Update third_party/nss to NSS 3.15.4.

nss/lib/certhigh/ocsp.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  */
 
 #include "prerror.h"
 #include "prprf.h"
 #include "plarena.h"
 #include "prnetdb.h"
 
 #include "seccomon.h"
 #include "secitem.h"
 #include "secoidt.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "cert.h"
 #include "xconst.h"
 #include "secerr.h"
 #include "secoid.h"
 #include "hasht.h"
 #include "sechash.h"
 #include "secasn1.h"
+#include "plbase64.h"
 #include "keyhi.h"
 #include "cryptohi.h"
 #include "ocsp.h"
 #include "ocspti.h"
 #include "ocspi.h"
 #include "genname.h"
 #include "certxutl.h"
 #include "pk11func.h"   /* for PK11_HashBuf */
 #include <stdarg.h>
 #include <plhash.h>
@@ skipping 42 matching lines @@
 static struct OCSPGlobalStruct {
     PRMonitor *monitor;
     const SEC_HttpClientFcn *defaultHttpClientFcn;
     PRInt32 maxCacheEntries;
     PRUint32 minimumSecondsToNextFetchAttempt;
     PRUint32 maximumSecondsToNextFetchAttempt;
     PRUint32 timeoutSeconds;
     OCSPCacheData cache;
     SEC_OcspFailureMode ocspFailureMode;
     CERT_StringFromCertFcn alternateOCSPAIAFcn;
+    PRBool forcePost;
 } OCSP_Global = { NULL, 
                   NULL, 
                   DEFAULT_OCSP_CACHE_SIZE, 
                   DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT,
                   DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT,
                   DEFAULT_OSCP_TIMEOUT_SECONDS,
                   {NULL, 0, NULL, NULL},
                   ocspMode_FailureIsVerificationFailure,
-                  NULL
+                  NULL,
+                  PR_FALSE
                 };
 
 
 
 /* Forward declarations */
 static SECItem *
 ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, 
                                        CERTOCSPRequest *request,
-                                       const char *location, PRTime time,
+                                       const char *location,
+                                       const char *method,
+                                       PRTime time,
                                        PRBool addServiceLocator,
                                        void *pwArg,
                                        CERTOCSPRequest **pRequest);
 static SECStatus
 ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, 
                               CERTOCSPCertID *certID, 
                               CERTCertificate *cert, 
                               PRTime time, 
                               void *pwArg,
                               PRBool *certIDWasConsumed,
                               SECStatus *rv_ocsp);
 
 static SECStatus
-ocsp_CacheEncodedOCSPResponse(CERTCertDBHandle *handle,
-                              CERTOCSPCertID *certID,
-                              CERTCertificate *cert,
-                              PRTime time,
-                              void *pwArg,
-                              const SECItem *encodedResponse,
-                              PRBool cacheInvalid,
-                              PRBool *certIDWasConsumed,
-                              SECStatus *rv_ocsp);
-
-static SECStatus
-ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
-                                        CERTOCSPResponse *response, 
-                                        CERTOCSPCertID   *certID,
-                                        CERTCertificate  *signerCert,
-                                        PRTime            time,
-                                        CERTOCSPSingleResponse **pSingleResponse);
+ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
+                                           CERTOCSPCertID *certID,
+                                           CERTCertificate *cert,
+                                           PRTime time,
+                                           void *pwArg,
+                                           const SECItem *encodedResponse,
+                                           CERTOCSPResponse **pDecodedResponse,
+                                           CERTOCSPSingleResponse **pSingle);
 
 static SECStatus
 ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time);
 
 static CERTOCSPCertID *
 cert_DupOCSPCertID(const CERTOCSPCertID *src);
 
 #ifndef DEBUG
 #define OCSP_TRACE(msg)
 #define OCSP_TRACE_TIME(msg, time)
@@ skipping 600 matching lines @@
     OCSP_TRACE_TIME("nextFetchAttemptTime", 
         latestTimeWhenResponseIsConsideredFresh);
 
     PR_ExitMonitor(OCSP_Global.monitor);
 }
 
 static PRBool
 ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem)
 {
     PRTime now;
-    PRBool retval;
+    PRBool fresh;
 
-    PR_EnterMonitor(OCSP_Global.monitor);
     now = PR_Now();
-    retval = (cacheItem->nextFetchAttemptTime > now);
-    OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", retval));
-    PR_ExitMonitor(OCSP_Global.monitor);
-    return retval;
+
+    fresh = cacheItem->nextFetchAttemptTime > now;
+
+    /* Work around broken OCSP responders that return unknown responses for
+     * certificates, especially certificates that were just recently issued.
+     */
+    if (fresh && cacheItem->certStatusArena &&
+        cacheItem->certStatus.certStatusType == ocspCertStatus_unknown) {
+        fresh = PR_FALSE;
+    }
+
+    OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", fresh));
+
+    return fresh;
 }
 
 /*
  * Status in *certIDWasConsumed will always be correct, regardless of 
  * return value.
  * If the caller is unable to transfer ownership of certID,
  * then the caller must set certIDWasConsumed to NULL,
  * and this function will potentially duplicate the certID object.
  */
 static SECStatus
 ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, 
                               CERTOCSPCertID *certID,
                               CERTOCSPSingleResponse *single,
                               PRBool *certIDWasConsumed)
 {
     SECStatus rv;
     OCSPCacheItem *cacheItem;
     OCSP_TRACE(("OCSP ocsp_CreateOrUpdateCacheEntry\n"));
   
     if (certIDWasConsumed)
         *certIDWasConsumed = PR_FALSE;
   
     PR_EnterMonitor(OCSP_Global.monitor);
     PORT_Assert(OCSP_Global.maxCacheEntries >= 0);
   
     cacheItem = ocsp_FindCacheEntry(cache, certID);
+
+    /* Don't replace an unknown or revoked entry with an error entry, even if
+     * the existing entry is expired. Instead, we'll continue to use the
+     * existing (possibly expired) cache entry until we receive a valid signed
+     * response to replace it.
+     */
+    if (!single && cacheItem && cacheItem->certStatusArena &&
+        (cacheItem->certStatus.certStatusType == ocspCertStatus_revoked ||
+         cacheItem->certStatus.certStatusType == ocspCertStatus_unknown)) {
+        PR_ExitMonitor(OCSP_Global.monitor);
+        return SECSuccess;
+    }
+
     if (!cacheItem) {
         CERTOCSPCertID *myCertID;
         if (certIDWasConsumed) {
             myCertID = certID;
             *certIDWasConsumed = PR_TRUE;
         } else {
             myCertID = cert_DupOCSPCertID(certID);
             if (!myCertID) {
                 PR_ExitMonitor(OCSP_Global.monitor);
                 PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
@@ skipping 652 matching lines @@
  *     not needed if not signing.)
  * RETURN:
  *   Returns a NULL on error and a pointer to the SECItem with the
  *   encoded value otherwise.  Any error is likely to be low-level
  *   (e.g. no memory).
  */
 SECItem *
 CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
                        void *pwArg)
 {
-    ocspTBSRequest *tbsRequest;
     SECStatus rv;
 
