OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 | |
5 /* | |
6 * Implementation of OCSP services, for both client and server. | |
7 * (XXX, really, mostly just for client right now, but intended to do both.) | |
8 */ | |
9 | |
10 #include "prerror.h" | |
11 #include "prprf.h" | |
12 #include "plarena.h" | |
13 #include "prnetdb.h" | |
14 | |
15 #include "seccomon.h" | |
16 #include "secitem.h" | |
17 #include "secoidt.h" | |
18 #include "secasn1.h" | |
19 #include "secder.h" | |
20 #include "cert.h" | |
21 #include "certi.h" | |
22 #include "xconst.h" | |
23 #include "secerr.h" | |
24 #include "secoid.h" | |
25 #include "hasht.h" | |
26 #include "sechash.h" | |
27 #include "secasn1.h" | |
28 #include "plbase64.h" | |
29 #include "keyhi.h" | |
30 #include "cryptohi.h" | |
31 #include "ocsp.h" | |
32 #include "ocspti.h" | |
33 #include "ocspi.h" | |
34 #include "genname.h" | |
35 #include "certxutl.h" | |
36 #include "pk11func.h" /* for PK11_HashBuf */ | |
37 #include <stdarg.h> | |
38 #include <plhash.h> | |
39 | |
40 #define DEFAULT_OCSP_CACHE_SIZE 1000 | |
41 #define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 1 * 60 * 60L | |
42 #define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 24 * 60 * 60L | |
43 #define DEFAULT_OSCP_TIMEOUT_SECONDS 60 | |
44 #define MICROSECONDS_PER_SECOND 1000000L | |
45 | |
46 typedef struct OCSPCacheItemStr OCSPCacheItem; | |
47 typedef struct OCSPCacheDataStr OCSPCacheData; | |
48 | |
49 struct OCSPCacheItemStr { | |
50 /* LRU linking */ | |
51 OCSPCacheItem *moreRecent; | |
52 OCSPCacheItem *lessRecent; | |
53 | |
54 /* key */ | |
55 CERTOCSPCertID *certID; | |
56 /* CertID's arena also used to allocate "this" cache item */ | |
57 | |
58 /* cache control information */ | |
59 PRTime nextFetchAttemptTime; | |
60 | |
61 /* Cached contents. Use a separate arena, because lifetime is different */ | |
62 PLArenaPool *certStatusArena; /* NULL means: no cert status cached */ | |
63 ocspCertStatus certStatus; | |
64 | |
65 /* This may contain an error code when no OCSP response is available. */ | |
66 SECErrorCodes missingResponseError; | |
67 | |
68 PRPackedBool haveThisUpdate; | |
69 PRPackedBool haveNextUpdate; | |
70 PRTime thisUpdate; | |
71 PRTime nextUpdate; | |
72 }; | |
73 | |
74 struct OCSPCacheDataStr { | |
75 PLHashTable *entries; | |
76 PRUint32 numberOfEntries; | |
77 OCSPCacheItem *MRUitem; /* most recently used cache item */ | |
78 OCSPCacheItem *LRUitem; /* least recently used cache item */ | |
79 }; | |
80 | |
81 static struct OCSPGlobalStruct { | |
82 PRMonitor *monitor; | |
83 const SEC_HttpClientFcn *defaultHttpClientFcn; | |
84 PRInt32 maxCacheEntries; | |
85 PRUint32 minimumSecondsToNextFetchAttempt; | |
86 PRUint32 maximumSecondsToNextFetchAttempt; | |
87 PRUint32 timeoutSeconds; | |
88 OCSPCacheData cache; | |
89 SEC_OcspFailureMode ocspFailureMode; | |
90 CERT_StringFromCertFcn alternateOCSPAIAFcn; | |
91 PRBool forcePost; | |
92 } OCSP_Global = { NULL, | |
93 NULL, | |
94 DEFAULT_OCSP_CACHE_SIZE, | |
95 DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT, | |
96 DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT, | |
97 DEFAULT_OSCP_TIMEOUT_SECONDS, | |
98 { NULL, 0, NULL, NULL }, | |
99 ocspMode_FailureIsVerificationFailure, | |
100 NULL, | |
101 PR_FALSE }; | |
102 | |
103 /* Forward declarations */ | |
104 static SECItem * | |
105 ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, | |
106 CERTOCSPRequest *request, | |
107 const char *location, | |
108 const char *method, | |
109 PRTime time, | |
110 PRBool addServiceLocator, | |
111 void *pwArg, | |
112 CERTOCSPRequest **pRequest); | |
113 static SECStatus | |
114 ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, | |
115 CERTOCSPCertID *certID, | |
116 CERTCertificate *cert, | |
117 PRTime time, | |
118 void *pwArg, | |
119 PRBool *certIDWasConsumed, | |
120 SECStatus *rv_ocsp); | |
121 | |
122 static SECStatus | |
123 ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle, | |
124 CERTOCSPCertID *certID, | |
125 CERTCertificate *cert, | |
126 PRTime time, | |
127 void *pwArg, | |
128 const SECItem *encodedResponse, | |
129 CERTOCSPResponse **pDecodedResponse, | |
130 CERTOCSPSingleResponse **pSingle); | |
131 | |
132 static SECStatus | |
133 ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time); | |
134 | |
135 static CERTOCSPCertID * | |
136 cert_DupOCSPCertID(const CERTOCSPCertID *src); | |
137 | |
138 #ifndef DEBUG | |
139 #define OCSP_TRACE(msg) | |
140 #define OCSP_TRACE_TIME(msg, time) | |
141 #define OCSP_TRACE_CERT(cert) | |
142 #define OCSP_TRACE_CERTID(certid) | |
143 #else | |
144 #define OCSP_TRACE(msg) ocsp_Trace msg | |
145 #define OCSP_TRACE_TIME(msg, time) ocsp_dumpStringWithTime(msg, time) | |
146 #define OCSP_TRACE_CERT(cert) dumpCertificate(cert) | |
147 #define OCSP_TRACE_CERTID(certid) dumpCertID(certid) | |
148 | |
149 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) || \ | |
150 defined(XP_MACOSX) | |
151 #define NSS_HAVE_GETENV 1 | |
152 #endif | |
153 | |
154 static PRBool | |
155 wantOcspTrace(void) | |
156 { | |
157 static PRBool firstTime = PR_TRUE; | |
158 static PRBool wantTrace = PR_FALSE; | |
159 | |
160 #ifdef NSS_HAVE_GETENV | |
161 if (firstTime) { | |
162 char *ev = PR_GetEnvSecure("NSS_TRACE_OCSP"); | |
163 if (ev && ev[0]) { | |
164 wantTrace = PR_TRUE; | |
165 } | |
166 firstTime = PR_FALSE; | |
167 } | |
168 #endif | |
169 return wantTrace; | |
170 } | |
171 | |
172 static void | |
173 ocsp_Trace(const char *format, ...) | |
174 { | |
175 char buf[2000]; | |
176 va_list args; | |
177 | |
178 if (!wantOcspTrace()) | |
179 return; | |
180 va_start(args, format); | |
181 PR_vsnprintf(buf, sizeof(buf), format, args); | |
182 va_end(args); | |
183 PR_LogPrint("%s", buf); | |
184 } | |
185 | |
186 static void | |
187 ocsp_dumpStringWithTime(const char *str, PRTime time) | |
188 { | |
189 PRExplodedTime timePrintable; | |
190 char timestr[256]; | |
191 | |
192 if (!wantOcspTrace()) | |
193 return; | |
194 PR_ExplodeTime(time, PR_GMTParameters, &timePrintable); | |
195 if (PR_FormatTime(timestr, 256, "%a %b %d %H:%M:%S %Y", &timePrintable)) { | |
196 ocsp_Trace("OCSP %s %s\n", str, timestr); | |
197 } | |
198 } | |
199 | |
200 static void | |
201 printHexString(const char *prefix, SECItem *hexval) | |
202 { | |
203 unsigned int i; | |
204 char *hexbuf = NULL; | |
205 | |
206 for (i = 0; i < hexval->len; i++) { | |
207 if (i != hexval->len - 1) { | |
208 hexbuf = PR_sprintf_append(hexbuf, "%02x:", hexval->data[i]); | |
209 } else { | |
210 hexbuf = PR_sprintf_append(hexbuf, "%02x", hexval->data[i]); | |
211 } | |
212 } | |
213 if (hexbuf) { | |
214 ocsp_Trace("%s %s\n", prefix, hexbuf); | |
215 PR_smprintf_free(hexbuf); | |
216 } | |
217 } | |
218 | |
219 static void | |
220 dumpCertificate(CERTCertificate *cert) | |
221 { | |
222 if (!wantOcspTrace()) | |
223 return; | |
224 | |
225 ocsp_Trace("OCSP ----------------\n"); | |
226 ocsp_Trace("OCSP ## SUBJECT: %s\n", cert->subjectName); | |
227 { | |
228 PRTime timeBefore, timeAfter; | |
229 PRExplodedTime beforePrintable, afterPrintable; | |
230 char beforestr[256], afterstr[256]; | |
231 PRStatus rv1, rv2; | |
232 DER_DecodeTimeChoice(&timeBefore, &cert->validity.notBefore); | |
233 DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter); | |
234 PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable); | |
235 PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable); | |
236 rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y", | |
237 &beforePrintable); | |
238 rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y", | |
239 &afterPrintable); | |
240 ocsp_Trace("OCSP ## VALIDITY: %s to %s\n", rv1 ? beforestr : "", | |
241 rv2 ? afterstr : ""); | |
242 } | |
243 ocsp_Trace("OCSP ## ISSUER: %s\n", cert->issuerName); | |
244 printHexString("OCSP ## SERIAL NUMBER:", &cert->serialNumber); | |
245 } | |
246 | |
247 static void | |
248 dumpCertID(CERTOCSPCertID *certID) | |
249 { | |
250 if (!wantOcspTrace()) | |
251 return; | |
252 | |
253 printHexString("OCSP certID issuer", &certID->issuerNameHash); | |
254 printHexString("OCSP certID serial", &certID->serialNumber); | |
255 } | |
256 #endif | |
257 | |
258 SECStatus | |
259 SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable) | |
260 { | |
261 if (!OCSP_Global.monitor) { | |
262 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | |
263 return SECFailure; | |
264 } | |
265 | |
266 PR_EnterMonitor(OCSP_Global.monitor); | |
267 OCSP_Global.defaultHttpClientFcn = fcnTable; | |
268 PR_ExitMonitor(OCSP_Global.monitor); | |
269 | |
270 return SECSuccess; | |
271 } | |
272 | |
273 SECStatus | |
274 CERT_RegisterAlternateOCSPAIAInfoCallBack( | |
275 CERT_StringFromCertFcn newCallback, | |
276 CERT_StringFromCertFcn *oldCallback) | |
277 { | |
278 CERT_StringFromCertFcn old; | |
279 | |
280 if (!OCSP_Global.monitor) { | |
281 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | |
282 return SECFailure; | |
283 } | |
284 | |
285 PR_EnterMonitor(OCSP_Global.monitor); | |
286 old = OCSP_Global.alternateOCSPAIAFcn; | |
287 OCSP_Global.alternateOCSPAIAFcn = newCallback; | |
288 PR_ExitMonitor(OCSP_Global.monitor); | |
289 if (oldCallback) | |
290 *oldCallback = old; | |
291 return SECSuccess; | |
292 } | |
293 | |
294 static PLHashNumber PR_CALLBACK | |
295 ocsp_CacheKeyHashFunction(const void *key) | |
296 { | |
297 CERTOCSPCertID *cid = (CERTOCSPCertID *)key; | |
298 PLHashNumber hash = 0; | |
299 unsigned int i; | |
300 unsigned char *walk; | |
301 | |
302 /* a very simple hash calculation for the initial coding phase */ | |
303 walk = (unsigned char *)cid->issuerNameHash.data; | |
304 for (i = 0; i < cid->issuerNameHash.len; ++i, ++walk) { | |
305 hash += *walk; | |
306 } | |
307 walk = (unsigned char *)cid->issuerKeyHash.data; | |
308 for (i = 0; i < cid->issuerKeyHash.len; ++i, ++walk) { | |
309 hash += *walk; | |
310 } | |
311 walk = (unsigned char *)cid->serialNumber.data; | |
312 for (i = 0; i < cid->serialNumber.len; ++i, ++walk) { | |
313 hash += *walk; | |
314 } | |
315 return hash; | |
316 } | |
317 | |
318 static PRIntn PR_CALLBACK | |
319 ocsp_CacheKeyCompareFunction(const void *v1, const void *v2) | |
320 { | |
321 CERTOCSPCertID *cid1 = (CERTOCSPCertID *)v1; | |
322 CERTOCSPCertID *cid2 = (CERTOCSPCertID *)v2; | |
323 | |
324 return (SECEqual == SECITEM_CompareItem(&cid1->issuerNameHash, | |
325 &cid2->issuerNameHash) && | |
326 SECEqual == SECITEM_CompareItem(&cid1->issuerKeyHash, | |
327 &cid2->issuerKeyHash) && | |
328 SECEqual == SECITEM_CompareItem(&cid1->serialNumber, | |
329 &cid2->serialNumber)); | |
330 } | |
331 | |
332 static SECStatus | |
333 ocsp_CopyRevokedInfo(PLArenaPool *arena, ocspCertStatus *dest, | |
334 ocspRevokedInfo *src) | |
335 { | |
336 SECStatus rv = SECFailure; | |
337 void *mark; | |
338 | |
339 mark = PORT_ArenaMark(arena); | |
340 | |
341 dest->certStatusInfo.revokedInfo = | |
342 (ocspRevokedInfo *)PORT_ArenaZAlloc(arena, sizeof(ocspRevokedInfo)); | |
343 if (!dest->certStatusInfo.revokedInfo) { | |
344 goto loser; | |
345 } | |
346 | |
347 rv = SECITEM_CopyItem(arena, | |
348 &dest->certStatusInfo.revokedInfo->revocationTime, | |
349 &src->revocationTime); | |
350 if (rv != SECSuccess) { | |
351 goto loser; | |
352 } | |
353 | |
354 if (src->revocationReason) { | |
355 dest->certStatusInfo.revokedInfo->revocationReason = | |
356 SECITEM_ArenaDupItem(arena, src->revocationReason); | |
357 if (!dest->certStatusInfo.revokedInfo->revocationReason) { | |
358 goto loser; | |
359 } | |
360 } else { | |
361 dest->certStatusInfo.revokedInfo->revocationReason = NULL; | |
362 } | |
363 | |
364 PORT_ArenaUnmark(arena, mark); | |
365 return SECSuccess; | |
366 | |
367 loser: | |
368 PORT_ArenaRelease(arena, mark); | |
369 return SECFailure; | |
370 } | |
371 | |
372 static SECStatus | |
373 ocsp_CopyCertStatus(PLArenaPool *arena, ocspCertStatus *dest, | |
374 ocspCertStatus *src) | |
375 { | |
376 SECStatus rv = SECFailure; | |
377 dest->certStatusType = src->certStatusType; | |
378 | |
379 switch (src->certStatusType) { | |
380 case ocspCertStatus_good: | |
381 dest->certStatusInfo.goodInfo = | |
382 SECITEM_ArenaDupItem(arena, src->certStatusInfo.goodInfo); | |
383 if (dest->certStatusInfo.goodInfo != NULL) { | |
384 rv = SECSuccess; | |
385 } | |
386 break; | |
387 case ocspCertStatus_revoked: | |
388 rv = ocsp_CopyRevokedInfo(arena, dest, | |
389 src->certStatusInfo.revokedInfo); | |
390 break; | |
391 case ocspCertStatus_unknown: | |
392 dest->certStatusInfo.unknownInfo = | |
393 SECITEM_ArenaDupItem(arena, src->certStatusInfo.unknownInfo); | |
394 if (dest->certStatusInfo.unknownInfo != NULL) { | |
395 rv = SECSuccess; | |
396 } | |
397 break; | |
398 case ocspCertStatus_other: | |
399 default: | |
400 PORT_Assert(src->certStatusType == ocspCertStatus_other); | |
401 dest->certStatusInfo.otherInfo = | |
402 SECITEM_ArenaDupItem(arena, src->certStatusInfo.otherInfo); | |
403 if (dest->certStatusInfo.otherInfo != NULL) { | |
404 rv = SECSuccess; | |
405 } | |
406 break; | |
407 } | |
408 return rv; | |
409 } | |
410 | |
411 static void | |
412 ocsp_AddCacheItemToLinkedList(OCSPCacheData *cache, OCSPCacheItem *new_most_rece
nt) | |
413 { | |
414 PR_EnterMonitor(OCSP_Global.monitor); | |
415 | |
416 if (!cache->LRUitem) { | |
417 cache->LRUitem = new_most_recent; | |
418 } | |
419 new_most_recent->lessRecent = cache->MRUitem; | |
420 new_most_recent->moreRecent = NULL; | |
421 | |
422 if (cache->MRUitem) { | |
423 cache->MRUitem->moreRecent = new_most_recent; | |
424 } | |
425 cache->MRUitem = new_most_recent; | |
426 | |
427 PR_ExitMonitor(OCSP_Global.monitor); | |
428 } | |
429 | |
430 static void | |
431 ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item) | |
432 { | |
433 PR_EnterMonitor(OCSP_Global.monitor); | |
434 | |
435 if (!item->lessRecent && !item->moreRecent) { | |
436 /* | |
437 * Fail gracefully on attempts to remove an item from the list, | |
438 * which is currently not part of the list. | |
439 * But check for the edge case it is the single entry in the list. | |
440 */ | |
441 if (item == cache->LRUitem && | |
442 item == cache->MRUitem) { | |
443 /* remove the single entry */ | |
444 PORT_Assert(cache->numberOfEntries == 1); | |
445 PORT_Assert(item->moreRecent == NULL); | |
446 cache->MRUitem = NULL; | |
447 cache->LRUitem = NULL; | |
448 } | |
449 PR_ExitMonitor(OCSP_Global.monitor); | |
450 return; | |
451 } | |
452 | |
453 PORT_Assert(cache->numberOfEntries > 1); | |
454 | |
455 if (item == cache->LRUitem) { | |
456 PORT_Assert(item != cache->MRUitem); | |
457 PORT_Assert(item->lessRecent == NULL); | |
458 PORT_Assert(item->moreRecent != NULL); | |
459 PORT_Assert(item->moreRecent->lessRecent == item); | |
460 cache->LRUitem = item->moreRecent; | |
461 cache->LRUitem->lessRecent = NULL; | |
462 } else if (item == cache->MRUitem) { | |
463 PORT_Assert(item->moreRecent == NULL); | |
464 PORT_Assert(item->lessRecent != NULL); | |
465 PORT_Assert(item->lessRecent->moreRecent == item); | |
466 cache->MRUitem = item->lessRecent; | |
467 cache->MRUitem->moreRecent = NULL; | |
468 } else { | |
469 /* remove an entry in the middle of the list */ | |
470 PORT_Assert(item->moreRecent != NULL); | |
471 PORT_Assert(item->lessRecent != NULL); | |
472 PORT_Assert(item->lessRecent->moreRecent == item); | |
473 PORT_Assert(item->moreRecent->lessRecent == item); | |
474 item->moreRecent->lessRecent = item->lessRecent; | |
475 item->lessRecent->moreRecent = item->moreRecent; | |
476 } | |
477 | |
478 item->lessRecent = NULL; | |
479 item->moreRecent = NULL; | |
480 | |
481 PR_ExitMonitor(OCSP_Global.monitor); | |
482 } | |
483 | |
484 static void | |
485 ocsp_MakeCacheEntryMostRecent(OCSPCacheData *cache, OCSPCacheItem *new_most_rece
nt) | |
486 { | |
487 OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent THREADID %p\n", | |
488 PR_GetCurrentThread())); | |
489 PR_EnterMonitor(OCSP_Global.monitor); | |
490 if (cache->MRUitem == new_most_recent) { | |
491 OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent ALREADY MOST\n")); | |
492 PR_ExitMonitor(OCSP_Global.monitor); | |
493 return; | |
494 } | |
495 OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent NEW entry\n")); | |
496 ocsp_RemoveCacheItemFromLinkedList(cache, new_most_recent); | |
497 ocsp_AddCacheItemToLinkedList(cache, new_most_recent); | |
498 PR_ExitMonitor(OCSP_Global.monitor); | |
499 } | |
500 | |
501 static PRBool | |
502 ocsp_IsCacheDisabled(void) | |
503 { | |
504 /* | |
505 * maxCacheEntries == 0 means unlimited cache entries | |
506 * maxCacheEntries < 0 means cache is disabled | |
507 */ | |
508 PRBool retval; | |
509 PR_EnterMonitor(OCSP_Global.monitor); | |
510 retval = (OCSP_Global.maxCacheEntries < 0); | |
511 PR_ExitMonitor(OCSP_Global.monitor); | |
512 return retval; | |
513 } | |
514 | |
515 static OCSPCacheItem * | |
516 ocsp_FindCacheEntry(OCSPCacheData *cache, CERTOCSPCertID *certID) | |
517 { | |
518 OCSPCacheItem *found_ocsp_item = NULL; | |
519 OCSP_TRACE(("OCSP ocsp_FindCacheEntry\n")); | |
520 OCSP_TRACE_CERTID(certID); | |
521 PR_EnterMonitor(OCSP_Global.monitor); | |
522 if (ocsp_IsCacheDisabled()) | |
523 goto loser; | |
524 | |
525 found_ocsp_item = (OCSPCacheItem *)PL_HashTableLookup( | |
526 cache->entries, certID); | |
527 if (!found_ocsp_item) | |
528 goto loser; | |
529 | |
530 OCSP_TRACE(("OCSP ocsp_FindCacheEntry FOUND!\n")); | |
531 ocsp_MakeCacheEntryMostRecent(cache, found_ocsp_item); | |
532 | |
533 loser: | |
534 PR_ExitMonitor(OCSP_Global.monitor); | |
535 return found_ocsp_item; | |
536 } | |
537 | |
538 static void | |
539 ocsp_FreeCacheItem(OCSPCacheItem *item) | |
540 { | |
541 OCSP_TRACE(("OCSP ocsp_FreeCacheItem\n")); | |
542 if (item->certStatusArena) { | |
543 PORT_FreeArena(item->certStatusArena, PR_FALSE); | |
544 } | |
545 if (item->certID->poolp) { | |
546 /* freeing this poolp arena will also free item */ | |
547 PORT_FreeArena(item->certID->poolp, PR_FALSE); | |
548 } | |
549 } | |
550 | |
551 static void | |
552 ocsp_RemoveCacheItem(OCSPCacheData *cache, OCSPCacheItem *item) | |
553 { | |
554 /* The item we're removing could be either the least recently used item, | |
555 * or it could be an item that couldn't get updated with newer status info | |
556 * because of an allocation failure, or it could get removed because we're | |
557 * cleaning up. | |
558 */ | |
559 OCSP_TRACE(("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread(
))); | |
560 PR_EnterMonitor(OCSP_Global.monitor); | |
561 | |
562 ocsp_RemoveCacheItemFromLinkedList(cache, item); | |
563 #ifdef DEBUG | |
564 { | |
565 PRBool couldRemoveFromHashTable = PL_HashTableRemove(cache->entries, | |
566 item->certID); | |
567 PORT_Assert(couldRemoveFromHashTable); | |
568 } | |
569 #else | |
570 PL_HashTableRemove(cache->entries, item->certID); | |
571 #endif | |
572 --cache->numberOfEntries; | |
573 ocsp_FreeCacheItem(item); | |
574 PR_ExitMonitor(OCSP_Global.monitor); | |
575 } | |
576 | |
577 static void | |
578 ocsp_CheckCacheSize(OCSPCacheData *cache) | |
579 { | |
580 OCSP_TRACE(("OCSP ocsp_CheckCacheSize\n")); | |
581 PR_EnterMonitor(OCSP_Global.monitor); | |
582 if (OCSP_Global.maxCacheEntries > 0) { | |
583 /* Cache is not disabled. Number of cache entries is limited. | |
584 * The monitor ensures that maxCacheEntries remains positive. | |
585 */ | |
586 while (cache->numberOfEntries > | |
587 (PRUint32)OCSP_Global.maxCacheEntries) { | |
588 ocsp_RemoveCacheItem(cache, cache->LRUitem); | |
589 } | |
590 } | |
591 PR_ExitMonitor(OCSP_Global.monitor); | |
592 } | |
593 | |
594 SECStatus | |
595 CERT_ClearOCSPCache(void) | |
596 { | |
597 OCSP_TRACE(("OCSP CERT_ClearOCSPCache\n")); | |
598 PR_EnterMonitor(OCSP_Global.monitor); | |
599 while (OCSP_Global.cache.numberOfEntries > 0) { | |
600 ocsp_RemoveCacheItem(&OCSP_Global.cache, | |
601 OCSP_Global.cache.LRUitem); | |
602 } | |
603 PR_ExitMonitor(OCSP_Global.monitor); | |
604 return SECSuccess; | |
605 } | |
606 | |
607 static SECStatus | |
608 ocsp_CreateCacheItemAndConsumeCertID(OCSPCacheData *cache, | |
609 CERTOCSPCertID *certID, | |
610 OCSPCacheItem **pCacheItem) | |
611 { | |
612 PLArenaPool *arena; | |
613 void *mark; | |
614 PLHashEntry *new_hash_entry; | |
615 OCSPCacheItem *item; | |
616 | |
617 PORT_Assert(pCacheItem != NULL); | |
618 *pCacheItem = NULL; | |
619 | |
620 PR_EnterMonitor(OCSP_Global.monitor); | |
621 arena = certID->poolp; | |
622 mark = PORT_ArenaMark(arena); | |
623 | |
624 /* ZAlloc will init all Bools to False and all Pointers to NULL | |
625 and all error codes to zero/good. */ | |
626 item = (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp, | |
627 sizeof(OCSPCacheItem)); | |
628 if (!item) { | |
629 goto loser; | |
630 } | |
631 item->certID = certID; | |
632 new_hash_entry = PL_HashTableAdd(cache->entries, item->certID, | |
633 item); | |
634 if (!new_hash_entry) { | |
635 goto loser; | |
636 } | |
637 ++cache->numberOfEntries; | |
638 PORT_ArenaUnmark(arena, mark); | |
639 ocsp_AddCacheItemToLinkedList(cache, item); | |
640 *pCacheItem = item; | |
641 | |
642 PR_ExitMonitor(OCSP_Global.monitor); | |
643 return SECSuccess; | |
644 | |
645 loser: | |
646 PORT_ArenaRelease(arena, mark); | |
647 PR_ExitMonitor(OCSP_Global.monitor); | |
648 return SECFailure; | |
649 } | |
650 | |
651 static SECStatus | |
652 ocsp_SetCacheItemResponse(OCSPCacheItem *item, | |
653 const CERTOCSPSingleResponse *response) | |
654 { | |
655 if (item->certStatusArena) { | |
656 PORT_FreeArena(item->certStatusArena, PR_FALSE); | |
657 item->certStatusArena = NULL; | |
658 } | |
659 item->haveThisUpdate = item->haveNextUpdate = PR_FALSE; | |
660 if (response) { | |
661 SECStatus rv; | |
662 item->certStatusArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
663 if (item->certStatusArena == NULL) { | |
664 return SECFailure; | |
665 } | |
666 rv = ocsp_CopyCertStatus(item->certStatusArena, &item->certStatus, | |
667 response->certStatus); | |
668 if (rv != SECSuccess) { | |
669 PORT_FreeArena(item->certStatusArena, PR_FALSE); | |
670 item->certStatusArena = NULL; | |
671 return rv; | |
672 } | |
673 item->missingResponseError = 0; | |
674 rv = DER_GeneralizedTimeToTime(&item->thisUpdate, | |
675 &response->thisUpdate); | |
676 item->haveThisUpdate = (rv == SECSuccess); | |
677 if (response->nextUpdate) { | |
678 rv = DER_GeneralizedTimeToTime(&item->nextUpdate, | |
679 response->nextUpdate); | |
680 item->haveNextUpdate = (rv == SECSuccess); | |
681 } else { | |
682 item->haveNextUpdate = PR_FALSE; | |
683 } | |
684 } | |
685 return SECSuccess; | |
686 } | |
687 | |
688 static void | |
689 ocsp_FreshenCacheItemNextFetchAttemptTime(OCSPCacheItem *cacheItem) | |
690 { | |
691 PRTime now; | |
692 PRTime earliestAllowedNextFetchAttemptTime; | |
693 PRTime latestTimeWhenResponseIsConsideredFresh; | |
694 | |
695 OCSP_TRACE(("OCSP ocsp_FreshenCacheItemNextFetchAttemptTime\n")); | |
696 | |
697 PR_EnterMonitor(OCSP_Global.monitor); | |
698 | |
699 now = PR_Now(); | |
700 OCSP_TRACE_TIME("now:", now); | |
701 | |
702 if (cacheItem->haveThisUpdate) { | |
703 OCSP_TRACE_TIME("thisUpdate:", cacheItem->thisUpdate); | |
704 latestTimeWhenResponseIsConsideredFresh = cacheItem->thisUpdate + | |
705 OCSP_Global.maximumSecondsToNe
xtFetchAttempt * | |
706 MICROSECONDS_PER_SECOND; | |
707 OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:", | |
708 latestTimeWhenResponseIsConsideredFresh); | |
709 } else { | |
710 latestTimeWhenResponseIsConsideredFresh = now + | |
711 OCSP_Global.minimumSecondsToNe
xtFetchAttempt * | |
712 MICROSECONDS_PER_SECOND; | |
713 OCSP_TRACE_TIME("no thisUpdate, " | |
714 "latestTimeWhenResponseIsConsideredFresh:", | |
715 latestTimeWhenResponseIsConsideredFresh); | |
716 } | |
717 | |
718 if (cacheItem->haveNextUpdate) { | |
719 OCSP_TRACE_TIME("have nextUpdate:", cacheItem->nextUpdate); | |
720 } | |
721 | |
722 if (cacheItem->haveNextUpdate && | |
723 cacheItem->nextUpdate < latestTimeWhenResponseIsConsideredFresh) { | |
724 latestTimeWhenResponseIsConsideredFresh = cacheItem->nextUpdate; | |
725 OCSP_TRACE_TIME("nextUpdate is smaller than latestFresh, setting " | |
726 "latestTimeWhenResponseIsConsideredFresh:", | |
727 latestTimeWhenResponseIsConsideredFresh); | |
728 } | |
729 | |
730 earliestAllowedNextFetchAttemptTime = now + | |
731 OCSP_Global.minimumSecondsToNextFetchA
ttempt * | |
732 MICROSECONDS_PER_SECOND; | |
733 OCSP_TRACE_TIME("earliestAllowedNextFetchAttemptTime:", | |
734 earliestAllowedNextFetchAttemptTime); | |
735 | |
736 if (latestTimeWhenResponseIsConsideredFresh < | |
737 earliestAllowedNextFetchAttemptTime) { | |
738 latestTimeWhenResponseIsConsideredFresh = | |
739 earliestAllowedNextFetchAttemptTime; | |
740 OCSP_TRACE_TIME("latest < earliest, setting latest to:", | |
741 latestTimeWhenResponseIsConsideredFresh); | |
742 } | |
743 | |
744 cacheItem->nextFetchAttemptTime = | |
745 latestTimeWhenResponseIsConsideredFresh; | |
746 OCSP_TRACE_TIME("nextFetchAttemptTime", | |
747 latestTimeWhenResponseIsConsideredFresh); | |
748 | |
749 PR_ExitMonitor(OCSP_Global.monitor); | |
750 } | |
751 | |
752 static PRBool | |
753 ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem) | |
754 { | |
755 PRTime now; | |
756 PRBool fresh; | |
757 | |
758 now = PR_Now(); | |
759 | |
760 fresh = cacheItem->nextFetchAttemptTime > now; | |
761 | |
762 /* Work around broken OCSP responders that return unknown responses for | |
763 * certificates, especially certificates that were just recently issued. | |
764 */ | |
765 if (fresh && cacheItem->certStatusArena && | |
766 cacheItem->certStatus.certStatusType == ocspCertStatus_unknown) { | |
767 fresh = PR_FALSE; | |
768 } | |
769 | |
770 OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", fresh)); | |
771 | |
772 return fresh; | |
773 } | |
774 | |
775 /* | |
776 * Status in *certIDWasConsumed will always be correct, regardless of | |
777 * return value. | |
778 * If the caller is unable to transfer ownership of certID, | |
779 * then the caller must set certIDWasConsumed to NULL, | |
780 * and this function will potentially duplicate the certID object. | |
781 */ | |
782 static SECStatus | |
783 ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, | |
784 CERTOCSPCertID *certID, | |
785 CERTOCSPSingleResponse *single, | |
786 PRBool *certIDWasConsumed) | |
787 { | |
788 SECStatus rv; | |
789 OCSPCacheItem *cacheItem; | |
790 OCSP_TRACE(("OCSP ocsp_CreateOrUpdateCacheEntry\n")); | |
791 | |
792 if (certIDWasConsumed) | |
793 *certIDWasConsumed = PR_FALSE; | |
794 | |
795 PR_EnterMonitor(OCSP_Global.monitor); | |
796 PORT_Assert(OCSP_Global.maxCacheEntries >= 0); | |
797 | |
798 cacheItem = ocsp_FindCacheEntry(cache, certID); | |
799 | |
800 /* Don't replace an unknown or revoked entry with an error entry, even if | |
801 * the existing entry is expired. Instead, we'll continue to use the | |
802 * existing (possibly expired) cache entry until we receive a valid signed | |
803 * response to replace it. | |
804 */ | |
805 if (!single && cacheItem && cacheItem->certStatusArena && | |
806 (cacheItem->certStatus.certStatusType == ocspCertStatus_revoked || | |
807 cacheItem->certStatus.certStatusType == ocspCertStatus_unknown)) { | |
808 PR_ExitMonitor(OCSP_Global.monitor); | |
809 return SECSuccess; | |
810 } | |
811 | |
812 if (!cacheItem) { | |
813 CERTOCSPCertID *myCertID; | |
814 if (certIDWasConsumed) { | |
815 myCertID = certID; | |
816 *certIDWasConsumed = PR_TRUE; | |
817 } else { | |
818 myCertID = cert_DupOCSPCertID(certID); | |
819 if (!myCertID) { | |
