponse,
+                                                     cid->certID, 
+                                                     response->signerCert,
+                                                     time, &single);
+        if (rv == SECSuccess) {
+                /*
+                 * Check whether the status says revoked, and if so 
+                 * how that compares to the time value passed into this routine.
+                 */
+                rv = ocsp_CertHasGoodStatus(single->certStatus, time);
+        }
+
+        if (rv == SECSuccess || allowCachingOfFailures) {
+                /* allowed to update the cache */
+                PRBool certIDWasConsumed = PR_FALSE;
+
+                if (single) {
+                        ocsp_CacheSingleResponse(cid->certID,single,
+                                                 &certIDWasConsumed);
+                } else {
+                        cert_RememberOCSPProcessingFailure(cid->certID,
+                                                           &certIDWasConsumed);
+                }
+
+                if (certIDWasConsumed) {
+                        cid->certID = NULL;
+                }
         }
 
 	if (rv == SECSuccess) {
                 *pPassed = PKIX_TRUE;
                 *pReturnCode = 0;
         } else {
                 *pPassed = PKIX_FALSE;
                 *pReturnCode = PORT_GetError();
--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h
+++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h
@@ -12,16 +12,17 @@
 #define _PKIX_PL_OCSPRESPONSE_H
 
 #include "pkix_pl_common.h"
 #include "pkix_pl_ocspcertid.h"
 #include "hasht.h"
 #include "cryptohi.h"
 #include "ocspti.h"
 #include "ocspi.h"
+#include "plbase64.h"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 #define MAX_OCSP_RESPONSE_LEN (64*1024)
 
 struct PKIX_PL_OcspResponseStruct{
@@ -42,16 +43,17 @@ struct PKIX_PL_OcspResponseStruct{
 
 /* see source file for function documentation */
 
 PKIX_Error *pkix_pl_OcspResponse_RegisterSelf(void *plContext);
 
 PKIX_Error *
 pkix_pl_OcspResponse_Create(
         PKIX_PL_OcspRequest *request,
+        const char *httpMechanism,
         void *responder,
         PKIX_PL_VerifyCallback verifyFcn,
         void **pNBIOContext,
         PKIX_PL_OcspResponse **pResponse,
         void *plContext);
 
 PKIX_Error *
 pkix_pl_OcspResponse_Decode(
@@ -75,16 +77,17 @@ pkix_pl_OcspResponse_VerifySignature(
         PKIX_Boolean *pPassed,
         void **pNBIOContext,
         void *plContext);
 
 PKIX_Error *
 pkix_pl_OcspResponse_GetStatusForCert(
         PKIX_PL_OcspCertID *cid,
         PKIX_PL_OcspResponse *response,
+        PKIX_Boolean allowCachingOfFailures,
         PKIX_PL_Date *validity,
         PKIX_Boolean *pPassed,
         SECErrorCodes *pReturnCode,
         void *plContext);
 
 PKIX_Error *
 PKIX_PL_OcspResponse_UseBuildChain(
         PKIX_PL_Cert *signerCert,