     /* XXX All of these should generate errors if they fail. */
     PORT_Assert(request);
     PORT_Assert(request->tbsRequest);
 
-    tbsRequest = request->tbsRequest;
-
     if (request->tbsRequest->extensionHandle != NULL) {
         rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
         request->tbsRequest->extensionHandle = NULL;
         if (rv != SECSuccess)
             return NULL;
     }
 
     /*
      * XXX When signed requests are supported and request->optionalSignature
      * is not NULL:
@@ skipping 147 matching lines @@
 }
 
 /*
  * Digest the cert's subject public key using the specified algorithm.
  * The necessary storage for the digest data is allocated.  If "fill" is
  * non-null, the data is put there, otherwise a SECItem is allocated.
  * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
  * results in a NULL being returned (and an appropriate error set).
  */
 SECItem *
-CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
-                           SECOidTag digestAlg, SECItem *fill)
+CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert,
+                               SECOidTag digestAlg, SECItem *fill)
 {
     SECItem spk;
 
     /*
      * Copy just the length and data pointer (nothing needs to be freed)
      * of the subject public key so we can convert the length from bits
      * to bytes, which is what the digest function expects.
      */
     spk = cert->subjectPublicKeyInfo.subjectPublicKey;
     DER_ConvertBitString(&spk);
 
     return ocsp_DigestValue(arena, digestAlg, fill, &spk);
 }
 
 /*
  * Digest the cert's subject name using the specified algorithm.
  */
-static SECItem *
-cert_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
-                           SECOidTag digestAlg, SECItem *fill)
+SECItem *
+CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
+                          SECOidTag digestAlg, SECItem *fill)
 {
     SECItem name;
 
     /*
      * Copy just the length and data pointer (nothing needs to be freed)
      * of the subject name
      */
     name = cert->derSubject;
 
     return ocsp_DigestValue(arena, digestAlg, fill, &name);
@@ skipping 28 matching lines @@
                                NULL);
     if (rv != SECSuccess) {
         goto loser; 
     }
 
     issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
     if (issuerCert == NULL) {
         goto loser;
     }
 
-    if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1,
+    if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1,
                                   &(certID->issuerNameHash)) == NULL) {
         goto loser;
     }
     certID->issuerSHA1NameHash.data = certID->issuerNameHash.data;
     certID->issuerSHA1NameHash.len = certID->issuerNameHash.len;
 
-    if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD5,
+    if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD5,
                                   &(certID->issuerMD5NameHash)) == NULL) {
         goto loser;
     }
 
-    if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2,
+    if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2,
                                   &(certID->issuerMD2NameHash)) == NULL) {
         goto loser;
     }
 
-    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_SHA1,
-                                   &(certID->issuerKeyHash)) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1,
+                                       &certID->issuerKeyHash) == NULL) {
         goto loser;
     }
     certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
     certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
     /* cache the other two hash algorithms as well */
-    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD5,
-                                   &(certID->issuerMD5KeyHash)) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5,
+                                       &certID->issuerMD5KeyHash) == NULL) {
         goto loser;
     }
-    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD2,
-                                   &(certID->issuerMD2KeyHash)) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2,
+                                       &certID->issuerMD2KeyHash) == NULL) {
         goto loser;
     }
 
 
     /* now we are done with issuerCert */
     CERT_DestroyCertificate(issuerCert);
     issuerCert = NULL;
 
     rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber);
     if (rv != SECSuccess) {
@@ skipping 1224 matching lines @@
     return NULL;
 }
 
 /*
  * Sends an encoded OCSP request to the server identified by "location",
  * and returns the socket on which it was sent (so can listen for the reply).
  * "location" is expected to be a valid URL -- an error parsing it produces
  * SEC_ERROR_CERT_BAD_ACCESS_LOCATION.  Other errors are likely problems
  * connecting to it, or writing to it, or allocating memory, and the low-level
  * errors appropriate to the problem will be set.
+ * if (encodedRequest == NULL)
+ *   then location MUST already include the full request,
+ *        including base64 and urlencode,
+ *        and the request will be sent with GET
+ * if (encodedRequest != NULL)
+ *   then the request will be sent with POST
  */
 static PRFileDesc *
 ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
 {
     char *hostname = NULL;
     char *path = NULL;
     PRUint16 port;
     SECStatus rv;
     PRFileDesc *sock = NULL;
     PRFileDesc *returnSock = NULL;
@@ skipping 12 matching lines @@
 
     sock = ocsp_ConnectToHost(hostname, port);
     if (sock == NULL)
         goto loser;
 
     portstr[0] = '\0';
     if (port != 80) {
         PR_snprintf(portstr, sizeof(portstr), ":%d", port);
     }
 
-    header = PR_smprintf("POST %s HTTP/1.0\r\n"
-                         "Host: %s%s\r\n"
-                         "Content-Type: application/ocsp-request\r\n"
-                         "Content-Length: %u\r\n\r\n",
-                         path, hostname, portstr, encodedRequest->len);
-    if (header == NULL)
-        goto loser;
+    if (!encodedRequest) {
+      header = PR_smprintf("GET %s HTTP/1.0\r\n"
+                          "Host: %s%s\r\n\r\n",
+                          path, hostname, portstr);
+      if (header == NULL)
+          goto loser;
 
-    /*
-     * The NSPR documentation promises that if it can, it will write the full
-     * amount; this will not return a partial value expecting us to loop.
-     */
-    if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
-        goto loser;
+      /*
+      * The NSPR documentation promises that if it can, it will write the full
+      * amount; this will not return a partial value expecting us to loop.
+      */
+      if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
+          goto loser;
+    }
+    else {
+      header = PR_smprintf("POST %s HTTP/1.0\r\n"
+                          "Host: %s%s\r\n"
+                          "Content-Type: application/ocsp-request\r\n"
+                          "Content-Length: %u\r\n\r\n",
+                          path, hostname, portstr, encodedRequest->len);
+      if (header == NULL)
+          goto loser;
 
-    if (PR_Write(sock, encodedRequest->data,
-                 (PRInt32) encodedRequest->len) < 0)
-        goto loser;
+      /*
+      * The NSPR documentation promises that if it can, it will write the full
+      * amount; this will not return a partial value expecting us to loop.
+      */
+      if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
+          goto loser;
+
+      if (PR_Write(sock, encodedRequest->data,
+                  (PRInt32) encodedRequest->len) < 0)
+          goto loser;
+    }
 
     returnSock = sock;
     sock = NULL;
 
 loser:
     if (header != NULL)
         PORT_Free(header);
     if (sock != NULL)
         PR_Close(sock);
     if (path != NULL)
@@ skipping 288 matching lines @@
 CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
 {
     return ocsp_ParseURL(url, pHostname, pPort, pPath);
 }
 