820 PR_ExitMonitor(OCSP_Global.monitor); | |
821 PORT_SetError(PR_OUT_OF_MEMORY_ERROR); | |
822 return SECFailure; | |
823 } | |
824 } | |
825 | |
826 rv = ocsp_CreateCacheItemAndConsumeCertID(cache, myCertID, | |
827 &cacheItem); | |
828 if (rv != SECSuccess) { | |
829 PR_ExitMonitor(OCSP_Global.monitor); | |
830 return rv; | |
831 } | |
832 } | |
833 if (single) { | |
834 PRTime thisUpdate; | |
835 rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate); | |
836 | |
837 if (!cacheItem->haveThisUpdate || | |
838 (rv == SECSuccess && cacheItem->thisUpdate < thisUpdate)) { | |
839 rv = ocsp_SetCacheItemResponse(cacheItem, single); | |
840 if (rv != SECSuccess) { | |
841 ocsp_RemoveCacheItem(cache, cacheItem); | |
842 PR_ExitMonitor(OCSP_Global.monitor); | |
843 return rv; | |
844 } | |
845 } else { | |
846 OCSP_TRACE(("Not caching response because the response is not " | |
847 "newer than the cache")); | |
848 } | |
849 } else { | |
850 cacheItem->missingResponseError = PORT_GetError(); | |
851 if (cacheItem->certStatusArena) { | |
852 PORT_FreeArena(cacheItem->certStatusArena, PR_FALSE); | |
853 cacheItem->certStatusArena = NULL; | |
854 } | |
855 } | |
856 ocsp_FreshenCacheItemNextFetchAttemptTime(cacheItem); | |
857 ocsp_CheckCacheSize(cache); | |
858 | |
859 PR_ExitMonitor(OCSP_Global.monitor); | |
860 return SECSuccess; | |
861 } | |
862 | |
863 extern SECStatus | |
864 CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode) | |
865 { | |
866 switch (ocspFailureMode) { | |
867 case ocspMode_FailureIsVerificationFailure: | |
868 case ocspMode_FailureIsNotAVerificationFailure: | |
869 break; | |
870 default: | |
871 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
872 return SECFailure; | |
873 } | |
874 | |
875 PR_EnterMonitor(OCSP_Global.monitor); | |
876 OCSP_Global.ocspFailureMode = ocspFailureMode; | |
877 PR_ExitMonitor(OCSP_Global.monitor); | |
878 return SECSuccess; | |
879 } | |
880 | |
881 SECStatus | |
882 CERT_OCSPCacheSettings(PRInt32 maxCacheEntries, | |
883 PRUint32 minimumSecondsToNextFetchAttempt, | |
884 PRUint32 maximumSecondsToNextFetchAttempt) | |
885 { | |
886 if (minimumSecondsToNextFetchAttempt > maximumSecondsToNextFetchAttempt || | |
887 maxCacheEntries < -1) { | |
888 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
889 return SECFailure; | |
890 } | |
891 | |
892 PR_EnterMonitor(OCSP_Global.monitor); | |
893 | |
894 if (maxCacheEntries < 0) { | |
895 OCSP_Global.maxCacheEntries = -1; /* disable cache */ | |
896 } else if (maxCacheEntries == 0) { | |
897 OCSP_Global.maxCacheEntries = 0; /* unlimited cache entries */ | |
898 } else { | |
899 OCSP_Global.maxCacheEntries = maxCacheEntries; | |
900 } | |
901 | |
902 if (minimumSecondsToNextFetchAttempt < | |
903 OCSP_Global.minimumSecondsToNextFetchAttempt || | |
904 maximumSecondsToNextFetchAttempt < | |
905 OCSP_Global.maximumSecondsToNextFetchAttempt) { | |
906 /* | |
907 * Ensure our existing cache entries are not used longer than the | |
908 * new settings allow, we're lazy and just clear the cache | |
909 */ | |
910 CERT_ClearOCSPCache(); | |
911 } | |
912 | |
913 OCSP_Global.minimumSecondsToNextFetchAttempt = | |
914 minimumSecondsToNextFetchAttempt; | |
915 OCSP_Global.maximumSecondsToNextFetchAttempt = | |
916 maximumSecondsToNextFetchAttempt; | |
917 ocsp_CheckCacheSize(&OCSP_Global.cache); | |
918 | |
919 PR_ExitMonitor(OCSP_Global.monitor); | |
920 return SECSuccess; | |
921 } | |
922 | |
923 SECStatus | |
924 CERT_SetOCSPTimeout(PRUint32 seconds) | |
925 { | |
926 /* no locking, see bug 406120 */ | |
927 OCSP_Global.timeoutSeconds = seconds; | |
928 return SECSuccess; | |
929 } | |
930 | |
931 /* this function is called at NSS initialization time */ | |
932 SECStatus | |
933 OCSP_InitGlobal(void) | |
934 { | |
935 SECStatus rv = SECFailure; | |
936 | |
937 if (OCSP_Global.monitor == NULL) { | |
938 OCSP_Global.monitor = PR_NewMonitor(); | |
939 } | |
940 if (!OCSP_Global.monitor) | |
941 return SECFailure; | |
942 | |
943 PR_EnterMonitor(OCSP_Global.monitor); | |
944 if (!OCSP_Global.cache.entries) { | |
945 OCSP_Global.cache.entries = | |
946 PL_NewHashTable(0, | |
947 ocsp_CacheKeyHashFunction, | |
948 ocsp_CacheKeyCompareFunction, | |
949 PL_CompareValues, | |
950 NULL, | |
951 NULL); | |
952 OCSP_Global.ocspFailureMode = ocspMode_FailureIsVerificationFailure; | |
953 OCSP_Global.cache.numberOfEntries = 0; | |
954 OCSP_Global.cache.MRUitem = NULL; | |
955 OCSP_Global.cache.LRUitem = NULL; | |
956 } else { | |
957 /* | |
958 * NSS might call this function twice while attempting to init. | |
959 * But it's not allowed to call this again after any activity. | |
960 */ | |
961 PORT_Assert(OCSP_Global.cache.numberOfEntries == 0); | |
962 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
963 } | |
964 if (OCSP_Global.cache.entries) | |
965 rv = SECSuccess; | |
966 PR_ExitMonitor(OCSP_Global.monitor); | |
967 return rv; | |
968 } | |
969 | |
970 SECStatus | |
971 OCSP_ShutdownGlobal(void) | |
972 { | |
973 if (!OCSP_Global.monitor) | |
974 return SECSuccess; | |
975 | |
976 PR_EnterMonitor(OCSP_Global.monitor); | |
977 if (OCSP_Global.cache.entries) { | |
978 CERT_ClearOCSPCache(); | |
979 PL_HashTableDestroy(OCSP_Global.cache.entries); | |
980 OCSP_Global.cache.entries = NULL; | |
981 } | |
982 PORT_Assert(OCSP_Global.cache.numberOfEntries == 0); | |
983 OCSP_Global.cache.MRUitem = NULL; | |
984 OCSP_Global.cache.LRUitem = NULL; | |
985 | |
986 OCSP_Global.defaultHttpClientFcn = NULL; | |
987 OCSP_Global.maxCacheEntries = DEFAULT_OCSP_CACHE_SIZE; | |
988 OCSP_Global.minimumSecondsToNextFetchAttempt = | |
989 DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT; | |
990 OCSP_Global.maximumSecondsToNextFetchAttempt = | |
991 DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT; | |
992 OCSP_Global.ocspFailureMode = | |
993 ocspMode_FailureIsVerificationFailure; | |
994 PR_ExitMonitor(OCSP_Global.monitor); | |
995 | |
996 PR_DestroyMonitor(OCSP_Global.monitor); | |
997 OCSP_Global.monitor = NULL; | |
998 return SECSuccess; | |
999 } | |
1000 | |
1001 /* | |
1002 * A return value of NULL means: | |
1003 * The application did not register it's own HTTP client. | |
1004 */ | |
1005 const SEC_HttpClientFcn * | |
1006 SEC_GetRegisteredHttpClient(void) | |
1007 { | |
1008 const SEC_HttpClientFcn *retval; | |
1009 | |
1010 if (!OCSP_Global.monitor) { | |
1011 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | |
1012 return NULL; | |
1013 } | |
1014 | |
1015 PR_EnterMonitor(OCSP_Global.monitor); | |
1016 retval = OCSP_Global.defaultHttpClientFcn; | |
1017 PR_ExitMonitor(OCSP_Global.monitor); | |
1018 | |
1019 return retval; | |
1020 } | |
1021 | |
1022 /* | |
1023 * The following structure is only used internally. It is allocated when | |
1024 * someone turns on OCSP checking, and hangs off of the status-configuration | |
1025 * structure in the certdb structure. We use it to keep configuration | |
1026 * information specific to OCSP checking. | |
1027 */ | |
1028 typedef struct ocspCheckingContextStr { | |
1029 PRBool useDefaultResponder; | |
1030 char *defaultResponderURI; | |
1031 char *defaultResponderNickname; | |
1032 CERTCertificate *defaultResponderCert; | |
1033 } ocspCheckingContext; | |
1034 | |
1035 SEC_ASN1_MKSUB(SEC_AnyTemplate) | |
1036 SEC_ASN1_MKSUB(SEC_IntegerTemplate) | |
1037 SEC_ASN1_MKSUB(SEC_NullTemplate) | |
1038 SEC_ASN1_MKSUB(SEC_OctetStringTemplate) | |
1039 SEC_ASN1_MKSUB(SEC_PointerToAnyTemplate) | |
1040 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) | |
1041 SEC_ASN1_MKSUB(SEC_SequenceOfAnyTemplate) | |
1042 SEC_ASN1_MKSUB(SEC_PointerToGeneralizedTimeTemplate) | |
1043 SEC_ASN1_MKSUB(SEC_PointerToEnumeratedTemplate) | |
1044 | |
1045 /* | |
1046 * Forward declarations of sub-types, so I can lay out the types in the | |
1047 * same order as the ASN.1 is laid out in the OCSP spec itself. | |
1048 * | |
1049 * These are in alphabetical order (case-insensitive); please keep it that way! | |
1050 */ | |
1051 extern const SEC_ASN1Template ocsp_CertIDTemplate[]; | |
1052 extern const SEC_ASN1Template ocsp_PointerToSignatureTemplate[]; | |
1053 extern const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[]; | |
1054 extern const SEC_ASN1Template ocsp_ResponseDataTemplate[]; | |
1055 extern const SEC_ASN1Template ocsp_RevokedInfoTemplate[]; | |
1056 extern const SEC_ASN1Template ocsp_SingleRequestTemplate[]; | |
1057 extern const SEC_ASN1Template ocsp_SingleResponseTemplate[]; | |
1058 extern const SEC_ASN1Template ocsp_TBSRequestTemplate[]; | |
1059 | |
1060 /* | |
1061 * Request-related templates... | |
1062 */ | |
1063 | |
1064 /* | |
1065 * OCSPRequest ::= SEQUENCE { | |
1066 * tbsRequest TBSRequest, | |
1067 * optionalSignature [0] EXPLICIT Signature OPTIONAL } | |
1068 */ | |
1069 static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = { | |
1070 { SEC_ASN1_SEQUENCE, | |
1071 0, NULL, sizeof(CERTOCSPRequest) }, | |
1072 { SEC_ASN1_POINTER, | |
1073 offsetof(CERTOCSPRequest, tbsRequest), | |
1074 ocsp_TBSRequestTemplate }, | |
1075 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1076 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, | |
1077 offsetof(CERTOCSPRequest, optionalSignature), | |
1078 ocsp_PointerToSignatureTemplate }, | |
1079 { 0 } | |
1080 }; | |
1081 | |
1082 /* | |
1083 * TBSRequest ::= SEQUENCE { | |
1084 * version [0] EXPLICIT Version DEFAULT v1, | |
1085 * requestorName [1] EXPLICIT GeneralName OPTIONAL, | |
1086 * requestList SEQUENCE OF Request, | |
1087 * requestExtensions [2] EXPLICIT Extensions OPTIONAL } | |
1088 * | |
1089 * Version ::= INTEGER { v1(0) } | |
1090 * | |
1091 * Note: this should be static but the AIX compiler doesn't like it (because it | |
1092 * was forward-declared above); it is not meant to be exported, but this | |
1093 * is the only way it will compile. | |
1094 */ | |
1095 const SEC_ASN1Template ocsp_TBSRequestTemplate[] = { | |
1096 { SEC_ASN1_SEQUENCE, | |
1097 0, NULL, sizeof(ocspTBSRequest) }, | |
1098 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */ | |
1099 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | |
1100 offsetof(ocspTBSRequest, version), | |
1101 SEC_ASN1_SUB(SEC_IntegerTemplate) }, | |
1102 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1103 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, | |
1104 offsetof(ocspTBSRequest, derRequestorName), | |
1105 SEC_ASN1_SUB(SEC_PointerToAnyTemplate) }, | |
1106 { SEC_ASN1_SEQUENCE_OF, | |
1107 offsetof(ocspTBSRequest, requestList), | |
1108 ocsp_SingleRequestTemplate }, | |
1109 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1110 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2, | |
1111 offsetof(ocspTBSRequest, requestExtensions), | |
1112 CERT_SequenceOfCertExtensionTemplate }, | |
1113 { 0 } | |
1114 }; | |
1115 | |
1116 /* | |
1117 * Signature ::= SEQUENCE { | |
1118 * signatureAlgorithm AlgorithmIdentifier, | |
1119 * signature BIT STRING, | |
1120 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | |
1121 */ | |
1122 static const SEC_ASN1Template ocsp_SignatureTemplate[] = { | |
1123 { SEC_ASN1_SEQUENCE, | |
1124 0, NULL, sizeof(ocspSignature) }, | |
1125 { SEC_ASN1_INLINE | SEC_ASN1_XTRN, | |
1126 offsetof(ocspSignature, signatureAlgorithm), | |
1127 SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, | |
1128 { SEC_ASN1_BIT_STRING, | |
1129 offsetof(ocspSignature, signature) }, | |
1130 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1131 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | |
1132 offsetof(ocspSignature, derCerts), | |
1133 SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) }, | |
1134 { 0 } | |
1135 }; | |
1136 | |
1137 /* | |
1138 * This template is just an extra level to use in an explicitly-tagged | |
1139 * reference to a Signature. | |
1140 * | |
1141 * Note: this should be static but the AIX compiler doesn't like it (because it | |
1142 * was forward-declared above); it is not meant to be exported, but this | |
1143 * is the only way it will compile. | |
1144 */ | |
1145 const SEC_ASN1Template ocsp_PointerToSignatureTemplate[] = { | |
1146 { SEC_ASN1_POINTER, 0, ocsp_SignatureTemplate } | |
1147 }; | |
1148 | |
1149 /* | |
1150 * Request ::= SEQUENCE { | |
1151 * reqCert CertID, | |
1152 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } | |
1153 * | |
1154 * Note: this should be static but the AIX compiler doesn't like it (because it | |
1155 * was forward-declared above); it is not meant to be exported, but this | |
1156 * is the only way it will compile. | |
1157 */ | |
1158 const SEC_ASN1Template ocsp_SingleRequestTemplate[] = { | |
1159 { SEC_ASN1_SEQUENCE, | |
1160 0, NULL, sizeof(ocspSingleRequest) }, | |
1161 { SEC_ASN1_POINTER, | |
1162 offsetof(ocspSingleRequest, reqCert), | |
1163 ocsp_CertIDTemplate }, | |
1164 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1165 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, | |
1166 offsetof(ocspSingleRequest, singleRequestExtensions), | |
1167 CERT_SequenceOfCertExtensionTemplate }, | |
1168 { 0 } | |
1169 }; | |
1170 | |
1171 /* | |
1172 * This data structure and template (CertID) is used by both OCSP | |
1173 * requests and responses. It is the only one that is shared. | |
1174 * | |
1175 * CertID ::= SEQUENCE { | |
1176 * hashAlgorithm AlgorithmIdentifier, | |
1177 * issuerNameHash OCTET STRING, -- Hash of Issuer DN | |
1178 * issuerKeyHash OCTET STRING, -- Hash of Issuer public key | |
1179 * serialNumber CertificateSerialNumber } | |
1180 * | |
1181 * CertificateSerialNumber ::= INTEGER | |
1182 * | |
1183 * Note: this should be static but the AIX compiler doesn't like it (because it | |
1184 * was forward-declared above); it is not meant to be exported, but this | |
1185 * is the only way it will compile. | |
1186 */ | |
1187 const SEC_ASN1Template ocsp_CertIDTemplate[] = { | |
1188 { SEC_ASN1_SEQUENCE, | |
1189 0, NULL, sizeof(CERTOCSPCertID) }, | |
1190 { SEC_ASN1_INLINE | SEC_ASN1_XTRN, | |
1191 offsetof(CERTOCSPCertID, hashAlgorithm), | |
1192 SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, | |
1193 { SEC_ASN1_OCTET_STRING, | |
1194 offsetof(CERTOCSPCertID, issuerNameHash) }, | |
1195 { SEC_ASN1_OCTET_STRING, | |
1196 offsetof(CERTOCSPCertID, issuerKeyHash) }, | |
1197 { SEC_ASN1_INTEGER, | |
1198 offsetof(CERTOCSPCertID, serialNumber) }, | |
1199 { 0 } | |
1200 }; | |
1201 | |
1202 /* | |
1203 * Response-related templates... | |
1204 */ | |
1205 | |
1206 /* | |
1207 * OCSPResponse ::= SEQUENCE { | |
1208 * responseStatus OCSPResponseStatus, | |
1209 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | |
1210 */ | |
1211 const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = { | |
1212 { SEC_ASN1_SEQUENCE, | |
1213 0, NULL, sizeof(CERTOCSPResponse) }, | |
1214 { SEC_ASN1_ENUMERATED, | |
1215 offsetof(CERTOCSPResponse, responseStatus) }, | |
1216 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1217 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, | |
1218 offsetof(CERTOCSPResponse, responseBytes), | |
1219 ocsp_PointerToResponseBytesTemplate }, | |
1220 { 0 } | |
1221 }; | |
1222 | |
1223 /* | |
1224 * ResponseBytes ::= SEQUENCE { | |
1225 * responseType OBJECT IDENTIFIER, | |
1226 * response OCTET STRING } | |
1227 */ | |
1228 const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = { | |
1229 { SEC_ASN1_SEQUENCE, | |
1230 0, NULL, sizeof(ocspResponseBytes) }, | |
1231 { SEC_ASN1_OBJECT_ID, | |
1232 offsetof(ocspResponseBytes, responseType) }, | |
1233 { SEC_ASN1_OCTET_STRING, | |
1234 offsetof(ocspResponseBytes, response) }, | |
1235 { 0 } | |
1236 }; | |
1237 | |
1238 /* | |
1239 * This template is just an extra level to use in an explicitly-tagged | |
1240 * reference to a ResponseBytes. | |
1241 * | |
1242 * Note: this should be static but the AIX compiler doesn't like it (because it | |
1243 * was forward-declared above); it is not meant to be exported, but this | |
1244 * is the only way it will compile. | |
1245 */ | |
1246 const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[] = { | |
1247 { SEC_ASN1_POINTER, 0, ocsp_ResponseBytesTemplate } | |
1248 }; | |
1249 | |
1250 /* | |
1251 * BasicOCSPResponse ::= SEQUENCE { | |
1252 * tbsResponseData ResponseData, | |
1253 * signatureAlgorithm AlgorithmIdentifier, | |
1254 * signature BIT STRING, | |
1255 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | |
1256 */ | |
1257 static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = { | |
1258 { SEC_ASN1_SEQUENCE, | |
1259 0, NULL, sizeof(ocspBasicOCSPResponse) }, | |
1260 { SEC_ASN1_ANY | SEC_ASN1_SAVE, | |
1261 offsetof(ocspBasicOCSPResponse, tbsResponseDataDER) }, | |
1262 { SEC_ASN1_POINTER, | |
1263 offsetof(ocspBasicOCSPResponse, tbsResponseData), | |
1264 ocsp_ResponseDataTemplate }, | |
1265 { SEC_ASN1_INLINE | SEC_ASN1_XTRN, | |
1266 offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm), | |
1267 SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, | |
1268 { SEC_ASN1_BIT_STRING, | |
1269 offsetof(ocspBasicOCSPResponse, responseSignature.signature) }, | |
1270 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1271 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | |
1272 offsetof(ocspBasicOCSPResponse, responseSignature.derCerts), | |
1273 SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) }, | |
1274 { 0 } | |
1275 }; | |
1276 | |
1277 /* | |
1278 * ResponseData ::= SEQUENCE { | |
1279 * version [0] EXPLICIT Version DEFAULT v1, | |
1280 * responderID ResponderID, | |
1281 * producedAt GeneralizedTime, | |
1282 * responses SEQUENCE OF SingleResponse, | |
1283 * responseExtensions [1] EXPLICIT Extensions OPTIONAL } | |
1284 * | |
1285 * Note: this should be static but the AIX compiler doesn't like it (because it | |
1286 * was forward-declared above); it is not meant to be exported, but this | |
1287 * is the only way it will compile. | |
1288 */ | |
1289 const SEC_ASN1Template ocsp_ResponseDataTemplate[] = { | |
1290 { SEC_ASN1_SEQUENCE, | |
1291 0, NULL, sizeof(ocspResponseData) }, | |
1292 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */ | |
1293 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | |
1294 offsetof(ocspResponseData, version), | |
1295 SEC_ASN1_SUB(SEC_IntegerTemplate) }, | |
1296 { SEC_ASN1_ANY, | |
1297 offsetof(ocspResponseData, derResponderID) }, | |
1298 { SEC_ASN1_GENERALIZED_TIME, | |
1299 offsetof(ocspResponseData, producedAt) }, | |
1300 { SEC_ASN1_SEQUENCE_OF, | |
1301 offsetof(ocspResponseData, responses), | |
1302 ocsp_SingleResponseTemplate }, | |
1303 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1304 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, | |
1305 offsetof(ocspResponseData, responseExtensions), | |
1306 CERT_SequenceOfCertExtensionTemplate }, | |
1307 { 0 } | |
1308 }; | |
1309 | |
1310 /* | |
1311 * ResponderID ::= CHOICE { | |
1312 * byName [1] EXPLICIT Name, | |
1313 * byKey [2] EXPLICIT KeyHash } | |
1314 * | |
1315 * KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key | |
1316 * (excluding the tag and length fields) | |
1317 * | |
1318 * XXX Because the ASN.1 encoder and decoder currently do not provide | |
1319 * a way to automatically handle a CHOICE, we need to do it in two | |
1320 * steps, looking at the type tag and feeding the exact choice back | |
1321 * to the ASN.1 code. Hopefully that will change someday and this | |
1322 * can all be simplified down into a single template. Anyway, for | |
1323 * now we list each choice as its own template: | |
1324 */ | |
1325 const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = { | |
1326 { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, | |
1327 offsetof(ocspResponderID, responderIDValue.name), | |
1328 CERT_NameTemplate } | |
1329 }; | |
1330 const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = { | |
1331 { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | | |
1332 SEC_ASN1_XTRN | 2, | |
1333 offsetof(ocspResponderID, responderIDValue.keyHash), | |
1334 SEC_ASN1_SUB(SEC_OctetStringTemplate) } | |
1335 }; | |
1336 static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = { | |
1337 { SEC_ASN1_ANY, | |
1338 offsetof(ocspResponderID, responderIDValue.other) } | |
1339 }; | |
1340 | |
1341 /* Decode choice container, but leave x509 name object encoded */ | |
1342 static const SEC_ASN1Template ocsp_ResponderIDDerNameTemplate[] = { | |
1343 { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | | |
1344 SEC_ASN1_XTRN | 1, | |
1345 0, SEC_ASN1_SUB(SEC_AnyTemplate) } | |
1346 }; | |
1347 | |
1348 /* | |
1349 * SingleResponse ::= SEQUENCE { | |
1350 * certID CertID, | |
1351 * certStatus CertStatus, | |
1352 * thisUpdate GeneralizedTime, | |
1353 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | |
1354 * singleExtensions [1] EXPLICIT Extensions OPTIONAL } | |
1355 * | |
1356 * Note: this should be static but the AIX compiler doesn't like it (because it | |
1357 * was forward-declared above); it is not meant to be exported, but this | |
1358 * is the only way it will compile. | |
1359 */ | |
1360 const SEC_ASN1Template ocsp_SingleResponseTemplate[] = { | |
1361 { SEC_ASN1_SEQUENCE, | |
1362 0, NULL, sizeof(CERTOCSPSingleResponse) }, | |
1363 { SEC_ASN1_POINTER, | |
1364 offsetof(CERTOCSPSingleResponse, certID), | |
1365 ocsp_CertIDTemplate }, | |
1366 { SEC_ASN1_ANY, | |
1367 offsetof(CERTOCSPSingleResponse, derCertStatus) }, | |
1368 { SEC_ASN1_GENERALIZED_TIME, | |
1369 offsetof(CERTOCSPSingleResponse, thisUpdate) }, | |
1370 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1371 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | |
1372 offsetof(CERTOCSPSingleResponse, nextUpdate), | |
1373 SEC_ASN1_SUB(SEC_PointerToGeneralizedTimeTemplate) }, | |
1374 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1375 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, | |
1376 offsetof(CERTOCSPSingleResponse, singleExtensions), | |
1377 CERT_SequenceOfCertExtensionTemplate }, | |
1378 { 0 } | |
1379 }; | |
1380 | |
1381 /* | |
1382 * CertStatus ::= CHOICE { | |
1383 * good [0] IMPLICIT NULL, | |
1384 * revoked [1] IMPLICIT RevokedInfo, | |
1385 * unknown [2] IMPLICIT UnknownInfo } | |
1386 * | |
1387 * Because the ASN.1 encoder and decoder currently do not provide | |
1388 * a way to automatically handle a CHOICE, we need to do it in two | |
1389 * steps, looking at the type tag and feeding the exact choice back | |
1390 * to the ASN.1 code. Hopefully that will change someday and this | |
1391 * can all be simplified down into a single template. Anyway, for | |
1392 * now we list each choice as its own template: | |
1393 */ | |
1394 static const SEC_ASN1Template ocsp_CertStatusGoodTemplate[] = { | |
1395 { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | |
1396 offsetof(ocspCertStatus, certStatusInfo.goodInfo), | |
1397 SEC_ASN1_SUB(SEC_NullTemplate) } | |
1398 }; | |
1399 static const SEC_ASN1Template ocsp_CertStatusRevokedTemplate[] = { | |
1400 { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, | |
1401 offsetof(ocspCertStatus, certStatusInfo.revokedInfo), | |
1402 ocsp_RevokedInfoTemplate } | |
1403 }; | |
1404 static const SEC_ASN1Template ocsp_CertStatusUnknownTemplate[] = { | |
1405 { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2, | |
1406 offsetof(ocspCertStatus, certStatusInfo.unknownInfo), | |
1407 SEC_ASN1_SUB(SEC_NullTemplate) } | |
1408 }; | |
1409 static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = { | |
1410 { SEC_ASN1_POINTER | SEC_ASN1_XTRN, | |
1411 offsetof(ocspCertStatus, certStatusInfo.otherInfo), | |
1412 SEC_ASN1_SUB(SEC_AnyTemplate) } | |
1413 }; | |
1414 | |
1415 /* | |
1416 * RevokedInfo ::= SEQUENCE { | |
1417 * revocationTime GeneralizedTime, | |
1418 * revocationReason [0] EXPLICIT CRLReason OPTIONAL } | |
1419 * | |
1420 * Note: this should be static but the AIX compiler doesn't like it (because it | |
1421 * was forward-declared above); it is not meant to be exported, but this | |
1422 * is the only way it will compile. | |
1423 */ | |
1424 const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = { | |
1425 { SEC_ASN1_SEQUENCE, | |
1426 0, NULL, sizeof(ocspRevokedInfo) }, | |
1427 { SEC_ASN1_GENERALIZED_TIME, | |
1428 offsetof(ocspRevokedInfo, revocationTime) }, | |
1429 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1430 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | | |
1431 SEC_ASN1_XTRN | 0, | |
1432 offsetof(ocspRevokedInfo, revocationReason), | |
1433 SEC_ASN1_SUB(SEC_PointerToEnumeratedTemplate) }, | |
1434 { 0 } | |
1435 }; | |
1436 | |
1437 /* | |
1438 * OCSP-specific extension templates: | |
1439 */ | |
1440 | |
1441 /* | |
1442 * ServiceLocator ::= SEQUENCE { | |
1443 * issuer Name, | |
1444 * locator AuthorityInfoAccessSyntax OPTIONAL } | |
1445 */ | |
1446 static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = { | |
1447 { SEC_ASN1_SEQUENCE, | |
1448 0, NULL, sizeof(ocspServiceLocator) }, | |
1449 { SEC_ASN1_POINTER, | |
1450 offsetof(ocspServiceLocator, issuer), | |
1451 CERT_NameTemplate }, | |
1452 { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY, | |
1453 offsetof(ocspServiceLocator, locator) }, | |
1454 { 0 } | |
1455 }; | |
1456 | |
1457 /* | |
1458 * REQUEST SUPPORT FUNCTIONS (encode/create/decode/destroy): | |
1459 */ | |
1460 | |
1461 /* | |
1462 * FUNCTION: CERT_EncodeOCSPRequest | |
1463 * DER encodes an OCSP Request, possibly adding a signature as well. | |
1464 * XXX Signing is not yet supported, however; see comments in code. | |
1465 * INPUTS: | |
1466 * PLArenaPool *arena | |
1467 * The return value is allocated from here. | |
1468 * If a NULL is passed in, allocation is done from the heap instead. | |
1469 * CERTOCSPRequest *request | |
1470 * The request to be encoded. | |
1471 * void *pwArg | |
1472 * Pointer to argument for password prompting, if needed. (Definitely | |
1473 * not needed if not signing.) | |
1474 * RETURN: | |
1475 * Returns a NULL on error and a pointer to the SECItem with the | |
1476 * encoded value otherwise. Any error is likely to be low-level | |
1477 * (e.g. no memory). | |
1478 */ | |
1479 SECItem * | |
1480 CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, | |
1481 void *pwArg) | |
1482 { | |
1483 SECStatus rv; | |
1484 | |
1485 /* XXX All of these should generate errors if they fail. */ | |
1486 PORT_Assert(request); | |
1487 PORT_Assert(request->tbsRequest); | |
1488 | |
1489 if (request->tbsRequest->extensionHandle != NULL) { | |
1490 rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle); | |
1491 request->tbsRequest->extensionHandle = NULL; | |
1492 if (rv != SECSuccess) | |
1493 return NULL; | |
1494 } | |
1495 | |
1496 /* | |
1497 * XXX When signed requests are supported and request->optionalSignature | |
1498 * is not NULL: | |
1499 * - need to encode tbsRequest->requestorName | |
1500 * - need to encode tbsRequest | |
1501 * - need to sign that encoded result (using cert in sig), filling in the | |
1502 * request->optionalSignature structure with the result, the signing | |
1503 * algorithm and (perhaps?) the cert (and its chain?) in derCerts | |
1504 */ | |
1505 | |
1506 return SEC_ASN1EncodeItem(arena, NULL, request, ocsp_OCSPRequestTemplate); | |
1507 } | |
1508 | |
1509 /* | |
1510 * FUNCTION: CERT_DecodeOCSPRequest | |
1511 * Decode a DER encoded OCSP Request. | |
1512 * INPUTS: | |
1513 * SECItem *src | |
1514 * Pointer to a SECItem holding DER encoded OCSP Request. | |
1515 * RETURN: | |
1516 * Returns a pointer to a CERTOCSPRequest containing the decoded request. | |
1517 * On error, returns NULL. Most likely error is trouble decoding | |
1518 * (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory). | |
1519 */ | |
1520 CERTOCSPRequest * | |
1521 CERT_DecodeOCSPRequest(const SECItem *src) | |
1522 { | |
1523 PLArenaPool *arena = NULL; | |
1524 SECStatus rv = SECFailure; | |
1525 CERTOCSPRequest *dest = NULL; | |
1526 int i; | |
1527 SECItem newSrc; | |
1528 | |
1529 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
1530 if (arena == NULL) { | |
1531 goto loser; | |
1532 } | |
1533 dest = (CERTOCSPRequest *)PORT_ArenaZAlloc(arena, | |
1534 sizeof(CERTOCSPRequest)); | |
1535 if (dest == NULL) { | |
1536 goto loser; | |
1537 } | |
1538 dest->arena = arena; | |
1539 | |
1540 /* copy the DER into the arena, since Quick DER returns data that points | |
1541 into the DER input, which may get freed by the caller */ | |
1542 rv = SECITEM_CopyItem(arena, &newSrc, src); | |
1543 if (rv != SECSuccess) { | |
1544 goto loser; | |
1545 } | |
1546 | |
1547 rv = SEC_QuickDERDecodeItem(arena, dest, ocsp_OCSPRequestTemplate, &newSrc); | |
1548 if (rv != SECSuccess) { | |
1549 if (PORT_GetError() == SEC_ERROR_BAD_DER) | |
1550 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); | |
1551 goto loser; | |
1552 } | |
1553 | |
1554 /* | |
1555 * XXX I would like to find a way to get rid of the necessity | |
1556 * of doing this copying of the arena pointer. | |
1557 */ | |
1558 for (i = 0; dest->tbsRequest->requestList[i] != NULL; i++) { | |
1559 dest->tbsRequest->requestList[i]->arena = arena; | |
1560 } | |
1561 | |
1562 return dest; | |
1563 | |
1564 loser: | |
1565 if (arena != NULL) { | |
1566 PORT_FreeArena(arena, PR_FALSE); | |
1567 } | |
1568 return NULL; | |
1569 } | |
1570 | |
1571 SECStatus | |
1572 CERT_DestroyOCSPCertID(CERTOCSPCertID *certID) | |
1573 { | |
1574 if (certID && certID->poolp) { | |
1575 PORT_FreeArena(certID->poolp, PR_FALSE); | |
1576 return SECSuccess; | |
1577 } | |
1578 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1579 return SECFailure; | |
1580 } | |
1581 | |
1582 /* | |
1583 * Digest data using the specified algorithm. | |
1584 * The necessary storage for the digest data is allocated. If "fill" is | |
1585 * non-null, the data is put there, otherwise a SECItem is allocated. | |
1586 * Allocation from "arena" if it is non-null, heap otherwise. Any problem | |
1587 * results in a NULL being returned (and an appropriate error set). | |
1588 */ | |
1589 | |
1590 SECItem * | |
1591 ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg, | |
1592 SECItem *fill, const SECItem *src) | |
1593 { | |
1594 const SECHashObject *digestObject; | |
1595 SECItem *result = NULL; | |
1596 void *mark = NULL; | |
1597 void *digestBuff = NULL; | |
1598 | |
1599 if (arena != NULL) { | |
1600 mark = PORT_ArenaMark(arena); | |
1601 } | |
1602 | |
1603 digestObject = HASH_GetHashObjectByOidTag(digestAlg); | |
1604 if (digestObject == NULL) { | |
1605 goto loser; | |
1606 } | |
1607 | |
1608 if (fill == NULL || fill->data == NULL) { | |
1609 result = SECITEM_AllocItem(arena, fill, digestObject->length); | |
1610 if (result == NULL) { | |
1611 goto loser; | |
1612 } | |
1613 digestBuff = result->data; | |
1614 } else { | |
1615 if (fill->len < digestObject->length) { | |
1616 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1617 goto loser; | |
1618 } | |
1619 digestBuff = fill->data; | |
1620 } | |
1621 | |
1622 if (PK11_HashBuf(digestAlg, digestBuff, | |
1623 src->data, src->len) != SECSuccess) { | |
1624 goto loser; | |
1625 } | |
1626 | |
1627 if (arena != NULL) { | |
1628 PORT_ArenaUnmark(arena, mark); | |
1629 } | |
1630 | |
1631 if (result == NULL) { | |
1632 result = fill; | |
1633 } | |
1634 return result; | |
1635 | |
1636 loser: | |
1637 if (arena != NULL) { | |
1638 PORT_ArenaRelease(arena, mark); | |
1639 } else { | |
1640 if (result != NULL) { | |
1641 SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE); | |
1642 } | |
1643 } | |
1644 return (NULL); | |
1645 } | |
1646 | |
1647 /* | |
1648 * Digest the cert's subject public key using the specified algorithm. | |
1649 * The necessary storage for the digest data is allocated. If "fill" is | |
1650 * non-null, the data is put there, otherwise a SECItem is allocated. | |
1651 * Allocation from "arena" if it is non-null, heap otherwise. Any problem | |
1652 * results in a NULL being returned (and an appropriate error set). | |
1653 */ | |
1654 SECItem * | |
1655 CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert, | |
1656 SECOidTag digestAlg, SECItem *fill) | |
1657 { | |
1658 SECItem spk; | |
1659 | |
1660 /* | |
1661 * Copy just the length and data pointer (nothing needs to be freed) | |
1662 * of the subject public key so we can convert the length from bits | |
1663 * to bytes, which is what the digest function expects. | |
1664 */ | |
1665 spk = cert->subjectPublicKeyInfo.subjectPublicKey; | |
1666 DER_ConvertBitString(&spk); | |
1667 | |
1668 return ocsp_DigestValue(arena, digestAlg, fill, &spk); | |
1669 } | |
1670 | |
1671 /* | |
1672 * Digest the cert's subject name using the specified algorithm. | |
1673 */ | |
1674 SECItem * | |
1675 CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert, | |
1676 SECOidTag digestAlg, SECItem *fill) | |
1677 { | |
1678 SECItem name; | |
1679 | |
1680 /* | |
1681 * Copy just the length and data pointer (nothing needs to be freed) | |
1682 * of the subject name | |
1683 */ | |
1684 name = cert->derSubject; | |
1685 | |
1686 return ocsp_DigestValue(arena, digestAlg, fill, &name); | |
1687 } | |
1688 | |
1689 /* | |
1690 * Create and fill-in a CertID. This function fills in the hash values | |
1691 * (issuerNameHash and issuerKeyHash), and is hardwired to use SHA1. | |
1692 * Someday it might need to be more flexible about hash algorithm, but | |
1693 * for now we have no intention/need to create anything else. | |
1694 * | |
1695 * Error causes a null to be returned; most likely cause is trouble | |
1696 * finding the certificate issuer (SEC_ERROR_UNKNOWN_ISSUER). | |
1697 * Other errors are low-level problems (no memory, bad database, etc.). | |
1698 */ | |
1699 static CERTOCSPCertID * | |
1700 ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time) | |
1701 { | |
1702 CERTOCSPCertID *certID; | |
1703 CERTCertificate *issuerCert = NULL; | |
1704 void *mark = PORT_ArenaMark(arena); | |
1705 SECStatus rv; | |
1706 | |
1707 PORT_Assert(arena != NULL); | |
1708 | |
1709 certID = PORT_ArenaZNew(arena, CERTOCSPCertID); | |
1710 if (certID == NULL) { | |
1711 goto loser; | |
1712 } | |
1713 | |
1714 rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1, | |
1715 NULL); | |
1716 if (rv != SECSuccess) { | |
1717 goto loser; | |
1718 } | |
1719 | |
1720 issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA); | |
1721 if (issuerCert == NULL) { | |
1722 goto loser; | |
1723 } | |
1724 | |
1725 if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1, | |
1726 &(certID->issuerNameHash)) == NULL) { | |
1727 goto loser; | |
1728 } | |
1729 certID->issuerSHA1NameHash.data = certID->issuerNameHash.data; | |
1730 certID->issuerSHA1NameHash.len = certID->issuerNameHash.len; | |
1731 | |
1732 if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD5, | |
1733 &(certID->issuerMD5NameHash)) == NULL) { | |
1734 goto loser; | |
1735 } | |
1736 | |
1737 if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2, | |
1738 &(certID->issuerMD2NameHash)) == NULL) { | |
1739 goto loser; | |
1740 } | |
1741 | |
1742 if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1, | |
1743 &certID->issuerKeyHash) == NULL) { | |
1744 goto loser; | |
1745 } | |
1746 certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data; | |
1747 certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len; | |
1748 /* cache the other two hash algorithms as well */ | |
1749 if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5, | |
1750 &certID->issuerMD5KeyHash) == NULL) { | |
1751 goto loser; | |
1752 } | |
1753 if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2, | |
1754 &certID->issuerMD2KeyHash) == NULL) { | |
1755 goto loser; | |
1756 } | |
1757 | |
1758 /* now we are done with issuerCert */ | |
1759 CERT_DestroyCertificate(issuerCert); | |
1760 issuerCert = NULL; | |
1761 | |
1762 rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber); | |
1763 if (rv != SECSuccess) { | |
1764 goto loser; | |
1765 } | |
1766 | |
1767 PORT_ArenaUnmark(arena, mark); | |
1768 return certID; | |
1769 | |
1770 loser: | |
1771 if (issuerCert != NULL) { | |
1772 CERT_DestroyCertificate(issuerCert); | |
1773 } | |
1774 PORT_ArenaRelease(arena, mark); | |
1775 return NULL; | |
1776 } | |
1777 | |
1778 CERTOCSPCertID * | |
1779 CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time) | |
1780 { | |
1781 PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
1782 CERTOCSPCertID *certID; | |
1783 PORT_Assert(arena != NULL); | |
1784 if (!arena) | |
1785 return NULL; | |
1786 | |
1787 certID = ocsp_CreateCertID(arena, cert, time); | |
1788 if (!certID) { | |
1789 PORT_FreeArena(arena, PR_FALSE); | |
1790 return NULL; | |
1791 } | |
1792 certID->poolp = arena; | |
1793 return certID; | |
1794 } | |
1795 | |
1796 static CERTOCSPCertID * | |
1797 cert_DupOCSPCertID(const CERTOCSPCertID *src) | |
1798 { | |
1799 CERTOCSPCertID *dest; | |
1800 PLArenaPool *arena = NULL; | |
1801 | |
1802 if (!src) { | |
1803 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1804 return NULL; | |
1805 } | |
1806 | |
1807 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
1808 if (!arena) | |
1809 goto loser; | |
1810 | |
1811 dest = PORT_ArenaZNew(arena, CERTOCSPCertID); | |
1812 if (!dest) | |
1813 goto loser; | |
1814 | |
1815 #define DUPHELP(element) \ | |
1816 if (src->element.data && \ | |
1817 SECITEM_CopyItem(arena, &dest->element, &src->element) != \ | |
1818 SECSuccess) { \ | |
1819 goto loser; \ | |
1820 } | |
1821 | |
1822 DUPHELP(hashAlgorithm.algorithm) | |
1823 DUPHELP(hashAlgorithm.parameters) | |
1824 DUPHELP(issuerNameHash) | |
1825 DUPHELP(issuerKeyHash) | |
1826 DUPHELP(serialNumber) | |
1827 DUPHELP(issuerSHA1NameHash) | |
1828 DUPHELP(issuerMD5NameHash) | |
1829 DUPHELP(issuerMD2NameHash) | |
1830 DUPHELP(issuerSHA1KeyHash) | |
1831 DUPHELP(issuerMD5KeyHash) | |
1832 DUPHELP(issuerMD2KeyHash) | |
1833 | |
1834 dest->poolp = arena; | |
1835 return dest; | |
1836 | |
1837 loser: | |
1838 if (arena) | |
1839 PORT_FreeArena(arena, PR_FALSE); | |
1840 PORT_SetError(PR_OUT_OF_MEMORY_ERROR); | |
1841 return NULL; | |
1842 } | |
1843 | |
1844 /* | |
1845 * Callback to set Extensions in request object | |
1846 */ | |
1847 void | |
1848 SetSingleReqExts(void *object, CERTCertExtension **exts) | |
1849 { | |
1850 ocspSingleRequest *singleRequest = | |
1851 (ocspSingleRequest *)object; | |
1852 | |
1853 singleRequest->singleRequestExtensions = exts; | |
1854 } | |
1855 | |
1856 /* | |
1857 * Add the Service Locator extension to the singleRequestExtensions | |
1858 * for the given singleRequest. | |
1859 * | |
1860 * All errors are internal or low-level problems (e.g. no memory). | |
1861 */ | |
1862 static SECStatus | |
1863 ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest, | |
1864 CERTCertificate *cert) | |
1865 { | |
1866 ocspServiceLocator *serviceLocator = NULL; | |
1867 void *extensionHandle = NULL; | |
1868 SECStatus rv = SECFailure; | |
1869 | |
1870 serviceLocator = PORT_ZNew(ocspServiceLocator); | |
1871 if (serviceLocator == NULL) | |
1872 goto loser; | |
1873 | |
1874 /* | |
1875 * Normally it would be a bad idea to do a direct reference like | |
1876 * this rather than allocate and copy the name *or* at least dup | |
1877 * a reference of the cert. But all we need is to be able to read | |
1878 * the issuer name during the encoding we are about to do, so a | |
1879 * copy is just a waste of time. | |
1880 */ | |
1881 serviceLocator->issuer = &cert->issuer; | |
1882 | |
1883 rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS, | |
1884 &serviceLocator->locator); | |
1885 if (rv != SECSuccess) { | |
1886 if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) | |
1887 goto loser; | |
1888 } | |
1889 | |
1890 /* prepare for following loser gotos */ | |
1891 rv = SECFailure; | |
1892 PORT_SetError(0); | |
1893 | |
1894 extensionHandle = cert_StartExtensions(singleRequest, | |
1895 singleRequest->arena, SetSingleReqExt
s); | |
1896 if (extensionHandle == NULL) | |
1897 goto loser; | |
1898 | |
1899 rv = CERT_EncodeAndAddExtension(extensionHandle, | |
1900 SEC_OID_PKIX_OCSP_SERVICE_LOCATOR, | |
1901 serviceLocator, PR_FALSE, | |
1902 ocsp_ServiceLocatorTemplate); | |
1903 | |
1904 loser: | |
1905 if (extensionHandle != NULL) { | |
1906 /* | |
1907 * Either way we have to finish out the extension context (so it gets | |
1908 * freed). But careful not to override any already-set bad status. | |
1909 */ | |
1910 SECStatus tmprv = CERT_FinishExtensions(extensionHandle); | |
1911 if (rv == SECSuccess) | |
1912 rv = tmprv; | |
1913 } | |
1914 | |
1915 /* | |
1916 * Finally, free the serviceLocator structure itself and we are done. | |
1917 */ | |
1918 if (serviceLocator != NULL) { | |
1919 if (serviceLocator->locator.data != NULL) | |
1920 SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE); | |
1921 PORT_Free(serviceLocator); | |
1922 } | |
1923 | |
1924 return rv; | |
1925 } | |
1926 | |
1927 /* | |
1928 * Creates an array of ocspSingleRequest based on a list of certs. | |
1929 * Note that the code which later compares the request list with the | |
1930 * response expects this array to be in the exact same order as the | |
1931 * certs are found in the list. It would be harder to change that | |
1932 * order than preserve it, but since the requirement is not obvious, | |
1933 * it deserves to be mentioned. | |
1934 * | |
1935 * Any problem causes a null return and error set: | |
1936 * SEC_ERROR_UNKNOWN_ISSUER | |
1937 * Other errors are low-level problems (no memory, bad database, etc.). | |
1938 */ | |
1939 static ocspSingleRequest ** | |
1940 ocsp_CreateSingleRequestList(PLArenaPool *arena, CERTCertList *certList, | |
1941 PRTime time, PRBool includeLocator) | |
1942 { | |
1943 ocspSingleRequest **requestList = NULL; | |
1944 CERTCertListNode *node = NULL; | |
1945 int i, count; | |
1946 void *mark = PORT_ArenaMark(arena); | |
1947 | |
1948 node = CERT_LIST_HEAD(certList); | |
1949 for (count = 0; !CERT_LIST_END(node, certList); count++) { | |
1950 node = CERT_LIST_NEXT(node); | |
1951 } | |
1952 | |
1953 if (count == 0) | |
1954 goto loser; | |
1955 | |
1956 requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, count + 1); | |
1957 if (requestList == NULL) | |
1958 goto loser; | |
1959 | |
1960 node = CERT_LIST_HEAD(certList); | |
1961 for (i = 0; !CERT_LIST_END(node, certList); i++) { | |
1962 requestList[i] = PORT_ArenaZNew(arena, ocspSingleRequest); | |
1963 if (requestList[i] == NULL) | |
1964 goto loser; | |
1965 | |
1966 OCSP_TRACE(("OCSP CERT_CreateOCSPRequest %s\n", node->cert->subjectName)
); | |
1967 requestList[i]->arena = arena; | |
1968 requestList[i]->reqCert = ocsp_CreateCertID(arena, node->cert, time); | |
1969 if (requestList[i]->reqCert == NULL) | |
1970 goto loser; | |
1971 | |
1972 if (includeLocator == PR_TRUE) { | |
1973 SECStatus rv; | |
1974 | |
1975 rv = ocsp_AddServiceLocatorExtension(requestList[i], node->cert); | |
1976 if (rv != SECSuccess) | |
1977 goto loser; | |
1978 } | |
1979 | |
1980 node = CERT_LIST_NEXT(node); | |
1981 } | |
1982 | |
1983 PORT_Assert(i == count); | |
1984 | |
1985 PORT_ArenaUnmark(arena, mark); | |
1986 requestList[i] = NULL; | |
1987 return requestList; | |
1988 | |
1989 loser: | |
1990 PORT_ArenaRelease(arena, mark); | |
1991 return NULL; | |
1992 } | |
1993 | |
1994 static ocspSingleRequest ** | |
1995 ocsp_CreateRequestFromCert(PLArenaPool *arena, | |
1996 CERTOCSPCertID *certID, | |
1997 CERTCertificate *singleCert, | |
1998 PRTime time, | |
1999 PRBool includeLocator) | |
2000 { | |
2001 ocspSingleRequest **requestList = NULL; | |
2002 void *mark = PORT_ArenaMark(arena); | |
2003 PORT_Assert(certID != NULL && singleCert != NULL); | |
2004 | |
2005 /* meaning of value 2: one entry + one end marker */ | |
2006 requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, 2); | |
2007 if (requestList == NULL) | |
2008 goto loser; | |
2009 requestList[0] = PORT_ArenaZNew(arena, ocspSingleRequest); | |
2010 if (requestList[0] == NULL) | |
2011 goto loser; | |
2012 requestList[0]->arena = arena; | |
2013 /* certID will live longer than the request */ | |
2014 requestList[0]->reqCert = certID; | |
2015 | |
2016 if (includeLocator == PR_TRUE) { | |
2017 SECStatus rv; | |
2018 rv = ocsp_AddServiceLocatorExtension(requestList[0], singleCert); | |
2019 if (rv != SECSuccess) | |
2020 goto loser; | |
2021 } | |
2022 | |
2023 PORT_ArenaUnmark(arena, mark); | |
2024 requestList[1] = NULL; | |
2025 return requestList; | |
2026 | |
2027 loser: | |
2028 PORT_ArenaRelease(arena, mark); | |
2029 return NULL; | |
2030 } | |
2031 | |
2032 static CERTOCSPRequest * | |
2033 ocsp_prepareEmptyOCSPRequest(void) | |
2034 { | |
2035 PLArenaPool *arena = NULL; | |
2036 CERTOCSPRequest *request = NULL; | |
2037 ocspTBSRequest *tbsRequest = NULL; | |
2038 | |
2039 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
2040 if (arena == NULL) { | |
2041 goto loser; | |
2042 } | |
2043 request = PORT_ArenaZNew(arena, CERTOCSPRequest); | |
2044 if (request == NULL) { | |
2045 goto loser; | |
2046 } | |
2047 request->arena = arena; | |
2048 | |
2049 tbsRequest = PORT_ArenaZNew(arena, ocspTBSRequest); | |
2050 if (tbsRequest == NULL) { | |
2051 goto loser; | |
2052 } | |
2053 request->tbsRequest = tbsRequest; | |
2054 /* version 1 is the default, so we need not fill in a version number */ | |
2055 return request; | |
2056 | |
2057 loser: | |
2058 if (arena != NULL) { | |
2059 PORT_FreeArena(arena, PR_FALSE); | |
2060 } | |
2061 return NULL; | |
2062 } | |
2063 | |
2064 CERTOCSPRequest * | |
2065 cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, | |
2066 CERTCertificate *singleCert, | |
2067 PRTime time, | |
2068 PRBool addServiceLocator, | |
2069 CERTCertificate *signerCert) | |
2070 { | |
2071 CERTOCSPRequest *request; | |
2072 OCSP_TRACE(("OCSP cert_CreateSingleCertOCSPRequest %s\n", singleCert->subjec
tName)); | |
2073 | |
2074 /* XXX Support for signerCert may be implemented later, | |
2075 * see also the comment in CERT_CreateOCSPRequest. | |
2076 */ | |
2077 if (signerCert != NULL) { | |
2078 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | |
2079 return NULL; | |
2080 } | |
2081 | |
2082 request = ocsp_prepareEmptyOCSPRequest(); | |
2083 if (!request) | |
2084 return NULL; | |
2085 /* | |
2086 * Version 1 is the default, so we need not fill in a version number. | |
2087 * Now create the list of single requests, one for each cert. | |
2088 */ | |
2089 request->tbsRequest->requestList = | |
2090 ocsp_CreateRequestFromCert(request->arena, | |
2091 certID, | |
2092 singleCert, | |
2093 time, | |
2094 addServiceLocator); | |
2095 if (request->tbsRequest->requestList == NULL) { | |
2096 PORT_FreeArena(request->arena, PR_FALSE); | |
2097 return NULL; | |
2098 } | |
2099 return request; | |
2100 } | |
2101 | |
2102 /* | |
2103 * FUNCTION: CERT_CreateOCSPRequest | |
2104 * Creates a CERTOCSPRequest, requesting the status of the certs in | |
2105 * the given list. | |
2106 * INPUTS: | |
2107 * CERTCertList *certList | |
2108 * A list of certs for which status will be requested. | |
2109 * Note that all of these certificates should have the same issuer, | |
2110 * or it's expected the response will be signed by a trusted responder. | |
2111 * If the certs need to be broken up into multiple requests, that | |
2112 * must be handled by the caller (and thus by having multiple calls | |
2113 * to this routine), who knows about where the request(s) are being | |
2114 * sent and whether there are any trusted responders in place. | |
2115 * PRTime time | |
2116 * Indicates the time for which the certificate status is to be | |
2117 * determined -- this may be used in the search for the cert's issuer | |
2118 * but has no effect on the request itself. | |
2119 * PRBool addServiceLocator | |
2120 * If true, the Service Locator extension should be added to the | |
2121 * single request(s) for each cert. | |
2122 * CERTCertificate *signerCert | |
2123 * If non-NULL, means sign the request using this cert. Otherwise, | |
2124 * do not sign. | |
2125 * XXX note that request signing is not yet supported; see comment in code | |
2126 * RETURN: | |
2127 * A pointer to a CERTOCSPRequest structure containing an OCSP request | |
2128 * for the cert list. On error, null is returned, with an error set | |
2129 * indicating the reason. This is likely SEC_ERROR_UNKNOWN_ISSUER. | |
2130 * (The issuer is needed to create a request for the certificate.) | |
2131 * Other errors are low-level problems (no memory, bad database, etc.). | |
2132 */ | |
2133 CERTOCSPRequest * | |
2134 CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, | |
2135 PRBool addServiceLocator, | |
2136 CERTCertificate *signerCert) | |
2137 { | |
2138 CERTOCSPRequest *request = NULL; | |
2139 | |
2140 if (!certList) { | |
2141 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
2142 return NULL; | |
2143 } | |
2144 /* | |
2145 * XXX When we are prepared to put signing of requests back in, | |
2146 * we will need to allocate a signature | |
2147 * structure for the request, fill in the "derCerts" field in it, | |
2148 * save the signerCert there, as well as fill in the "requestorName" | |
2149 * field of the tbsRequest. | |
2150 */ | |
2151 if (signerCert != NULL) { | |
2152 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | |
2153 return NULL; | |
2154 } | |
2155 request = ocsp_prepareEmptyOCSPRequest(); | |
2156 if (!request) | |
2157 return NULL; | |
2158 /* | |
2159 * Now create the list of single requests, one for each cert. | |
2160 */ | |
2161 request->tbsRequest->requestList = | |
2162 ocsp_CreateSingleRequestList(request->arena, | |
2163 certList, | |
2164 time, | |
2165 addServiceLocator); | |
2166 if (request->tbsRequest->requestList == NULL) { | |
2167 PORT_FreeArena(request->arena, PR_FALSE); | |
2168 return NULL; | |
2169 } | |
2170 return request; | |
2171 } | |
2172 | |
2173 /* | |
2174 * FUNCTION: CERT_AddOCSPAcceptableResponses | |
2175 * Add the AcceptableResponses extension to an OCSP Request. | |
2176 * INPUTS: | |
2177 * CERTOCSPRequest *request | |
2178 * The request to which the extension should be added. | |
2179 * ... | |
2180 * A list (of one or more) of SECOidTag -- each of the response types | |
2181 * to be added. The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE. | |
2182 * (This marks the end of the list, and it must be specified because a | |
2183 * client conforming to the OCSP standard is required to handle the basic | |
2184 * response type.) The OIDs are not checked in any way. | |
2185 * RETURN: | |
2186 * SECSuccess if the extension is added; SECFailure if anything goes wrong. | |
2187 * All errors are internal or low-level problems (e.g. no memory). | |
2188 */ | |
2189 | |
2190 void | |
2191 SetRequestExts(void *object, CERTCertExtension **exts) | |
2192 { | |
2193 CERTOCSPRequest *request = (CERTOCSPRequest *)object; | |
2194 | |
2195 request->tbsRequest->requestExtensions = exts; | |
2196 } | |
2197 | |
2198 SECStatus | |
2199 CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, | |
2200 SECOidTag responseType0, ...) | |
2201 { | |
2202 void *extHandle; | |
2203 va_list ap; | |
2204 int i, count; | |
2205 SECOidTag responseType; | |
2206 SECOidData *responseOid; | |
2207 SECItem **acceptableResponses = NULL; | |
2208 SECStatus rv = SECFailure; | |
2209 | |
2210 extHandle = request->tbsRequest->extensionHandle; | |
2211 if (extHandle == NULL) { | |
2212 extHandle = cert_StartExtensions(request, request->arena, SetRequestExts
); | |
2213 if (extHandle == NULL) | |
2214 goto loser; | |
2215 } | |
2216 | |
2217 /* Count number of OIDS going into the extension value. */ | |
2218 count = 1; | |
2219 if (responseType0 != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) { | |
2220 va_start(ap, responseType0); | |
2221 do { | |
2222 count++; | |
2223 responseType = va_arg(ap, SECOidTag); | |
2224 } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE); | |
2225 va_end(ap); | |
2226 } | |
2227 | |
2228 acceptableResponses = PORT_NewArray(SECItem *, count + 1); | |
2229 if (acceptableResponses == NULL) | |
2230 goto loser; | |
2231 | |
2232 i = 0; | |
2233 responseOid = SECOID_FindOIDByTag(responseType0); | |
2234 acceptableResponses[i++] = &(responseOid->oid); | |
2235 if (count > 1) { | |
2236 va_start(ap, responseType0); | |
2237 for (; i < count; i++) { | |
2238 responseType = va_arg(ap, SECOidTag); | |
2239 responseOid = SECOID_FindOIDByTag(responseType); | |
2240 acceptableResponses[i] = &(responseOid->oid); | |
2241 } | |
2242 va_end(ap); | |
2243 } | |
2244 acceptableResponses[i] = NULL; | |
2245 | |
2246 rv = CERT_EncodeAndAddExtension(extHandle, SEC_OID_PKIX_OCSP_RESPONSE, | |
2247 &acceptableResponses, PR_FALSE, | |
2248 SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate)
); | |
2249 if (rv != SECSuccess) | |
2250 goto loser; | |
2251 | |
2252 PORT_Free(acceptableResponses); | |
2253 if (request->tbsRequest->extensionHandle == NULL) | |
2254 request->tbsRequest->extensionHandle = extHandle; | |
2255 return SECSuccess; | |
2256 | |
2257 loser: | |
2258 if (acceptableResponses != NULL) | |
2259 PORT_Free(acceptableResponses); | |
2260 if (extHandle != NULL) | |
2261 (void)CERT_FinishExtensions(extHandle); | |
2262 return rv; | |
2263 } | |
2264 | |
2265 /* | |
2266 * FUNCTION: CERT_DestroyOCSPRequest | |
2267 * Frees an OCSP Request structure. | |
2268 * INPUTS: | |
2269 * CERTOCSPRequest *request | |
2270 * Pointer to CERTOCSPRequest to be freed. | |
2271 * RETURN: | |
2272 * No return value; no errors. | |
2273 */ | |
2274 void | |
2275 CERT_DestroyOCSPRequest(CERTOCSPRequest *request) | |
2276 { | |
2277 if (request == NULL) | |
2278 return; | |
2279 | |
2280 if (request->tbsRequest != NULL) { | |
2281 if (request->tbsRequest->requestorName != NULL) | |
2282 CERT_DestroyGeneralNameList(request->tbsRequest->requestorName); | |
2283 if (request->tbsRequest->extensionHandle != NULL) | |
2284 (void)CERT_FinishExtensions(request->tbsRequest->extensionHandle); | |
2285 } | |
2286 | |
2287 if (request->optionalSignature != NULL) { | |
2288 if (request->optionalSignature->cert != NULL) | |
2289 CERT_DestroyCertificate(request->optionalSignature->cert); | |
2290 | |
2291 /* | |
2292 * XXX Need to free derCerts? Or do they come out of arena? | |
2293 * (Currently we never fill in derCerts, which is why the | |
2294 * answer is not obvious. Once we do, add any necessary code | |
2295 * here and remove this comment.) | |
2296 */ | |
2297 } | |
2298 | |
2299 /* | |
2300 * We should actually never have a request without an arena, | |
2301 * but check just in case. (If there isn't one, there is not | |
2302 * much we can do about it...) | |
2303 */ | |
2304 PORT_Assert(request->arena != NULL); | |
2305 if (request->arena != NULL) | |
2306 PORT_FreeArena(request->arena, PR_FALSE); | |
2307 } | |
2308 | |
2309 /* | |
2310 * RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy): | |
2311 */ | |
2312 | |
2313 /* | |
2314 * Helper function for encoding or decoding a ResponderID -- based on the | |
2315 * given type, return the associated template for that choice. | |
2316 */ | |
2317 static const SEC_ASN1Template * | |
2318 ocsp_ResponderIDTemplateByType(CERTOCSPResponderIDType responderIDType) | |