 /*
  * Limit the size of http responses we are willing to accept.
  */
 #define MAX_WANTED_OCSP_RESPONSE_LEN 64*1024
 
+/* if (encodedRequest == NULL)
+ *   then location MUST already include the full request,
+ *        including base64 and urlencode,
+ *        and the request will be sent with GET
+ * if (encodedRequest != NULL)
+ *   then the request will be sent with POST
+ */
 static SECItem *
 fetchOcspHttpClientV1(PLArenaPool *arena, 
                       const SEC_HttpClientFcnV1 *hcv1, 
                       const char *location, 
                       const SECItem *encodedRequest)
 {
     char *hostname = NULL;
     char *path = NULL;
     PRUint16 port;
     SECItem *encodedResponse = NULL;
@@ skipping 23 matching lines @@
        - the client will use blocking I/O
        - TryFcn will not return WOULD_BLOCK nor a poll descriptor
        - it's sufficient to call TryFcn once
        No lock for accessing OCSP_Global.timeoutSeconds, bug 406120
     */
 
     if ((*hcv1->createFcn)(
             pServerSession,
             "http",
             path,
-            "POST",
+            encodedRequest ? "POST" : "GET",
             PR_TicksPerSecond() * OCSP_Global.timeoutSeconds,
             &pRequestSession) != SECSuccess) {
         PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
         goto loser;
     }
 
-    if ((*hcv1->setPostDataFcn)(
+    if (encodedRequest &&
+        (*hcv1->setPostDataFcn)(
             pRequestSession, 
             (char*)encodedRequest->data,
             encodedRequest->len,
             "application/ocsp-request") != SECSuccess) {
         PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
         goto loser;
     }
 
     /* we don't want result objects larger than this: */
     myHttpResponseDataLen = MAX_WANTED_OCSP_RESPONSE_LEN;
@@ skipping 35 matching lines @@
         (*hcv1->freeSessionFcn)(pServerSession);
     if (path != NULL)
         PORT_Free(path);
     if (hostname != NULL)
         PORT_Free(hostname);
     
     return encodedResponse;
 }
 
 /*
- * FUNCTION: CERT_GetEncodedOCSPResponse
+ * FUNCTION: CERT_GetEncodedOCSPResponseByMethod
  *   Creates and sends a request to an OCSP responder, then reads and
  *   returns the (encoded) response.
  * INPUTS:
  *   PLArenaPool *arena
  *     Pointer to arena from which return value will be allocated.
  *     If NULL, result will be allocated from the heap (and thus should
  *     be freed via SECITEM_FreeItem).
  *   CERTCertList *certList
  *     A list of certs for which status will be requested.
  *     Note that all of these certificates should have the same issuer,
  *     or it's expected the response will be signed by a trusted responder.
  *     If the certs need to be broken up into multiple requests, that
  *     must be handled by the caller (and thus by having multiple calls
  *     to this routine), who knows about where the request(s) are being
  *     sent and whether there are any trusted responders in place.
  *   const char *location
  *     The location of the OCSP responder (a URL).
+ *   const char *method
+ *     The protocol method used when retrieving the OCSP response.
+ *     Currently support: "GET" (http GET) and "POST" (http POST).
+ *     Additionals methods for http or other protocols might be added
+ *     in the future.
  *   PRTime time
  *     Indicates the time for which the certificate status is to be 
  *     determined -- this may be used in the search for the cert's issuer
  *     but has no other bearing on the operation.
  *   PRBool addServiceLocator
  *     If true, the Service Locator extension should be added to the
  *     single request(s) for each cert.
  *   CERTCertificate *signerCert
  *     If non-NULL, means sign the request using this cert.  Otherwise,
  *     do not sign.
  *   void *pwArg
  *     Pointer to argument for password prompting, if needed.  (Definitely
  *     not needed if not signing.)
  * OUTPUTS:
  *   CERTOCSPRequest **pRequest
  *     Pointer in which to store the OCSP request created for the given
  *     list of certificates.  It is only filled in if the entire operation
  *     is successful and the pointer is not null -- and in that case the
  *     caller is then reponsible for destroying it.
  * RETURN:
  *   Returns a pointer to the SECItem holding the response.
  *   On error, returns null with error set describing the reason:
  *      SEC_ERROR_UNKNOWN_ISSUER
  *      SEC_ERROR_CERT_BAD_ACCESS_LOCATION
  *      SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
  *   Other errors are low-level problems (no memory, bad database, etc.).
  */
 SECItem *
+CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList,
+                                    const char *location, const char *method,
+                                    PRTime time, PRBool addServiceLocator,
+                                    CERTCertificate *signerCert, void *pwArg,
+                                    CERTOCSPRequest **pRequest)
+{
+    CERTOCSPRequest *request;
+    request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
+                                     signerCert);
+    if (!request)
+        return NULL;
+    return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
+                                                  method, time, addServiceLocator,
+                                                  pwArg, pRequest);
+}
+
+/*
+ * FUNCTION: CERT_GetEncodedOCSPResponse
+ *   Creates and sends a request to an OCSP responder, then reads and
+ *   returns the (encoded) response.
+ *
+ * This is a legacy API that behaves identically to
+ * CERT_GetEncodedOCSPResponseByMethod using the "POST" method.
+ */
+SECItem *
 CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
                             const char *location, PRTime time,
                             PRBool addServiceLocator,
                             CERTCertificate *signerCert, void *pwArg,
                             CERTOCSPRequest **pRequest)
 {
-    CERTOCSPRequest *request;
-    request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
-                                     signerCert);
-    if (!request)
-        return NULL;
-    return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, 
-                                                  time, addServiceLocator, 
-                                                  pwArg, pRequest);
+    return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location,
+                                               "POST", time, addServiceLocator,
+                                               signerCert, pwArg, pRequest);
 }
 