2319 { | |
2320 const SEC_ASN1Template *responderIDTemplate; | |
2321 | |
2322 switch (responderIDType) { | |
2323 case ocspResponderID_byName: | |
2324 responderIDTemplate = ocsp_ResponderIDByNameTemplate; | |
2325 break; | |
2326 case ocspResponderID_byKey: | |
2327 responderIDTemplate = ocsp_ResponderIDByKeyTemplate; | |
2328 break; | |
2329 case ocspResponderID_other: | |
2330 default: | |
2331 PORT_Assert(responderIDType == ocspResponderID_other); | |
2332 responderIDTemplate = ocsp_ResponderIDOtherTemplate; | |
2333 break; | |
2334 } | |
2335 | |
2336 return responderIDTemplate; | |
2337 } | |
2338 | |
2339 /* | |
2340 * Helper function for encoding or decoding a CertStatus -- based on the | |
2341 * given type, return the associated template for that choice. | |
2342 */ | |
2343 static const SEC_ASN1Template * | |
2344 ocsp_CertStatusTemplateByType(ocspCertStatusType certStatusType) | |
2345 { | |
2346 const SEC_ASN1Template *certStatusTemplate; | |
2347 | |
2348 switch (certStatusType) { | |
2349 case ocspCertStatus_good: | |
2350 certStatusTemplate = ocsp_CertStatusGoodTemplate; | |
2351 break; | |
2352 case ocspCertStatus_revoked: | |
2353 certStatusTemplate = ocsp_CertStatusRevokedTemplate; | |
2354 break; | |
2355 case ocspCertStatus_unknown: | |
2356 certStatusTemplate = ocsp_CertStatusUnknownTemplate; | |
2357 break; | |
2358 case ocspCertStatus_other: | |
2359 default: | |
2360 PORT_Assert(certStatusType == ocspCertStatus_other); | |
2361 certStatusTemplate = ocsp_CertStatusOtherTemplate; | |
2362 break; | |
2363 } | |
2364 | |
2365 return certStatusTemplate; | |
2366 } | |
2367 | |
2368 /* | |
2369 * Helper function for decoding a certStatus -- turn the actual DER tag | |
2370 * into our local translation. | |
2371 */ | |
2372 static ocspCertStatusType | |
2373 ocsp_CertStatusTypeByTag(int derTag) | |
2374 { | |
2375 ocspCertStatusType certStatusType; | |
2376 | |
2377 switch (derTag) { | |
2378 case 0: | |
2379 certStatusType = ocspCertStatus_good; | |
2380 break; | |
2381 case 1: | |
2382 certStatusType = ocspCertStatus_revoked; | |
2383 break; | |
2384 case 2: | |
2385 certStatusType = ocspCertStatus_unknown; | |
2386 break; | |
2387 default: | |
2388 certStatusType = ocspCertStatus_other; | |
2389 break; | |
2390 } | |
2391 | |
2392 return certStatusType; | |
2393 } | |
2394 | |
2395 /* | |
2396 * Helper function for decoding SingleResponses -- they each contain | |
2397 * a status which is encoded as CHOICE, which needs to be decoded "by hand". | |
2398 * | |
2399 * Note -- on error, this routine does not release the memory it may | |
2400 * have allocated; it expects its caller to do that. | |
2401 */ | |
2402 static SECStatus | |
2403 ocsp_FinishDecodingSingleResponses(PLArenaPool *reqArena, | |
2404 CERTOCSPSingleResponse **responses) | |
2405 { | |
2406 ocspCertStatus *certStatus; | |
2407 ocspCertStatusType certStatusType; | |
2408 const SEC_ASN1Template *certStatusTemplate; | |
2409 int derTag; | |
2410 int i; | |
2411 SECStatus rv = SECFailure; | |
2412 | |
2413 if (!reqArena) { | |
2414 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
2415 return SECFailure; | |
2416 } | |
2417 | |
2418 if (responses == NULL) /* nothing to do */ | |
2419 return SECSuccess; | |
2420 | |
2421 for (i = 0; responses[i] != NULL; i++) { | |
2422 SECItem *newStatus; | |
2423 /* | |
2424 * The following assert points out internal errors (problems in | |
2425 * the template definitions or in the ASN.1 decoder itself, etc.). | |
2426 */ | |
2427 PORT_Assert(responses[i]->derCertStatus.data != NULL); | |
2428 | |
2429 derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK; | |
2430 certStatusType = ocsp_CertStatusTypeByTag(derTag); | |
2431 certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType); | |
2432 | |
2433 certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus)); | |
2434 if (certStatus == NULL) { | |
2435 goto loser; | |
2436 } | |
2437 newStatus = SECITEM_ArenaDupItem(reqArena, &responses[i]->derCertStatus)
; | |
2438 if (!newStatus) { | |
2439 goto loser; | |
2440 } | |
2441 rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate, | |
2442 newStatus); | |
2443 if (rv != SECSuccess) { | |
2444 if (PORT_GetError() == SEC_ERROR_BAD_DER) | |
2445 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | |
2446 goto loser; | |
2447 } | |
2448 | |
2449 certStatus->certStatusType = certStatusType; | |
2450 responses[i]->certStatus = certStatus; | |
2451 } | |
2452 | |
2453 return SECSuccess; | |
2454 | |
2455 loser: | |
2456 return rv; | |
2457 } | |
2458 | |
2459 /* | |
2460 * Helper function for decoding a responderID -- turn the actual DER tag | |
2461 * into our local translation. | |
2462 */ | |
2463 static CERTOCSPResponderIDType | |
2464 ocsp_ResponderIDTypeByTag(int derTag) | |
2465 { | |
2466 CERTOCSPResponderIDType responderIDType; | |
2467 | |
2468 switch (derTag) { | |
2469 case 1: | |
2470 responderIDType = ocspResponderID_byName; | |
2471 break; | |
2472 case 2: | |
2473 responderIDType = ocspResponderID_byKey; | |
2474 break; | |
2475 default: | |
2476 responderIDType = ocspResponderID_other; | |
2477 break; | |
2478 } | |
2479 | |
2480 return responderIDType; | |
2481 } | |
2482 | |
2483 /* | |
2484 * Decode "src" as a BasicOCSPResponse, returning the result. | |
2485 */ | |
2486 static ocspBasicOCSPResponse * | |
2487 ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src) | |
2488 { | |
2489 void *mark; | |
2490 ocspBasicOCSPResponse *basicResponse; | |
2491 ocspResponseData *responseData; | |
2492 ocspResponderID *responderID; | |
2493 CERTOCSPResponderIDType responderIDType; | |
2494 const SEC_ASN1Template *responderIDTemplate; | |
2495 int derTag; | |
2496 SECStatus rv; | |
2497 SECItem newsrc; | |
2498 | |
2499 mark = PORT_ArenaMark(arena); | |
2500 | |
2501 basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse)); | |
2502 if (basicResponse == NULL) { | |
2503 goto loser; | |
2504 } | |
2505 | |
2506 /* copy the DER into the arena, since Quick DER returns data that points | |
2507 into the DER input, which may get freed by the caller */ | |
2508 rv = SECITEM_CopyItem(arena, &newsrc, src); | |
2509 if (rv != SECSuccess) { | |
2510 goto loser; | |
2511 } | |
2512 | |
2513 rv = SEC_QuickDERDecodeItem(arena, basicResponse, | |
2514 ocsp_BasicOCSPResponseTemplate, &newsrc); | |
2515 if (rv != SECSuccess) { | |
2516 if (PORT_GetError() == SEC_ERROR_BAD_DER) | |
2517 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | |
2518 goto loser; | |
2519 } | |
2520 | |
2521 responseData = basicResponse->tbsResponseData; | |
2522 | |
2523 /* | |
2524 * The following asserts point out internal errors (problems in | |
2525 * the template definitions or in the ASN.1 decoder itself, etc.). | |
2526 */ | |
2527 PORT_Assert(responseData != NULL); | |
2528 PORT_Assert(responseData->derResponderID.data != NULL); | |
2529 | |
2530 /* | |
2531 * XXX Because responderID is a CHOICE, which is not currently handled | |
2532 * by our ASN.1 decoder, we have to decode it "by hand". | |
2533 */ | |
2534 derTag = responseData->derResponderID.data[0] & SEC_ASN1_TAGNUM_MASK; | |
2535 responderIDType = ocsp_ResponderIDTypeByTag(derTag); | |
2536 responderIDTemplate = ocsp_ResponderIDTemplateByType(responderIDType); | |
2537 | |
2538 responderID = PORT_ArenaZAlloc(arena, sizeof(ocspResponderID)); | |
2539 if (responderID == NULL) { | |
2540 goto loser; | |
2541 } | |
2542 | |
2543 rv = SEC_QuickDERDecodeItem(arena, responderID, responderIDTemplate, | |
2544 &responseData->derResponderID); | |
2545 if (rv != SECSuccess) { | |
2546 if (PORT_GetError() == SEC_ERROR_BAD_DER) | |
2547 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | |
2548 goto loser; | |
2549 } | |
2550 | |
2551 responderID->responderIDType = responderIDType; | |
2552 responseData->responderID = responderID; | |
2553 | |
2554 /* | |
2555 * XXX Each SingleResponse also contains a CHOICE, which has to be | |
2556 * fixed up by hand. | |
2557 */ | |
2558 rv = ocsp_FinishDecodingSingleResponses(arena, responseData->responses); | |
2559 if (rv != SECSuccess) { | |
2560 goto loser; | |
2561 } | |
2562 | |
2563 PORT_ArenaUnmark(arena, mark); | |
2564 return basicResponse; | |
2565 | |
2566 loser: | |
2567 PORT_ArenaRelease(arena, mark); | |
2568 return NULL; | |
2569 } | |
2570 | |
2571 /* | |
2572 * Decode the responseBytes based on the responseType found in "rbytes", | |
2573 * leaving the resulting translated/decoded information in there as well. | |
2574 */ | |
2575 static SECStatus | |
2576 ocsp_DecodeResponseBytes(PLArenaPool *arena, ocspResponseBytes *rbytes) | |
2577 { | |
2578 if (rbytes == NULL) { | |
2579 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE); | |
2580 return SECFailure; | |
2581 } | |
2582 | |
2583 rbytes->responseTypeTag = SECOID_FindOIDTag(&rbytes->responseType); | |
2584 switch (rbytes->responseTypeTag) { | |
2585 case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: { | |
2586 ocspBasicOCSPResponse *basicResponse; | |
2587 | |
2588 basicResponse = ocsp_DecodeBasicOCSPResponse(arena, | |
2589 &rbytes->response); | |
2590 if (basicResponse == NULL) | |
2591 return SECFailure; | |
2592 | |
2593 rbytes->decodedResponse.basic = basicResponse; | |
2594 } break; | |
2595 | |
2596 /* | |
2597 * Add new/future response types here. | |
2598 */ | |
2599 | |
2600 default: | |
2601 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE); | |
2602 return SECFailure; | |
2603 } | |
2604 | |
2605 return SECSuccess; | |
2606 } | |
2607 | |
2608 /* | |
2609 * FUNCTION: CERT_DecodeOCSPResponse | |
2610 * Decode a DER encoded OCSP Response. | |
2611 * INPUTS: | |
2612 * SECItem *src | |
2613 * Pointer to a SECItem holding DER encoded OCSP Response. | |
2614 * RETURN: | |
2615 * Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response); | |
2616 * the caller is responsible for destroying it. Or NULL if error (either | |
2617 * response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE), | |
2618 * it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE), | |
2619 * or a low-level or internal error occurred). | |
2620 */ | |
2621 CERTOCSPResponse * | |
2622 CERT_DecodeOCSPResponse(const SECItem *src) | |
2623 { | |
2624 PLArenaPool *arena = NULL; | |
2625 CERTOCSPResponse *response = NULL; | |
2626 SECStatus rv = SECFailure; | |
2627 ocspResponseStatus sv; | |
2628 SECItem newSrc; | |
2629 | |
2630 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
2631 if (arena == NULL) { | |
2632 goto loser; | |
2633 } | |
2634 response = (CERTOCSPResponse *)PORT_ArenaZAlloc(arena, | |
2635 sizeof(CERTOCSPResponse)); | |
2636 if (response == NULL) { | |
2637 goto loser; | |
2638 } | |
2639 response->arena = arena; | |
2640 | |
2641 /* copy the DER into the arena, since Quick DER returns data that points | |
2642 into the DER input, which may get freed by the caller */ | |
2643 rv = SECITEM_CopyItem(arena, &newSrc, src); | |
2644 if (rv != SECSuccess) { | |
2645 goto loser; | |
2646 } | |
2647 | |
2648 rv = SEC_QuickDERDecodeItem(arena, response, ocsp_OCSPResponseTemplate, &new
Src); | |
2649 if (rv != SECSuccess) { | |
2650 if (PORT_GetError() == SEC_ERROR_BAD_DER) | |
2651 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | |
2652 goto loser; | |
2653 } | |
2654 | |
2655 sv = (ocspResponseStatus)DER_GetInteger(&response->responseStatus); | |
2656 response->statusValue = sv; | |
2657 if (sv != ocspResponse_successful) { | |
2658 /* | |
2659 * If the response status is anything but successful, then we | |
2660 * are all done with decoding; the status is all there is. | |
2661 */ | |
2662 return response; | |
2663 } | |
2664 | |
2665 /* | |
2666 * A successful response contains much more information, still encoded. | |
2667 * Now we need to decode that. | |
2668 */ | |
2669 rv = ocsp_DecodeResponseBytes(arena, response->responseBytes); | |
2670 if (rv != SECSuccess) { | |
2671 goto loser; | |
2672 } | |
2673 | |
2674 return response; | |
2675 | |
2676 loser: | |
2677 if (arena != NULL) { | |
2678 PORT_FreeArena(arena, PR_FALSE); | |
2679 } | |
2680 return NULL; | |
2681 } | |
2682 | |
2683 /* | |
2684 * The way an OCSPResponse is defined, there are many levels to descend | |
2685 * before getting to the actual response information. And along the way | |
2686 * we need to check that the response *type* is recognizable, which for | |
2687 * now means that it is a BasicOCSPResponse, because that is the only | |
2688 * type currently defined. Rather than force all routines to perform | |
2689 * a bunch of sanity checking every time they want to work on a response, | |
2690 * this function isolates that and gives back the interesting part. | |
2691 * Note that no copying is done, this just returns a pointer into the | |
2692 * substructure of the response which is passed in. | |
2693 * | |
2694 * XXX This routine only works when a valid response structure is passed | |
2695 * into it; this is checked with many assertions. Assuming the response | |
2696 * was creating by decoding, it wouldn't make it this far without being | |
2697 * okay. That is a sufficient assumption since the entire OCSP interface | |
2698 * is only used internally. When this interface is officially exported, | |
2699 * each assertion below will need to be followed-up with setting an error | |
2700 * and returning (null). | |
2701 * | |
2702 * FUNCTION: ocsp_GetResponseData | |
2703 * Returns ocspResponseData structure and a pointer to tbs response | |
2704 * data DER from a valid ocsp response. | |
2705 * INPUTS: | |
2706 * CERTOCSPResponse *response | |
2707 * structure of a valid ocsp response | |
2708 * RETURN: | |
2709 * Returns a pointer to ocspResponseData structure: decoded OCSP response | |
2710 * data, and a pointer(tbsResponseDataDER) to its undecoded data DER. | |
2711 */ | |
2712 ocspResponseData * | |
2713 ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER) | |
2714 { | |
2715 ocspBasicOCSPResponse *basic; | |
2716 ocspResponseData *responseData; | |
2717 | |
2718 PORT_Assert(response != NULL); | |
2719 | |
2720 PORT_Assert(response->responseBytes != NULL); | |
2721 | |
2722 PORT_Assert(response->responseBytes->responseTypeTag == | |
2723 SEC_OID_PKIX_OCSP_BASIC_RESPONSE); | |
2724 | |
2725 basic = response->responseBytes->decodedResponse.basic; | |
2726 PORT_Assert(basic != NULL); | |
2727 | |
2728 responseData = basic->tbsResponseData; | |
2729 PORT_Assert(responseData != NULL); | |
2730 | |
2731 if (tbsResponseDataDER) { | |
2732 *tbsResponseDataDER = &basic->tbsResponseDataDER; | |
2733 | |
2734 PORT_Assert((*tbsResponseDataDER)->data != NULL); | |
2735 PORT_Assert((*tbsResponseDataDER)->len != 0); | |
2736 } | |
2737 | |
2738 return responseData; | |
2739 } | |
2740 | |
2741 /* | |
2742 * Much like the routine above, except it returns the response signature. | |
2743 * Again, no copy is done. | |
2744 */ | |
2745 ocspSignature * | |
2746 ocsp_GetResponseSignature(CERTOCSPResponse *response) | |
2747 { | |
2748 ocspBasicOCSPResponse *basic; | |
2749 | |
2750 PORT_Assert(response != NULL); | |
2751 if (NULL == response->responseBytes) { | |
2752 return NULL; | |
2753 } | |
2754 if (response->responseBytes->responseTypeTag != | |
2755 SEC_OID_PKIX_OCSP_BASIC_RESPONSE) { | |
2756 return NULL; | |
2757 } | |
2758 basic = response->responseBytes->decodedResponse.basic; | |
2759 PORT_Assert(basic != NULL); | |
2760 | |
2761 return &(basic->responseSignature); | |
2762 } | |
2763 | |
2764 /* | |
2765 * FUNCTION: CERT_DestroyOCSPResponse | |
2766 * Frees an OCSP Response structure. | |
2767 * INPUTS: | |
2768 * CERTOCSPResponse *request | |
2769 * Pointer to CERTOCSPResponse to be freed. | |
2770 * RETURN: | |
2771 * No return value; no errors. | |
2772 */ | |
2773 void | |
2774 CERT_DestroyOCSPResponse(CERTOCSPResponse *response) | |
2775 { | |
2776 if (response != NULL) { | |
2777 ocspSignature *signature = ocsp_GetResponseSignature(response); | |
2778 if (signature && signature->cert != NULL) | |
2779 CERT_DestroyCertificate(signature->cert); | |
2780 | |
2781 /* | |
2782 * We should actually never have a response without an arena, | |
2783 * but check just in case. (If there isn't one, there is not | |
2784 * much we can do about it...) | |
2785 */ | |
2786 PORT_Assert(response->arena != NULL); | |
2787 if (response->arena != NULL) { | |
2788 PORT_FreeArena(response->arena, PR_FALSE); | |
2789 } | |
2790 } | |
2791 } | |
2792 | |
2793 /* | |
2794 * OVERALL OCSP CLIENT SUPPORT (make and send a request, verify a response): | |
2795 */ | |
2796 | |
2797 /* | |
2798 * Pick apart a URL, saving the important things in the passed-in pointers. | |
2799 * | |
2800 * We expect to find "http://<hostname>[:<port>]/[path]", though we will | |
2801 * tolerate that final slash character missing, as well as beginning and | |
2802 * trailing whitespace, and any-case-characters for "http". All of that | |
2803 * tolerance is what complicates this routine. What we want is just to | |
2804 * pick out the hostname, the port, and the path. | |
2805 * | |
2806 * On a successful return, the caller will need to free the output pieces | |
2807 * of hostname and path, which are copies of the values found in the url. | |
2808 */ | |
2809 static SECStatus | |
2810 ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) | |
2811 { | |
2812 unsigned short port = 80; /* default, in case not in url */ | |
2813 char *hostname = NULL; | |
2814 char *path = NULL; | |
2815 const char *save; | |
2816 char c; | |
2817 int len; | |
2818 | |
2819 if (url == NULL) | |
2820 goto loser; | |
2821 | |
2822 /* | |
2823 * Skip beginning whitespace. | |
2824 */ | |
2825 c = *url; | |
2826 while ((c == ' ' || c == '\t') && c != '\0') { | |
2827 url++; | |
2828 c = *url; | |
2829 } | |
2830 if (c == '\0') | |
2831 goto loser; | |
2832 | |
2833 /* | |
2834 * Confirm, then skip, protocol. (Since we only know how to do http, | |
2835 * that is all we will accept). | |
2836 */ | |
2837 if (PORT_Strncasecmp(url, "http://", 7) != 0) | |
2838 goto loser; | |
2839 url += 7; | |
2840 | |
2841 /* | |
2842 * Whatever comes next is the hostname (or host IP address). We just | |
2843 * save it aside and then search for its end so we can determine its | |
2844 * length and copy it. | |
2845 * | |
2846 * XXX Note that because we treat a ':' as a terminator character | |
2847 * (and below, we expect that to mean there is a port specification | |
2848 * immediately following), we will not handle IPv6 addresses. That is | |
2849 * apparently an acceptable limitation, for the time being. Some day, | |
2850 * when there is a clear way to specify a URL with an IPv6 address that | |
2851 * can be parsed unambiguously, this code should be made to do that. | |
2852 */ | |
2853 save = url; | |
2854 c = *url; | |
2855 while (c != '/' && c != ':' && c != '\0' && c != ' ' && c != '\t') { | |
2856 url++; | |
2857 c = *url; | |
2858 } | |
2859 len = url - save; | |
2860 hostname = PORT_Alloc(len + 1); | |
2861 if (hostname == NULL) | |
2862 goto loser; | |
2863 PORT_Memcpy(hostname, save, len); | |
2864 hostname[len] = '\0'; | |
2865 | |
2866 /* | |
2867 * Now we figure out if there was a port specified or not. | |
2868 * If so, we need to parse it (as a number) and skip it. | |
2869 */ | |
2870 if (c == ':') { | |
2871 url++; | |
2872 port = (unsigned short)PORT_Atoi(url); | |
2873 c = *url; | |
2874 while (c != '/' && c != '\0' && c != ' ' && c != '\t') { | |
2875 if (c < '0' || c > '9') | |
2876 goto loser; | |
2877 url++; | |
2878 c = *url; | |
2879 } | |
2880 } | |
2881 | |
2882 /* | |
2883 * Last thing to find is a path. There *should* be a slash, | |
2884 * if nothing else -- but if there is not we provide one. | |
2885 */ | |
2886 if (c == '/') { | |
2887 save = url; | |
2888 while (c != '\0' && c != ' ' && c != '\t') { | |
2889 url++; | |
2890 c = *url; | |
2891 } | |
2892 len = url - save; | |
2893 path = PORT_Alloc(len + 1); | |
2894 if (path == NULL) | |
2895 goto loser; | |
2896 PORT_Memcpy(path, save, len); | |
2897 path[len] = '\0'; | |
2898 } else { | |
2899 path = PORT_Strdup("/"); | |
2900 if (path == NULL) | |
2901 goto loser; | |
2902 } | |
2903 | |
2904 *pHostname = hostname; | |
2905 *pPort = port; | |
2906 *pPath = path; | |
2907 return SECSuccess; | |
2908 | |
2909 loser: | |
2910 if (hostname != NULL) | |
2911 PORT_Free(hostname); | |
2912 PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); | |
2913 return SECFailure; | |
2914 } | |
2915 | |
2916 /* | |
2917 * Open a socket to the specified host on the specified port, and return it. | |
2918 * The host is either a hostname or an IP address. | |
2919 */ | |
2920 static PRFileDesc * | |
2921 ocsp_ConnectToHost(const char *host, PRUint16 port) | |
2922 { | |
2923 PRFileDesc *sock = NULL; | |
2924 PRIntervalTime timeout; | |
2925 PRNetAddr addr; | |
2926 char *netdbbuf = NULL; | |
2927 | |
2928 sock = PR_NewTCPSocket(); | |
2929 if (sock == NULL) | |
2930 goto loser; | |
2931 | |
2932 /* XXX Some day need a way to set (and get?) the following value */ | |
2933 timeout = PR_SecondsToInterval(30); | |
2934 | |
2935 /* | |
2936 * If the following converts an IP address string in "dot notation" | |
2937 * into a PRNetAddr. If it fails, we assume that is because we do not | |
2938 * have such an address, but instead a host *name*. In that case we | |
2939 * then lookup the host by name. Using the NSPR function this way | |
2940 * means we do not have to have our own logic for distinguishing a | |
2941 * valid numerical IP address from a hostname. | |
2942 */ | |
2943 if (PR_StringToNetAddr(host, &addr) != PR_SUCCESS) { | |
2944 PRIntn hostIndex; | |
2945 PRHostEnt hostEntry; | |
2946 | |
2947 netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE); | |
2948 if (netdbbuf == NULL) | |
2949 goto loser; | |
2950 | |
2951 if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE, | |
2952 &hostEntry) != PR_SUCCESS) | |
2953 goto loser; | |
2954 | |
2955 hostIndex = 0; | |
2956 do { | |
2957 hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr); | |
2958 if (hostIndex <= 0) | |
2959 goto loser; | |
2960 } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS); | |
2961 | |
2962 PORT_Free(netdbbuf); | |
2963 } else { | |
2964 /* | |
2965 * First put the port into the address, then connect. | |
2966 */ | |
2967 if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS) | |
2968 goto loser; | |
2969 if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS) | |
2970 goto loser; | |
2971 } | |
2972 | |
2973 return sock; | |
2974 | |
2975 loser: | |
2976 if (sock != NULL) | |
2977 PR_Close(sock); | |
2978 if (netdbbuf != NULL) | |
2979 PORT_Free(netdbbuf); | |
2980 return NULL; | |
2981 } | |
2982 | |
2983 /* | |
2984 * Sends an encoded OCSP request to the server identified by "location", | |
2985 * and returns the socket on which it was sent (so can listen for the reply). | |
2986 * "location" is expected to be a valid URL -- an error parsing it produces | |
2987 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION. Other errors are likely problems | |
2988 * connecting to it, or writing to it, or allocating memory, and the low-level | |
2989 * errors appropriate to the problem will be set. | |
2990 * if (encodedRequest == NULL) | |
2991 * then location MUST already include the full request, | |
2992 * including base64 and urlencode, | |
2993 * and the request will be sent with GET | |
2994 * if (encodedRequest != NULL) | |
2995 * then the request will be sent with POST | |
2996 */ | |
2997 static PRFileDesc * | |
2998 ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest) | |
2999 { | |
3000 char *hostname = NULL; | |
3001 char *path = NULL; | |
3002 PRUint16 port; | |
3003 SECStatus rv; | |
3004 PRFileDesc *sock = NULL; | |
3005 PRFileDesc *returnSock = NULL; | |
3006 char *header = NULL; | |
3007 char portstr[16]; | |
3008 | |
3009 /* | |
3010 * Take apart the location, getting the hostname, port, and path. | |
3011 */ | |
3012 rv = ocsp_ParseURL(location, &hostname, &port, &path); | |
3013 if (rv != SECSuccess) | |
3014 goto loser; | |
3015 | |
3016 PORT_Assert(hostname != NULL); | |
3017 PORT_Assert(path != NULL); | |
3018 | |
3019 sock = ocsp_ConnectToHost(hostname, port); | |
3020 if (sock == NULL) | |
3021 goto loser; | |
3022 | |
3023 portstr[0] = '\0'; | |
3024 if (port != 80) { | |
3025 PR_snprintf(portstr, sizeof(portstr), ":%d", port); | |
3026 } | |
3027 | |
3028 if (!encodedRequest) { | |
3029 header = PR_smprintf("GET %s HTTP/1.0\r\n" | |
3030 "Host: %s%s\r\n\r\n", | |
3031 path, hostname, portstr); | |
3032 if (header == NULL) | |
3033 goto loser; | |
3034 | |
3035 /* | |
3036 * The NSPR documentation promises that if it can, it will write the ful
l | |
3037 * amount; this will not return a partial value expecting us to loop. | |
3038 */ | |
3039 if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0) | |
3040 goto loser; | |
3041 } else { | |
3042 header = PR_smprintf("POST %s HTTP/1.0\r\n" | |
3043 "Host: %s%s\r\n" | |
3044 "Content-Type: application/ocsp-request\r\n" | |
3045 "Content-Length: %u\r\n\r\n", | |
3046 path, hostname, portstr, encodedRequest->len); | |
3047 if (header == NULL) | |
3048 goto loser; | |
3049 | |
3050 /* | |
3051 * The NSPR documentation promises that if it can, it will write the ful
l | |
3052 * amount; this will not return a partial value expecting us to loop. | |
3053 */ | |
3054 if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0) | |
3055 goto loser; | |
3056 | |
3057 if (PR_Write(sock, encodedRequest->data, | |
3058 (PRInt32)encodedRequest->len) < 0) | |
3059 goto loser; | |
3060 } | |
3061 | |
3062 returnSock = sock; | |
3063 sock = NULL; | |
3064 | |
3065 loser: | |
3066 if (header != NULL) | |
3067 PORT_Free(header); | |
3068 if (sock != NULL) | |
3069 PR_Close(sock); | |
3070 if (path != NULL) | |
3071 PORT_Free(path); | |
3072 if (hostname != NULL) | |
3073 PORT_Free(hostname); | |
3074 | |
3075 return returnSock; | |
3076 } | |
3077 | |
3078 /* | |
3079 * Read from "fd" into "buf" -- expect/attempt to read a given number of bytes | |
3080 * Obviously, stop if hit end-of-stream. Timeout is passed in. | |
3081 */ | |
3082 | |
3083 static int | |
3084 ocsp_read(PRFileDesc *fd, char *buf, int toread, PRIntervalTime timeout) | |
3085 { | |
3086 int total = 0; | |
3087 | |
3088 while (total < toread) { | |
3089 PRInt32 got; | |
3090 | |
3091 got = PR_Recv(fd, buf + total, (PRInt32)(toread - total), 0, timeout); | |
3092 if (got < 0) { | |
3093 if (0 == total) { | |
3094 total = -1; /* report the error if we didn't read anything yet *
/ | |
3095 } | |
3096 break; | |
3097 } else if (got == 0) { /* EOS */ | |
3098 break; | |
3099 } | |
3100 | |
3101 total += got; | |
3102 } | |
3103 | |
3104 return total; | |
3105 } | |
3106 | |
3107 #define OCSP_BUFSIZE 1024 | |
3108 | |
3109 #define AbortHttpDecode(error) \ | |
3110 { \ | |
3111 if (inBuffer) \ | |
3112 PORT_Free(inBuffer); \ | |
3113 PORT_SetError(error); \ | |
3114 return NULL; \ | |
3115 } | |
3116 | |
3117 /* | |
3118 * Reads on the given socket and returns an encoded response when received. | |
3119 * Properly formatted HTTP/1.0 response headers are expected to be read | |
3120 * from the socket, preceding a binary-encoded OCSP response. Problems | |
3121 * with parsing cause the error SEC_ERROR_OCSP_BAD_HTTP_RESPONSE to be | |
3122 * set; any other problems are likely low-level i/o or memory allocation | |
3123 * errors. | |
3124 */ | |
3125 static SECItem * | |
3126 ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock) | |
3127 { | |
3128 /* first read HTTP status line and headers */ | |
3129 | |
3130 char *inBuffer = NULL; | |
3131 PRInt32 offset = 0; | |
3132 PRInt32 inBufsize = 0; | |
3133 const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */ | |
3134 const PRInt32 maxBufSize = 8 * bufSizeIncrement; /* 8 KB max */ | |
3135 const char *CRLF = "\r\n"; | |
3136 const PRInt32 CRLFlen = strlen(CRLF); | |
3137 const char *headerEndMark = "\r\n\r\n"; | |
3138 const PRInt32 markLen = strlen(headerEndMark); | |
3139 const PRIntervalTime ocsptimeout = | |
3140 PR_SecondsToInterval(30); /* hardcoded to 30s for now */ | |
3141 char *headerEnd = NULL; | |
3142 PRBool EOS = PR_FALSE; | |
3143 const char *httpprotocol = "HTTP/"; | |
3144 const PRInt32 httplen = strlen(httpprotocol); | |
3145 const char *httpcode = NULL; | |
3146 const char *contenttype = NULL; | |
3147 PRInt32 contentlength = 0; | |
3148 PRInt32 bytesRead = 0; | |
3149 char *statusLineEnd = NULL; | |
3150 char *space = NULL; | |
3151 char *nextHeader = NULL; | |
3152 SECItem *result = NULL; | |
3153 | |
3154 /* read up to at least the end of the HTTP headers */ | |
3155 do { | |
3156 inBufsize += bufSizeIncrement; | |
3157 inBuffer = PORT_Realloc(inBuffer, inBufsize + 1); | |
3158 if (NULL == inBuffer) { | |
3159 AbortHttpDecode(SEC_ERROR_NO_MEMORY); | |
3160 } | |
3161 bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement, | |
3162 ocsptimeout); | |
3163 if (bytesRead > 0) { | |
3164 PRInt32 searchOffset = (offset - markLen) > 0 ? offset - markLen : 0
; | |
3165 offset += bytesRead; | |
3166 *(inBuffer + offset) = '\0'; /* NULL termination */ | |
3167 headerEnd = strstr((const char *)inBuffer + searchOffset, headerEndM
ark); | |
3168 if (bytesRead < bufSizeIncrement) { | |
3169 /* we read less data than requested, therefore we are at | |
3170 EOS or there was a read error */ | |
3171 EOS = PR_TRUE; | |
3172 } | |
3173 } else { | |
3174 /* recv error or EOS */ | |
3175 EOS = PR_TRUE; | |
3176 } | |
3177 } while ((!headerEnd) && (PR_FALSE == EOS) && | |
3178 (inBufsize < maxBufSize)); | |
3179 | |
3180 if (!headerEnd) { | |
3181 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3182 } | |
3183 | |
3184 /* parse the HTTP status line */ | |
3185 statusLineEnd = strstr((const char *)inBuffer, CRLF); | |
3186 if (!statusLineEnd) { | |
3187 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3188 } | |
3189 *statusLineEnd = '\0'; | |
3190 | |
3191 /* check for HTTP/ response */ | |
3192 space = strchr((const char *)inBuffer, ' '); | |
3193 if (!space || PORT_Strncasecmp((const char *)inBuffer, httpprotocol, httplen
) != 0) { | |
3194 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3195 } | |
3196 | |
3197 /* check the HTTP status code of 200 */ | |
3198 httpcode = space + 1; | |
3199 space = strchr(httpcode, ' '); | |
3200 if (!space) { | |
3201 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3202 } | |
3203 *space = 0; | |
3204 if (0 != strcmp(httpcode, "200")) { | |
3205 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3206 } | |
3207 | |
3208 /* parse the HTTP headers in the buffer . We only care about | |
3209 content-type and content-length | |
3210 */ | |
3211 | |
3212 nextHeader = statusLineEnd + CRLFlen; | |
3213 *headerEnd = '\0'; /* terminate */ | |
3214 do { | |
3215 char *thisHeaderEnd = NULL; | |
3216 char *value = NULL; | |
3217 char *colon = strchr(nextHeader, ':'); | |
3218 | |
3219 if (!colon) { | |
3220 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3221 } | |
3222 | |
3223 *colon = '\0'; | |
3224 value = colon + 1; | |
3225 | |
3226 /* jpierre - note : the following code will only handle the basic form | |
3227 of HTTP/1.0 response headers, of the form "name: value" . Headers | |
3228 split among multiple lines are not supported. This is not common | |
3229 and should not be an issue, but it could become one in the | |
3230 future */ | |
3231 | |
3232 if (*value != ' ') { | |
3233 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3234 } | |
3235 | |
3236 value++; | |
3237 thisHeaderEnd = strstr(value, CRLF); | |
3238 if (thisHeaderEnd) { | |
3239 *thisHeaderEnd = '\0'; | |
3240 } | |
3241 | |
3242 if (0 == PORT_Strcasecmp(nextHeader, "content-type")) { | |
3243 contenttype = value; | |
3244 } else if (0 == PORT_Strcasecmp(nextHeader, "content-length")) { | |
3245 contentlength = atoi(value); | |
3246 } | |
3247 | |
3248 if (thisHeaderEnd) { | |
3249 nextHeader = thisHeaderEnd + CRLFlen; | |
3250 } else { | |
3251 nextHeader = NULL; | |
3252 } | |
3253 | |
3254 } while (nextHeader && (nextHeader < (headerEnd + CRLFlen))); | |
3255 | |
3256 /* check content-type */ | |
3257 if (!contenttype || | |
3258 (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response"))) { | |
3259 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3260 } | |
3261 | |
3262 /* read the body of the OCSP response */ | |
3263 offset = offset - (PRInt32)(headerEnd - (const char *)inBuffer) - markLen; | |
3264 if (offset) { | |
3265 /* move all data to the beginning of the buffer */ | |
3266 PORT_Memmove(inBuffer, headerEnd + markLen, offset); | |
3267 } | |
3268 | |
3269 /* resize buffer to only what's needed to hold the current response */ | |
3270 inBufsize = (1 + (offset - 1) / bufSizeIncrement) * bufSizeIncrement; | |
3271 | |
3272 while ((PR_FALSE == EOS) && | |
3273 ((contentlength == 0) || (offset < contentlength)) && | |
3274 (inBufsize < maxBufSize)) { | |
3275 /* we still need to receive more body data */ | |
3276 inBufsize += bufSizeIncrement; | |
3277 inBuffer = PORT_Realloc(inBuffer, inBufsize + 1); | |
3278 if (NULL == inBuffer) { | |
3279 AbortHttpDecode(SEC_ERROR_NO_MEMORY); | |
3280 } | |
3281 bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement, | |
3282 ocsptimeout); | |
3283 if (bytesRead > 0) { | |
3284 offset += bytesRead; | |
3285 if (bytesRead < bufSizeIncrement) { | |
3286 /* we read less data than requested, therefore we are at | |
3287 EOS or there was a read error */ | |
3288 EOS = PR_TRUE; | |
3289 } | |
3290 } else { | |
3291 /* recv error or EOS */ | |
3292 EOS = PR_TRUE; | |
3293 } | |
3294 } | |
3295 | |
3296 if (0 == offset) { | |
3297 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3298 } | |
3299 | |
3300 /* | |
3301 * Now allocate the item to hold the data. | |
3302 */ | |
3303 result = SECITEM_AllocItem(arena, NULL, offset); | |
3304 if (NULL == result) { | |
3305 AbortHttpDecode(SEC_ERROR_NO_MEMORY); | |
3306 } | |
3307 | |
3308 /* | |
3309 * And copy the data left in the buffer. | |
3310 */ | |
3311 PORT_Memcpy(result->data, inBuffer, offset); | |
3312 | |
3313 /* and free the temporary buffer */ | |
3314 PORT_Free(inBuffer); | |
3315 return result; | |
3316 } | |
3317 | |
3318 SECStatus | |
3319 CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) | |
3320 { | |
3321 return ocsp_ParseURL(url, pHostname, pPort, pPath); | |
3322 } | |
3323 | |
3324 /* | |
3325 * Limit the size of http responses we are willing to accept. | |
3326 */ | |
3327 #define MAX_WANTED_OCSP_RESPONSE_LEN 64 * 1024 | |
3328 | |
3329 /* if (encodedRequest == NULL) | |
3330 * then location MUST already include the full request, | |
3331 * including base64 and urlencode, | |
3332 * and the request will be sent with GET | |
3333 * if (encodedRequest != NULL) | |
3334 * then the request will be sent with POST | |
3335 */ | |
3336 static SECItem * | |
3337 fetchOcspHttpClientV1(PLArenaPool *arena, | |
3338 const SEC_HttpClientFcnV1 *hcv1, | |
3339 const char *location, | |
3340 const SECItem *encodedRequest) | |
3341 { | |
3342 char *hostname = NULL; | |
3343 char *path = NULL; | |
3344 PRUint16 port; | |
3345 SECItem *encodedResponse = NULL; | |
3346 SEC_HTTP_SERVER_SESSION pServerSession = NULL; | |
3347 SEC_HTTP_REQUEST_SESSION pRequestSession = NULL; | |
3348 PRUint16 myHttpResponseCode; | |
3349 const char *myHttpResponseData; | |
3350 PRUint32 myHttpResponseDataLen; | |
3351 | |
3352 if (ocsp_ParseURL(location, &hostname, &port, &path) == SECFailure) { | |
3353 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); | |
3354 goto loser; | |
3355 } | |
3356 | |
3357 PORT_Assert(hostname != NULL); | |
3358 PORT_Assert(path != NULL); | |
3359 | |
3360 if ((*hcv1->createSessionFcn)( | |
3361 hostname, | |
3362 port, | |
3363 &pServerSession) != SECSuccess) { | |
3364 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); | |
3365 goto loser; | |
3366 } | |
3367 | |
3368 /* We use a non-zero timeout, which means: | |
3369 - the client will use blocking I/O | |
3370 - TryFcn will not return WOULD_BLOCK nor a poll descriptor | |
3371 - it's sufficient to call TryFcn once | |
3372 No lock for accessing OCSP_Global.timeoutSeconds, bug 406120 | |
3373 */ | |
3374 | |
3375 if ((*hcv1->createFcn)( | |
3376 pServerSession, | |
3377 "http", | |
3378 path, | |
3379 encodedRequest ? "POST" : "GET", | |
3380 PR_TicksPerSecond() * OCSP_Global.timeoutSeconds, | |
3381 &pRequestSession) != SECSuccess) { | |
3382 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); | |
3383 goto loser; | |
3384 } | |
3385 | |
3386 if (encodedRequest && | |
3387 (*hcv1->setPostDataFcn)( | |
3388 pRequestSession, | |
3389 (char *)encodedRequest->data, | |
3390 encodedRequest->len, | |
3391 "application/ocsp-request") != SECSuccess) { | |
3392 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); | |
3393 goto loser; | |
3394 } | |
3395 | |
3396 /* we don't want result objects larger than this: */ | |
3397 myHttpResponseDataLen = MAX_WANTED_OCSP_RESPONSE_LEN; | |
3398 | |
3399 OCSP_TRACE(("OCSP trySendAndReceive %s\n", location)); | |
3400 | |
3401 if ((*hcv1->trySendAndReceiveFcn)( | |
3402 pRequestSession, | |
3403 NULL, | |
3404 &myHttpResponseCode, | |
3405 NULL, | |
3406 NULL, | |
3407 &myHttpResponseData, | |
3408 &myHttpResponseDataLen) != SECSuccess) { | |
3409 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); | |
3410 goto loser; | |
3411 } | |
3412 | |
3413 OCSP_TRACE(("OCSP trySendAndReceive result http %d\n", myHttpResponseCode)); | |
3414 | |
3415 if (myHttpResponseCode != 200) { | |
3416 PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3417 goto loser; | |
3418 } | |
3419 | |
3420 encodedResponse = SECITEM_AllocItem(arena, NULL, myHttpResponseDataLen); | |
3421 | |
3422 if (!encodedResponse) { | |
3423 PORT_SetError(SEC_ERROR_NO_MEMORY); | |
3424 goto loser; | |
3425 } | |
3426 | |
3427 PORT_Memcpy(encodedResponse->data, myHttpResponseData, myHttpResponseDataLen
); | |
3428 | |
3429 loser: | |
3430 if (pRequestSession != NULL) | |
3431 (*hcv1->freeFcn)(pRequestSession); | |
3432 if (pServerSession != NULL) | |
3433 (*hcv1->freeSessionFcn)(pServerSession); | |
3434 if (path != NULL) | |
3435 PORT_Free(path); | |
3436 if (hostname != NULL) | |
3437 PORT_Free(hostname); | |
3438 | |
3439 return encodedResponse; | |
3440 } | |
3441 | |
3442 /* | |
3443 * FUNCTION: CERT_GetEncodedOCSPResponseByMethod | |
3444 * Creates and sends a request to an OCSP responder, then reads and | |
3445 * returns the (encoded) response. | |
3446 * INPUTS: | |
3447 * PLArenaPool *arena | |
3448 * Pointer to arena from which return value will be allocated. | |
3449 * If NULL, result will be allocated from the heap (and thus should | |
3450 * be freed via SECITEM_FreeItem). | |
3451 * CERTCertList *certList | |
3452 * A list of certs for which status will be requested. | |
3453 * Note that all of these certificates should have the same issuer, | |
3454 * or it's expected the response will be signed by a trusted responder. | |
3455 * If the certs need to be broken up into multiple requests, that | |
3456 * must be handled by the caller (and thus by having multiple calls | |
3457 * to this routine), who knows about where the request(s) are being | |
3458 * sent and whether there are any trusted responders in place. | |
3459 * const char *location | |
3460 * The location of the OCSP responder (a URL). | |
3461 * const char *method | |
3462 * The protocol method used when retrieving the OCSP response. | |
3463 * Currently support: "GET" (http GET) and "POST" (http POST). | |
3464 * Additionals methods for http or other protocols might be added | |
3465 * in the future. | |
3466 * PRTime time | |
3467 * Indicates the time for which the certificate status is to be | |
3468 * determined -- this may be used in the search for the cert's issuer | |
3469 * but has no other bearing on the operation. | |
3470 * PRBool addServiceLocator | |
3471 * If true, the Service Locator extension should be added to the | |
3472 * single request(s) for each cert. | |
3473 * CERTCertificate *signerCert | |
3474 * If non-NULL, means sign the request using this cert. Otherwise, | |
3475 * do not sign. | |
3476 * void *pwArg | |
3477 * Pointer to argument for password prompting, if needed. (Definitely | |
3478 * not needed if not signing.) | |
3479 * OUTPUTS: | |
3480 * CERTOCSPRequest **pRequest | |
3481 * Pointer in which to store the OCSP request created for the given | |
3482 * list of certificates. It is only filled in if the entire operation | |
3483 * is successful and the pointer is not null -- and in that case the | |
3484 * caller is then reponsible for destroying it. | |
3485 * RETURN: | |
3486 * Returns a pointer to the SECItem holding the response. | |
3487 * On error, returns null with error set describing the reason: | |
3488 * SEC_ERROR_UNKNOWN_ISSUER | |
3489 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION | |
3490 * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE | |
3491 * Other errors are low-level problems (no memory, bad database, etc.). | |
3492 */ | |
3493 SECItem * | |
3494 CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList, | |
3495 const char *location, const char *method, | |
3496 PRTime time, PRBool addServiceLocator, | |
3497 CERTCertificate *signerCert, void *pwArg, | |
3498 CERTOCSPRequest **pRequest) | |
3499 { | |
3500 CERTOCSPRequest *request; | |
3501 request = CERT_CreateOCSPRequest(certList, time, addServiceLocator, | |
3502 signerCert); | |
3503 if (!request) | |
3504 return NULL; | |
3505 return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, | |
3506 method, time, addServiceLocato
r, | |
3507 pwArg, pRequest); | |
3508 } | |
3509 | |
3510 /* | |
3511 * FUNCTION: CERT_GetEncodedOCSPResponse | |
3512 * Creates and sends a request to an OCSP responder, then reads and | |
3513 * returns the (encoded) response. | |
3514 * | |
3515 * This is a legacy API that behaves identically to | |
3516 * CERT_GetEncodedOCSPResponseByMethod using the "POST" method. | |
3517 */ | |
3518 SECItem * | |
3519 CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, | |
3520 const char *location, PRTime time, | |
3521 PRBool addServiceLocator, | |
3522 CERTCertificate *signerCert, void *pwArg, | |
3523 CERTOCSPRequest **pRequest) | |
3524 { | |
3525 return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location, | |
3526 "POST", time, addServiceLocator, | |
3527 signerCert, pwArg, pRequest); | |
3528 } | |
3529 | |
3530 /* URL encode a buffer that consists of base64-characters, only, | |
3531 * which means we can use a simple encoding logic. | |
3532 * | |
3533 * No output buffer size checking is performed. | |
3534 * You should call the function twice, to calculate the required buffer size. | |
3535 * | |
3536 * If the outpufBuf parameter is NULL, the function will calculate the | |
3537 * required size, including the trailing zero termination char. | |
3538 * | |
3539 * The function returns the number of bytes calculated or produced. | |
3540 */ | |
3541 size_t | |
3542 ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf) | |
3543 { | |
3544 const char *walkInput = NULL; | |
3545 char *walkOutput = outputBuf; | |
3546 size_t count = 0; | |
3547 | |
3548 for (walkInput = base64Buf; *walkInput; ++walkInput) { | |
3549 char c = *walkInput; | |
3550 if (isspace(c)) | |
3551 continue; | |
3552 switch (c) { | |
3553 case '+': | |
3554 if (outputBuf) { | |
3555 strcpy(walkOutput, "%2B"); | |
3556 walkOutput += 3; | |
3557 } | |
3558 count += 3; | |
3559 break; | |
3560 case '/': | |
3561 if (outputBuf) { | |
3562 strcpy(walkOutput, "%2F"); | |
3563 walkOutput += 3; | |
3564 } | |
3565 count += 3; | |
3566 break; | |
3567 case '=': | |
3568 if (outputBuf) { | |
3569 strcpy(walkOutput, "%3D"); | |
3570 walkOutput += 3; | |
3571 } | |
3572 count += 3; | |
3573 break; | |
3574 default: | |
3575 if (outputBuf) { | |
3576 *walkOutput = *walkInput; | |
3577 ++walkOutput; | |
3578 } | |
3579 ++count; | |
3580 break; | |
3581 } | |
3582 } | |
3583 if (outputBuf) { | |
3584 *walkOutput = 0; | |
3585 } | |
3586 ++count; | |
3587 return count; | |
3588 } | |
3589 | |
3590 enum { max_get_request_size = 255 }; /* defined by RFC2560 */ | |
3591 | |
3592 static SECItem * | |
3593 cert_GetOCSPResponse(PLArenaPool *arena, const char *location, | |
3594 const SECItem *encodedRequest); | |
3595 | |
3596 static SECItem * | |
3597 ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, | |
3598 CERTOCSPRequest *request, | |
3599 const char *location, | |
3600 const char *method, | |
3601 PRTime time, | |
3602 PRBool addServiceLocator, | |
3603 void *pwArg, | |
3604 CERTOCSPRequest **pRequest) | |
3605 { | |
3606 SECItem *encodedRequest = NULL; | |
3607 SECItem *encodedResponse = NULL; | |
3608 SECStatus rv; | |
3609 | |
3610 if (!location || !*location) /* location should be at least one byte */ | |
3611 goto loser; | |
3612 | |
3613 rv = CERT_AddOCSPAcceptableResponses(request, | |
3614 SEC_OID_PKIX_OCSP_BASIC_RESPONSE); | |
3615 if (rv != SECSuccess) | |
3616 goto loser; | |
3617 | |
3618 encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg); | |
3619 if (encodedRequest == NULL) | |
3620 goto loser; | |
3621 | |
3622 if (!strcmp(method, "GET")) { | |
3623 encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest); | |
3624 } else if (!strcmp(method, "POST")) { | |
3625 encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest); | |
3626 } else { | |
3627 goto loser; | |
3628 } | |
3629 | |
3630 if (encodedResponse != NULL && pRequest != NULL) { | |
3631 *pRequest = request; | |
3632 request = NULL; /* avoid destroying below */ | |
3633 } | |
3634 | |
3635 loser: | |
3636 if (request != NULL) | |
3637 CERT_DestroyOCSPRequest(request); | |
3638 if (encodedRequest != NULL) | |
3639 SECITEM_FreeItem(encodedRequest, PR_TRUE); | |
3640 return encodedResponse; | |
3641 } | |
3642 | |
3643 static SECItem * | |
3644 cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, | |
3645 const SECItem *encodedRequest); | |
3646 | |
3647 /* using HTTP GET method */ | |
3648 static SECItem * | |
3649 cert_GetOCSPResponse(PLArenaPool *arena, const char *location, | |
3650 const SECItem *encodedRequest) | |
3651 { | |
3652 char *walkOutput = NULL; | |
3653 char *fullGetPath = NULL; | |
3654 size_t pathLength; | |
3655 PRInt32 urlEncodedBufLength; | |
3656 size_t base64size; | |
3657 char b64ReqBuf[max_get_request_size + 1]; | |
3658 size_t slashLengthIfNeeded = 0; | |
3659 size_t getURLLength; | |
3660 SECItem *item; | |
3661 | |
3662 if (!location || !*location) { | |
3663 return NULL; | |
3664 } | |
3665 | |
3666 pathLength = strlen(location); | |
3667 if (location[pathLength - 1] != '/') { | |
3668 slashLengthIfNeeded = 1; | |
3669 } | |
3670 | |
3671 /* Calculation as documented by PL_Base64Encode function. | |
3672 * Use integer conversion to avoid having to use function ceil(). | |
3673 */ | |
3674 base64size = (((encodedRequest->len + 2) / 3) * 4); | |
3675 if (base64size > max_get_request_size) { | |
3676 return NULL; | |
3677 } | |
3678 memset(b64ReqBuf, 0, sizeof(b64ReqBuf)); | |
3679 PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len, | |
3680 b64ReqBuf); | |
3681 | |
3682 urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL); | |
3683 getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded; | |
3684 | |
3685 /* urlEncodedBufLength already contains room for the zero terminator. | |
3686 * Add another if we must add the '/' char. | |
3687 */ | |
3688 if (arena) { | |
3689 fullGetPath = (char *)PORT_ArenaAlloc(arena, getURLLength); | |
3690 } else { | |
3691 fullGetPath = (char *)PORT_Alloc(getURLLength); | |
3692 } | |
3693 if (!fullGetPath) { | |
3694 return NULL; | |
3695 } | |
3696 | |
3697 strcpy(fullGetPath, location); | |
3698 walkOutput = fullGetPath + pathLength; | |
3699 | |
3700 if (walkOutput > fullGetPath && slashLengthIfNeeded) { | |
3701 strcpy(walkOutput, "/"); | |
3702 ++walkOutput; | |
3703 } | |
3704 ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput); | |
3705 | |
3706 item = cert_FetchOCSPResponse(arena, fullGetPath, NULL); | |
3707 if (!arena) { | |
3708 PORT_Free(fullGetPath); | |
3709 } | |
3710 return item; | |
3711 } | |
3712 | |
3713 SECItem * | |
3714 CERT_PostOCSPRequest(PLArenaPool *arena, const char *location, | |
3715 const SECItem *encodedRequest) | |
3716 { | |
3717 return cert_FetchOCSPResponse(arena, location, encodedRequest); | |
3718 } | |
3719 | |
3720 SECItem * | |
3721 cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, | |
3722 const SECItem *encodedRequest) | |
3723 { | |
3724 const SEC_HttpClientFcn *registeredHttpClient; | |
3725 SECItem *encodedResponse = NULL; | |
3726 | |
3727 registeredHttpClient = SEC_GetRegisteredHttpClient(); | |
3728 | |
3729 if (registeredHttpClient && registeredHttpClient->version == 1) { | |
3730 encodedResponse = fetchOcspHttpClientV1( | |
3731 arena, | |
3732 ®isteredHttpClient->fcnTable.ftable1, | |
3733 location, | |
3734 encodedRequest); | |
3735 } else { | |
3736 /* use internal http client */ | |
3737 PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest); | |
3738 if (sock) { | |
3739 encodedResponse = ocsp_GetEncodedResponse(arena, sock); | |
3740 PR_Close(sock); | |
3741 } | |
3742 } | |
3743 | |
3744 return encodedResponse; | |
3745 } | |
3746 | |
3747 static SECItem * | |
3748 ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena, | |
3749 CERTOCSPCertID *certID, | |
3750 CERTCertificate *singleCert, | |
3751 const char *location, | |
3752 const char *method, | |
3753 PRTime time, | |
3754 PRBool addServiceLocator, | |
3755 void *pwArg, | |
3756 CERTOCSPRequest **pRequest) | |
3757 { | |
3758 CERTOCSPRequest *request; | |
3759 request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time, | |
3760 addServiceLocator, NULL); | |
3761 if (!request) | |
3762 return NULL; | |
3763 return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, | |
3764 method, time, addServiceLocato
r, | |
3765 pwArg, pRequest); | |
3766 } | |
3767 | |
3768 /* Checks a certificate for the key usage extension of OCSP signer. */ | |
3769 static PRBool | |
3770 ocsp_CertIsOCSPDesignatedResponder(CERTCertificate *cert) | |
3771 { | |
3772 SECStatus rv; | |
3773 SECItem extItem; | |
3774 SECItem **oids; | |
3775 SECItem *oid; | |
3776 SECOidTag oidTag; | |
3777 PRBool retval; | |
3778 CERTOidSequence *oidSeq = NULL; | |
3779 | |
3780 extItem.data = NULL; | |
3781 rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem); | |
3782 if (rv != SECSuccess) { | |
3783 goto loser; | |
3784 } | |
3785 | |
3786 oidSeq = CERT_DecodeOidSequence(&extItem); | |
3787 if (oidSeq == NULL) { | |
3788 goto loser; | |
3789 } | |
3790 | |
3791 oids = oidSeq->oids; | |
3792 while (*oids != NULL) { | |
3793 oid = *oids; | |
3794 | |
3795 oidTag = SECOID_FindOIDTag(oid); | |
3796 | |
3797 if (oidTag == SEC_OID_OCSP_RESPONDER) { | |
3798 goto success; | |
3799 } | |
3800 | |
3801 oids++; | |
3802 } | |
3803 | |
3804 loser: | |
3805 retval = PR_FALSE; | |
3806 PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); | |
3807 goto done; | |
3808 success: | |
3809 retval = PR_TRUE; | |
3810 done: | |
3811 if (extItem.data != NULL) { | |
3812 PORT_Free(extItem.data); | |
3813 } | |
3814 if (oidSeq != NULL) { | |
3815 CERT_DestroyOidSequence(oidSeq); | |
3816 } | |
3817 | |
3818 return (retval); | |
3819 } | |
3820 | |
3821 #ifdef LATER /* | |
3822 * XXX This function is not currently used, but will | |
3823 * be needed later when we do revocation checking of | |
3824 * the responder certificate. Of course, it may need | |
3825 * revising then, if the cert extension interface has | |
3826 * changed. (Hopefully it will!) | |
3827 */ | |
3828 | |
3829 /* Checks a certificate to see if it has the OCSP no check extension. */ | |
3830 static PRBool | |
3831 ocsp_CertHasNoCheckExtension(CERTCertificate *cert) | |
3832 { | |
3833 SECStatus rv; | |
3834 | |
3835 rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK, | |
3836 NULL); | |
3837 if (rv == SECSuccess) { | |
3838 return PR_TRUE; | |
3839 } | |
3840 return PR_FALSE; | |
3841 } | |
3842 #endif /* LATER */ | |
3843 | |
3844 static PRBool | |
3845 ocsp_matchcert(SECItem *certIndex, CERTCertificate *testCert) | |
3846 { | |
3847 SECItem item; | |
3848 unsigned char buf[HASH_LENGTH_MAX]; | |
3849 | |
3850 item.data = buf; | |
3851 item.len = SHA1_LENGTH; | |
3852 | |
3853 if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_SHA1, | |
3854 &item) == NULL) { | |
3855 return PR_FALSE; | |
3856 } | |
3857 if (SECITEM_ItemsAreEqual(certIndex, &item)) { | |
3858 return PR_TRUE; | |
3859 } | |
3860 if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_MD5, | |
3861 &item) == NULL) { | |
3862 return PR_FALSE; | |
3863 } | |
3864 if (SECITEM_ItemsAreEqual(certIndex, &item)) { | |
3865 return PR_TRUE; | |
3866 } | |
3867 if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_MD2, | |
3868 &item) == NULL) { | |
3869 return PR_FALSE; | |
3870 } | |
3871 if (SECITEM_ItemsAreEqual(certIndex, &item)) { | |
3872 return PR_TRUE; | |
3873 } | |
3874 | |
3875 return PR_FALSE; | |
3876 } | |
3877 | |
3878 static CERTCertificate * | |
3879 ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, CERTOCSPCertID *certID); | |
3880 | |
3881 CERTCertificate * | |
3882 ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData, | |
3883 ocspSignature *signature, CERTCertificate *issuer) | |
3884 { | |
3885 CERTCertificate **certs = NULL; | |
3886 CERTCertificate *signerCert = NULL; | |
3887 SECStatus rv = SECFailure; | |
3888 PRBool lookupByName = PR_TRUE; | |
3889 void *certIndex = NULL; | |
3890 int certCount = 0; | |
3891 | |
3892 PORT_Assert(tbsData->responderID != NULL); | |
3893 switch (tbsData->responderID->responderIDType) { | |
3894 case ocspResponderID_byName: | |
3895 lookupByName = PR_TRUE; | |
3896 certIndex = &tbsData->derResponderID; | |
3897 break; | |
3898 case ocspResponderID_byKey: | |
3899 lookupByName = PR_FALSE; | |
3900 certIndex = &tbsData->responderID->responderIDValue.keyHash; | |
3901 break; | |
3902 case ocspResponderID_other: | |
3903 default: | |
3904 PORT_Assert(0); | |
3905 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | |
3906 return NULL; | |
3907 } | |
3908 | |
3909 /* | |
3910 * If the signature contains some certificates as well, temporarily | |
3911 * import them in case they are needed for verification. | |
3912 * | |
3913 * Note that the result of this is that each cert in "certs" needs | |
3914 * to be destroyed. | |
3915 */ | |
3916 if (signature->derCerts != NULL) { | |
3917 for (; signature->derCerts[certCount] != NULL; certCount++) { | |
3918 /* just counting */ | |
3919 } | |
3920 rv = CERT_ImportCerts(handle, certUsageStatusResponder, certCount, | |
3921 signature->derCerts, &certs, | |
3922 PR_FALSE, PR_FALSE, NULL); | |
3923 if (rv != SECSuccess) | |
3924 goto finish; | |
3925 } | |
3926 | |
3927 /* | |
3928 * Now look up the certificate that did the signing. | |
3929 * The signer can be specified either by name or by key hash. | |
3930 */ | |
3931 if (lookupByName) { | |
3932 SECItem *crIndex = (SECItem *)certIndex; | |