+/* URL encode a buffer that consists of base64-characters, only,
+ * which means we can use a simple encoding logic.
+ * 
+ * No output buffer size checking is performed.
+ * You should call the function twice, to calculate the required buffer size.
+ * 
+ * If the outpufBuf parameter is NULL, the function will calculate the 
+ * required size, including the trailing zero termination char.
+ * 
+ * The function returns the number of bytes calculated or produced.
+ */
+size_t
+ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf)
+{
+    const char *walkInput = NULL;
+    char *walkOutput = outputBuf;
+    size_t count = 0;
+    
+    for (walkInput=base64Buf; *walkInput; ++walkInput) {
+        char c = *walkInput;
+        if (isspace(c))
+            continue;
+        switch (c) {
+          case '+':
+            if (outputBuf) {
+                strcpy(walkOutput, "%2B");
+                walkOutput += 3;
+            }
+            count += 3;
+            break;
+          case '/':
+            if (outputBuf) {
+                strcpy(walkOutput, "%2F");
+                walkOutput += 3;
+            }
+            count += 3;
+            break;
+          case '=':
+            if (outputBuf) {
+                strcpy(walkOutput, "%3D");
+                walkOutput += 3;
+            }
+            count += 3;
+            break;
+          default:
+            if (outputBuf) {
+                *walkOutput = *walkInput;
+                ++walkOutput;
+            }
+            ++count;
+            break;
+        }
+    }
+    if (outputBuf) {
+        *walkOutput = 0;
+    }
+    ++count;
+    return count;
+}
+
+enum { max_get_request_size = 255 }; /* defined by RFC2560 */
+
+static SECItem *
+cert_GetOCSPResponse(PLArenaPool *arena, const char *location, 
+                     const SECItem *encodedRequest);
+
 static SECItem *
 ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
                                        CERTOCSPRequest *request,
-                                       const char *location, PRTime time,
+                                       const char *location,
+                                       const char *method,
+                                       PRTime time,
                                        PRBool addServiceLocator,
                                        void *pwArg,
                                        CERTOCSPRequest **pRequest)
 {
     SECItem *encodedRequest = NULL;
     SECItem *encodedResponse = NULL;
     SECStatus rv;
 
+    if (!location || !*location) /* location should be at least one byte */
+        goto loser;
+
     rv = CERT_AddOCSPAcceptableResponses(request,
                                          SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
     if (rv != SECSuccess)
         goto loser;
 
     encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
     if (encodedRequest == NULL)
         goto loser;
 
-    encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
+    if (!strcmp(method, "GET")) {
+        encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest);
+    }
+    else if (!strcmp(method, "POST")) {
+        encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
+    }
+    else {
+        goto loser;
+    }
 
     if (encodedResponse != NULL && pRequest != NULL) {
         *pRequest = request;
         request = NULL;                 /* avoid destroying below */
     }
 
 loser:
     if (request != NULL)
         CERT_DestroyOCSPRequest(request);
     if (encodedRequest != NULL)
         SECITEM_FreeItem(encodedRequest, PR_TRUE);
+    return encodedResponse;
+}
 
-    return encodedResponse;
+static SECItem *
+cert_FetchOCSPResponse(PLArenaPool *arena,  const char *location, 
+                       const SECItem *encodedRequest);
+
+/* using HTTP GET method */
+static SECItem *
+cert_GetOCSPResponse(PLArenaPool *arena, const char *location, 
+                     const SECItem *encodedRequest)
+{
+    char *walkOutput = NULL;
+    char *fullGetPath = NULL;
+    size_t pathLength;
+    PRInt32 urlEncodedBufLength;
+    size_t base64size;
+    char b64ReqBuf[max_get_request_size+1];
+    size_t slashLengthIfNeeded = 0;
+    size_t getURLLength;
+    SECItem *item;
+
+    if (!location || !*location) {
+        return NULL;
+    }
+    
+    pathLength = strlen(location);
+    if (location[pathLength-1] != '/') {
+        slashLengthIfNeeded = 1;
+    }
+    
+    /* Calculation as documented by PL_Base64Encode function.
+     * Use integer conversion to avoid having to use function ceil().
+     */
+    base64size = (((encodedRequest->len +2)/3) * 4);
+    if (base64size > max_get_request_size) {
+        return NULL;
+    }
+    memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
+    PL_Base64Encode((const char*)encodedRequest->data, encodedRequest->len,
+                    b64ReqBuf);
+
+    urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
+    getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
+    
+    /* urlEncodedBufLength already contains room for the zero terminator.
+     * Add another if we must add the '/' char.
+     */
+    if (arena) {
+        fullGetPath = (char*)PORT_ArenaAlloc(arena, getURLLength);
+    } else {
+        fullGetPath = (char*)PORT_Alloc(getURLLength);
+    }
+    if (!fullGetPath) {
+        return NULL;
+    }
+ 
+    strcpy(fullGetPath, location);
+    walkOutput = fullGetPath + pathLength;
+    
+    if (walkOutput > fullGetPath && slashLengthIfNeeded) {
+        strcpy(walkOutput, "/");
+        ++walkOutput;
+    }
+    ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput);
+
+    item = cert_FetchOCSPResponse(arena, fullGetPath, NULL);
+    if (!arena) {
+        PORT_Free(fullGetPath);
+    }
+    return item;
 }
 
 SECItem *
 CERT_PostOCSPRequest(PLArenaPool *arena,  const char *location, 
                      const SECItem *encodedRequest)
 {
+    return cert_FetchOCSPResponse(arena, location, encodedRequest);
+}
+
+SECItem *
+cert_FetchOCSPResponse(PLArenaPool *arena,  const char *location, 
+                       const SECItem *encodedRequest)
+{
     const SEC_HttpClientFcn *registeredHttpClient;
     SECItem *encodedResponse = NULL;
 
     registeredHttpClient = SEC_GetRegisteredHttpClient();
 
     if (registeredHttpClient && registeredHttpClient->version == 1) {
         encodedResponse = fetchOcspHttpClientV1(
                               arena,
                               &registeredHttpClient->fcnTable.ftable1,
                               location,
                               encodedRequest);
     } else {
         /* use internal http client */
         PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest);
         if (sock) {
             encodedResponse = ocsp_GetEncodedResponse(arena, sock);
             PR_Close(sock);
         }
     }
 
     return encodedResponse;
 }
 
 static SECItem *
 ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena, 
                                          CERTOCSPCertID *certID, 
                                          CERTCertificate *singleCert, 
-                                         const char *location, PRTime time,
+                                         const char *location,
+                                         const char *method,
+                                         PRTime time,
                                          PRBool addServiceLocator,
                                          void *pwArg,
                                          CERTOCSPRequest **pRequest)
 {
     CERTOCSPRequest *request;
     request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time, 
                                                addServiceLocator, NULL);
     if (!request)
         return NULL;
-    return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, 
-                                                  time, addServiceLocator, 
+    return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location,
+                                                  method, time, addServiceLocator,
                                                   pwArg, pRequest);
 }
 
 /* Checks a certificate for the key usage extension of OCSP signer. */
 static PRBool
 ocsp_CertIsOCSPDesignatedResponder(CERTCertificate *cert)
 {
     SECStatus rv;
     SECItem extItem;
     SECItem **oids;
@@ skipping 70 matching lines @@
 
 static PRBool
 ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
 {
     SECItem item;
     unsigned char buf[HASH_LENGTH_MAX];
 
     item.data = buf;
     item.len = SHA1_LENGTH;
 
-    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_SHA1, &item) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_SHA1,
+                                       &item) == NULL) {
         return PR_FALSE;
     }
     if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
         return PR_TRUE;
     }
-    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD5, &item) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD5,
+                                       &item) == NULL) {
         return PR_FALSE;
     }
     if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
         return PR_TRUE;
     }
-    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD2, &item) == NULL) {
+    if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD2,
+                                       &item) == NULL) {
         return PR_FALSE;
     }
     if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
         return PR_TRUE;
     }
 
     return PR_FALSE;
 }
 
 static CERTCertificate *
@@ skipping 80 matching lines @@
         if (responder && ocsp_matchcert(certIndex,responder)) {
             signerCert = CERT_DupCertificate(responder);
         } else if (issuer && ocsp_matchcert(certIndex,issuer)) {
             signerCert = CERT_DupCertificate(issuer);
         } 
         for (i=0; (signerCert == NULL) && (i < certCount); i++) {
             if (ocsp_matchcert(certIndex,certs[i])) {
                 signerCert = CERT_DupCertificate(certs[i]);
             }
         }
+        if (signerCert == NULL) {
+            PORT_SetError(SEC_ERROR_UNKNOWN_CERT);
+        }
     }
 
 finish:
     if (certs != NULL) {
         CERT_DestroyCertArray(certs, certCount);
     }
 
     return signerCert;
 }
 
@@ skipping 429 matching lines @@
      *
      * First, lets check if signer of the response is the actual issuer
      * of the cert. For that we will use signer cert key hash and cert subj
      * name hash and will compare them with already calculated issuer key
      * hash and issuer name hash. The hash algorithm is picked from response
      * certID hash to avoid second hash calculation.
      */
 
     hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm);
 
-    keyHash = CERT_GetSPKIDigest(NULL, signerCert, hashAlg, NULL);
+    keyHash = CERT_GetSubjectPublicKeyDigest(NULL, signerCert, hashAlg, NULL);
     if (keyHash != NULL) {
 
         keyHashEQ =
             (SECITEM_CompareItem(keyHash,
                                  &certID->issuerKeyHash) == SECEqual);
         SECITEM_FreeItem(keyHash, PR_TRUE);
     }
     if (keyHashEQ &&
-        (nameHash = cert_GetSubjectNameDigest(NULL, signerCert,
+        (nameHash = CERT_GetSubjectNameDigest(NULL, signerCert,
                                               hashAlg, NULL))) {
         nameHashEQ =
             (SECITEM_CompareItem(nameHash,
                                  &certID->issuerNameHash) == SECEqual);
             
         SECITEM_FreeItem(nameHash, PR_TRUE);
         if (nameHashEQ) {
             /* The issuer of the cert is the the signer of the response */
             return PR_TRUE;
         }
@@ skipping 17 matching lines @@
     if (issuerCert == NULL) {
         /*
          * We could leave the SEC_ERROR_UNKNOWN_ISSUER error alone,
          * but the following will give slightly more information.
          * Once we have an error stack, things will be much better.
          */
         PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
         return PR_FALSE;
     }
 
-    keyHash = CERT_GetSPKIDigest(NULL, issuerCert, hashAlg, NULL);
-    nameHash = cert_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL);
+    keyHash = CERT_GetSubjectPublicKeyDigest(NULL, issuerCert, hashAlg, NULL);
+    nameHash = CERT_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL);
 
     CERT_DestroyCertificate(issuerCert);
 
     if (keyHash != NULL && nameHash != NULL) {
         keyHashEQ = 
             (SECITEM_CompareItem(keyHash,
                                  &certID->issuerKeyHash) == SECEqual);
 
         nameHashEQ =
             (SECITEM_CompareItem(nameHash,
@@ skipping 365 matching lines @@
     if (LL_CMP(revokedTime, >, time))
         return SECSuccess;
 
     return SECFailure;
 }
 
 /*
  * See if the cert represented in the single response had a good status
  * at the specified time.
  */
-static SECStatus
+SECStatus
 ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time)
 {
     SECStatus rv;
     switch (status->certStatusType) {
     case ocspCertStatus_good:
         rv = SECSuccess;
         break;
     case ocspCertStatus_revoked:
         rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time);
         break;
@@ skipping 11 matching lines @@
     return rv;
 }
 
 static SECStatus
 ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single, 
                                      PRTime time)
 {
     return ocsp_CertHasGoodStatus(single->certStatus, time);
 }
 
-/* Return value SECFailure means: not found or not fresh.
+/* SECFailure means the arguments were invalid.
  * On SECSuccess, the out parameters contain the OCSP status.
  * rvOcsp contains the overall result of the OCSP operation.
  * Depending on input parameter ignoreGlobalOcspFailureSetting,
  * a soft failure might be converted into *rvOcsp=SECSuccess.
  * If the cached attempt to obtain OCSP information had resulted
  * in a failure, missingResponseError shows the error code of
  * that failure.
+ * cacheFreshness is ocspMissing if no entry was found,
+ *                   ocspFresh if a fresh entry was found, or
+ *                   ocspStale if a stale entry was found.
  */
 SECStatus
-ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, 
-                                        PRTime time,
-                                        PRBool ignoreGlobalOcspFailureSetting,
-                                        SECStatus *rvOcsp,
-                                        SECErrorCodes *missingResponseError)
+ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
+                                 PRTime time,
+                                 PRBool ignoreGlobalOcspFailureSetting,
+                                 SECStatus *rvOcsp,
+                                 SECErrorCodes *missingResponseError,
+                                 OCSPFreshness *cacheFreshness)
 {
     OCSPCacheItem *cacheItem = NULL;
-    SECStatus rv = SECFailure;
   
-    if (!certID || !missingResponseError || !rvOcsp) {
+    if (!certID || !missingResponseError || !rvOcsp || !cacheFreshness) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     *rvOcsp = SECFailure;
     *missingResponseError = 0;
+    *cacheFreshness = ocspMissing;
   
     PR_EnterMonitor(OCSP_Global.monitor);
     cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID);
-    if (cacheItem && ocsp_IsCacheItemFresh(cacheItem)) {
+    if (cacheItem) {
+        *cacheFreshness = ocsp_IsCacheItemFresh(cacheItem) ? ocspFresh
+                                                           : ocspStale;
         /* having an arena means, we have a cached certStatus */
         if (cacheItem->certStatusArena) {
             *rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time);
             if (*rvOcsp != SECSuccess) {
                 *missingResponseError = PORT_GetError();
             }
-            rv = SECSuccess;
         } else {
             /*
              * No status cached, the previous attempt failed.
              * If OCSP is required, we never decide based on a failed attempt 
              * However, if OCSP is optional, a recent OCSP failure is
              * an allowed good state.
              */
-            if (!ignoreGlobalOcspFailureSetting &&
+            if (*cacheFreshness == ocspFresh &&
+                !ignoreGlobalOcspFailureSetting &&
                 OCSP_Global.ocspFailureMode == 
                     ocspMode_FailureIsNotAVerificationFailure) {
-                rv = SECSuccess;
                 *rvOcsp = SECSuccess;
             }
             *missingResponseError = cacheItem->missingResponseError;
         }
     }
     PR_ExitMonitor(OCSP_Global.monitor);
-    return rv;
+    return SECSuccess;
 }
 