3933 SECItem encodedName; | |
3934 PLArenaPool *arena; | |
3935 | |
3936 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
3937 if (arena != NULL) { | |
3938 | |
3939 rv = SEC_QuickDERDecodeItem(arena, &encodedName, | |
3940 ocsp_ResponderIDDerNameTemplate, | |
3941 crIndex); | |
3942 if (rv != SECSuccess) { | |
3943 if (PORT_GetError() == SEC_ERROR_BAD_DER) | |
3944 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | |
3945 } else { | |
3946 signerCert = CERT_FindCertByName(handle, &encodedName); | |
3947 } | |
3948 PORT_FreeArena(arena, PR_FALSE); | |
3949 } | |
3950 } else { | |
3951 /* | |
3952 * The signer is either 1) a known issuer CA we passed in, | |
3953 * 2) the default OCSP responder, or 3) an intermediate CA | |
3954 * passed in the cert list to use. Figure out which it is. | |
3955 */ | |
3956 int i; | |
3957 CERTCertificate *responder = | |
3958 ocsp_CertGetDefaultResponder(handle, NULL); | |
3959 if (responder && ocsp_matchcert(certIndex, responder)) { | |
3960 signerCert = CERT_DupCertificate(responder); | |
3961 } else if (issuer && ocsp_matchcert(certIndex, issuer)) { | |
3962 signerCert = CERT_DupCertificate(issuer); | |
3963 } | |
3964 for (i = 0; (signerCert == NULL) && (i < certCount); i++) { | |
3965 if (ocsp_matchcert(certIndex, certs[i])) { | |
3966 signerCert = CERT_DupCertificate(certs[i]); | |
3967 } | |
3968 } | |
3969 if (signerCert == NULL) { | |
3970 PORT_SetError(SEC_ERROR_UNKNOWN_CERT); | |
3971 } | |
3972 } | |
3973 | |
3974 finish: | |
3975 if (certs != NULL) { | |
3976 CERT_DestroyCertArray(certs, certCount); | |
3977 } | |
3978 | |
3979 return signerCert; | |
3980 } | |
3981 | |
3982 SECStatus | |
3983 ocsp_VerifyResponseSignature(CERTCertificate *signerCert, | |
3984 ocspSignature *signature, | |
3985 SECItem *tbsResponseDataDER, | |
3986 void *pwArg) | |
3987 { | |
3988 SECKEYPublicKey *signerKey = NULL; | |
3989 SECStatus rv = SECFailure; | |
3990 CERTSignedData signedData; | |
3991 | |
3992 /* | |
3993 * Now get the public key from the signer's certificate; we need | |
3994 * it to perform the verification. | |
3995 */ | |
3996 signerKey = CERT_ExtractPublicKey(signerCert); | |
3997 if (signerKey == NULL) { | |
3998 return SECFailure; | |
3999 } | |
4000 | |
4001 /* | |
4002 * We copy the signature data *pointer* and length, so that we can | |
4003 * modify the length without damaging the original copy. This is a | |
4004 * simple copy, not a dup, so no destroy/free is necessary. | |
4005 */ | |
4006 signedData.signature = signature->signature; | |
4007 signedData.signatureAlgorithm = signature->signatureAlgorithm; | |
4008 signedData.data = *tbsResponseDataDER; | |
4009 | |
4010 rv = CERT_VerifySignedDataWithPublicKey(&signedData, signerKey, pwArg); | |
4011 if (rv != SECSuccess && | |
4012 (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE || | |
4013 PORT_GetError() == SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)) { | |
4014 PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE); | |
4015 } | |
4016 | |
4017 if (signerKey != NULL) { | |
4018 SECKEY_DestroyPublicKey(signerKey); | |
4019 } | |
4020 | |
4021 return rv; | |
4022 } | |
4023 | |
4024 /* | |
4025 * FUNCTION: CERT_VerifyOCSPResponseSignature | |
4026 * Check the signature on an OCSP Response. Will also perform a | |
4027 * verification of the signer's certificate. Note, however, that a | |
4028 * successful verification does not make any statement about the | |
4029 * signer's *authority* to provide status for the certificate(s), | |
4030 * that must be checked individually for each certificate. | |
4031 * INPUTS: | |
4032 * CERTOCSPResponse *response | |
4033 * Pointer to response structure with signature to be checked. | |
4034 * CERTCertDBHandle *handle | |
4035 * Pointer to CERTCertDBHandle for certificate DB to use for verification. | |
4036 * void *pwArg | |
4037 * Pointer to argument for password prompting, if needed. | |
4038 * OUTPUTS: | |
4039 * CERTCertificate **pSignerCert | |
4040 * Pointer in which to store signer's certificate; only filled-in if | |
4041 * non-null. | |
4042 * RETURN: | |
4043 * Returns SECSuccess when signature is valid, anything else means invalid. | |
4044 * Possible errors set: | |
4045 * SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID | |
4046 * SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time | |
4047 * SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found | |
4048 * SEC_ERROR_BAD_SIGNATURE - the signature did not verify | |
4049 * Other errors are any of the many possible failures in cert verification | |
4050 * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when | |
4051 * verifying the signer's cert, or low-level problems (no memory, etc.) | |
4052 */ | |
4053 SECStatus | |
4054 CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, | |
4055 CERTCertDBHandle *handle, void *pwArg, | |
4056 CERTCertificate **pSignerCert, | |
4057 CERTCertificate *issuer) | |
4058 { | |
4059 SECItem *tbsResponseDataDER; | |
4060 CERTCertificate *signerCert = NULL; | |
4061 SECStatus rv = SECFailure; | |
4062 PRTime producedAt; | |
4063 | |
4064 /* ocsp_DecodeBasicOCSPResponse will fail if asn1 decoder is unable | |
4065 * to properly decode tbsData (see the function and | |
4066 * ocsp_BasicOCSPResponseTemplate). Thus, tbsData can not be | |
4067 * equal to null */ | |
4068 ocspResponseData *tbsData = ocsp_GetResponseData(response, | |
4069 &tbsResponseDataDER); | |
4070 ocspSignature *signature = ocsp_GetResponseSignature(response); | |
4071 | |
4072 if (!signature) { | |
4073 PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE); | |
4074 return SECFailure; | |
4075 } | |
4076 | |
4077 /* | |
4078 * If this signature has already gone through verification, just | |
4079 * return the cached result. | |
4080 */ | |
4081 if (signature->wasChecked) { | |
4082 if (signature->status == SECSuccess) { | |
4083 if (pSignerCert != NULL) | |
4084 *pSignerCert = CERT_DupCertificate(signature->cert); | |
4085 } else { | |
4086 PORT_SetError(signature->failureReason); | |
4087 } | |
4088 return signature->status; | |
4089 } | |
4090 | |
4091 signerCert = ocsp_GetSignerCertificate(handle, tbsData, | |
4092 signature, issuer); | |
4093 if (signerCert == NULL) { | |
4094 rv = SECFailure; | |
4095 if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) { | |
4096 /* Make the error a little more specific. */ | |
4097 PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); | |
4098 } | |
4099 goto finish; | |
4100 } | |
4101 | |
4102 /* | |
4103 * We could mark this true at the top of this function, or always | |
4104 * below at "finish", but if the problem was just that we could not | |
4105 * find the signer's cert, leave that as if the signature hasn't | |
4106 * been checked in case a subsequent call might have better luck. | |
4107 */ | |
4108 signature->wasChecked = PR_TRUE; | |
4109 | |
4110 /* | |
4111 * The function will also verify the signer certificate; we | |
4112 * need to tell it *when* that certificate must be valid -- for our | |
4113 * purposes we expect it to be valid when the response was signed. | |
4114 * The value of "producedAt" is the signing time. | |
4115 */ | |
4116 rv = DER_GeneralizedTimeToTime(&producedAt, &tbsData->producedAt); | |
4117 if (rv != SECSuccess) | |
4118 goto finish; | |
4119 | |
4120 /* | |
4121 * Just because we have a cert does not mean it is any good; check | |
4122 * it for validity, trust and usage. | |
4123 */ | |
4124 if (ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) { | |
4125 rv = SECSuccess; | |
4126 } else { | |
4127 SECCertUsage certUsage; | |
4128 if (CERT_IsCACert(signerCert, NULL)) { | |
4129 certUsage = certUsageAnyCA; | |
4130 } else { | |
4131 certUsage = certUsageStatusResponder; | |
4132 } | |
4133 rv = cert_VerifyCertWithFlags(handle, signerCert, PR_TRUE, certUsage, | |
4134 producedAt, CERT_VERIFYCERT_SKIP_OCSP, | |
4135 pwArg, NULL); | |
4136 if (rv != SECSuccess) { | |
4137 PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); | |
4138 goto finish; | |
4139 } | |
4140 } | |
4141 | |
4142 rv = ocsp_VerifyResponseSignature(signerCert, signature, | |
4143 tbsResponseDataDER, | |
4144 pwArg); | |
4145 | |
4146 finish: | |
4147 if (signature->wasChecked) | |
4148 signature->status = rv; | |
4149 | |
4150 if (rv != SECSuccess) { | |
4151 signature->failureReason = PORT_GetError(); | |
4152 if (signerCert != NULL) | |
4153 CERT_DestroyCertificate(signerCert); | |
4154 } else { | |
4155 /* | |
4156 * Save signer's certificate in signature. | |
4157 */ | |
4158 signature->cert = signerCert; | |
4159 if (pSignerCert != NULL) { | |
4160 /* | |
4161 * Pass pointer to signer's certificate back to our caller, | |
4162 * who is also now responsible for destroying it. | |
4163 */ | |
4164 *pSignerCert = CERT_DupCertificate(signerCert); | |
4165 } | |
4166 } | |
4167 | |
4168 return rv; | |
4169 } | |
4170 | |
4171 /* | |
4172 * See if the request's certID and the single response's certID match. | |
4173 * This can be easy or difficult, depending on whether the same hash | |
4174 * algorithm was used. | |
4175 */ | |
4176 static PRBool | |
4177 ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID, | |
4178 CERTOCSPCertID *responseCertID) | |
4179 { | |
4180 PRBool match = PR_FALSE; | |
4181 SECOidTag hashAlg; | |
4182 SECItem *keyHash = NULL; | |
4183 SECItem *nameHash = NULL; | |
4184 | |
4185 /* | |
4186 * In order to match, they must have the same issuer and the same | |
4187 * serial number. | |
4188 * | |
4189 * We just compare the easier things first. | |
4190 */ | |
4191 if (SECITEM_CompareItem(&requestCertID->serialNumber, | |
4192 &responseCertID->serialNumber) != SECEqual) { | |
4193 goto done; | |
4194 } | |
4195 | |
4196 /* | |
4197 * Make sure the "parameters" are not too bogus. Since we encoded | |
4198 * requestCertID->hashAlgorithm, we don't need to check it. | |
4199 */ | |
4200 if (responseCertID->hashAlgorithm.parameters.len > 2) { | |
4201 goto done; | |
4202 } | |
4203 if (SECITEM_CompareItem(&requestCertID->hashAlgorithm.algorithm, | |
4204 &responseCertID->hashAlgorithm.algorithm) == | |
4205 SECEqual) { | |
4206 /* | |
4207 * If the hash algorithms match then we can do a simple compare | |
4208 * of the hash values themselves. | |
4209 */ | |
4210 if ((SECITEM_CompareItem(&requestCertID->issuerNameHash, | |
4211 &responseCertID->issuerNameHash) == SECEqual) &
& | |
4212 (SECITEM_CompareItem(&requestCertID->issuerKeyHash, | |
4213 &responseCertID->issuerKeyHash) == SECEqual)) { | |
4214 match = PR_TRUE; | |
4215 } | |
4216 goto done; | |
4217 } | |
4218 | |
4219 hashAlg = SECOID_FindOIDTag(&responseCertID->hashAlgorithm.algorithm); | |
4220 switch (hashAlg) { | |
4221 case SEC_OID_SHA1: | |
4222 keyHash = &requestCertID->issuerSHA1KeyHash; | |
4223 nameHash = &requestCertID->issuerSHA1NameHash; | |
4224 break; | |
4225 case SEC_OID_MD5: | |
4226 keyHash = &requestCertID->issuerMD5KeyHash; | |
4227 nameHash = &requestCertID->issuerMD5NameHash; | |
4228 break; | |
4229 case SEC_OID_MD2: | |
4230 keyHash = &requestCertID->issuerMD2KeyHash; | |
4231 nameHash = &requestCertID->issuerMD2NameHash; | |
4232 break; | |
4233 default: | |
4234 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); | |
4235 return PR_FALSE; | |
4236 } | |
4237 | |
4238 if ((keyHash != NULL) && | |
4239 (SECITEM_CompareItem(nameHash, | |
4240 &responseCertID->issuerNameHash) == SECEqual) && | |
4241 (SECITEM_CompareItem(keyHash, | |
4242 &responseCertID->issuerKeyHash) == SECEqual)) { | |
4243 match = PR_TRUE; | |
4244 } | |
4245 | |
4246 done: | |
4247 return match; | |
4248 } | |
4249 | |
4250 /* | |
4251 * Find the single response for the cert specified by certID. | |
4252 * No copying is done; this just returns a pointer to the appropriate | |
4253 * response within responses, if it is found (and null otherwise). | |
4254 * This is fine, of course, since this function is internal-use only. | |
4255 */ | |
4256 static CERTOCSPSingleResponse * | |
4257 ocsp_GetSingleResponseForCertID(CERTOCSPSingleResponse **responses, | |
4258 CERTCertDBHandle *handle, | |
4259 CERTOCSPCertID *certID) | |
4260 { | |
4261 CERTOCSPSingleResponse *single; | |
4262 int i; | |
4263 | |
4264 if (responses == NULL) | |
4265 return NULL; | |
4266 | |
4267 for (i = 0; responses[i] != NULL; i++) { | |
4268 single = responses[i]; | |
4269 if (ocsp_CertIDsMatch(certID, single->certID)) { | |
4270 return single; | |
4271 } | |
4272 } | |
4273 | |
4274 /* | |
4275 * The OCSP server should have included a response even if it knew | |
4276 * nothing about the certificate in question. Since it did not, | |
4277 * this will make it look as if it had. | |
4278 * | |
4279 * XXX Should we make this a separate error to notice the server's | |
4280 * bad behavior? | |
4281 */ | |
4282 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT); | |
4283 return NULL; | |
4284 } | |
4285 | |
4286 static ocspCheckingContext * | |
4287 ocsp_GetCheckingContext(CERTCertDBHandle *handle) | |
4288 { | |
4289 CERTStatusConfig *statusConfig; | |
4290 ocspCheckingContext *ocspcx = NULL; | |
4291 | |
4292 statusConfig = CERT_GetStatusConfig(handle); | |
4293 if (statusConfig != NULL) { | |
4294 ocspcx = statusConfig->statusContext; | |
4295 | |
4296 /* | |
4297 * This is actually an internal error, because we should never | |
4298 * have a good statusConfig without a good statusContext, too. | |
4299 * For lack of anything better, though, we just assert and use | |
4300 * the same error as if there were no statusConfig (set below). | |
4301 */ | |
4302 PORT_Assert(ocspcx != NULL); | |
4303 } | |
4304 | |
4305 if (ocspcx == NULL) | |
4306 PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED); | |
4307 | |
4308 return ocspcx; | |
4309 } | |
4310 | |
4311 /* | |
4312 * Return cert reference if the given signerCert is the default responder for | |
4313 * the given certID. If not, or if any error, return NULL. | |
4314 */ | |
4315 static CERTCertificate * | |
4316 ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, CERTOCSPCertID *certID) | |
4317 { | |
4318 ocspCheckingContext *ocspcx; | |
4319 | |
4320 ocspcx = ocsp_GetCheckingContext(handle); | |
4321 if (ocspcx == NULL) | |
4322 goto loser; | |
4323 | |
4324 /* | |
4325 * Right now we have only one default responder. It applies to | |
4326 * all certs when it is used, so the check is simple and certID | |
4327 * has no bearing on the answer. Someday in the future we may | |
4328 * allow configuration of different responders for different | |
4329 * issuers, and then we would have to use the issuer specified | |
4330 * in certID to determine if signerCert is the right one. | |
4331 */ | |
4332 if (ocspcx->useDefaultResponder) { | |
4333 PORT_Assert(ocspcx->defaultResponderCert != NULL); | |
4334 return ocspcx->defaultResponderCert; | |
4335 } | |
4336 | |
4337 loser: | |
4338 return NULL; | |
4339 } | |
4340 | |
4341 /* | |
4342 * Return true if the cert is one of the default responders configured for | |
4343 * ocsp context. If not, or if any error, return false. | |
4344 */ | |
4345 PRBool | |
4346 ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert) | |
4347 { | |
4348 ocspCheckingContext *ocspcx; | |
4349 | |
4350 ocspcx = ocsp_GetCheckingContext(handle); | |
4351 if (ocspcx == NULL) | |
4352 return PR_FALSE; | |
4353 | |
4354 /* | |
4355 * Right now we have only one default responder. It applies to | |
4356 * all certs when it is used, so the check is simple and certID | |
4357 * has no bearing on the answer. Someday in the future we may | |
4358 * allow configuration of different responders for different | |
4359 * issuers, and then we would have to use the issuer specified | |
4360 * in certID to determine if signerCert is the right one. | |
4361 */ | |
4362 if (ocspcx->useDefaultResponder && | |
4363 CERT_CompareCerts(ocspcx->defaultResponderCert, cert)) { | |
4364 return PR_TRUE; | |
4365 } | |
4366 | |
4367 return PR_FALSE; | |
4368 } | |
4369 | |
4370 /* | |
4371 * Check that the given signer certificate is authorized to sign status | |
4372 * information for the given certID. Return true if it is, false if not | |
4373 * (or if there is any error along the way). If false is returned because | |
4374 * the signer is not authorized, the following error will be set: | |
4375 * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE | |
4376 * Other errors are low-level problems (no memory, bad database, etc.). | |
4377 * | |
4378 * There are three ways to be authorized. In the order in which we check, | |
4379 * using the terms used in the OCSP spec, the signer must be one of: | |
4380 * 1. A "trusted responder" -- it matches a local configuration | |
4381 * of OCSP signing authority for the certificate in question. | |
4382 * 2. The CA who issued the certificate in question. | |
4383 * 3. A "CA designated responder", aka an "authorized responder" -- it | |
4384 * must be represented by a special cert issued by the CA who issued | |
4385 * the certificate in question. | |
4386 */ | |
4387 static PRBool | |
4388 ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle, | |
4389 CERTCertificate *signerCert, | |
4390 CERTOCSPCertID *certID, | |
4391 PRTime thisUpdate) | |
4392 { | |
4393 CERTCertificate *issuerCert = NULL, *defRespCert; | |
4394 SECItem *keyHash = NULL; | |
4395 SECItem *nameHash = NULL; | |
4396 SECOidTag hashAlg; | |
4397 PRBool keyHashEQ = PR_FALSE, nameHashEQ = PR_FALSE; | |
4398 | |
4399 /* | |
4400 * Check first for a trusted responder, which overrides everything else. | |
4401 */ | |
4402 if ((defRespCert = ocsp_CertGetDefaultResponder(handle, certID)) && | |
4403 CERT_CompareCerts(defRespCert, signerCert)) { | |
4404 return PR_TRUE; | |
4405 } | |
4406 | |
4407 /* | |
4408 * In the other two cases, we need to do an issuer comparison. | |
4409 * How we do it depends on whether the signer certificate has the | |
4410 * special extension (for a designated responder) or not. | |
4411 * | |
4412 * First, lets check if signer of the response is the actual issuer | |
4413 * of the cert. For that we will use signer cert key hash and cert subj | |
4414 * name hash and will compare them with already calculated issuer key | |
4415 * hash and issuer name hash. The hash algorithm is picked from response | |
4416 * certID hash to avoid second hash calculation. | |
4417 */ | |
4418 | |
4419 hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm); | |
4420 | |
4421 keyHash = CERT_GetSubjectPublicKeyDigest(NULL, signerCert, hashAlg, NULL); | |
4422 if (keyHash != NULL) { | |
4423 | |
4424 keyHashEQ = | |
4425 (SECITEM_CompareItem(keyHash, | |
4426 &certID->issuerKeyHash) == SECEqual); | |
4427 SECITEM_FreeItem(keyHash, PR_TRUE); | |
4428 } | |
4429 if (keyHashEQ && | |
4430 (nameHash = CERT_GetSubjectNameDigest(NULL, signerCert, | |
4431 hashAlg, NULL))) { | |
4432 nameHashEQ = | |
4433 (SECITEM_CompareItem(nameHash, | |
4434 &certID->issuerNameHash) == SECEqual); | |
4435 | |
4436 SECITEM_FreeItem(nameHash, PR_TRUE); | |
4437 if (nameHashEQ) { | |
4438 /* The issuer of the cert is the the signer of the response */ | |
4439 return PR_TRUE; | |
4440 } | |
4441 } | |
4442 | |
4443 keyHashEQ = PR_FALSE; | |
4444 nameHashEQ = PR_FALSE; | |
4445 | |
4446 if (!ocsp_CertIsOCSPDesignatedResponder(signerCert)) { | |
4447 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE); | |
4448 return PR_FALSE; | |
4449 } | |
4450 | |
4451 /* | |
4452 * The signer is a designated responder. Its issuer must match | |
4453 * the issuer of the cert being checked. | |
4454 */ | |
4455 issuerCert = CERT_FindCertIssuer(signerCert, thisUpdate, | |
4456 certUsageAnyCA); | |
4457 if (issuerCert == NULL) { | |
4458 /* | |
4459 * We could leave the SEC_ERROR_UNKNOWN_ISSUER error alone, | |
4460 * but the following will give slightly more information. | |
4461 * Once we have an error stack, things will be much better. | |
4462 */ | |
4463 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE); | |
4464 return PR_FALSE; | |
4465 } | |
4466 | |
4467 keyHash = CERT_GetSubjectPublicKeyDigest(NULL, issuerCert, hashAlg, NULL); | |
4468 nameHash = CERT_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL); | |
4469 | |
4470 CERT_DestroyCertificate(issuerCert); | |
4471 | |
4472 if (keyHash != NULL && nameHash != NULL) { | |
4473 keyHashEQ = | |
4474 (SECITEM_CompareItem(keyHash, | |
4475 &certID->issuerKeyHash) == SECEqual); | |
4476 | |
4477 nameHashEQ = | |
4478 (SECITEM_CompareItem(nameHash, | |
4479 &certID->issuerNameHash) == SECEqual); | |
4480 } | |
4481 | |
4482 if (keyHash) { | |
4483 SECITEM_FreeItem(keyHash, PR_TRUE); | |
4484 } | |
4485 if (nameHash) { | |
4486 SECITEM_FreeItem(nameHash, PR_TRUE); | |
4487 } | |
4488 | |
4489 if (keyHashEQ && nameHashEQ) { | |
4490 return PR_TRUE; | |
4491 } | |
4492 | |
4493 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE); | |
4494 return PR_FALSE; | |
4495 } | |
4496 | |
4497 /* | |
4498 * We need to check that a responder gives us "recent" information. | |
4499 * Since a responder can pre-package responses, we need to pick an amount | |
4500 * of time that is acceptable to us, and reject any response that is | |
4501 * older than that. | |
4502 * | |
4503 * XXX This *should* be based on some configuration parameter, so that | |
4504 * different usages could specify exactly what constitutes "sufficiently | |
4505 * recent". But that is not going to happen right away. For now, we | |
4506 * want something from within the last 24 hours. This macro defines that | |
4507 * number in seconds. | |
4508 */ | |
4509 #define OCSP_ALLOWABLE_LAPSE_SECONDS (24L * 60L * 60L) | |
4510 | |
4511 static PRBool | |
4512 ocsp_TimeIsRecent(PRTime checkTime) | |
4513 { | |
4514 PRTime now = PR_Now(); | |
4515 PRTime lapse, tmp; | |
4516 | |
4517 LL_I2L(lapse, OCSP_ALLOWABLE_LAPSE_SECONDS); | |
4518 LL_I2L(tmp, PR_USEC_PER_SEC); | |
4519 LL_MUL(lapse, lapse, tmp); /* allowable lapse in microseconds */ | |
4520 | |
4521 LL_ADD(checkTime, checkTime, lapse); | |
4522 if (LL_CMP(now, >, checkTime)) | |
4523 return PR_FALSE; | |
4524 | |
4525 return PR_TRUE; | |
4526 } | |
4527 | |
4528 #define OCSP_SLOP (5L * 60L) /* OCSP responses are allowed to be 5 minutes \ | |
4529 in the future by default */ | |
4530 | |
4531 static PRUint32 ocspsloptime = OCSP_SLOP; /* seconds */ | |
4532 | |
4533 /* | |
4534 * If an old response contains the revoked certificate status, we want | |
4535 * to return SECSuccess so the response will be used. | |
4536 */ | |
4537 static SECStatus | |
4538 ocsp_HandleOldSingleResponse(CERTOCSPSingleResponse *single, PRTime time) | |
4539 { | |
4540 SECStatus rv; | |
4541 ocspCertStatus *status = single->certStatus; | |
4542 if (status->certStatusType == ocspCertStatus_revoked) { | |
4543 rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time); | |
4544 if (rv != SECSuccess && | |
4545 PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE) { | |
4546 /* | |
4547 * Return SECSuccess now. The subsequent ocsp_CertRevokedAfter | |
4548 * call in ocsp_CertHasGoodStatus will cause | |
4549 * ocsp_CertHasGoodStatus to fail with | |
4550 * SEC_ERROR_REVOKED_CERTIFICATE. | |
4551 */ | |
4552 return SECSuccess; | |
4553 } | |
4554 } | |
4555 PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE); | |
4556 return SECFailure; | |
4557 } | |
4558 | |
4559 /* | |
4560 * Check that this single response is okay. A return of SECSuccess means: | |
4561 * 1. The signer (represented by "signerCert") is authorized to give status | |
4562 * for the cert represented by the individual response in "single". | |
4563 * 2. The value of thisUpdate is earlier than now. | |
4564 * 3. The value of producedAt is later than or the same as thisUpdate. | |
4565 * 4. If nextUpdate is given: | |
4566 * - The value of nextUpdate is later than now. | |
4567 * - The value of producedAt is earlier than nextUpdate. | |
4568 * Else if no nextUpdate: | |
4569 * - The value of thisUpdate is fairly recent. | |
4570 * - The value of producedAt is fairly recent. | |
4571 * However we do not need to perform an explicit check for this last | |
4572 * constraint because it is already guaranteed by checking that | |
4573 * producedAt is later than thisUpdate and thisUpdate is recent. | |
4574 * Oh, and any responder is "authorized" to say that a cert is unknown to it. | |
4575 * | |
4576 * If any of those checks fail, SECFailure is returned and an error is set: | |
4577 * SEC_ERROR_OCSP_FUTURE_RESPONSE | |
4578 * SEC_ERROR_OCSP_OLD_RESPONSE | |
4579 * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE | |
4580 * Other errors are low-level problems (no memory, bad database, etc.). | |
4581 */ | |
4582 static SECStatus | |
4583 ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single, | |
4584 CERTCertDBHandle *handle, | |
4585 CERTCertificate *signerCert, | |
4586 PRTime producedAt) | |
4587 { | |
4588 CERTOCSPCertID *certID = single->certID; | |
4589 PRTime now, thisUpdate, nextUpdate, tmstamp, tmp; | |
4590 SECStatus rv; | |
4591 | |
4592 OCSP_TRACE(("OCSP ocsp_VerifySingleResponse, nextUpdate: %d\n", | |
4593 ((single->nextUpdate) != 0))); | |
4594 /* | |
4595 * If all the responder said was that the given cert was unknown to it, | |
4596 * that is a valid response. Not very interesting to us, of course, | |
4597 * but all this function is concerned with is validity of the response, | |
4598 * not the status of the cert. | |
4599 */ | |
4600 PORT_Assert(single->certStatus != NULL); | |
4601 if (single->certStatus->certStatusType == ocspCertStatus_unknown) | |
4602 return SECSuccess; | |
4603 | |
4604 /* | |
4605 * We need to extract "thisUpdate" for use below and to pass along | |
4606 * to AuthorizedResponderForCertID in case it needs it for doing an | |
4607 * issuer look-up. | |
4608 */ | |
4609 rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate); | |
4610 if (rv != SECSuccess) | |
4611 return rv; | |
4612 | |
4613 /* | |
4614 * First confirm that signerCert is authorized to give this status. | |
4615 */ | |
4616 if (ocsp_AuthorizedResponderForCertID(handle, signerCert, certID, | |
4617 thisUpdate) != PR_TRUE) | |
4618 return SECFailure; | |
4619 | |
4620 /* | |
4621 * Now check the time stuff, as described above. | |
4622 */ | |
4623 now = PR_Now(); | |
4624 /* allow slop time for future response */ | |
4625 LL_UI2L(tmstamp, ocspsloptime); /* get slop time in seconds */ | |
4626 LL_UI2L(tmp, PR_USEC_PER_SEC); | |
4627 LL_MUL(tmp, tmstamp, tmp); /* convert the slop time to PRTime */ | |
4628 LL_ADD(tmstamp, tmp, now); /* add current time to it */ | |
4629 | |
4630 if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) { | |
4631 PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE); | |
4632 return SECFailure; | |
4633 } | |
4634 if (single->nextUpdate != NULL) { | |
4635 rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate); | |
4636 if (rv != SECSuccess) | |
4637 return rv; | |
4638 | |
4639 LL_ADD(tmp, tmp, nextUpdate); | |
4640 if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate)) | |
4641 return ocsp_HandleOldSingleResponse(single, now); | |
4642 } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) { | |
4643 return ocsp_HandleOldSingleResponse(single, now); | |
4644 } | |
4645 | |
4646 return SECSuccess; | |
4647 } | |
4648 | |
4649 /* | |
4650 * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation | |
4651 * Get the value of the URI of the OCSP responder for the given cert. | |
4652 * This is found in the (optional) Authority Information Access extension | |
4653 * in the cert. | |