 PRBool
 ocsp_FetchingFailureIsVerificationFailure(void)
 {
     PRBool isFailure;
 
     PR_EnterMonitor(OCSP_Global.monitor);
     isFailure =
         OCSP_Global.ocspFailureMode == ocspMode_FailureIsVerificationFailure;
@@ skipping 50 matching lines @@
  *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
  *   verifying the signer's cert, or low-level problems (error allocating
  *   memory, error performing ASN.1 decoding, etc.).
  */    
 SECStatus 
 CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
                      PRTime time, void *pwArg)
 {
     CERTOCSPCertID *certID;
     PRBool certIDWasConsumed = PR_FALSE;
-    SECStatus rv = SECFailure;
+    SECStatus rv;
     SECStatus rvOcsp;
-    SECErrorCodes dummy_error_code; /* we ignore this */
+    SECErrorCodes cachedErrorCode;
+    OCSPFreshness cachedResponseFreshness;
   
     OCSP_TRACE_CERT(cert);
     OCSP_TRACE_TIME("## requested validity time:", time);
   
     certID = CERT_CreateOCSPCertID(cert, time);
     if (!certID)
         return SECFailure;
-    rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
+    rv = ocsp_GetCachedOCSPResponseStatus(
         certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
-        &rvOcsp, &dummy_error_code);
-    if (rv == SECSuccess) {
+        &rvOcsp, &cachedErrorCode, &cachedResponseFreshness);
+    if (rv != SECSuccess) {
+        CERT_DestroyOCSPCertID(certID);
+        return SECFailure;
+    }
+    if (cachedResponseFreshness == ocspFresh) {
         CERT_DestroyOCSPCertID(certID);
         return rvOcsp;
     }
-    rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg, 
+
+    rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg,
                                        &certIDWasConsumed, 
                                        &rvOcsp);
     if (rv != SECSuccess) {
-        /* we were unable to obtain ocsp status. Check if we should
-         * return cert status revoked. */
-        rvOcsp = ocsp_FetchingFailureIsVerificationFailure() ?
-            SECFailure : SECSuccess;
+        PRErrorCode err = PORT_GetError();
+        if (ocsp_FetchingFailureIsVerificationFailure()) {
+            PORT_SetError(err);
+            rvOcsp = SECFailure;
+        } else if (cachedResponseFreshness == ocspStale &&
+                   (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT ||
+                    cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) {
+            /* If we couldn't get a response for a certificate that the OCSP
+             * responder previously told us was bad, then assume it is still
+             * bad until we hear otherwise, as it is very unlikely that the
+             * certificate status has changed from "revoked" to "good" and it
+             * is also unlikely that the certificate status has changed from
+             * "unknown" to "good", except for some buggy OCSP responders.
+             */
+            PORT_SetError(cachedErrorCode);
+            rvOcsp = SECFailure;
+        } else {
+            rvOcsp = SECSuccess;
+        }
     }
     if (!certIDWasConsumed) {
         CERT_DestroyOCSPCertID(certID);
     }
     return rvOcsp;
 }
 
 /*
  * FUNCTION: CERT_CacheOCSPResponseFromSideChannel
  *   First, this function checks the OCSP cache to see if a good response
@@ skipping 25 matching lines @@
 SECStatus
 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
                                       CERTCertificate *cert,
                                       PRTime time,
                                       const SECItem *encodedResponse,
                                       void *pwArg)
 {
     CERTOCSPCertID *certID = NULL;
     PRBool certIDWasConsumed = PR_FALSE;
     SECStatus rv = SECFailure;
-    SECStatus rvOcsp;
+    SECStatus rvOcsp = SECFailure;
     SECErrorCodes dummy_error_code; /* we ignore this */
+    CERTOCSPResponse *decodedResponse = NULL;
+    CERTOCSPSingleResponse *singleResponse = NULL;
+    OCSPFreshness freshness;
 
     /* The OCSP cache can be in three states regarding this certificate:
      *    + Good (cached, timely, 'good' response, or revoked in the future)
      *    + Revoked (cached, timely, but doesn't fit in the last category)
      *    + Miss (no knowledge)
      *
      * Likewise, the side-channel information can be
      *    + Good (timely, 'good' response, or revoked in the future)
      *    + Revoked (timely, but doesn't fit in the last category)
      *    + Invalid (bad syntax, bad signature, not timely etc)
@@ skipping 20 matching lines @@
      * e    |
      * l    |
      *
      * When we fetch from the network we might choose to cache a negative
      * result when the response is invalid. This saves us hammering, uselessly,
      * at a broken responder. However, side channels are commonly attacker
      * controlled and so we must not cache a negative result for an Invalid
      * side channel.
      */
 
-    if (!cert) {
+    if (!cert || !encodedResponse) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     certID = CERT_CreateOCSPCertID(cert, time);
     if (!certID)
         return SECFailure;
-    rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
-        certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
-        &rvOcsp, &dummy_error_code);
-    if (rv == SECSuccess && rvOcsp == SECSuccess) {
+
+    /* We pass PR_TRUE for ignoreGlobalOcspFailureSetting so that a cached
+     * error entry is not interpreted as being a 'Good' entry here.
+     */
+    rv = ocsp_GetCachedOCSPResponseStatus(
+        certID, time, PR_TRUE, /* ignoreGlobalOcspFailureSetting */
+        &rvOcsp, &dummy_error_code, &freshness);
+    if (rv == SECSuccess && rvOcsp == SECSuccess && freshness == ocspFresh) {
         /* The cached value is good. We don't want to waste time validating
          * this OCSP response. This is the first column in the table above. */
         CERT_DestroyOCSPCertID(certID);
         return rv;
     }
 
     /* The logic for caching the more recent response is handled in
-     * ocsp_CreateOrUpdateCacheEntry, which is called by this function. */
-    rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time,
-                                       pwArg, encodedResponse,
-                                       PR_FALSE /* don't cache if invalid */,
-                                       &certIDWasConsumed,
-                                       &rvOcsp);
+     * ocsp_CacheSingleResponse. */
+
+    rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
+                                                    time, pwArg,
+                                                    encodedResponse,
+                                                    &decodedResponse,
+                                                    &singleResponse);
+    if (rv == SECSuccess) {
+        rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
+        /* Cache any valid singleResponse, regardless of status. */
+        ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed);
+    }
+    if (decodedResponse) {
+        CERT_DestroyOCSPResponse(decodedResponse);
+    }
     if (!certIDWasConsumed) {
         CERT_DestroyOCSPCertID(certID);
     }
     return rv == SECSuccess ? rvOcsp : rv;
 }
 