4654 * INPUTS: | |
4655 * CERTCertificate *cert | |
4656 * The certificate being examined. | |
4657 * RETURN: | |
4658 * char * | |
4659 * A copy of the URI for the OCSP method, if found. If either the | |
4660 * extension is not present or it does not contain an entry for OCSP, | |
4661 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION will be set and a NULL returned. | |
4662 * Any other error will also result in a NULL being returned. | |
4663 * | |
4664 * This result should be freed (via PORT_Free) when no longer in use. | |
4665 */ | |
4666 char * | |
4667 CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert) | |
4668 { | |
4669 CERTGeneralName *locname = NULL; | |
4670 SECItem *location = NULL; | |
4671 SECItem *encodedAuthInfoAccess = NULL; | |
4672 CERTAuthInfoAccess **authInfoAccess = NULL; | |
4673 char *locURI = NULL; | |
4674 PLArenaPool *arena = NULL; | |
4675 SECStatus rv; | |
4676 int i; | |
4677 | |
4678 /* | |
4679 * Allocate this one from the heap because it will get filled in | |
4680 * by CERT_FindCertExtension which will also allocate from the heap, | |
4681 * and we can free the entire thing on our way out. | |
4682 */ | |
4683 encodedAuthInfoAccess = SECITEM_AllocItem(NULL, NULL, 0); | |
4684 if (encodedAuthInfoAccess == NULL) | |
4685 goto loser; | |
4686 | |
4687 rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS, | |
4688 encodedAuthInfoAccess); | |
4689 if (rv == SECFailure) { | |
4690 PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); | |
4691 goto loser; | |
4692 } | |
4693 | |
4694 /* | |
4695 * The rest of the things allocated in the routine will come out of | |
4696 * this arena, which is temporary just for us to decode and get at the | |
4697 * AIA extension. The whole thing will be destroyed on our way out, | |
4698 * after we have copied the location string (url) itself (if found). | |
4699 */ | |
4700 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
4701 if (arena == NULL) | |
4702 goto loser; | |
4703 | |
4704 authInfoAccess = CERT_DecodeAuthInfoAccessExtension(arena, | |
4705 encodedAuthInfoAccess); | |
4706 if (authInfoAccess == NULL) | |
4707 goto loser; | |
4708 | |
4709 for (i = 0; authInfoAccess[i] != NULL; i++) { | |
4710 if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP) | |
4711 locname = authInfoAccess[i]->location; | |
4712 } | |
4713 | |
4714 /* | |
4715 * If we found an AIA extension, but it did not include an OCSP method, | |
4716 * that should look to our caller as if we did not find the extension | |
4717 * at all, because it is only an OCSP method that we care about. | |
4718 * So set the same error that would be set if the AIA extension was | |
4719 * not there at all. | |
4720 */ | |
4721 if (locname == NULL) { | |
4722 PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); | |
4723 goto loser; | |
4724 } | |
4725 | |
4726 /* | |
4727 * The following is just a pointer back into locname (i.e. not a copy); | |
4728 * thus it should not be freed. | |
4729 */ | |
4730 location = CERT_GetGeneralNameByType(locname, certURI, PR_FALSE); | |
4731 if (location == NULL) { | |
4732 /* | |
4733 * XXX Appears that CERT_GetGeneralNameByType does not set an | |
4734 * error if there is no name by that type. For lack of anything | |
4735 * better, act as if the extension was not found. In the future | |
4736 * this should probably be something more like the extension was | |
4737 * badly formed. | |
4738 */ | |
4739 PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); | |
4740 goto loser; | |
4741 } | |
4742 | |
4743 /* | |
4744 * That location is really a string, but it has a specified length | |
4745 * without a null-terminator. We need a real string that does have | |
4746 * a null-terminator, and we need a copy of it anyway to return to | |
4747 * our caller -- so allocate and copy. | |
4748 */ | |
4749 locURI = PORT_Alloc(location->len + 1); | |
4750 if (locURI == NULL) { | |
4751 goto loser; | |
4752 } | |
4753 PORT_Memcpy(locURI, location->data, location->len); | |
4754 locURI[location->len] = '\0'; | |
4755 | |
4756 loser: | |
4757 if (arena != NULL) | |
4758 PORT_FreeArena(arena, PR_FALSE); | |
4759 | |
4760 if (encodedAuthInfoAccess != NULL) | |
4761 SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE); | |
4762 | |
4763 return locURI; | |
4764 } | |
4765 | |
4766 /* | |
4767 * Figure out where we should go to find out the status of the given cert | |
4768 * via OCSP. If allowed to use a default responder uri and a default | |
4769 * responder is set up, then that is our answer. | |
4770 * If not, see if the certificate has an Authority Information Access (AIA) | |
4771 * extension for OCSP, and return the value of that. Otherwise return NULL. | |
4772 * We also let our caller know whether or not the responder chosen was | |
4773 * a default responder or not through the output variable isDefault; | |
4774 * its value has no meaning unless a good (non-null) value is returned | |
4775 * for the location. | |
4776 * | |
4777 * The result needs to be freed (PORT_Free) when no longer in use. | |
4778 */ | |
4779 char * | |
4780 ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert, | |
4781 PRBool canUseDefault, PRBool *isDefault) | |
4782 { | |
4783 ocspCheckingContext *ocspcx = NULL; | |
4784 char *ocspUrl = NULL; | |
4785 | |
4786 if (canUseDefault) { | |
4787 ocspcx = ocsp_GetCheckingContext(handle); | |
4788 } | |
4789 if (ocspcx != NULL && ocspcx->useDefaultResponder) { | |
4790 /* | |
4791 * A default responder wins out, if specified. | |
4792 * XXX Someday this may be a more complicated determination based | |
4793 * on the cert's issuer. (That is, we could have different default | |
4794 * responders configured for different issuers.) | |
4795 */ | |
4796 PORT_Assert(ocspcx->defaultResponderURI != NULL); | |
4797 *isDefault = PR_TRUE; | |
4798 return (PORT_Strdup(ocspcx->defaultResponderURI)); | |
4799 } | |
4800 | |
4801 /* | |
4802 * No default responder set up, so go see if we can find an AIA | |
4803 * extension that has a value for OCSP, and get the url from that. | |
4804 */ | |
4805 *isDefault = PR_FALSE; | |
4806 ocspUrl = CERT_GetOCSPAuthorityInfoAccessLocation(cert); | |
4807 if (!ocspUrl) { | |
4808 CERT_StringFromCertFcn altFcn; | |
4809 | |
4810 PR_EnterMonitor(OCSP_Global.monitor); | |
4811 altFcn = OCSP_Global.alternateOCSPAIAFcn; | |
4812 PR_ExitMonitor(OCSP_Global.monitor); | |
4813 if (altFcn) { | |
4814 ocspUrl = (*altFcn)(cert); | |
4815 if (ocspUrl) | |
4816 *isDefault = PR_TRUE; | |
4817 } | |
4818 } | |
4819 return ocspUrl; | |
4820 } | |
4821 | |
4822 /* | |
4823 * Return SECSuccess if the cert was revoked *after* "time", | |
4824 * SECFailure otherwise. | |
4825 */ | |
4826 static SECStatus | |
4827 ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time) | |
4828 { | |
4829 PRTime revokedTime; | |
4830 SECStatus rv; | |
4831 | |
4832 rv = DER_GeneralizedTimeToTime(&revokedTime, &revokedInfo->revocationTime); | |
4833 if (rv != SECSuccess) | |
4834 return rv; | |
4835 | |
4836 /* | |
4837 * Set the error even if we will return success; someone might care. | |
4838 */ | |
4839 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); | |
4840 | |
4841 if (LL_CMP(revokedTime, >, time)) | |
4842 return SECSuccess; | |
4843 | |
4844 return SECFailure; | |
4845 } | |
4846 | |
4847 /* | |
4848 * See if the cert represented in the single response had a good status | |
4849 * at the specified time. | |
4850 */ | |
4851 SECStatus | |
4852 ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time) | |
4853 { | |
4854 SECStatus rv; | |
4855 switch (status->certStatusType) { | |
4856 case ocspCertStatus_good: | |
4857 rv = SECSuccess; | |
4858 break; | |
4859 case ocspCertStatus_revoked: | |
4860 rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time)
; | |
4861 break; | |
4862 case ocspCertStatus_unknown: | |
4863 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT); | |
4864 rv = SECFailure; | |
4865 break; | |
4866 case ocspCertStatus_other: | |
4867 default: | |
4868 PORT_Assert(0); | |
4869 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | |
4870 rv = SECFailure; | |
4871 break; | |
4872 } | |
4873 return rv; | |
4874 } | |
4875 | |
4876 static SECStatus | |
4877 ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single, | |
4878 PRTime time) | |
4879 { | |
4880 return ocsp_CertHasGoodStatus(single->certStatus, time); | |
4881 } | |
4882 | |
4883 /* SECFailure means the arguments were invalid. | |
4884 * On SECSuccess, the out parameters contain the OCSP status. | |
4885 * rvOcsp contains the overall result of the OCSP operation. | |
4886 * Depending on input parameter ignoreGlobalOcspFailureSetting, | |
4887 * a soft failure might be converted into *rvOcsp=SECSuccess. | |
4888 * If the cached attempt to obtain OCSP information had resulted | |
4889 * in a failure, missingResponseError shows the error code of | |
4890 * that failure. | |
4891 * cacheFreshness is ocspMissing if no entry was found, | |
4892 * ocspFresh if a fresh entry was found, or | |
4893 * ocspStale if a stale entry was found. | |
4894 */ | |
4895 SECStatus | |
4896 ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID, | |
4897 PRTime time, | |
4898 PRBool ignoreGlobalOcspFailureSetting, | |
4899 SECStatus *rvOcsp, | |
4900 SECErrorCodes *missingResponseError, | |
4901 OCSPFreshness *cacheFreshness) | |
4902 { | |
4903 OCSPCacheItem *cacheItem = NULL; | |
4904 | |
4905 if (!certID || !missingResponseError || !rvOcsp || !cacheFreshness) { | |
4906 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
4907 return SECFailure; | |
4908 } | |
4909 *rvOcsp = SECFailure; | |
4910 *missingResponseError = 0; | |
4911 *cacheFreshness = ocspMissing; | |
4912 | |
4913 PR_EnterMonitor(OCSP_Global.monitor); | |
4914 cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID); | |
4915 if (cacheItem) { | |
4916 *cacheFreshness = ocsp_IsCacheItemFresh(cacheItem) ? ocspFresh | |
4917 : ocspStale; | |
4918 /* having an arena means, we have a cached certStatus */ | |
4919 if (cacheItem->certStatusArena) { | |
4920 *rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time); | |
4921 if (*rvOcsp != SECSuccess) { | |
4922 *missingResponseError = PORT_GetError(); | |
4923 } | |
4924 } else { | |
4925 /* | |
4926 * No status cached, the previous attempt failed. | |
4927 * If OCSP is required, we never decide based on a failed attempt | |
4928 * However, if OCSP is optional, a recent OCSP failure is | |
4929 * an allowed good state. | |
4930 */ | |
4931 if (*cacheFreshness == ocspFresh && | |
4932 !ignoreGlobalOcspFailureSetting && | |
4933 OCSP_Global.ocspFailureMode == | |
4934 ocspMode_FailureIsNotAVerificationFailure) { | |
4935 *rvOcsp = SECSuccess; | |
4936 } | |
4937 *missingResponseError = cacheItem->missingResponseError; | |
4938 } | |
4939 } | |
4940 PR_ExitMonitor(OCSP_Global.monitor); | |
4941 return SECSuccess; | |
4942 } | |
4943 | |
4944 PRBool | |
4945 ocsp_FetchingFailureIsVerificationFailure(void) | |
4946 { | |
4947 PRBool isFailure; | |
4948 | |
4949 PR_EnterMonitor(OCSP_Global.monitor); | |
4950 isFailure = | |
4951 OCSP_Global.ocspFailureMode == ocspMode_FailureIsVerificationFailure; | |
4952 PR_ExitMonitor(OCSP_Global.monitor); | |
4953 return isFailure; | |
4954 } | |
4955 | |
4956 /* | |
4957 * FUNCTION: CERT_CheckOCSPStatus | |
4958 * Checks the status of a certificate via OCSP. Will only check status for | |
4959 * a certificate that has an AIA (Authority Information Access) extension | |
4960 * for OCSP *or* when a "default responder" is specified and enabled. | |
4961 * (If no AIA extension for OCSP and no default responder in place, the | |
4962 * cert is considered to have a good status and SECSuccess is returned.) | |
4963 * INPUTS: | |
4964 * CERTCertDBHandle *handle | |
4965 * certificate DB of the cert that is being checked | |
4966 * CERTCertificate *cert | |
4967 * the certificate being checked | |
4968 * XXX in the long term also need a boolean parameter that specifies | |
4969 * whether to check the cert chain, as well; for now we check only | |
4970 * the leaf (the specified certificate) | |
4971 * PRTime time | |
4972 * time for which status is to be determined | |
4973 * void *pwArg | |
4974 * argument for password prompting, if needed | |
4975 * RETURN: | |
4976 * Returns SECSuccess if an approved OCSP responder "knows" the cert | |
4977 * *and* returns a non-revoked status for it; SECFailure otherwise, | |
4978 * with an error set describing the reason: | |
4979 * | |
4980 * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE | |
4981 * SEC_ERROR_OCSP_FUTURE_RESPONSE | |
4982 * SEC_ERROR_OCSP_MALFORMED_REQUEST | |
4983 * SEC_ERROR_OCSP_MALFORMED_RESPONSE | |
4984 * SEC_ERROR_OCSP_OLD_RESPONSE | |
4985 * SEC_ERROR_OCSP_REQUEST_NEEDS_SIG | |
4986 * SEC_ERROR_OCSP_SERVER_ERROR | |
4987 * SEC_ERROR_OCSP_TRY_SERVER_LATER | |
4988 * SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST | |
4989 * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE | |
4990 * SEC_ERROR_OCSP_UNKNOWN_CERT | |
4991 * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS | |
4992 * SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE | |
4993 * | |
4994 * SEC_ERROR_BAD_SIGNATURE | |
4995 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION | |
4996 * SEC_ERROR_INVALID_TIME | |
4997 * SEC_ERROR_REVOKED_CERTIFICATE | |
4998 * SEC_ERROR_UNKNOWN_ISSUER | |
4999 * SEC_ERROR_UNKNOWN_SIGNER | |
5000 * | |
5001 * Other errors are any of the many possible failures in cert verification | |
5002 * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when | |
5003 * verifying the signer's cert, or low-level problems (error allocating | |
5004 * memory, error performing ASN.1 decoding, etc.). | |
5005 */ | |
5006 SECStatus | |
5007 CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, | |
5008 PRTime time, void *pwArg) | |
5009 { | |
5010 CERTOCSPCertID *certID; | |
5011 PRBool certIDWasConsumed = PR_FALSE; | |
5012 SECStatus rv; | |
5013 SECStatus rvOcsp; | |
5014 SECErrorCodes cachedErrorCode; | |
5015 OCSPFreshness cachedResponseFreshness; | |
5016 | |
5017 OCSP_TRACE_CERT(cert); | |
5018 OCSP_TRACE_TIME("## requested validity time:", time); | |
5019 | |
5020 certID = CERT_CreateOCSPCertID(cert, time); | |
5021 if (!certID) | |
5022 return SECFailure; | |
5023 rv = ocsp_GetCachedOCSPResponseStatus( | |
5024 certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */ | |
5025 &rvOcsp, &cachedErrorCode, &cachedResponseFreshness); | |
5026 if (rv != SECSuccess) { | |
5027 CERT_DestroyOCSPCertID(certID); | |
5028 return SECFailure; | |
5029 } | |
5030 if (cachedResponseFreshness == ocspFresh) { | |
5031 CERT_DestroyOCSPCertID(certID); | |
5032 if (rvOcsp != SECSuccess) { | |
5033 PORT_SetError(cachedErrorCode); | |
5034 } | |
5035 return rvOcsp; | |
5036 } | |
5037 | |
5038 rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg, | |
5039 &certIDWasConsumed, | |
5040 &rvOcsp); | |
5041 if (rv != SECSuccess) { | |
5042 PRErrorCode err = PORT_GetError(); | |
5043 if (ocsp_FetchingFailureIsVerificationFailure()) { | |
5044 PORT_SetError(err); | |
5045 rvOcsp = SECFailure; | |
5046 } else if (cachedResponseFreshness == ocspStale && | |
5047 (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT || | |
5048 cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) { | |
5049 /* If we couldn't get a response for a certificate that the OCSP | |
5050 * responder previously told us was bad, then assume it is still | |
5051 * bad until we hear otherwise, as it is very unlikely that the | |
5052 * certificate status has changed from "revoked" to "good" and it | |
5053 * is also unlikely that the certificate status has changed from | |
5054 * "unknown" to "good", except for some buggy OCSP responders. | |
5055 */ | |
5056 PORT_SetError(cachedErrorCode); | |
5057 rvOcsp = SECFailure; | |
5058 } else { | |
5059 rvOcsp = SECSuccess; | |
5060 } | |
5061 } | |
5062 if (!certIDWasConsumed) { | |
5063 CERT_DestroyOCSPCertID(certID); | |
5064 } | |
5065 return rvOcsp; | |
5066 } | |
5067 | |
5068 /* | |
5069 * FUNCTION: CERT_CacheOCSPResponseFromSideChannel | |
5070 * First, this function checks the OCSP cache to see if a good response | |
5071 * for the given certificate already exists. If it does, then the function | |
5072 * returns successfully. | |
5073 * | |
5074 * If not, then it validates that the given OCSP response is a valid, | |
5075 * good response for the given certificate and inserts it into the | |
5076 * cache. | |
5077 * | |
5078 * This function is intended for use when OCSP responses are provided via a | |
5079 * side-channel, i.e. TLS OCSP stapling (a.k.a. the status_request extension). | |
5080 * | |
5081 * INPUTS: | |
5082 * CERTCertDBHandle *handle | |
5083 * certificate DB of the cert that is being checked | |
5084 * CERTCertificate *cert | |
5085 * the certificate being checked | |
5086 * PRTime time | |
5087 * time for which status is to be determined | |
5088 * SECItem *encodedResponse | |
5089 * the DER encoded bytes of the OCSP response | |
5090 * void *pwArg | |
5091 * argument for password prompting, if needed | |
5092 * RETURN: | |
5093 * SECSuccess if the cert was found in the cache, or if the OCSP response was | |
5094 * found to be valid and inserted into the cache. SECFailure otherwise. | |
5095 */ | |
5096 SECStatus | |
5097 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, | |
5098 CERTCertificate *cert, | |
5099 PRTime time, | |
5100 const SECItem *encodedResponse, | |
5101 void *pwArg) | |
5102 { | |
5103 CERTOCSPCertID *certID = NULL; | |
5104 PRBool certIDWasConsumed = PR_FALSE; | |
5105 SECStatus rv = SECFailure; | |
5106 SECStatus rvOcsp = SECFailure; | |
5107 SECErrorCodes dummy_error_code; /* we ignore this */ | |
5108 CERTOCSPResponse *decodedResponse = NULL; | |
5109 CERTOCSPSingleResponse *singleResponse = NULL; | |
5110 OCSPFreshness freshness; | |
5111 | |
5112 /* The OCSP cache can be in three states regarding this certificate: | |
5113 * + Good (cached, timely, 'good' response, or revoked in the future) | |
5114 * + Revoked (cached, timely, but doesn't fit in the last category) | |
5115 * + Miss (no knowledge) | |
5116 * | |
5117 * Likewise, the side-channel information can be | |
5118 * + Good (timely, 'good' response, or revoked in the future) | |
5119 * + Revoked (timely, but doesn't fit in the last category) | |
5120 * + Invalid (bad syntax, bad signature, not timely etc) | |
5121 * | |
5122 * The common case is that the cache result is Good and so is the | |
5123 * side-channel information. We want to save processing time in this case | |
5124 * so we say that any time we see a Good result from the cache we return | |
5125 * early. | |
5126 * | |
5127 * Cache result | |
5128 * | Good Revoked Miss | |
5129 * ---+-------------------------------------------- | |
5130 * G | noop Cache more Cache it | |
5131 * S | recent result | |
5132 * i | | |
5133 * d | | |
5134 * e | | |
5135 * R | noop Cache more Cache it | |
5136 * C | recent result | |
5137 * h | | |
5138 * a | | |
5139 * n | | |
5140 * n I | noop Noop Noop | |
5141 * e | | |
5142 * l | | |
5143 * | |
5144 * When we fetch from the network we might choose to cache a negative | |
5145 * result when the response is invalid. This saves us hammering, uselessly, | |
5146 * at a broken responder. However, side channels are commonly attacker | |
5147 * controlled and so we must not cache a negative result for an Invalid | |
5148 * side channel. | |
5149 */ | |
5150 | |
5151 if (!cert || !encodedResponse) { | |
5152 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
5153 return SECFailure; | |
5154 } | |
5155 certID = CERT_CreateOCSPCertID(cert, time); | |
5156 if (!certID) | |
5157 return SECFailure; | |
5158 | |
5159 /* We pass PR_TRUE for ignoreGlobalOcspFailureSetting so that a cached | |
5160 * error entry is not interpreted as being a 'Good' entry here. | |
5161 */ | |
5162 rv = ocsp_GetCachedOCSPResponseStatus( | |
5163 certID, time, PR_TRUE, /* ignoreGlobalOcspFailureSetting */ | |
5164 &rvOcsp, &dummy_error_code, &freshness); | |
5165 if (rv == SECSuccess && rvOcsp == SECSuccess && freshness == ocspFresh) { | |
5166 /* The cached value is good. We don't want to waste time validating | |
5167 * this OCSP response. This is the first column in the table above. */ | |
5168 CERT_DestroyOCSPCertID(certID); | |
5169 return rv; | |
5170 } | |
5171 | |
5172 /* The logic for caching the more recent response is handled in | |
5173 * ocsp_CacheSingleResponse. */ | |
5174 | |
5175 rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert, | |
5176 time, pwArg, | |
5177 encodedResponse, | |
5178 &decodedResponse, | |
5179 &singleResponse); | |
5180 if (rv == SECSuccess) { | |
5181 rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time); | |
5182 /* Cache any valid singleResponse, regardless of status. */ | |
5183 ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed); | |
5184 } | |
5185 if (decodedResponse) { | |
5186 CERT_DestroyOCSPResponse(decodedResponse); | |
5187 } | |
5188 if (!certIDWasConsumed) { | |
5189 CERT_DestroyOCSPCertID(certID); | |
5190 } | |
5191 return rv == SECSuccess ? rvOcsp : rv; | |
5192 } | |
5193 | |
5194 /* | |
5195 * Status in *certIDWasConsumed will always be correct, regardless of | |
5196 * return value. | |
5197 */ | |
5198 static SECStatus | |
5199 ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, | |
5200 CERTOCSPCertID *certID, | |
5201 CERTCertificate *cert, | |
5202 PRTime time, | |
5203 void *pwArg, | |
5204 PRBool *certIDWasConsumed, | |
5205 SECStatus *rv_ocsp) | |
5206 { | |
5207 char *location = NULL; | |
5208 PRBool locationIsDefault; | |
5209 SECItem *encodedResponse = NULL; | |
5210 CERTOCSPRequest *request = NULL; | |
5211 SECStatus rv = SECFailure; | |
5212 | |
5213 CERTOCSPResponse *decodedResponse = NULL; | |
5214 CERTOCSPSingleResponse *singleResponse = NULL; | |
5215 enum { stageGET, | |
5216 stagePOST } currentStage; | |
5217 PRBool retry = PR_FALSE; | |
5218 | |
5219 if (!certIDWasConsumed || !rv_ocsp) { | |
5220 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
5221 return SECFailure; | |
5222 } | |
5223 *certIDWasConsumed = PR_FALSE; | |
5224 *rv_ocsp = SECFailure; | |
5225 | |
5226 if (!OCSP_Global.monitor) { | |
5227 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | |
5228 return SECFailure; | |
5229 } | |
5230 PR_EnterMonitor(OCSP_Global.monitor); | |
5231 if (OCSP_Global.forcePost) { | |
5232 currentStage = stagePOST; | |
5233 } else { | |
5234 currentStage = stageGET; | |
5235 } | |
5236 PR_ExitMonitor(OCSP_Global.monitor); | |
5237 | |
5238 /* | |
5239 * The first thing we need to do is find the location of the responder. | |
5240 * This will be the value of the default responder (if enabled), else | |
5241 * it will come out of the AIA extension in the cert (if present). | |
5242 * If we have no such location, then this cert does not "deserve" to | |
5243 * be checked -- that is, we consider it a success and just return. | |
5244 * The way we tell that is by looking at the error number to see if | |
5245 * the problem was no AIA extension was found; any other error was | |
5246 * a true failure that we unfortunately have to treat as an overall | |
5247 * failure here. | |
5248 */ | |
5249 location = ocsp_GetResponderLocation(handle, cert, PR_TRUE, | |
5250 &locationIsDefault); | |
5251 if (location == NULL) { | |
5252 int err = PORT_GetError(); | |
5253 if (err == SEC_ERROR_EXTENSION_NOT_FOUND || | |
5254 err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) { | |
5255 PORT_SetError(0); | |
5256 *rv_ocsp = SECSuccess; | |
5257 return SECSuccess; | |
5258 } | |
5259 return SECFailure; | |
5260 } | |
5261 | |
5262 /* | |
5263 * XXX In the fullness of time, we will want/need to handle a | |
5264 * certificate chain. This will be done either when a new parameter | |
5265 * tells us to, or some configuration variable tells us to. In any | |
5266 * case, handling it is complicated because we may need to send as | |
5267 * many requests (and receive as many responses) as we have certs | |
5268 * in the chain. If we are going to talk to a default responder, | |
5269 * and we only support one default responder, we can put all of the | |
5270 * certs together into one request. Otherwise, we must break them up | |
5271 * into multiple requests. (Even if all of the requests will go to | |
5272 * the same location, the signature on each response will be different, | |
5273 * because each issuer is different. Carefully read the OCSP spec | |
5274 * if you do not understand this.) | |
5275 */ | |
5276 | |
5277 /* | |
5278 * XXX If/when signing of requests is supported, that second NULL | |
5279 * should be changed to be the signer certificate. Not sure if that | |
5280 * should be passed into this function or retrieved via some operation | |
5281 * on the handle/context. | |
5282 */ | |
5283 | |
5284 do { | |
5285 const char *method; | |
5286 PRBool validResponseWithAccurateInfo = PR_FALSE; | |
5287 retry = PR_FALSE; | |
5288 *rv_ocsp = SECFailure; | |
5289 | |
5290 if (currentStage == stageGET) { | |
5291 method = "GET"; | |
5292 } else { | |
5293 PORT_Assert(currentStage == stagePOST); | |
5294 method = "POST"; | |
5295 } | |
5296 | |
5297 encodedResponse = | |
5298 ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert, | |
5299 location, method, | |
5300 time, locationIsDefault, | |
5301 pwArg, &request); | |
5302 | |
5303 if (encodedResponse) { | |
5304 rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert
, | |
5305 time, pwArg, | |
5306 encodedResponse, | |
5307 &decodedResponse, | |
5308 &singleResponse); | |
5309 if (rv == SECSuccess) { | |
5310 switch (singleResponse->certStatus->certStatusType) { | |
5311 case ocspCertStatus_good: | |
5312 case ocspCertStatus_revoked: | |
5313 validResponseWithAccurateInfo = PR_TRUE; | |
5314 break; | |
5315 default: | |
5316 break; | |
5317 } | |
5318 *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse,
time); | |
5319 } | |
5320 } | |
5321 | |
5322 if (currentStage == stageGET) { | |
5323 /* only accept GET response if good or revoked */ | |
5324 if (validResponseWithAccurateInfo) { | |
5325 ocsp_CacheSingleResponse(certID, singleResponse, | |
5326 certIDWasConsumed); | |
5327 } else { | |
5328 retry = PR_TRUE; | |
5329 currentStage = stagePOST; | |
5330 } | |
5331 } else { | |
5332 /* cache the POST respone, regardless of status */ | |
5333 if (!singleResponse) { | |
5334 cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed); | |
5335 } else { | |
5336 ocsp_CacheSingleResponse(certID, singleResponse, | |
5337 certIDWasConsumed); | |
5338 } | |
5339 } | |
5340 | |
5341 if (encodedResponse) { | |
5342 SECITEM_FreeItem(encodedResponse, PR_TRUE); | |
5343 encodedResponse = NULL; | |
5344 } | |
5345 if (request) { | |
5346 CERT_DestroyOCSPRequest(request); | |
5347 request = NULL; | |
5348 } | |
5349 if (decodedResponse) { | |
5350 CERT_DestroyOCSPResponse(decodedResponse); | |
5351 decodedResponse = NULL; | |
5352 } | |
5353 singleResponse = NULL; | |
5354 | |
5355 } while (retry); | |
5356 | |
5357 PORT_Free(location); | |
5358 return rv; | |
5359 } | |
5360 | |
5361 /* | |
5362 * FUNCTION: ocsp_GetDecodedVerifiedSingleResponseForID | |
5363 * This function decodes an OCSP response and checks for a valid response | |
5364 * concerning the given certificate. | |
5365 * | |
5366 * Note: a 'valid' response is one that parses successfully, is not an OCSP | |
5367 * exception (see RFC 2560 Section 2.3), is correctly signed and is current. | |