 /*
  * Status in *certIDWasConsumed will always be correct, regardless of 
  * return value.
  */
 static SECStatus
 ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, 
                               CERTOCSPCertID *certID, 
                               CERTCertificate *cert, 
                               PRTime time,
                               void *pwArg,
                               PRBool *certIDWasConsumed,
                               SECStatus *rv_ocsp)
 {
     char *location = NULL;
     PRBool locationIsDefault;
     SECItem *encodedResponse = NULL;
     CERTOCSPRequest *request = NULL;
     SECStatus rv = SECFailure;
 
+    CERTOCSPResponse *decodedResponse = NULL;
+    CERTOCSPSingleResponse *singleResponse = NULL;
+    enum { stageGET, stagePOST } currentStage;
+    PRBool retry = PR_FALSE;
+
     if (!certIDWasConsumed || !rv_ocsp) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     *certIDWasConsumed = PR_FALSE;
     *rv_ocsp = SECFailure;
 
+    if (!OCSP_Global.monitor) {
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
+    }
+    PR_EnterMonitor(OCSP_Global.monitor);
+    if (OCSP_Global.forcePost) {
+        currentStage = stagePOST;
+    } else {
+        currentStage = stageGET;
+    }
+    PR_ExitMonitor(OCSP_Global.monitor);
+
     /*
      * The first thing we need to do is find the location of the responder.
      * This will be the value of the default responder (if enabled), else
      * it will come out of the AIA extension in the cert (if present).
      * If we have no such location, then this cert does not "deserve" to
      * be checked -- that is, we consider it a success and just return.
      * The way we tell that is by looking at the error number to see if
      * the problem was no AIA extension was found; any other error was
      * a true failure that we unfortunately have to treat as an overall
      * failure here.
@@ skipping 25 matching lines @@
      * because each issuer is different.  Carefully read the OCSP spec
      * if you do not understand this.)
      */
 
     /*
      * XXX If/when signing of requests is supported, that second NULL
      * should be changed to be the signer certificate.  Not sure if that
      * should be passed into this function or retrieved via some operation
      * on the handle/context.
      */
-    encodedResponse = 
-        ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert, location,
-                                                 time, locationIsDefault,
-                                                 pwArg, &request);
-    if (encodedResponse == NULL) {
-        goto loser;
-    }
 
-    rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time, pwArg,
-                                       encodedResponse,
-                                       PR_TRUE /* cache if invalid */,
-                                       certIDWasConsumed, rv_ocsp);
+    do {
+        const char *method;
+        PRBool validResponseWithAccurateInfo = PR_FALSE;
+        retry = PR_FALSE;
+        *rv_ocsp = SECFailure;
 
-loser:
-    if (request != NULL)
-        CERT_DestroyOCSPRequest(request);
-    if (encodedResponse != NULL)
-        SECITEM_FreeItem(encodedResponse, PR_TRUE);
-    if (location != NULL)
-        PORT_Free(location);
+        if (currentStage == stageGET) {
+            method = "GET";
+        } else {
+            PORT_Assert(currentStage == stagePOST);
+            method = "POST";
+        }
 
+        encodedResponse = 
+            ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
+                                                     location, method,
+                                                     time, locationIsDefault,
+                                                     pwArg, &request);
+
+        if (encodedResponse) {
+            rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
+                                                            time, pwArg,
+                                                            encodedResponse,
+                                                            &decodedResponse,
+                                                            &singleResponse);
+            if (rv == SECSuccess) {
+                switch (singleResponse->certStatus->certStatusType) {
+                    case ocspCertStatus_good:
+                    case ocspCertStatus_revoked:
+                        validResponseWithAccurateInfo = PR_TRUE;
+                        break;
+                    default:
+                        break;
+                }
+                *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
+            }
+        }
+
+        if (currentStage == stageGET) {
+            /* only accept GET response if good or revoked */
+            if (validResponseWithAccurateInfo) {
+                ocsp_CacheSingleResponse(certID, singleResponse, 
+                                         certIDWasConsumed);
+            } else {
+                retry = PR_TRUE;
+                currentStage = stagePOST;
+            }
+        } else {
+            /* cache the POST respone, regardless of status */
+            if (!singleResponse) {
+                cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed);
+            } else {
+                ocsp_CacheSingleResponse(certID, singleResponse, 
+                                         certIDWasConsumed);
+            }
+        }
+
+        if (encodedResponse) {
+            SECITEM_FreeItem(encodedResponse, PR_TRUE);
+            encodedResponse = NULL;
+        }
+        if (request) {
+            CERT_DestroyOCSPRequest(request);
+            request = NULL;
+        }
+        if (decodedResponse) {
+            CERT_DestroyOCSPResponse(decodedResponse);
+            decodedResponse = NULL;
+        }
+        singleResponse = NULL;
+
+    } while (retry);
+
+    PORT_Free(location);
     return rv;
 }
 
 /*
- * FUNCTION: ocsp_CacheEncodedOCSPResponse
+ * FUNCTION: ocsp_GetDecodedVerifiedSingleResponseForID
  *   This function decodes an OCSP response and checks for a valid response
- *   concerning the given certificate. If such a response is not found
- *   then nothing is cached. Otherwise, if it is a good response, or if
- *   cacheNegative is true, the results are stored in the OCSP cache.
+ *   concerning the given certificate.
  *
  *   Note: a 'valid' response is one that parses successfully, is not an OCSP
  *   exception (see RFC 2560 Section 2.3), is correctly signed and is current.
  *   A 'good' response is a valid response that attests that the certificate
  *   is not currently revoked (see RFC 2560 Section 2.2).
  *
  * INPUTS:
  *   CERTCertDBHandle *handle
  *     certificate DB of the cert that is being checked
  *   CERTOCSPCertID *certID
  *     the cert ID corresponding to |cert|
  *   CERTCertificate *cert
  *     the certificate being checked
  *   PRTime time
  *     time for which status is to be determined
  *   void *pwArg
  *     the opaque argument to the password prompting function.
  *   SECItem *encodedResponse
  *     the DER encoded bytes of the OCSP response
- *   PRBool cacheInvalid
- *     If true then invalid responses will cause a negative cache entry to be
- *     created. (Invalid means bad syntax, bad signature etc)
- *   PRBool *certIDWasConsumed
- *     (output) on return, this is true iff |certID| was consumed by this
- *     function.
- *   SECStatus *rv_ocsp
- *     (output) on return, this is SECSuccess iff the response is good (see
- *     definition of 'good' above).
+ *   CERTOCSPResponse **pDecodedResponse
+ *     (output) The caller must ALWAYS check for this output parameter,
+ *     and if it's non-null, must destroy it using CERT_DestroyOCSPResponse.
+ *   CERTOCSPSingleResponse **pSingle
+ *     (output) on success, this points to the single response that corresponds
+ *     to the certID parameter. Points to the inside of pDecodedResponse.
+ *     It isn't a copy, don't free it.
  * RETURN:
  *   SECSuccess iff the response is valid.
  */
 static SECStatus
-ocsp_CacheEncodedOCSPResponse(CERTCertDBHandle *handle,
-                              CERTOCSPCertID *certID,
-                              CERTCertificate *cert,
-                              PRTime time,
-                              void *pwArg,
-                              const SECItem *encodedResponse,
-                              PRBool cacheInvalid,
-                              PRBool *certIDWasConsumed,
-                              SECStatus *rv_ocsp)
+ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
+                                           CERTOCSPCertID *certID,
+                                           CERTCertificate *cert,
+                                           PRTime time,
+                                           void *pwArg,
+                                           const SECItem *encodedResponse,
+                                           CERTOCSPResponse **pDecodedResponse,
+                                           CERTOCSPSingleResponse **pSingle)
 {
-    CERTOCSPResponse *response = NULL;
     CERTCertificate *signerCert = NULL;
     CERTCertificate *issuerCert = NULL;
-    CERTOCSPSingleResponse *single = NULL;
     SECStatus rv = SECFailure;
 
-    *certIDWasConsumed = PR_FALSE;
-    *rv_ocsp = SECFailure;
-
-    response = CERT_DecodeOCSPResponse(encodedResponse);
-    if (response == NULL) {
-        goto loser;
+    if (!pSingle || !pDecodedResponse) {
+        return SECFailure;
+    }
+    *pSingle = NULL;
+    *pDecodedResponse = CERT_DecodeOCSPResponse(encodedResponse);
+    if (!*pDecodedResponse) {
+        return SECFailure;
     }
 
     /*
      * Okay, we at least have a response that *looks* like a response!
      * Now see if the overall response status value is good or not.
      * If not, we set an error and give up.  (It means that either the
      * server had a problem, or it didn't like something about our
      * request.  Either way there is nothing to do but give up.)
      * Otherwise, we continue to find the actual per-cert status
      * in the response.
      */
-    if (CERT_GetOCSPResponseStatus(response) != SECSuccess) {
+    if (CERT_GetOCSPResponseStatus(*pDecodedResponse) != SECSuccess) {
         goto loser;
     }
 
     /*
      * If we've made it this far, we expect a response with a good signature.
      * So, check for that.
      */
     issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
-    rv = CERT_VerifyOCSPResponseSignature(response, handle, pwArg, &signerCert,
-                        issuerCert);
-    if (rv != SECSuccess)
+    rv = CERT_VerifyOCSPResponseSignature(*pDecodedResponse, handle, pwArg,
+                                          &signerCert, issuerCert);
+    if (rv != SECSuccess) {
         goto loser;
+    }
 
     PORT_Assert(signerCert != NULL);    /* internal consistency check */
     /* XXX probably should set error, return failure if signerCert is null */
 
-
     /*
      * Again, we are only doing one request for one cert.
      * XXX When we handle cert chains, the following code will obviously
      * have to be modified, in coordation with the code above that will
      * have to determine how to make multiple requests, etc. 
      */
+    rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, certID, 
+                                                 signerCert, time, pSingle);
+loser:
+    if (issuerCert != NULL)
+        CERT_DestroyCertificate(issuerCert);
+    if (signerCert != NULL)
+        CERT_DestroyCertificate(signerCert);
+    return rv;
+}
 
-    rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID, 
-                                                 signerCert, time, &single);
-    if (rv != SECSuccess)
-        goto loser;
-
-    *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(single, time);
-
-loser:
-    /* If single == NULL here then the response was invalid. */
-    if (single != NULL || cacheInvalid) {
+/*
+ * FUNCTION: ocsp_CacheSingleResponse
+ *   This function requires that the caller has checked that the response
+ *   is valid and verified. 
+ *   The (positive or negative) valid response will be used to update the cache.
+ * INPUTS:
+ *   CERTOCSPCertID *certID
+ *     the cert ID corresponding to |cert|
+ *   PRBool *certIDWasConsumed
+ *     (output) on return, this is true iff |certID| was consumed by this
+ *     function.
+ */
+void
+ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
+                         CERTOCSPSingleResponse *single,
+                         PRBool *certIDWasConsumed)
+{
+    if (single != NULL) {
         PR_EnterMonitor(OCSP_Global.monitor);
         if (OCSP_Global.maxCacheEntries >= 0) {
-            /* single == NULL means: remember response failure */
             ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single,
                                           certIDWasConsumed);
             /* ignore cache update failures */
         }
         PR_ExitMonitor(OCSP_Global.monitor);
     }
-
-    /* 'single' points within the response so there's no need to free it. */
-
-    if (issuerCert != NULL)
-        CERT_DestroyCertificate(issuerCert);
-    if (signerCert != NULL)
-        CERT_DestroyCertificate(signerCert);
-    if (response != NULL)
-        CERT_DestroyOCSPResponse(response);
-    return rv;
 }
 
-static SECStatus
+SECStatus
 ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
                                         CERTOCSPResponse *response, 
                                         CERTOCSPCertID   *certID,
                                         CERTCertificate  *signerCert,
                                         PRTime            time,
                                         CERTOCSPSingleResponse 
                                             **pSingleResponse)
 {
     SECStatus rv;
     ocspResponseData *responseData;
@@ skipping 572 matching lines @@
         CERT_ClearOCSPCache();
     }
 
     /*
      * Finally, record the fact.
      */
     statusContext->useDefaultResponder = PR_FALSE;
     return SECSuccess;
 }
 
+SECStatus
+CERT_ForcePostMethodForOCSP(PRBool forcePost)
+{
+    if (!OCSP_Global.monitor) {
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
+    }
+
+    PR_EnterMonitor(OCSP_Global.monitor);
+    OCSP_Global.forcePost = forcePost;
+    PR_ExitMonitor(OCSP_Global.monitor);
+
+    return SECSuccess;
+}
 
 SECStatus
 CERT_GetOCSPResponseStatus(CERTOCSPResponse *response)
 {
     PORT_Assert(response);
     if (response->statusValue == ocspResponse_successful)
         return SECSuccess;
 
     switch (response->statusValue) {
       case ocspResponse_malformedRequest:
@@ skipping 12 matching lines @@
       case ocspResponse_unauthorized:
         PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
         break;
       case ocspResponse_unused:
       default:
         PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
         break;
     }
     return SECFailure;
 }