5368 * A 'good' response is a valid response that attests that the certificate | |
5369 * is not currently revoked (see RFC 2560 Section 2.2). | |
5370 * | |
5371 * INPUTS: | |
5372 * CERTCertDBHandle *handle | |
5373 * certificate DB of the cert that is being checked | |
5374 * CERTOCSPCertID *certID | |
5375 * the cert ID corresponding to |cert| | |
5376 * CERTCertificate *cert | |
5377 * the certificate being checked | |
5378 * PRTime time | |
5379 * time for which status is to be determined | |
5380 * void *pwArg | |
5381 * the opaque argument to the password prompting function. | |
5382 * SECItem *encodedResponse | |
5383 * the DER encoded bytes of the OCSP response | |
5384 * CERTOCSPResponse **pDecodedResponse | |
5385 * (output) The caller must ALWAYS check for this output parameter, | |
5386 * and if it's non-null, must destroy it using CERT_DestroyOCSPResponse. | |
5387 * CERTOCSPSingleResponse **pSingle | |
5388 * (output) on success, this points to the single response that corresponds | |
5389 * to the certID parameter. Points to the inside of pDecodedResponse. | |
5390 * It isn't a copy, don't free it. | |
5391 * RETURN: | |
5392 * SECSuccess iff the response is valid. | |
5393 */ | |
5394 static SECStatus | |
5395 ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle, | |
5396 CERTOCSPCertID *certID, | |
5397 CERTCertificate *cert, | |
5398 PRTime time, | |
5399 void *pwArg, | |
5400 const SECItem *encodedResponse, | |
5401 CERTOCSPResponse **pDecodedResponse, | |
5402 CERTOCSPSingleResponse **pSingle) | |
5403 { | |
5404 CERTCertificate *signerCert = NULL; | |
5405 CERTCertificate *issuerCert = NULL; | |
5406 SECStatus rv = SECFailure; | |
5407 | |
5408 if (!pSingle || !pDecodedResponse) { | |
5409 return SECFailure; | |
5410 } | |
5411 *pSingle = NULL; | |
5412 *pDecodedResponse = CERT_DecodeOCSPResponse(encodedResponse); | |
5413 if (!*pDecodedResponse) { | |
5414 return SECFailure; | |
5415 } | |
5416 | |
5417 /* | |
5418 * Okay, we at least have a response that *looks* like a response! | |
5419 * Now see if the overall response status value is good or not. | |
5420 * If not, we set an error and give up. (It means that either the | |
5421 * server had a problem, or it didn't like something about our | |
5422 * request. Either way there is nothing to do but give up.) | |
5423 * Otherwise, we continue to find the actual per-cert status | |
5424 * in the response. | |
5425 */ | |
5426 if (CERT_GetOCSPResponseStatus(*pDecodedResponse) != SECSuccess) { | |
5427 goto loser; | |
5428 } | |
5429 | |
5430 /* | |
5431 * If we've made it this far, we expect a response with a good signature. | |
5432 * So, check for that. | |
5433 */ | |
5434 issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA); | |
5435 rv = CERT_VerifyOCSPResponseSignature(*pDecodedResponse, handle, pwArg, | |
5436 &signerCert, issuerCert); | |
5437 if (rv != SECSuccess) { | |
5438 goto loser; | |
5439 } | |
5440 | |
5441 PORT_Assert(signerCert != NULL); /* internal consistency check */ | |
5442 /* XXX probably should set error, return failure if signerCert is null */ | |
5443 | |
5444 /* | |
5445 * Again, we are only doing one request for one cert. | |
5446 * XXX When we handle cert chains, the following code will obviously | |
5447 * have to be modified, in coordation with the code above that will | |
5448 * have to determine how to make multiple requests, etc. | |
5449 */ | |
5450 rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, cert
ID, | |
5451 signerCert, time, pSingle); | |
5452 loser: | |
5453 if (issuerCert != NULL) | |
5454 CERT_DestroyCertificate(issuerCert); | |
5455 if (signerCert != NULL) | |
5456 CERT_DestroyCertificate(signerCert); | |
5457 return rv; | |
5458 } | |
5459 | |
5460 /* | |
5461 * FUNCTION: ocsp_CacheSingleResponse | |
5462 * This function requires that the caller has checked that the response | |
5463 * is valid and verified. | |
5464 * The (positive or negative) valid response will be used to update the cache. | |
5465 * INPUTS: | |
5466 * CERTOCSPCertID *certID | |
5467 * the cert ID corresponding to |cert| | |
5468 * PRBool *certIDWasConsumed | |
5469 * (output) on return, this is true iff |certID| was consumed by this | |
5470 * function. | |
5471 */ | |
5472 void | |
5473 ocsp_CacheSingleResponse(CERTOCSPCertID *certID, | |
5474 CERTOCSPSingleResponse *single, | |
5475 PRBool *certIDWasConsumed) | |
5476 { | |
5477 if (single != NULL) { | |
5478 PR_EnterMonitor(OCSP_Global.monitor); | |
5479 if (OCSP_Global.maxCacheEntries >= 0) { | |
5480 ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single, | |
5481 certIDWasConsumed); | |
5482 /* ignore cache update failures */ | |
5483 } | |
5484 PR_ExitMonitor(OCSP_Global.monitor); | |
5485 } | |
5486 } | |
5487 | |
5488 SECStatus | |
5489 ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, | |
5490 CERTOCSPResponse *response, | |
5491 CERTOCSPCertID *certID, | |
5492 CERTCertificate *signerCert, | |
5493 PRTime time, | |
5494 CERTOCSPSingleResponse | |
5495 **pSingleResponse) | |
5496 { | |
5497 SECStatus rv; | |
5498 ocspResponseData *responseData; | |
5499 PRTime producedAt; | |
5500 CERTOCSPSingleResponse *single; | |
5501 | |
5502 /* | |
5503 * The ResponseData part is the real guts of the response. | |
5504 */ | |
5505 responseData = ocsp_GetResponseData(response, NULL); | |
5506 if (responseData == NULL) { | |
5507 rv = SECFailure; | |
5508 goto loser; | |
5509 } | |
5510 | |
5511 /* | |
5512 * There is one producedAt time for the entire response (and a separate | |
5513 * thisUpdate time for each individual single response). We need to | |
5514 * compare them, so get the overall time to pass into the check of each | |
5515 * single response. | |
5516 */ | |
5517 rv = DER_GeneralizedTimeToTime(&producedAt, &responseData->producedAt); | |
5518 if (rv != SECSuccess) | |
5519 goto loser; | |
5520 | |
5521 single = ocsp_GetSingleResponseForCertID(responseData->responses, | |
5522 handle, certID); | |
5523 if (single == NULL) { | |
5524 rv = SECFailure; | |
5525 goto loser; | |
5526 } | |
5527 | |
5528 rv = ocsp_VerifySingleResponse(single, handle, signerCert, producedAt); | |
5529 if (rv != SECSuccess) | |
5530 goto loser; | |
5531 *pSingleResponse = single; | |
5532 | |
5533 loser: | |
5534 return rv; | |
5535 } | |
5536 | |
5537 SECStatus | |
5538 CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, | |
5539 CERTOCSPResponse *response, | |
5540 CERTOCSPCertID *certID, | |
5541 CERTCertificate *signerCert, | |
5542 PRTime time) | |
5543 { | |
5544 /* | |
5545 * We do not update the cache, because: | |
5546 * | |
5547 * CERT_GetOCSPStatusForCertID is an old exported API that was introduced | |
5548 * before the OCSP cache got implemented. | |
5549 * | |
5550 * The implementation of helper function cert_ProcessOCSPResponse | |
5551 * requires the ability to transfer ownership of the the given certID to | |
5552 * the cache. The external API doesn't allow us to prevent the caller from | |
5553 * destroying the certID. We don't have the original certificate available, | |
5554 * therefore we are unable to produce another certID object (that could | |
5555 * be stored in the cache). | |
5556 * | |
5557 * Should we ever implement code to produce a deep copy of certID, | |
5558 * then this could be changed to allow updating the cache. | |
5559 * The duplication would have to be done in | |
5560 * cert_ProcessOCSPResponse, if the out parameter to indicate | |
5561 * a transfer of ownership is NULL. | |
5562 */ | |
5563 return cert_ProcessOCSPResponse(handle, response, certID, | |
5564 signerCert, time, | |
5565 NULL, NULL); | |
5566 } | |
5567 | |
5568 /* | |
5569 * The first 5 parameters match the definition of CERT_GetOCSPStatusForCertID. | |
5570 */ | |
5571 SECStatus | |
5572 cert_ProcessOCSPResponse(CERTCertDBHandle *handle, | |
5573 CERTOCSPResponse *response, | |
5574 CERTOCSPCertID *certID, | |
5575 CERTCertificate *signerCert, | |
5576 PRTime time, | |
5577 PRBool *certIDWasConsumed, | |
5578 SECStatus *cacheUpdateStatus) | |
5579 { | |
5580 SECStatus rv; | |
5581 SECStatus rv_cache = SECSuccess; | |
5582 CERTOCSPSingleResponse *single = NULL; | |
5583 | |
5584 rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID, | |
5585 signerCert, time, &single); | |
5586 if (rv == SECSuccess) { | |
5587 /* | |
5588 * Check whether the status says revoked, and if so | |
5589 * how that compares to the time value passed into this routine. | |
5590 */ | |
5591 rv = ocsp_SingleResponseCertHasGoodStatus(single, time); | |
5592 } | |
5593 | |
5594 if (certIDWasConsumed) { | |
5595 /* | |
5596 * We don't have copy-of-certid implemented. In order to update | |
5597 * the cache, the caller must supply an out variable | |
5598 * certIDWasConsumed, allowing us to return ownership status. | |
5599 */ | |
5600 | |
5601 PR_EnterMonitor(OCSP_Global.monitor); | |
5602 if (OCSP_Global.maxCacheEntries >= 0) { | |
5603 /* single == NULL means: remember response failure */ | |
5604 rv_cache = | |
5605 ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, | |
5606 single, certIDWasConsumed); | |
5607 } | |
5608 PR_ExitMonitor(OCSP_Global.monitor); | |
5609 if (cacheUpdateStatus) { | |
5610 *cacheUpdateStatus = rv_cache; | |
5611 } | |
5612 } | |
5613 | |
5614 return rv; | |
5615 } | |
5616 | |
5617 SECStatus | |
5618 cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID, | |
5619 PRBool *certIDWasConsumed) | |
5620 { | |
5621 SECStatus rv = SECSuccess; | |
5622 PR_EnterMonitor(OCSP_Global.monitor); | |
5623 if (OCSP_Global.maxCacheEntries >= 0) { | |
5624 rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL, | |
5625 certIDWasConsumed); | |
5626 } | |
5627 PR_ExitMonitor(OCSP_Global.monitor); | |
5628 return rv; | |
5629 } | |
5630 | |
5631 /* | |
5632 * Disable status checking and destroy related structures/data. | |
5633 */ | |
5634 static SECStatus | |
5635 ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig) | |
5636 { | |
5637 ocspCheckingContext *statusContext; | |
5638 | |
5639 /* | |
5640 * Disable OCSP checking | |
5641 */ | |
5642 statusConfig->statusChecker = NULL; | |
5643 | |
5644 statusContext = statusConfig->statusContext; | |
5645 PORT_Assert(statusContext != NULL); | |
5646 if (statusContext == NULL) | |
5647 return SECFailure; | |
5648 | |
5649 if (statusContext->defaultResponderURI != NULL) | |
5650 PORT_Free(statusContext->defaultResponderURI); | |
5651 if (statusContext->defaultResponderNickname != NULL) | |
5652 PORT_Free(statusContext->defaultResponderNickname); | |
5653 | |
5654 PORT_Free(statusContext); | |
5655 statusConfig->statusContext = NULL; | |
5656 | |
5657 PORT_Free(statusConfig); | |
5658 | |
5659 return SECSuccess; | |
5660 } | |
5661 | |
5662 /* | |
5663 * FUNCTION: CERT_DisableOCSPChecking | |
5664 * Turns off OCSP checking for the given certificate database. | |
5665 * This routine disables OCSP checking. Though it will return | |
5666 * SECFailure if OCSP checking is not enabled, it is "safe" to | |
5667 * call it that way and just ignore the return value, if it is | |
5668 * easier to just call it than to "remember" whether it is enabled. | |
5669 * INPUTS: | |
5670 * CERTCertDBHandle *handle | |
5671 * Certificate database for which OCSP checking will be disabled. | |
5672 * RETURN: | |
5673 * Returns SECFailure if an error occurred (usually means that OCSP | |
5674 * checking was not enabled or status contexts were not initialized -- | |
5675 * error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise. | |
5676 */ | |
5677 SECStatus | |
5678 CERT_DisableOCSPChecking(CERTCertDBHandle *handle) | |
5679 { | |
5680 CERTStatusConfig *statusConfig; | |
5681 ocspCheckingContext *statusContext; | |
5682 | |
5683 if (handle == NULL) { | |
5684 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
5685 return SECFailure; | |
5686 } | |
5687 | |
5688 statusConfig = CERT_GetStatusConfig(handle); | |
5689 statusContext = ocsp_GetCheckingContext(handle); | |
5690 if (statusContext == NULL) | |
5691 return SECFailure; | |
5692 | |
5693 if (statusConfig->statusChecker != CERT_CheckOCSPStatus) { | |
5694 /* | |
5695 * Status configuration is present, but either not currently | |
5696 * enabled or not for OCSP. | |
5697 */ | |
5698 PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED); | |
5699 return SECFailure; | |
5700 } | |
5701 | |
5702 /* cache no longer necessary */ | |
5703 CERT_ClearOCSPCache(); | |
5704 | |
5705 /* | |
5706 * This is how we disable status checking. Everything else remains | |
5707 * in place in case we are enabled again. | |
5708 */ | |
5709 statusConfig->statusChecker = NULL; | |
5710 | |
5711 return SECSuccess; | |
5712 } | |
5713 | |
5714 /* | |
5715 * Allocate and initialize the informational structures for status checking. | |
5716 * This is done when some configuration of OCSP is being done or when OCSP | |
5717 * checking is being turned on, whichever comes first. | |
5718 */ | |
5719 static SECStatus | |
5720 ocsp_InitStatusChecking(CERTCertDBHandle *handle) | |
5721 { | |
5722 CERTStatusConfig *statusConfig = NULL; | |
5723 ocspCheckingContext *statusContext = NULL; | |
5724 | |
5725 PORT_Assert(CERT_GetStatusConfig(handle) == NULL); | |
5726 if (CERT_GetStatusConfig(handle) != NULL) { | |
5727 /* XXX or call statusConfig->statusDestroy and continue? */ | |
5728 return SECFailure; | |
5729 } | |
5730 | |
5731 statusConfig = PORT_ZNew(CERTStatusConfig); | |
5732 if (statusConfig == NULL) | |
5733 goto loser; | |
5734 | |
5735 statusContext = PORT_ZNew(ocspCheckingContext); | |
5736 if (statusContext == NULL) | |
5737 goto loser; | |
5738 | |
5739 statusConfig->statusDestroy = ocsp_DestroyStatusChecking; | |
5740 statusConfig->statusContext = statusContext; | |
5741 | |
5742 CERT_SetStatusConfig(handle, statusConfig); | |
5743 | |
5744 return SECSuccess; | |
5745 | |
5746 loser: | |
5747 if (statusConfig != NULL) | |
5748 PORT_Free(statusConfig); | |
5749 return SECFailure; | |
5750 } | |
5751 | |
5752 /* | |
5753 * FUNCTION: CERT_EnableOCSPChecking | |
5754 * Turns on OCSP checking for the given certificate database. | |
5755 * INPUTS: | |
5756 * CERTCertDBHandle *handle | |
5757 * Certificate database for which OCSP checking will be enabled. | |
5758 * RETURN: | |
5759 * Returns SECFailure if an error occurred (likely only problem | |
5760 * allocating memory); SECSuccess otherwise. | |
5761 */ | |
5762 SECStatus | |
5763 CERT_EnableOCSPChecking(CERTCertDBHandle *handle) | |
5764 { | |
5765 CERTStatusConfig *statusConfig; | |
5766 | |
5767 SECStatus rv; | |
5768 | |
5769 if (handle == NULL) { | |
5770 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
5771 return SECFailure; | |
5772 } | |
5773 | |
5774 statusConfig = CERT_GetStatusConfig(handle); | |
5775 if (statusConfig == NULL) { | |
5776 rv = ocsp_InitStatusChecking(handle); | |
5777 if (rv != SECSuccess) | |
5778 return rv; | |
5779 | |
5780 /* Get newly established value */ | |
5781 statusConfig = CERT_GetStatusConfig(handle); | |
5782 PORT_Assert(statusConfig != NULL); | |
5783 } | |
5784 | |
5785 /* | |
5786 * Setting the checker function is what really enables the checking | |
5787 * when each cert verification is done. | |
5788 */ | |
5789 statusConfig->statusChecker = CERT_CheckOCSPStatus; | |
5790 | |
5791 return SECSuccess; | |
5792 } | |
5793 | |
5794 /* | |
5795 * FUNCTION: CERT_SetOCSPDefaultResponder | |
5796 * Specify the location and cert of the default responder. | |
5797 * If OCSP checking is already enabled *and* use of a default responder | |
5798 * is also already enabled, all OCSP checking from now on will go directly | |
5799 * to the specified responder. If OCSP checking is not enabled, or if | |
5800 * it is but use of a default responder is not enabled, the information | |
5801 * will be recorded and take effect whenever both are enabled. | |
5802 * INPUTS: | |
5803 * CERTCertDBHandle *handle | |
5804 * Cert database on which OCSP checking should use the default responder. | |
5805 * char *url | |
5806 * The location of the default responder (e.g. "http://foo.com:80/ocsp") | |
5807 * Note that the location will not be tested until the first attempt | |
5808 * to send a request there. | |
5809 * char *name | |
5810 * The nickname of the cert to trust (expected) to sign the OCSP responses. | |
5811 * If the corresponding cert cannot be found, SECFailure is returned. | |
5812 * RETURN: | |
5813 * Returns SECFailure if an error occurred; SECSuccess otherwise. | |
5814 * The most likely error is that the cert for "name" could not be found | |
5815 * (probably SEC_ERROR_UNKNOWN_CERT). Other errors are low-level (no memory, | |
5816 * bad database, etc.). | |
5817 */ | |
5818 SECStatus | |
5819 CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, | |
5820 const char *url, const char *name) | |
5821 { | |
5822 CERTCertificate *cert; | |
5823 ocspCheckingContext *statusContext; | |
5824 char *url_copy = NULL; | |
5825 char *name_copy = NULL; | |
5826 SECStatus rv; | |
5827 | |
5828 if (handle == NULL || url == NULL || name == NULL) { | |
5829 /* | |
5830 * XXX When interface is exported, probably want better errors; | |
5831 * perhaps different one for each parameter. | |
5832 */ | |
5833 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
5834 return SECFailure; | |
5835 } | |
5836 | |
5837 /* | |
5838 * Find the certificate for the specified nickname. Do this first | |
5839 * because it seems the most likely to fail. | |
5840 * | |
5841 * XXX Shouldn't need that cast if the FindCertByNickname interface | |
5842 * used const to convey that it does not modify the name. Maybe someday. | |
5843 */ | |
5844 cert = CERT_FindCertByNickname(handle, (char *)name); | |
5845 if (cert == NULL) { | |
5846 /* | |
5847 * look for the cert on an external token. | |
5848 */ | |
5849 cert = PK11_FindCertFromNickname((char *)name, NULL); | |
5850 } | |
5851 if (cert == NULL) | |
5852 return SECFailure; | |
5853 | |
5854 /* | |
5855 * Make a copy of the url and nickname. | |
5856 */ | |
5857 url_copy = PORT_Strdup(url); | |
5858 name_copy = PORT_Strdup(name); | |
5859 if (url_copy == NULL || name_copy == NULL) { | |
5860 rv = SECFailure; | |
5861 goto loser; | |
5862 } | |
5863 | |
5864 statusContext = ocsp_GetCheckingContext(handle); | |
5865 | |
5866 /* | |
5867 * Allocate and init the context if it doesn't already exist. | |
5868 */ | |
5869 if (statusContext == NULL) { | |
5870 rv = ocsp_InitStatusChecking(handle); | |
5871 if (rv != SECSuccess) | |
5872 goto loser; | |
5873 | |
5874 statusContext = ocsp_GetCheckingContext(handle); | |
5875 PORT_Assert(statusContext != NULL); /* extreme paranoia */ | |
5876 } | |
5877 | |
5878 /* | |
5879 * Note -- we do not touch the status context until after all of | |
5880 * the steps which could cause errors. If something goes wrong, | |
5881 * we want to leave things as they were. | |
5882 */ | |
5883 | |
5884 /* | |
5885 * Get rid of old url and name if there. | |
5886 */ | |
5887 if (statusContext->defaultResponderNickname != NULL) | |
5888 PORT_Free(statusContext->defaultResponderNickname); | |
5889 if (statusContext->defaultResponderURI != NULL) | |
5890 PORT_Free(statusContext->defaultResponderURI); | |
5891 | |
5892 /* | |
5893 * And replace them with the new ones. | |
5894 */ | |
5895 statusContext->defaultResponderURI = url_copy; | |
5896 statusContext->defaultResponderNickname = name_copy; | |
5897 | |
5898 /* | |
5899 * If there was already a cert in place, get rid of it and replace it. | |
5900 * Otherwise, we are not currently enabled, so we don't want to save it; | |
5901 * it will get re-found and set whenever use of a default responder is | |
5902 * enabled. | |
5903 */ | |
5904 if (statusContext->defaultResponderCert != NULL) { | |
5905 CERT_DestroyCertificate(statusContext->defaultResponderCert); | |
5906 statusContext->defaultResponderCert = cert; | |
5907 /*OCSP enabled, switching responder: clear cache*/ | |
5908 CERT_ClearOCSPCache(); | |
5909 } else { | |
5910 PORT_Assert(statusContext->useDefaultResponder == PR_FALSE); | |
5911 CERT_DestroyCertificate(cert); | |
5912 /*OCSP currently not enabled, no need to clear cache*/ | |
5913 } | |
5914 | |
5915 return SECSuccess; | |
5916 | |
5917 loser: | |
5918 CERT_DestroyCertificate(cert); | |
5919 if (url_copy != NULL) | |
5920 PORT_Free(url_copy); | |
5921 if (name_copy != NULL) | |
5922 PORT_Free(name_copy); | |
5923 return rv; | |
5924 } | |
5925 | |
5926 /* | |
5927 * FUNCTION: CERT_EnableOCSPDefaultResponder | |
5928 * Turns on use of a default responder when OCSP checking. | |
5929 * If OCSP checking is already enabled, this will make subsequent checks | |
5930 * go directly to the default responder. (The location of the responder | |
5931 * and the nickname of the responder cert must already be specified.) | |
5932 * If OCSP checking is not enabled, this will be recorded and take effect | |
5933 * whenever it is enabled. | |
5934 * INPUTS: | |
5935 * CERTCertDBHandle *handle | |
5936 * Cert database on which OCSP checking should use the default responder. | |
5937 * RETURN: | |
5938 * Returns SECFailure if an error occurred; SECSuccess otherwise. | |
5939 * No errors are especially likely unless the caller did not previously | |
5940 * perform a successful call to SetOCSPDefaultResponder (in which case | |
5941 * the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER). | |
5942 */ | |
5943 SECStatus | |
5944 CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle) | |
5945 { | |
5946 ocspCheckingContext *statusContext; | |
5947 CERTCertificate *cert; | |
5948 SECStatus rv; | |
5949 SECCertificateUsage usage; | |
5950 | |
5951 if (handle == NULL) { | |
5952 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
5953 return SECFailure; | |
5954 } | |
5955 | |
5956 statusContext = ocsp_GetCheckingContext(handle); | |
5957 | |
5958 if (statusContext == NULL) { | |
5959 /* | |
5960 * Strictly speaking, the error already set is "correct", | |
5961 * but cover over it with one more helpful in this context. | |
5962 */ | |
5963 PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); | |
5964 return SECFailure; | |
5965 } | |
5966 | |
5967 if (statusContext->defaultResponderURI == NULL) { | |
5968 PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); | |
5969 return SECFailure; | |
5970 } | |
5971 | |
5972 if (statusContext->defaultResponderNickname == NULL) { | |
5973 PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); | |
5974 return SECFailure; | |
5975 } | |
5976 | |
5977 /* | |
5978 * Find the cert for the nickname. | |
5979 */ | |
5980 cert = CERT_FindCertByNickname(handle, | |
5981 statusContext->defaultResponderNickname); | |
5982 if (cert == NULL) { | |
5983 cert = PK11_FindCertFromNickname(statusContext->defaultResponderNickname
, | |
5984 NULL); | |
5985 } | |
5986 /* | |
5987 * We should never have trouble finding the cert, because its | |
5988 * existence should have been proven by SetOCSPDefaultResponder. | |
5989 */ | |
5990 PORT_Assert(cert != NULL); | |
5991 if (cert == NULL) | |
5992 return SECFailure; | |
5993 | |
5994 /* | |
5995 * Supplied cert should at least have a signing capability in order for us | |
5996 * to use it as a trusted responder cert. Ability to sign is guaranteed if | |
5997 * cert is validated to have any set of the usages below. | |
5998 */ | |
5999 rv = CERT_VerifyCertificateNow(handle, cert, PR_TRUE, | |
6000 certificateUsageCheckAllUsages, | |
6001 NULL, &usage); | |
6002 if (rv != SECSuccess || (usage & (certificateUsageSSLClient | | |
6003 certificateUsageSSLServer | | |
6004 certificateUsageSSLServerWithStepUp | | |
6005 certificateUsageEmailSigner | | |
6006 certificateUsageObjectSigner | | |
6007 certificateUsageStatusResponder | | |
6008 certificateUsageSSLCA)) == 0) { | |
6009 PORT_SetError(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID); | |
6010 return SECFailure; | |
6011 } | |
6012 | |
6013 /* | |
6014 * And hang onto it. | |
6015 */ | |
6016 statusContext->defaultResponderCert = cert; | |
6017 | |
6018 /* we don't allow a mix of cache entries from different responders */ | |
6019 CERT_ClearOCSPCache(); | |
6020 | |
6021 /* | |
6022 * Finally, record the fact that we now have a default responder enabled. | |
6023 */ | |
6024 statusContext->useDefaultResponder = PR_TRUE; | |
6025 return SECSuccess; | |
6026 } | |
6027 | |
6028 /* | |
6029 * FUNCTION: CERT_DisableOCSPDefaultResponder | |
6030 * Turns off use of a default responder when OCSP checking. | |
6031 * (Does nothing if use of a default responder is not enabled.) | |
6032 * INPUTS: | |
6033 * CERTCertDBHandle *handle | |
6034 * Cert database on which OCSP checking should stop using a default | |
6035 * responder. | |
6036 * RETURN: | |
6037 * Returns SECFailure if an error occurred; SECSuccess otherwise. | |
6038 * Errors very unlikely (like random memory corruption...). | |
6039 */ | |
6040 SECStatus | |
6041 CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle) | |
6042 { | |
6043 CERTStatusConfig *statusConfig; | |
6044 ocspCheckingContext *statusContext; | |
6045 CERTCertificate *tmpCert; | |
6046 | |
6047 if (handle == NULL) { | |
6048 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
6049 return SECFailure; | |
6050 } | |
6051 | |
6052 statusConfig = CERT_GetStatusConfig(handle); | |
6053 if (statusConfig == NULL) | |
6054 return SECSuccess; | |
6055 | |
6056 statusContext = ocsp_GetCheckingContext(handle); | |
6057 PORT_Assert(statusContext != NULL); | |
6058 if (statusContext == NULL) | |
6059 return SECFailure; | |
6060 | |
6061 tmpCert = statusContext->defaultResponderCert; | |
6062 if (tmpCert) { | |
6063 statusContext->defaultResponderCert = NULL; | |
6064 CERT_DestroyCertificate(tmpCert); | |
6065 /* we don't allow a mix of cache entries from different responders */ | |
6066 CERT_ClearOCSPCache(); | |
6067 } | |
6068 | |
6069 /* | |
6070 * Finally, record the fact. | |
6071 */ | |
6072 statusContext->useDefaultResponder = PR_FALSE; | |
6073 return SECSuccess; | |
6074 } | |
6075 | |
6076 SECStatus | |
6077 CERT_ForcePostMethodForOCSP(PRBool forcePost) | |
6078 { | |
6079 if (!OCSP_Global.monitor) { | |
6080 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | |
6081 return SECFailure; | |
6082 } | |
6083 | |
6084 PR_EnterMonitor(OCSP_Global.monitor); | |
6085 OCSP_Global.forcePost = forcePost; | |
6086 PR_ExitMonitor(OCSP_Global.monitor); | |
6087 | |
6088 return SECSuccess; | |
6089 } | |
6090 | |
6091 SECStatus | |
6092 CERT_GetOCSPResponseStatus(CERTOCSPResponse *response) | |
6093 { | |
6094 PORT_Assert(response); | |
6095 if (response->statusValue == ocspResponse_successful) | |
6096 return SECSuccess; | |
6097 | |
6098 switch (response->statusValue) { | |
6099 case ocspResponse_malformedRequest: | |
6100 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); | |
6101 break; | |
6102 case ocspResponse_internalError: | |
6103 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); | |
6104 break; | |
6105 case ocspResponse_tryLater: | |
6106 PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER); | |
6107 break; | |
6108 case ocspResponse_sigRequired: | |
6109 /* XXX We *should* retry with a signature, if possible. */ | |
6110 PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG); | |
6111 break; | |
6112 case ocspResponse_unauthorized: | |
6113 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST); | |
6114 break; | |
6115 case ocspResponse_unused: | |
6116 default: | |
6117 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS); | |
6118 break; | |
6119 } | |
6120 return SECFailure; | |
6121 } | |
OLD | NEW |