authorLorry Tar Creator <lorry-tar-importer@lorry>2017-01-04 14:24:24 +0000
committerLorry Tar Creator <lorry-tar-importer@lorry>2017-01-04 14:24:24 +0000
commitdc1565216a5d20ae0d75872151523252309a1292 (patch)
treed57454ba9a40386552179eddf60d28bd1e8f3d54 /nss/lib/certhigh/ocsp.c
parent26c046fbc57d53136b4fb3b5e0d18298318125d4 (diff)
nss-3.28.1nss-3.28.1
Diffstat (limited to 'nss/lib/certhigh/ocsp.c')
-rw-r--r--nss/lib/certhigh/ocsp.c2889
1 files changed, 1411 insertions, 1478 deletions
diff --git a/nss/lib/certhigh/ocsp.c b/nss/lib/certhigh/ocsp.c
index 86ae0a0..1048513 100644
--- a/nss/lib/certhigh/ocsp.c
+++ b/nss/lib/certhigh/ocsp.c
@@ -33,13 +33,13 @@
#include "ocspi.h"
#include "genname.h"
#include "certxutl.h"
-#include "pk11func.h" /* for PK11_HashBuf */
+#include "pk11func.h" /* for PK11_HashBuf */
#include <stdarg.h>
#include <plhash.h>
#define DEFAULT_OCSP_CACHE_SIZE 1000
-#define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 1*60*60L
-#define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 24*60*60L
+#define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 1 * 60 * 60L
+#define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 24 * 60 * 60L
#define DEFAULT_OSCP_TIMEOUT_SECONDS 60
#define MICROSECONDS_PER_SECOND 1000000L
@@ -89,48 +89,45 @@ static struct OCSPGlobalStruct {
SEC_OcspFailureMode ocspFailureMode;
CERT_StringFromCertFcn alternateOCSPAIAFcn;
PRBool forcePost;
-} OCSP_Global = { NULL,
- NULL,
- DEFAULT_OCSP_CACHE_SIZE,
+} OCSP_Global = { NULL,
+ NULL,
+ DEFAULT_OCSP_CACHE_SIZE,
DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT,
DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT,
DEFAULT_OSCP_TIMEOUT_SECONDS,
- {NULL, 0, NULL, NULL},
+ { NULL, 0, NULL, NULL },
ocspMode_FailureIsVerificationFailure,
NULL,
- PR_FALSE
- };
-
-
+ PR_FALSE };
/* Forward declarations */
static SECItem *
-ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
+ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
CERTOCSPRequest *request,
const char *location,
- const char *method,
- PRTime time,
+ const char *method,
+ PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest);
static SECStatus
-ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID,
- CERTCertificate *cert,
- PRTime time,
+ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
+ CERTOCSPCertID *certID,
+ CERTCertificate *cert,
+ PRTime time,
void *pwArg,
PRBool *certIDWasConsumed,
SECStatus *rv_ocsp);
static SECStatus
ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID,
- CERTCertificate *cert,
- PRTime time,
- void *pwArg,
- const SECItem *encodedResponse,
- CERTOCSPResponse **pDecodedResponse,
- CERTOCSPSingleResponse **pSingle);
+ CERTOCSPCertID *certID,
+ CERTCertificate *cert,
+ PRTime time,
+ void *pwArg,
+ const SECItem *encodedResponse,
+ CERTOCSPResponse **pDecodedResponse,
+ CERTOCSPSingleResponse **pSingle);
static SECStatus
ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time);
@@ -149,19 +146,20 @@ cert_DupOCSPCertID(const CERTOCSPCertID *src);
#define OCSP_TRACE_CERT(cert) dumpCertificate(cert)
#define OCSP_TRACE_CERTID(certid) dumpCertID(certid)
-#if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) \
- || defined(XP_MACOSX)
+#if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) || \
+ defined(XP_MACOSX)
#define NSS_HAVE_GETENV 1
#endif
-static PRBool wantOcspTrace(void)
+static PRBool
+wantOcspTrace(void)
{
static PRBool firstTime = PR_TRUE;
static PRBool wantTrace = PR_FALSE;
#ifdef NSS_HAVE_GETENV
if (firstTime) {
- char *ev = getenv("NSS_TRACE_OCSP");
+ char *ev = PR_GetEnvSecure("NSS_TRACE_OCSP");
if (ev && ev[0]) {
wantTrace = PR_TRUE;
}
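Review bot: The switch from `getenv` to `PR_GetEnvSecure` in `wantOcspTrace` carries no comment, so the reason for it and its side effect are easy to lose in a commit that is otherwise whitespace reformatting. `PR_GetEnvSecure` returns NULL when the process runs with elevated privileges (for example setuid/setgid), which means `NSS_TRACE_OCSP` is silently ignored there; I would add above the call `/* PR_GetEnvSecure yields NULL in a privilege-elevated process, so OCSP tracing cannot be enabled via the environment there. */`. The enclosing `#ifdef NSS_HAVE_GETENV` guard is still named and keyed for the old `getenv` call and may no longer be the right condition; that should be confirmed against the platforms NSPR supports. The body of `wantOcspTrace` continues past the end of this hunk, so how `firstTime` is cleared is not visible here.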
@@ -176,7 +174,7 @@ ocsp_Trace(const char *format, ...)
{
char buf[2000];
va_list args;
-
+
if (!wantOcspTrace())
return;
va_start(args, format);
@@ -235,10 +233,10 @@ dumpCertificate(CERTCertificate *cert)
DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter);
PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable);
PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable);
- rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y",
- &beforePrintable);
- rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y",
- &afterPrintable);
+ rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y",
+ &beforePrintable);
+ rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y",
+ &afterPrintable);
ocsp_Trace("OCSP ## VALIDITY: %s to %s\n", rv1 ? beforestr : "",
rv2 ? afterstr : "");
}
@@ -261,27 +259,27 @@ SECStatus
SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable)
{
if (!OCSP_Global.monitor) {
- PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return SECFailure;
}
-
+
PR_EnterMonitor(OCSP_Global.monitor);
OCSP_Global.defaultHttpClientFcn = fcnTable;
PR_ExitMonitor(OCSP_Global.monitor);
-
+
return SECSuccess;
}
SECStatus
CERT_RegisterAlternateOCSPAIAInfoCallBack(
- CERT_StringFromCertFcn newCallback,
- CERT_StringFromCertFcn * oldCallback)
+ CERT_StringFromCertFcn newCallback,
+ CERT_StringFromCertFcn *oldCallback)
{
CERT_StringFromCertFcn old;
if (!OCSP_Global.monitor) {
- PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return SECFailure;
}
PR_EnterMonitor(OCSP_Global.monitor);
@@ -289,7 +287,7 @@ CERT_RegisterAlternateOCSPAIAInfoCallBack(
OCSP_Global.alternateOCSPAIAFcn = newCallback;
PR_ExitMonitor(OCSP_Global.monitor);
if (oldCallback)
- *oldCallback = old;
+ *oldCallback = old;
return SECSuccess;
}
@@ -300,18 +298,18 @@ ocsp_CacheKeyHashFunction(const void *key)
PLHashNumber hash = 0;
unsigned int i;
unsigned char *walk;
-
+
/* a very simple hash calculation for the initial coding phase */
- walk = (unsigned char*)cid->issuerNameHash.data;
- for (i=0; i < cid->issuerNameHash.len; ++i, ++walk) {
+ walk = (unsigned char *)cid->issuerNameHash.data;
+ for (i = 0; i < cid->issuerNameHash.len; ++i, ++walk) {
hash += *walk;
}
- walk = (unsigned char*)cid->issuerKeyHash.data;
- for (i=0; i < cid->issuerKeyHash.len; ++i, ++walk) {
+ walk = (unsigned char *)cid->issuerKeyHash.data;
+ for (i = 0; i < cid->issuerKeyHash.len; ++i, ++walk) {
hash += *walk;
}
- walk = (unsigned char*)cid->serialNumber.data;
- for (i=0; i < cid->serialNumber.len; ++i, ++walk) {
+ walk = (unsigned char *)cid->serialNumber.data;
+ for (i = 0; i < cid->serialNumber.len; ++i, ++walk) {
hash += *walk;
}
return hash;
@@ -322,13 +320,13 @@ ocsp_CacheKeyCompareFunction(const void *v1, const void *v2)
{
CERTOCSPCertID *cid1 = (CERTOCSPCertID *)v1;
CERTOCSPCertID *cid2 = (CERTOCSPCertID *)v2;
-
- return (SECEqual == SECITEM_CompareItem(&cid1->issuerNameHash,
- &cid2->issuerNameHash)
- && SECEqual == SECITEM_CompareItem(&cid1->issuerKeyHash,
- &cid2->issuerKeyHash)
- && SECEqual == SECITEM_CompareItem(&cid1->serialNumber,
- &cid2->serialNumber));
+
+ return (SECEqual == SECITEM_CompareItem(&cid1->issuerNameHash,
+ &cid2->issuerNameHash) &&
+ SECEqual == SECITEM_CompareItem(&cid1->issuerKeyHash,
+ &cid2->issuerKeyHash) &&
+ SECEqual == SECITEM_CompareItem(&cid1->serialNumber,
+ &cid2->serialNumber));
}
static SECStatus
@@ -337,32 +335,32 @@ ocsp_CopyRevokedInfo(PLArenaPool *arena, ocspCertStatus *dest,
{
SECStatus rv = SECFailure;
void *mark;
-
+
mark = PORT_ArenaMark(arena);
-
- dest->certStatusInfo.revokedInfo =
- (ocspRevokedInfo *) PORT_ArenaZAlloc(arena, sizeof(ocspRevokedInfo));
+
+ dest->certStatusInfo.revokedInfo =
+ (ocspRevokedInfo *)PORT_ArenaZAlloc(arena, sizeof(ocspRevokedInfo));
if (!dest->certStatusInfo.revokedInfo) {
goto loser;
}
-
- rv = SECITEM_CopyItem(arena,
- &dest->certStatusInfo.revokedInfo->revocationTime,
+
+ rv = SECITEM_CopyItem(arena,
+ &dest->certStatusInfo.revokedInfo->revocationTime,
&src->revocationTime);
if (rv != SECSuccess) {
goto loser;
}
-
+
if (src->revocationReason) {
- dest->certStatusInfo.revokedInfo->revocationReason =
+ dest->certStatusInfo.revokedInfo->revocationReason =
SECITEM_ArenaDupItem(arena, src->revocationReason);
if (!dest->certStatusInfo.revokedInfo->revocationReason) {
goto loser;
}
- } else {
+ } else {
dest->certStatusInfo.revokedInfo->revocationReason = NULL;
}
-
+
PORT_ArenaUnmark(arena, mark);
return SECSuccess;
@@ -373,39 +371,39 @@ loser:
static SECStatus
ocsp_CopyCertStatus(PLArenaPool *arena, ocspCertStatus *dest,
- ocspCertStatus*src)
+ ocspCertStatus *src)
{
SECStatus rv = SECFailure;
dest->certStatusType = src->certStatusType;
-
+
switch (src->certStatusType) {
- case ocspCertStatus_good:
- dest->certStatusInfo.goodInfo =
- SECITEM_ArenaDupItem(arena, src->certStatusInfo.goodInfo);
- if (dest->certStatusInfo.goodInfo != NULL) {
- rv = SECSuccess;
- }
- break;
- case ocspCertStatus_revoked:
- rv = ocsp_CopyRevokedInfo(arena, dest,
- src->certStatusInfo.revokedInfo);
- break;
- case ocspCertStatus_unknown:
- dest->certStatusInfo.unknownInfo =
- SECITEM_ArenaDupItem(arena, src->certStatusInfo.unknownInfo);
- if (dest->certStatusInfo.unknownInfo != NULL) {
- rv = SECSuccess;
- }
- break;
- case ocspCertStatus_other:
- default:
- PORT_Assert(src->certStatusType == ocspCertStatus_other);
- dest->certStatusInfo.otherInfo =
- SECITEM_ArenaDupItem(arena, src->certStatusInfo.otherInfo);
- if (dest->certStatusInfo.otherInfo != NULL) {
- rv = SECSuccess;
- }
- break;
+ case ocspCertStatus_good:
+ dest->certStatusInfo.goodInfo =
+ SECITEM_ArenaDupItem(arena, src->certStatusInfo.goodInfo);
+ if (dest->certStatusInfo.goodInfo != NULL) {
+ rv = SECSuccess;
+ }
+ break;
+ case ocspCertStatus_revoked:
+ rv = ocsp_CopyRevokedInfo(arena, dest,
+ src->certStatusInfo.revokedInfo);
+ break;
+ case ocspCertStatus_unknown:
+ dest->certStatusInfo.unknownInfo =
+ SECITEM_ArenaDupItem(arena, src->certStatusInfo.unknownInfo);
+ if (dest->certStatusInfo.unknownInfo != NULL) {
+ rv = SECSuccess;
+ }
+ break;
+ case ocspCertStatus_other:
+ default:
+ PORT_Assert(src->certStatusType == ocspCertStatus_other);
+ dest->certStatusInfo.otherInfo =
+ SECITEM_ArenaDupItem(arena, src->certStatusInfo.otherInfo);
+ if (dest->certStatusInfo.otherInfo != NULL) {
+ rv = SECSuccess;
+ }
+ break;
}
return rv;
}
@@ -453,7 +451,7 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item)
}
PORT_Assert(cache->numberOfEntries > 1);
-
+
if (item == cache->LRUitem) {
PORT_Assert(item != cache->MRUitem);
PORT_Assert(item->lessRecent == NULL);
@@ -461,8 +459,7 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item)
PORT_Assert(item->moreRecent->lessRecent == item);
cache->LRUitem = item->moreRecent;
cache->LRUitem->lessRecent = NULL;
- }
- else if (item == cache->MRUitem) {
+ } else if (item == cache->MRUitem) {
PORT_Assert(item->moreRecent == NULL);
PORT_Assert(item->lessRecent != NULL);
PORT_Assert(item->lessRecent->moreRecent == item);
@@ -487,7 +484,7 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item)
static void
ocsp_MakeCacheEntryMostRecent(OCSPCacheData *cache, OCSPCacheItem *new_most_recent)
{
- OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent THREADID %p\n",
+ OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent THREADID %p\n",
PR_GetCurrentThread()));
PR_EnterMonitor(OCSP_Global.monitor);
if (cache->MRUitem == new_most_recent) {
@@ -504,7 +501,7 @@ ocsp_MakeCacheEntryMostRecent(OCSPCacheData *cache, OCSPCacheItem *new_most_rece
static PRBool
ocsp_IsCacheDisabled(void)
{
- /*
+ /*
* maxCacheEntries == 0 means unlimited cache entries
* maxCacheEntries < 0 means cache is disabled
*/
@@ -524,12 +521,12 @@ ocsp_FindCacheEntry(OCSPCacheData *cache, CERTOCSPCertID *certID)
PR_EnterMonitor(OCSP_Global.monitor);
if (ocsp_IsCacheDisabled())
goto loser;
-
+
found_ocsp_item = (OCSPCacheItem *)PL_HashTableLookup(
- cache->entries, certID);
+ cache->entries, certID);
if (!found_ocsp_item)
goto loser;
-
+
OCSP_TRACE(("OCSP ocsp_FindCacheEntry FOUND!\n"));
ocsp_MakeCacheEntryMostRecent(cache, found_ocsp_item);
@@ -556,7 +553,7 @@ ocsp_RemoveCacheItem(OCSPCacheData *cache, OCSPCacheItem *item)
{
/* The item we're removing could be either the least recently used item,
* or it could be an item that couldn't get updated with newer status info
- * because of an allocation failure, or it could get removed because we're
+ * because of an allocation failure, or it could get removed because we're
* cleaning up.
*/
OCSP_TRACE(("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread()));
@@ -586,8 +583,8 @@ ocsp_CheckCacheSize(OCSPCacheData *cache)
/* Cache is not disabled. Number of cache entries is limited.
* The monitor ensures that maxCacheEntries remains positive.
*/
- while (cache->numberOfEntries >
- (PRUint32)OCSP_Global.maxCacheEntries) {
+ while (cache->numberOfEntries >
+ (PRUint32)OCSP_Global.maxCacheEntries) {
ocsp_RemoveCacheItem(cache, cache->LRUitem);
}
}
@@ -600,7 +597,7 @@ CERT_ClearOCSPCache(void)
OCSP_TRACE(("OCSP CERT_ClearOCSPCache\n"));
PR_EnterMonitor(OCSP_Global.monitor);
while (OCSP_Global.cache.numberOfEntries > 0) {
- ocsp_RemoveCacheItem(&OCSP_Global.cache,
+ ocsp_RemoveCacheItem(&OCSP_Global.cache,
OCSP_Global.cache.LRUitem);
}
PR_ExitMonitor(OCSP_Global.monitor);
@@ -609,30 +606,30 @@ CERT_ClearOCSPCache(void)
static SECStatus
ocsp_CreateCacheItemAndConsumeCertID(OCSPCacheData *cache,
- CERTOCSPCertID *certID,
+ CERTOCSPCertID *certID,
OCSPCacheItem **pCacheItem)
{
PLArenaPool *arena;
void *mark;
PLHashEntry *new_hash_entry;
OCSPCacheItem *item;
-
+
PORT_Assert(pCacheItem != NULL);
*pCacheItem = NULL;
PR_EnterMonitor(OCSP_Global.monitor);
arena = certID->poolp;
mark = PORT_ArenaMark(arena);
-
+
/* ZAlloc will init all Bools to False and all Pointers to NULL
and all error codes to zero/good. */
- item = (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp,
+ item = (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp,
sizeof(OCSPCacheItem));
if (!item) {
- goto loser;
+ goto loser;
}
item->certID = certID;
- new_hash_entry = PL_HashTableAdd(cache->entries, item->certID,
+ new_hash_entry = PL_HashTableAdd(cache->entries, item->certID,
item);
if (!new_hash_entry) {
goto loser;
@@ -644,7 +641,7 @@ ocsp_CreateCacheItemAndConsumeCertID(OCSPCacheData *cache,
PR_ExitMonitor(OCSP_Global.monitor);
return SECSuccess;
-
+
loser:
PORT_ArenaRelease(arena, mark);
PR_ExitMonitor(OCSP_Global.monitor);
@@ -666,7 +663,7 @@ ocsp_SetCacheItemResponse(OCSPCacheItem *item,
if (item->certStatusArena == NULL) {
return SECFailure;
}
- rv = ocsp_CopyCertStatus(item->certStatusArena, &item->certStatus,
+ rv = ocsp_CopyCertStatus(item->certStatusArena, &item->certStatus,
response->certStatus);
if (rv != SECSuccess) {
PORT_FreeArena(item->certStatusArena, PR_FALSE);
@@ -674,11 +671,11 @@ ocsp_SetCacheItemResponse(OCSPCacheItem *item,
return rv;
}
item->missingResponseError = 0;
- rv = DER_GeneralizedTimeToTime(&item->thisUpdate,
+ rv = DER_GeneralizedTimeToTime(&item->thisUpdate,
&response->thisUpdate);
item->haveThisUpdate = (rv == SECSuccess);
if (response->nextUpdate) {
- rv = DER_GeneralizedTimeToTime(&item->nextUpdate,
+ rv = DER_GeneralizedTimeToTime(&item->nextUpdate,
response->nextUpdate);
item->haveNextUpdate = (rv == SECSuccess);
} else {
@@ -694,60 +691,60 @@ ocsp_FreshenCacheItemNextFetchAttemptTime(OCSPCacheItem *cacheItem)
PRTime now;
PRTime earliestAllowedNextFetchAttemptTime;
PRTime latestTimeWhenResponseIsConsideredFresh;
-
+
OCSP_TRACE(("OCSP ocsp_FreshenCacheItemNextFetchAttemptTime\n"));
PR_EnterMonitor(OCSP_Global.monitor);
-
+
now = PR_Now();
OCSP_TRACE_TIME("now:", now);
-
+
if (cacheItem->haveThisUpdate) {
OCSP_TRACE_TIME("thisUpdate:", cacheItem->thisUpdate);
latestTimeWhenResponseIsConsideredFresh = cacheItem->thisUpdate +
- OCSP_Global.maximumSecondsToNextFetchAttempt *
- MICROSECONDS_PER_SECOND;
- OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:",
+ OCSP_Global.maximumSecondsToNextFetchAttempt *
+ MICROSECONDS_PER_SECOND;
+ OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:",
latestTimeWhenResponseIsConsideredFresh);
} else {
latestTimeWhenResponseIsConsideredFresh = now +
- OCSP_Global.minimumSecondsToNextFetchAttempt *
- MICROSECONDS_PER_SECOND;
+ OCSP_Global.minimumSecondsToNextFetchAttempt *
+ MICROSECONDS_PER_SECOND;
OCSP_TRACE_TIME("no thisUpdate, "
- "latestTimeWhenResponseIsConsideredFresh:",
+ "latestTimeWhenResponseIsConsideredFresh:",
latestTimeWhenResponseIsConsideredFresh);
}
-
+
if (cacheItem->haveNextUpdate) {
OCSP_TRACE_TIME("have nextUpdate:", cacheItem->nextUpdate);
}
-
+
if (cacheItem->haveNextUpdate &&
cacheItem->nextUpdate < latestTimeWhenResponseIsConsideredFresh) {
latestTimeWhenResponseIsConsideredFresh = cacheItem->nextUpdate;
OCSP_TRACE_TIME("nextUpdate is smaller than latestFresh, setting "
- "latestTimeWhenResponseIsConsideredFresh:",
+ "latestTimeWhenResponseIsConsideredFresh:",
latestTimeWhenResponseIsConsideredFresh);
}
-
+
earliestAllowedNextFetchAttemptTime = now +
- OCSP_Global.minimumSecondsToNextFetchAttempt *
- MICROSECONDS_PER_SECOND;
- OCSP_TRACE_TIME("earliestAllowedNextFetchAttemptTime:",
+ OCSP_Global.minimumSecondsToNextFetchAttempt *
+ MICROSECONDS_PER_SECOND;
+ OCSP_TRACE_TIME("earliestAllowedNextFetchAttemptTime:",
earliestAllowedNextFetchAttemptTime);
-
- if (latestTimeWhenResponseIsConsideredFresh <
+
+ if (latestTimeWhenResponseIsConsideredFresh <
earliestAllowedNextFetchAttemptTime) {
- latestTimeWhenResponseIsConsideredFresh =
+ latestTimeWhenResponseIsConsideredFresh =
earliestAllowedNextFetchAttemptTime;
- OCSP_TRACE_TIME("latest < earliest, setting latest to:",
+ OCSP_TRACE_TIME("latest < earliest, setting latest to:",
latestTimeWhenResponseIsConsideredFresh);
}
-
- cacheItem->nextFetchAttemptTime =
+
+ cacheItem->nextFetchAttemptTime =
latestTimeWhenResponseIsConsideredFresh;
- OCSP_TRACE_TIME("nextFetchAttemptTime",
- latestTimeWhenResponseIsConsideredFresh);
+ OCSP_TRACE_TIME("nextFetchAttemptTime",
+ latestTimeWhenResponseIsConsideredFresh);
PR_ExitMonitor(OCSP_Global.monitor);
}
@@ -776,14 +773,14 @@ ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem)
}
/*
- * Status in *certIDWasConsumed will always be correct, regardless of
+ * Status in *certIDWasConsumed will always be correct, regardless of
* return value.
* If the caller is unable to transfer ownership of certID,
* then the caller must set certIDWasConsumed to NULL,
* and this function will potentially duplicate the certID object.
*/
static SECStatus
-ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
+ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
CERTOCSPCertID *certID,
CERTOCSPSingleResponse *single,
PRBool *certIDWasConsumed)
@@ -791,13 +788,13 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
SECStatus rv;
OCSPCacheItem *cacheItem;
OCSP_TRACE(("OCSP ocsp_CreateOrUpdateCacheEntry\n"));
-
+
if (certIDWasConsumed)
*certIDWasConsumed = PR_FALSE;
-
+
PR_EnterMonitor(OCSP_Global.monitor);
PORT_Assert(OCSP_Global.maxCacheEntries >= 0);
-
+
cacheItem = ocsp_FindCacheEntry(cache, certID);
/* Don't replace an unknown or revoked entry with an error entry, even if
@@ -867,12 +864,12 @@ extern SECStatus
CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode)
{
switch (ocspFailureMode) {
- case ocspMode_FailureIsVerificationFailure:
- case ocspMode_FailureIsNotAVerificationFailure:
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ case ocspMode_FailureIsVerificationFailure:
+ case ocspMode_FailureIsNotAVerificationFailure:
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
PR_EnterMonitor(OCSP_Global.monitor);
@@ -886,14 +883,14 @@ CERT_OCSPCacheSettings(PRInt32 maxCacheEntries,
PRUint32 minimumSecondsToNextFetchAttempt,
PRUint32 maximumSecondsToNextFetchAttempt)
{
- if (minimumSecondsToNextFetchAttempt > maximumSecondsToNextFetchAttempt
- || maxCacheEntries < -1) {
+ if (minimumSecondsToNextFetchAttempt > maximumSecondsToNextFetchAttempt ||
+ maxCacheEntries < -1) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
-
+
PR_EnterMonitor(OCSP_Global.monitor);
-
+
if (maxCacheEntries < 0) {
OCSP_Global.maxCacheEntries = -1; /* disable cache */
} else if (maxCacheEntries == 0) {
@@ -901,24 +898,24 @@ CERT_OCSPCacheSettings(PRInt32 maxCacheEntries,
} else {
OCSP_Global.maxCacheEntries = maxCacheEntries;
}
-
- if (minimumSecondsToNextFetchAttempt <
- OCSP_Global.minimumSecondsToNextFetchAttempt
- || maximumSecondsToNextFetchAttempt <
+
+ if (minimumSecondsToNextFetchAttempt <
+ OCSP_Global.minimumSecondsToNextFetchAttempt ||
+ maximumSecondsToNextFetchAttempt <
OCSP_Global.maximumSecondsToNextFetchAttempt) {
/*
- * Ensure our existing cache entries are not used longer than the
+ * Ensure our existing cache entries are not used longer than the
* new settings allow, we're lazy and just clear the cache
*/
CERT_ClearOCSPCache();
}
-
- OCSP_Global.minimumSecondsToNextFetchAttempt =
+
+ OCSP_Global.minimumSecondsToNextFetchAttempt =
minimumSecondsToNextFetchAttempt;
- OCSP_Global.maximumSecondsToNextFetchAttempt =
+ OCSP_Global.maximumSecondsToNextFetchAttempt =
maximumSecondsToNextFetchAttempt;
ocsp_CheckCacheSize(&OCSP_Global.cache);
-
+
PR_ExitMonitor(OCSP_Global.monitor);
return SECSuccess;
}
@@ -932,7 +929,8 @@ CERT_SetOCSPTimeout(PRUint32 seconds)
}
/* this function is called at NSS initialization time */
-SECStatus OCSP_InitGlobal(void)
+SECStatus
+OCSP_InitGlobal(void)
{
SECStatus rv = SECFailure;
@@ -944,12 +942,12 @@ SECStatus OCSP_InitGlobal(void)
PR_EnterMonitor(OCSP_Global.monitor);
if (!OCSP_Global.cache.entries) {
- OCSP_Global.cache.entries =
- PL_NewHashTable(0,
- ocsp_CacheKeyHashFunction,
- ocsp_CacheKeyCompareFunction,
- PL_CompareValues,
- NULL,
+ OCSP_Global.cache.entries =
+ PL_NewHashTable(0,
+ ocsp_CacheKeyHashFunction,
+ ocsp_CacheKeyCompareFunction,
+ PL_CompareValues,
+ NULL,
NULL);
OCSP_Global.ocspFailureMode = ocspMode_FailureIsVerificationFailure;
OCSP_Global.cache.numberOfEntries = 0;
@@ -969,7 +967,8 @@ SECStatus OCSP_InitGlobal(void)
return rv;
}
-SECStatus OCSP_ShutdownGlobal(void)
+SECStatus
+OCSP_ShutdownGlobal(void)
{
if (!OCSP_Global.monitor)
return SECSuccess;
@@ -986,12 +985,12 @@ SECStatus OCSP_ShutdownGlobal(void)
OCSP_Global.defaultHttpClientFcn = NULL;
OCSP_Global.maxCacheEntries = DEFAULT_OCSP_CACHE_SIZE;
- OCSP_Global.minimumSecondsToNextFetchAttempt =
- DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT;
+ OCSP_Global.minimumSecondsToNextFetchAttempt =
+ DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT;
OCSP_Global.maximumSecondsToNextFetchAttempt =
- DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT;
+ DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT;
OCSP_Global.ocspFailureMode =
- ocspMode_FailureIsVerificationFailure;
+ ocspMode_FailureIsVerificationFailure;
PR_ExitMonitor(OCSP_Global.monitor);
PR_DestroyMonitor(OCSP_Global.monitor);
@@ -1000,22 +999,23 @@ SECStatus OCSP_ShutdownGlobal(void)
}
/*
- * A return value of NULL means:
+ * A return value of NULL means:
* The application did not register it's own HTTP client.
*/
-const SEC_HttpClientFcn *SEC_GetRegisteredHttpClient(void)
+const SEC_HttpClientFcn *
+SEC_GetRegisteredHttpClient(void)
{
const SEC_HttpClientFcn *retval;
if (!OCSP_Global.monitor) {
- PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
- return NULL;
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return NULL;
}
PR_EnterMonitor(OCSP_Global.monitor);
retval = OCSP_Global.defaultHttpClientFcn;
PR_ExitMonitor(OCSP_Global.monitor);
-
+
return retval;
}
@@ -1057,7 +1057,6 @@ extern const SEC_ASN1Template ocsp_SingleRequestTemplate[];
extern const SEC_ASN1Template ocsp_SingleResponseTemplate[];
extern const SEC_ASN1Template ocsp_TBSRequestTemplate[];
-
/*
* Request-related templates...
*/
@@ -1069,14 +1068,14 @@ extern const SEC_ASN1Template ocsp_TBSRequestTemplate[];
*/
static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPRequest) },
+ 0, NULL, sizeof(CERTOCSPRequest) },
{ SEC_ASN1_POINTER,
- offsetof(CERTOCSPRequest, tbsRequest),
- ocsp_TBSRequestTemplate },
+ offsetof(CERTOCSPRequest, tbsRequest),
+ ocsp_TBSRequestTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTOCSPRequest, optionalSignature),
- ocsp_PointerToSignatureTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(CERTOCSPRequest, optionalSignature),
+ ocsp_PointerToSignatureTemplate },
{ 0 }
};
@@ -1095,22 +1094,22 @@ static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = {
*/
const SEC_ASN1Template ocsp_TBSRequestTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspTBSRequest) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(ocspTBSRequest, version),
- SEC_ASN1_SUB(SEC_IntegerTemplate) },
+ 0, NULL, sizeof(ocspTBSRequest) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(ocspTBSRequest, version),
+ SEC_ASN1_SUB(SEC_IntegerTemplate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
- offsetof(ocspTBSRequest, derRequestorName),
- SEC_ASN1_SUB(SEC_PointerToAnyTemplate) },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+ offsetof(ocspTBSRequest, derRequestorName),
+ SEC_ASN1_SUB(SEC_PointerToAnyTemplate) },
{ SEC_ASN1_SEQUENCE_OF,
- offsetof(ocspTBSRequest, requestList),
- ocsp_SingleRequestTemplate },
+ offsetof(ocspTBSRequest, requestList),
+ ocsp_SingleRequestTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(ocspTBSRequest, requestExtensions),
- CERT_SequenceOfCertExtensionTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+ offsetof(ocspTBSRequest, requestExtensions),
+ CERT_SequenceOfCertExtensionTemplate },
{ 0 }
};
@@ -1122,16 +1121,16 @@ const SEC_ASN1Template ocsp_TBSRequestTemplate[] = {
*/
static const SEC_ASN1Template ocsp_SignatureTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspSignature) },
+ 0, NULL, sizeof(ocspSignature) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
- offsetof(ocspSignature, signatureAlgorithm),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ offsetof(ocspSignature, signatureAlgorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_BIT_STRING,
- offsetof(ocspSignature, signature) },
+ offsetof(ocspSignature, signature) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(ocspSignature, derCerts),
- SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(ocspSignature, derCerts),
+ SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) },
{ 0 }
};
@@ -1157,19 +1156,18 @@ const SEC_ASN1Template ocsp_PointerToSignatureTemplate[] = {
* is the only way it will compile.
*/
const SEC_ASN1Template ocsp_SingleRequestTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspSingleRequest) },
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(ocspSingleRequest) },
{ SEC_ASN1_POINTER,
- offsetof(ocspSingleRequest, reqCert),
- ocsp_CertIDTemplate },
+ offsetof(ocspSingleRequest, reqCert),
+ ocsp_CertIDTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(ocspSingleRequest, singleRequestExtensions),
- CERT_SequenceOfCertExtensionTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(ocspSingleRequest, singleRequestExtensions),
+ CERT_SequenceOfCertExtensionTemplate },
{ 0 }
};
-
/*
* This data structure and template (CertID) is used by both OCSP
* requests and responses. It is the only one that is shared.
@@ -1187,21 +1185,20 @@ const SEC_ASN1Template ocsp_SingleRequestTemplate[] = {
* is the only way it will compile.
*/
const SEC_ASN1Template ocsp_CertIDTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPCertID) },
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(CERTOCSPCertID) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
- offsetof(CERTOCSPCertID, hashAlgorithm),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ offsetof(CERTOCSPCertID, hashAlgorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_OCTET_STRING,
- offsetof(CERTOCSPCertID, issuerNameHash) },
+ offsetof(CERTOCSPCertID, issuerNameHash) },
{ SEC_ASN1_OCTET_STRING,
- offsetof(CERTOCSPCertID, issuerKeyHash) },
- { SEC_ASN1_INTEGER,
- offsetof(CERTOCSPCertID, serialNumber) },
+ offsetof(CERTOCSPCertID, issuerKeyHash) },
+ { SEC_ASN1_INTEGER,
+ offsetof(CERTOCSPCertID, serialNumber) },
{ 0 }
};
-
/*
* Response-related templates...
*/
@@ -1212,14 +1209,14 @@ const SEC_ASN1Template ocsp_CertIDTemplate[] = {
* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
*/
const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = {
- { SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPResponse) },
- { SEC_ASN1_ENUMERATED,
- offsetof(CERTOCSPResponse, responseStatus) },
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(CERTOCSPResponse) },
+ { SEC_ASN1_ENUMERATED,
+ offsetof(CERTOCSPResponse, responseStatus) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(CERTOCSPResponse, responseBytes),
- ocsp_PointerToResponseBytesTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(CERTOCSPResponse, responseBytes),
+ ocsp_PointerToResponseBytesTemplate },
{ 0 }
};
@@ -1230,11 +1227,11 @@ const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = {
*/
const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspResponseBytes) },
+ 0, NULL, sizeof(ocspResponseBytes) },
{ SEC_ASN1_OBJECT_ID,
- offsetof(ocspResponseBytes, responseType) },
+ offsetof(ocspResponseBytes, responseType) },
{ SEC_ASN1_OCTET_STRING,
- offsetof(ocspResponseBytes, response) },
+ offsetof(ocspResponseBytes, response) },
{ 0 }
};
@@ -1259,21 +1256,21 @@ const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[] = {
*/
static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspBasicOCSPResponse) },
+ 0, NULL, sizeof(ocspBasicOCSPResponse) },
{ SEC_ASN1_ANY | SEC_ASN1_SAVE,
- offsetof(ocspBasicOCSPResponse, tbsResponseDataDER) },
+ offsetof(ocspBasicOCSPResponse, tbsResponseDataDER) },
{ SEC_ASN1_POINTER,
- offsetof(ocspBasicOCSPResponse, tbsResponseData),
- ocsp_ResponseDataTemplate },
+ offsetof(ocspBasicOCSPResponse, tbsResponseData),
+ ocsp_ResponseDataTemplate },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
- offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_BIT_STRING,
- offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
+ offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
- SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
+ SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) },
{ 0 }
};
@@ -1291,22 +1288,22 @@ static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = {
*/
const SEC_ASN1Template ocsp_ResponseDataTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspResponseData) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(ocspResponseData, version),
- SEC_ASN1_SUB(SEC_IntegerTemplate) },
+ 0, NULL, sizeof(ocspResponseData) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(ocspResponseData, version),
+ SEC_ASN1_SUB(SEC_IntegerTemplate) },
{ SEC_ASN1_ANY,
- offsetof(ocspResponseData, derResponderID) },
+ offsetof(ocspResponseData, derResponderID) },
{ SEC_ASN1_GENERALIZED_TIME,
- offsetof(ocspResponseData, producedAt) },
+ offsetof(ocspResponseData, producedAt) },
{ SEC_ASN1_SEQUENCE_OF,
- offsetof(ocspResponseData, responses),
- ocsp_SingleResponseTemplate },
+ offsetof(ocspResponseData, responses),
+ ocsp_SingleResponseTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspResponseData, responseExtensions),
- CERT_SequenceOfCertExtensionTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+ offsetof(ocspResponseData, responseExtensions),
+ CERT_SequenceOfCertExtensionTemplate },
{ 0 }
};
@@ -1327,24 +1324,25 @@ const SEC_ASN1Template ocsp_ResponseDataTemplate[] = {
*/
const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = {
{ SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspResponderID, responderIDValue.name),
- CERT_NameTemplate }
+ offsetof(ocspResponderID, responderIDValue.name),
+ CERT_NameTemplate }
};
const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = {
{ SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_XTRN | 2,
- offsetof(ocspResponderID, responderIDValue.keyHash),
- SEC_ASN1_SUB(SEC_OctetStringTemplate) }
+ SEC_ASN1_XTRN | 2,
+ offsetof(ocspResponderID, responderIDValue.keyHash),
+ SEC_ASN1_SUB(SEC_OctetStringTemplate) }
};
static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = {
{ SEC_ASN1_ANY,
- offsetof(ocspResponderID, responderIDValue.other) }
+ offsetof(ocspResponderID, responderIDValue.other) }
};
/* Decode choice container, but leave x509 name object encoded */
static const SEC_ASN1Template ocsp_ResponderIDDerNameTemplate[] = {
{ SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_XTRN | 1, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
+ SEC_ASN1_XTRN | 1,
+ 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
};
/*
@@ -1361,22 +1359,22 @@ static const SEC_ASN1Template ocsp_ResponderIDDerNameTemplate[] = {
*/
const SEC_ASN1Template ocsp_SingleResponseTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CERTOCSPSingleResponse) },
+ 0, NULL, sizeof(CERTOCSPSingleResponse) },
{ SEC_ASN1_POINTER,
- offsetof(CERTOCSPSingleResponse, certID),
- ocsp_CertIDTemplate },
+ offsetof(CERTOCSPSingleResponse, certID),
+ ocsp_CertIDTemplate },
{ SEC_ASN1_ANY,
- offsetof(CERTOCSPSingleResponse, derCertStatus) },
+ offsetof(CERTOCSPSingleResponse, derCertStatus) },
{ SEC_ASN1_GENERALIZED_TIME,
- offsetof(CERTOCSPSingleResponse, thisUpdate) },
+ offsetof(CERTOCSPSingleResponse, thisUpdate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(CERTOCSPSingleResponse, nextUpdate),
- SEC_ASN1_SUB(SEC_PointerToGeneralizedTimeTemplate) },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(CERTOCSPSingleResponse, nextUpdate),
+ SEC_ASN1_SUB(SEC_PointerToGeneralizedTimeTemplate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(CERTOCSPSingleResponse, singleExtensions),
- CERT_SequenceOfCertExtensionTemplate },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+ offsetof(CERTOCSPSingleResponse, singleExtensions),
+ CERT_SequenceOfCertExtensionTemplate },
{ 0 }
};
@@ -1395,23 +1393,23 @@ const SEC_ASN1Template ocsp_SingleResponseTemplate[] = {
*/
static const SEC_ASN1Template ocsp_CertStatusGoodTemplate[] = {
{ SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
- offsetof(ocspCertStatus, certStatusInfo.goodInfo),
- SEC_ASN1_SUB(SEC_NullTemplate) }
+ offsetof(ocspCertStatus, certStatusInfo.goodInfo),
+ SEC_ASN1_SUB(SEC_NullTemplate) }
};
static const SEC_ASN1Template ocsp_CertStatusRevokedTemplate[] = {
- { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
- offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
- ocsp_RevokedInfoTemplate }
+ { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+ offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
+ ocsp_RevokedInfoTemplate }
};
static const SEC_ASN1Template ocsp_CertStatusUnknownTemplate[] = {
{ SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
- offsetof(ocspCertStatus, certStatusInfo.unknownInfo),
- SEC_ASN1_SUB(SEC_NullTemplate) }
+ offsetof(ocspCertStatus, certStatusInfo.unknownInfo),
+ SEC_ASN1_SUB(SEC_NullTemplate) }
};
static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = {
{ SEC_ASN1_POINTER | SEC_ASN1_XTRN,
- offsetof(ocspCertStatus, certStatusInfo.otherInfo),
- SEC_ASN1_SUB(SEC_AnyTemplate) }
+ offsetof(ocspCertStatus, certStatusInfo.otherInfo),
+ SEC_ASN1_SUB(SEC_AnyTemplate) }
};
/*
@@ -1425,18 +1423,17 @@ static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = {
*/
const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspRevokedInfo) },
+ 0, NULL, sizeof(ocspRevokedInfo) },
{ SEC_ASN1_GENERALIZED_TIME,
- offsetof(ocspRevokedInfo, revocationTime) },
+ offsetof(ocspRevokedInfo, revocationTime) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
- SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
- SEC_ASN1_XTRN | 0,
- offsetof(ocspRevokedInfo, revocationReason),
- SEC_ASN1_SUB(SEC_PointerToEnumeratedTemplate) },
+ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 0,
+ offsetof(ocspRevokedInfo, revocationReason),
+ SEC_ASN1_SUB(SEC_PointerToEnumeratedTemplate) },
{ 0 }
};
-
/*
* OCSP-specific extension templates:
*/
@@ -1448,25 +1445,24 @@ const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = {
*/
static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(ocspServiceLocator) },
+ 0, NULL, sizeof(ocspServiceLocator) },
{ SEC_ASN1_POINTER,
- offsetof(ocspServiceLocator, issuer),
- CERT_NameTemplate },
+ offsetof(ocspServiceLocator, issuer),
+ CERT_NameTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(ocspServiceLocator, locator) },
+ offsetof(ocspServiceLocator, locator) },
{ 0 }
};
-
/*
* REQUEST SUPPORT FUNCTIONS (encode/create/decode/destroy):
*/
-/*
+/*
* FUNCTION: CERT_EncodeOCSPRequest
* DER encodes an OCSP Request, possibly adding a signature as well.
* XXX Signing is not yet supported, however; see comments in code.
- * INPUTS:
+ * INPUTS:
* PLArenaPool *arena
* The return value is allocated from here.
* If a NULL is passed in, allocation is done from the heap instead.
@@ -1482,7 +1478,7 @@ static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = {
*/
SECItem *
CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
- void *pwArg)
+ void *pwArg)
{
SECStatus rv;
@@ -1491,10 +1487,10 @@ CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
PORT_Assert(request->tbsRequest);
if (request->tbsRequest->extensionHandle != NULL) {
- rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
- request->tbsRequest->extensionHandle = NULL;
- if (rv != SECSuccess)
- return NULL;
+ rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
+ request->tbsRequest->extensionHandle = NULL;
+ if (rv != SECSuccess)
+ return NULL;
}
/*
@@ -1510,7 +1506,6 @@ CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
return SEC_ASN1EncodeItem(arena, NULL, request, ocsp_OCSPRequestTemplate);
}
-
/*
* FUNCTION: CERT_DecodeOCSPRequest
* Decode a DER encoded OCSP Request.
@@ -1533,27 +1528,27 @@ CERT_DecodeOCSPRequest(const SECItem *src)
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
- goto loser;
+ goto loser;
}
- dest = (CERTOCSPRequest *) PORT_ArenaZAlloc(arena,
- sizeof(CERTOCSPRequest));
+ dest = (CERTOCSPRequest *)PORT_ArenaZAlloc(arena,
+ sizeof(CERTOCSPRequest));
if (dest == NULL) {
- goto loser;
+ goto loser;
}
dest->arena = arena;
/* copy the DER into the arena, since Quick DER returns data that points
into the DER input, which may get freed by the caller */
rv = SECITEM_CopyItem(arena, &newSrc, src);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, dest, ocsp_OCSPRequestTemplate, &newSrc);
if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
- goto loser;
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ goto loser;
}
/*
@@ -1561,24 +1556,24 @@ CERT_DecodeOCSPRequest(const SECItem *src)
* of doing this copying of the arena pointer.
*/
for (i = 0; dest->tbsRequest->requestList[i] != NULL; i++) {
- dest->tbsRequest->requestList[i]->arena = arena;
+ dest->tbsRequest->requestList[i]->arena = arena;
}
return dest;
loser:
if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
}
return NULL;
}
SECStatus
-CERT_DestroyOCSPCertID(CERTOCSPCertID* certID)
+CERT_DestroyOCSPCertID(CERTOCSPCertID *certID)
{
if (certID && certID->poolp) {
- PORT_FreeArena(certID->poolp, PR_FALSE);
- return SECSuccess;
+ PORT_FreeArena(certID->poolp, PR_FALSE);
+ return SECSuccess;
}
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
@@ -1593,7 +1588,7 @@ CERT_DestroyOCSPCertID(CERTOCSPCertID* certID)
*/
SECItem *
-ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
+ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
SECItem *fill, const SECItem *src)
{
const SECHashObject *digestObject;
@@ -1601,27 +1596,27 @@ ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
void *mark = NULL;
void *digestBuff = NULL;
- if ( arena != NULL ) {
+ if (arena != NULL) {
mark = PORT_ArenaMark(arena);
}
digestObject = HASH_GetHashObjectByOidTag(digestAlg);
- if ( digestObject == NULL ) {
+ if (digestObject == NULL) {
goto loser;
}
if (fill == NULL || fill->data == NULL) {
- result = SECITEM_AllocItem(arena, fill, digestObject->length);
- if ( result == NULL ) {
- goto loser;
- }
- digestBuff = result->data;
+ result = SECITEM_AllocItem(arena, fill, digestObject->length);
+ if (result == NULL) {
+ goto loser;
+ }
+ digestBuff = result->data;
} else {
- if (fill->len < digestObject->length) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto loser;
- }
- digestBuff = fill->data;
+ if (fill->len < digestObject->length) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ digestBuff = fill->data;
}
if (PK11_HashBuf(digestAlg, digestBuff,
@@ -1629,7 +1624,7 @@ ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,
goto loser;
}
- if ( arena != NULL ) {
+ if (arena != NULL) {
PORT_ArenaUnmark(arena, mark);
}
@@ -1646,7 +1641,7 @@ loser:
SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE);
}
}
- return(NULL);
+ return (NULL);
}
/*
@@ -1713,18 +1708,18 @@ ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time)
certID = PORT_ArenaZNew(arena, CERTOCSPCertID);
if (certID == NULL) {
- goto loser;
+ goto loser;
}
rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1,
- NULL);
+ NULL);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
if (issuerCert == NULL) {
- goto loser;
+ goto loser;
}
if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1,
@@ -1745,29 +1740,28 @@ ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time)
}
if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1,
- &certID->issuerKeyHash) == NULL) {
- goto loser;
+ &certID->issuerKeyHash) == NULL) {
+ goto loser;
}
certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
/* cache the other two hash algorithms as well */
if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5,
- &certID->issuerMD5KeyHash) == NULL) {
- goto loser;
+ &certID->issuerMD5KeyHash) == NULL) {
+ goto loser;
}
if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2,
- &certID->issuerMD2KeyHash) == NULL) {
- goto loser;
+ &certID->issuerMD2KeyHash) == NULL) {
+ goto loser;
}
-
/* now we are done with issuerCert */
CERT_DestroyCertificate(issuerCert);
issuerCert = NULL;
rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
PORT_ArenaUnmark(arena, mark);
@@ -1775,25 +1769,25 @@ ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time)
loser:
if (issuerCert != NULL) {
- CERT_DestroyCertificate(issuerCert);
+ CERT_DestroyCertificate(issuerCert);
}
PORT_ArenaRelease(arena, mark);
return NULL;
}
-CERTOCSPCertID*
+CERTOCSPCertID *
CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time)
{
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTOCSPCertID *certID;
PORT_Assert(arena != NULL);
if (!arena)
- return NULL;
-
+ return NULL;
+
certID = ocsp_CreateCertID(arena, cert, time);
if (!certID) {
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
}
certID->poolp = arena;
return certID;
@@ -1818,11 +1812,11 @@ cert_DupOCSPCertID(const CERTOCSPCertID *src)
if (!dest)
goto loser;
-#define DUPHELP(element) \
- if (src->element.data && \
- SECITEM_CopyItem(arena, &dest->element, &src->element) \
- != SECSuccess) { \
- goto loser; \
+#define DUPHELP(element) \
+ if (src->element.data && \
+ SECITEM_CopyItem(arena, &dest->element, &src->element) != \
+ SECSuccess) { \
+ goto loser; \
}
DUPHELP(hashAlgorithm.algorithm)
@@ -1850,12 +1844,13 @@ loser:
/*
* Callback to set Extensions in request object
*/
-void SetSingleReqExts(void *object, CERTCertExtension **exts)
+void
+SetSingleReqExts(void *object, CERTCertExtension **exts)
{
- ocspSingleRequest *singleRequest =
- (ocspSingleRequest *)object;
+ ocspSingleRequest *singleRequest =
+ (ocspSingleRequest *)object;
- singleRequest->singleRequestExtensions = exts;
+ singleRequest->singleRequestExtensions = exts;
}
/*
@@ -1866,7 +1861,7 @@ void SetSingleReqExts(void *object, CERTCertExtension **exts)
*/
static SECStatus
ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
- CERTCertificate *cert)
+ CERTCertificate *cert)
{
ocspServiceLocator *serviceLocator = NULL;
void *extensionHandle = NULL;
@@ -1874,7 +1869,7 @@ ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
serviceLocator = PORT_ZNew(ocspServiceLocator);
if (serviceLocator == NULL)
- goto loser;
+ goto loser;
/*
* Normally it would be a bad idea to do a direct reference like
@@ -1886,10 +1881,10 @@ ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
serviceLocator->issuer = &cert->issuer;
rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
- &serviceLocator->locator);
+ &serviceLocator->locator);
if (rv != SECSuccess) {
- if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
- goto loser;
+ if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
+ goto loser;
}
/* prepare for following loser gotos */
@@ -1897,33 +1892,33 @@ ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
PORT_SetError(0);
extensionHandle = cert_StartExtensions(singleRequest,
- singleRequest->arena, SetSingleReqExts);
+ singleRequest->arena, SetSingleReqExts);
if (extensionHandle == NULL)
- goto loser;
+ goto loser;
rv = CERT_EncodeAndAddExtension(extensionHandle,
- SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
- serviceLocator, PR_FALSE,
- ocsp_ServiceLocatorTemplate);
+ SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
+ serviceLocator, PR_FALSE,
+ ocsp_ServiceLocatorTemplate);
loser:
if (extensionHandle != NULL) {
- /*
+ /*
* Either way we have to finish out the extension context (so it gets
* freed). But careful not to override any already-set bad status.
*/
- SECStatus tmprv = CERT_FinishExtensions(extensionHandle);
- if (rv == SECSuccess)
- rv = tmprv;
+ SECStatus tmprv = CERT_FinishExtensions(extensionHandle);
+ if (rv == SECSuccess)
+ rv = tmprv;
}
/*
* Finally, free the serviceLocator structure itself and we are done.
*/
if (serviceLocator != NULL) {
- if (serviceLocator->locator.data != NULL)
- SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE);
- PORT_Free(serviceLocator);
+ if (serviceLocator->locator.data != NULL)
+ SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE);
+ PORT_Free(serviceLocator);
}
return rv;
@@ -1949,18 +1944,18 @@ ocsp_CreateSingleRequestList(PLArenaPool *arena, CERTCertList *certList,
CERTCertListNode *node = NULL;
int i, count;
void *mark = PORT_ArenaMark(arena);
-
+
node = CERT_LIST_HEAD(certList);
for (count = 0; !CERT_LIST_END(node, certList); count++) {
node = CERT_LIST_NEXT(node);
}
if (count == 0)
- goto loser;
+ goto loser;
requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, count + 1);
if (requestList == NULL)
- goto loser;
+ goto loser;
node = CERT_LIST_HEAD(certList);
for (i = 0; !CERT_LIST_END(node, certList); i++) {
@@ -1998,7 +1993,7 @@ loser:
static ocspSingleRequest **
ocsp_CreateRequestFromCert(PLArenaPool *arena,
- CERTOCSPCertID *certID,
+ CERTOCSPCertID *certID,
CERTCertificate *singleCert,
PRTime time,
PRBool includeLocator)
@@ -2016,7 +2011,7 @@ ocsp_CreateRequestFromCert(PLArenaPool *arena,
goto loser;
requestList[0]->arena = arena;
/* certID will live longer than the request */
- requestList[0]->reqCert = certID;
+ requestList[0]->reqCert = certID;
if (includeLocator == PR_TRUE) {
SECStatus rv;
@@ -2067,8 +2062,8 @@ loser:
}
CERTOCSPRequest *
-cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
- CERTCertificate *singleCert,
+cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
+ CERTCertificate *singleCert,
PRTime time,
PRBool addServiceLocator,
CERTCertificate *signerCert)
@@ -2091,8 +2086,8 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
* Version 1 is the default, so we need not fill in a version number.
* Now create the list of single requests, one for each cert.
*/
- request->tbsRequest->requestList =
- ocsp_CreateRequestFromCert(request->arena,
+ request->tbsRequest->requestList =
+ ocsp_CreateRequestFromCert(request->arena,
certID,
singleCert,
time,
@@ -2106,7 +2101,7 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
/*
* FUNCTION: CERT_CreateOCSPRequest
- * Creates a CERTOCSPRequest, requesting the status of the certs in
+ * Creates a CERTOCSPRequest, requesting the status of the certs in
* the given list.
* INPUTS:
* CERTCertList *certList
@@ -2118,7 +2113,7 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
* to this routine), who knows about where the request(s) are being
* sent and whether there are any trusted responders in place.
* PRTime time
- * Indicates the time for which the certificate status is to be
+ * Indicates the time for which the certificate status is to be
* determined -- this may be used in the search for the cert's issuer
* but has no effect on the request itself.
* PRBool addServiceLocator
@@ -2137,8 +2132,8 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
*/
CERTOCSPRequest *
CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert)
+ PRBool addServiceLocator,
+ CERTCertificate *signerCert)
{
CERTOCSPRequest *request = NULL;
@@ -2147,7 +2142,7 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
return NULL;
}
/*
- * XXX When we are prepared to put signing of requests back in,
+ * XXX When we are prepared to put signing of requests back in,
* we will need to allocate a signature
* structure for the request, fill in the "derCerts" field in it,
* save the signerCert there, as well as fill in the "requestorName"
@@ -2163,8 +2158,8 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
/*
* Now create the list of single requests, one for each cert.
*/
- request->tbsRequest->requestList =
- ocsp_CreateSingleRequestList(request->arena,
+ request->tbsRequest->requestList =
+ ocsp_CreateSingleRequestList(request->arena,
certList,
time,
addServiceLocator);
@@ -2192,16 +2187,21 @@ CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time,
* All errors are internal or low-level problems (e.g. no memory).
*/
-void SetRequestExts(void *object, CERTCertExtension **exts)
+void
+SetRequestExts(void *object, CERTCertExtension **exts)
{
- CERTOCSPRequest *request = (CERTOCSPRequest *)object;
+ CERTOCSPRequest *request = (CERTOCSPRequest *)object;
- request->tbsRequest->requestExtensions = exts;
+ request->tbsRequest->requestExtensions = exts;
}
+#if defined(__GNUC__)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wvarargs"
+#endif
SECStatus
CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
- SECOidTag responseType0, ...)
+ SECOidTag responseType0, ...)
{
void *extHandle;
va_list ap;
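Review bot: The `-Wvarargs` suppression added above `CERT_AddOCSPAcceptableResponses` carries no comment naming the construct that triggers the warning, so a later reader cannot tell whether it hides a real problem. The likely trigger is `va_start(ap, responseType0)` in the following hunk, where the last named parameter is declared as `SECOidTag`; this is presumably an enum type subject to default argument promotion, which should be confirmed before it is written down. A one-line comment above the push would record the reason, for example `/* -Wvarargs: responseType0 (SECOidTag) is the va_start anchor; public signature cannot change */`. The suppression spans the whole function up to the `#pragma GCC diagnostic pop` in the next hunk, so any other varargs diagnostic raised inside it is silenced as well.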
@@ -2213,59 +2213,61 @@ CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
extHandle = request->tbsRequest->extensionHandle;
if (extHandle == NULL) {
- extHandle = cert_StartExtensions(request, request->arena, SetRequestExts);
- if (extHandle == NULL)
- goto loser;
+ extHandle = cert_StartExtensions(request, request->arena, SetRequestExts);
+ if (extHandle == NULL)
+ goto loser;
}
/* Count number of OIDS going into the extension value. */
count = 1;
if (responseType0 != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) {
- va_start(ap, responseType0);
- do {
- count++;
- responseType = va_arg(ap, SECOidTag);
- } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
- va_end(ap);
+ va_start(ap, responseType0);
+ do {
+ count++;
+ responseType = va_arg(ap, SECOidTag);
+ } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+ va_end(ap);
}
acceptableResponses = PORT_NewArray(SECItem *, count + 1);
if (acceptableResponses == NULL)
- goto loser;
+ goto loser;
i = 0;
responseOid = SECOID_FindOIDByTag(responseType0);
acceptableResponses[i++] = &(responseOid->oid);
if (count > 1) {
- va_start(ap, responseType0);
- for ( ; i < count; i++) {
- responseType = va_arg(ap, SECOidTag);
- responseOid = SECOID_FindOIDByTag(responseType);
- acceptableResponses[i] = &(responseOid->oid);
- }
- va_end(ap);
+ va_start(ap, responseType0);
+ for (; i < count; i++) {
+ responseType = va_arg(ap, SECOidTag);
+ responseOid = SECOID_FindOIDByTag(responseType);
+ acceptableResponses[i] = &(responseOid->oid);
+ }
+ va_end(ap);
}
acceptableResponses[i] = NULL;
rv = CERT_EncodeAndAddExtension(extHandle, SEC_OID_PKIX_OCSP_RESPONSE,
- &acceptableResponses, PR_FALSE,
- SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate));
+ &acceptableResponses, PR_FALSE,
+ SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate));
if (rv != SECSuccess)
- goto loser;
+ goto loser;
PORT_Free(acceptableResponses);
if (request->tbsRequest->extensionHandle == NULL)
- request->tbsRequest->extensionHandle = extHandle;
+ request->tbsRequest->extensionHandle = extHandle;
return SECSuccess;
loser:
if (acceptableResponses != NULL)
- PORT_Free(acceptableResponses);
+ PORT_Free(acceptableResponses);
if (extHandle != NULL)
- (void) CERT_FinishExtensions(extHandle);
+ (void)CERT_FinishExtensions(extHandle);
return rv;
}
-
+#if defined(__GNUC__)
+#pragma GCC diagnostic pop
+#endif
/*
* FUNCTION: CERT_DestroyOCSPRequest
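Review bot: The `loser` path calls `(void)CERT_FinishExtensions(extHandle)` even when `extHandle` was read from `request->tbsRequest->extensionHandle` at the top of this hunk, and it never clears that field. If finishing releases the handle (the comment in `ocsp_AddServiceLocatorExtension` says the context "gets freed"), a failure in `PORT_NewArray` or `CERT_EncodeAndAddExtension` leaves the request holding a stale pointer. `CERT_EncodeOCSPRequest` and `CERT_DestroyOCSPRequest` would then pass that pointer to `CERT_FinishExtensions` a second time. Adding `request->tbsRequest->extensionHandle = NULL;` after the call in `loser` would close that path, and it is harmless when the handle was newly created, because the field is still NULL then. The function's signature and local declarations start in the previous hunk, so the initial value of `rv` on the early `goto loser` could not be checked from here.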
@@ -2280,20 +2282,20 @@ void
CERT_DestroyOCSPRequest(CERTOCSPRequest *request)
{
if (request == NULL)
- return;
+ return;
if (request->tbsRequest != NULL) {
- if (request->tbsRequest->requestorName != NULL)
- CERT_DestroyGeneralNameList(request->tbsRequest->requestorName);
- if (request->tbsRequest->extensionHandle != NULL)
- (void) CERT_FinishExtensions(request->tbsRequest->extensionHandle);
+ if (request->tbsRequest->requestorName != NULL)
+ CERT_DestroyGeneralNameList(request->tbsRequest->requestorName);
+ if (request->tbsRequest->extensionHandle != NULL)
+ (void)CERT_FinishExtensions(request->tbsRequest->extensionHandle);
}
if (request->optionalSignature != NULL) {
- if (request->optionalSignature->cert != NULL)
- CERT_DestroyCertificate(request->optionalSignature->cert);
+ if (request->optionalSignature->cert != NULL)
+ CERT_DestroyCertificate(request->optionalSignature->cert);
- /*
+ /*
* XXX Need to free derCerts? Or do they come out of arena?
* (Currently we never fill in derCerts, which is why the
* answer is not obvious. Once we do, add any necessary code
@@ -2308,10 +2310,9 @@ CERT_DestroyOCSPRequest(CERTOCSPRequest *request)
*/
PORT_Assert(request->arena != NULL);
if (request->arena != NULL)
- PORT_FreeArena(request->arena, PR_FALSE);
+ PORT_FreeArena(request->arena, PR_FALSE);
}
-
/*
* RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy):
*/
@@ -2326,17 +2327,17 @@ ocsp_ResponderIDTemplateByType(CERTOCSPResponderIDType responderIDType)
const SEC_ASN1Template *responderIDTemplate;
switch (responderIDType) {
- case ocspResponderID_byName:
- responderIDTemplate = ocsp_ResponderIDByNameTemplate;
- break;
- case ocspResponderID_byKey:
- responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
- break;
- case ocspResponderID_other:
- default:
- PORT_Assert(responderIDType == ocspResponderID_other);
- responderIDTemplate = ocsp_ResponderIDOtherTemplate;
- break;
+ case ocspResponderID_byName:
+ responderIDTemplate = ocsp_ResponderIDByNameTemplate;
+ break;
+ case ocspResponderID_byKey:
+ responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
+ break;
+ case ocspResponderID_other:
+ default:
+ PORT_Assert(responderIDType == ocspResponderID_other);
+ responderIDTemplate = ocsp_ResponderIDOtherTemplate;
+ break;
}
return responderIDTemplate;
@@ -2352,20 +2353,20 @@ ocsp_CertStatusTemplateByType(ocspCertStatusType certStatusType)
const SEC_ASN1Template *certStatusTemplate;
switch (certStatusType) {
- case ocspCertStatus_good:
- certStatusTemplate = ocsp_CertStatusGoodTemplate;
- break;
- case ocspCertStatus_revoked:
- certStatusTemplate = ocsp_CertStatusRevokedTemplate;
- break;
- case ocspCertStatus_unknown:
- certStatusTemplate = ocsp_CertStatusUnknownTemplate;
- break;
- case ocspCertStatus_other:
- default:
- PORT_Assert(certStatusType == ocspCertStatus_other);
- certStatusTemplate = ocsp_CertStatusOtherTemplate;
- break;
+ case ocspCertStatus_good:
+ certStatusTemplate = ocsp_CertStatusGoodTemplate;
+ break;
+ case ocspCertStatus_revoked:
+ certStatusTemplate = ocsp_CertStatusRevokedTemplate;
+ break;
+ case ocspCertStatus_unknown:
+ certStatusTemplate = ocsp_CertStatusUnknownTemplate;
+ break;
+ case ocspCertStatus_other:
+ default:
+ PORT_Assert(certStatusType == ocspCertStatus_other);
+ certStatusTemplate = ocsp_CertStatusOtherTemplate;
+ break;
}
return certStatusTemplate;
@@ -2381,18 +2382,18 @@ ocsp_CertStatusTypeByTag(int derTag)
ocspCertStatusType certStatusType;
switch (derTag) {
- case 0:
- certStatusType = ocspCertStatus_good;
- break;
- case 1:
- certStatusType = ocspCertStatus_revoked;
- break;
- case 2:
- certStatusType = ocspCertStatus_unknown;
- break;
- default:
- certStatusType = ocspCertStatus_other;
- break;
+ case 0:
+ certStatusType = ocspCertStatus_good;
+ break;
+ case 1:
+ certStatusType = ocspCertStatus_revoked;
+ break;
+ case 2:
+ certStatusType = ocspCertStatus_unknown;
+ break;
+ default:
+ certStatusType = ocspCertStatus_other;
+ break;
}
return certStatusType;
@@ -2407,7 +2408,7 @@ ocsp_CertStatusTypeByTag(int derTag)
*/
static SECStatus
ocsp_FinishDecodingSingleResponses(PLArenaPool *reqArena,
- CERTOCSPSingleResponse **responses)
+ CERTOCSPSingleResponse **responses)
{
ocspCertStatus *certStatus;
ocspCertStatusType certStatusType;
@@ -2421,39 +2422,39 @@ ocsp_FinishDecodingSingleResponses(PLArenaPool *reqArena,
return SECFailure;
}
- if (responses == NULL) /* nothing to do */
- return SECSuccess;
+ if (responses == NULL) /* nothing to do */
+ return SECSuccess;
for (i = 0; responses[i] != NULL; i++) {
- SECItem* newStatus;
- /*
+ SECItem *newStatus;
+ /*
* The following assert points out internal errors (problems in
* the template definitions or in the ASN.1 decoder itself, etc.).
*/
- PORT_Assert(responses[i]->derCertStatus.data != NULL);
+ PORT_Assert(responses[i]->derCertStatus.data != NULL);
- derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK;
- certStatusType = ocsp_CertStatusTypeByTag(derTag);
- certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType);
+ derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK;
+ certStatusType = ocsp_CertStatusTypeByTag(derTag);
+ certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType);
- certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus));
- if (certStatus == NULL) {
- goto loser;
- }
+ certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus));
+ if (certStatus == NULL) {
+ goto loser;
+ }
newStatus = SECITEM_ArenaDupItem(reqArena, &responses[i]->derCertStatus);
if (!newStatus) {
goto loser;
}
- rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate,
- newStatus);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
- }
+ rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate,
+ newStatus);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ goto loser;
+ }
- certStatus->certStatusType = certStatusType;
- responses[i]->certStatus = certStatus;
+ certStatus->certStatusType = certStatusType;
+ responses[i]->certStatus = certStatus;
}
return SECSuccess;
@@ -2472,15 +2473,15 @@ ocsp_ResponderIDTypeByTag(int derTag)
CERTOCSPResponderIDType responderIDType;
switch (derTag) {
- case 1:
- responderIDType = ocspResponderID_byName;
- break;
- case 2:
- responderIDType = ocspResponderID_byKey;
- break;
- default:
- responderIDType = ocspResponderID_other;
- break;
+ case 1:
+ responderIDType = ocspResponderID_byName;
+ break;
+ case 2:
+ responderIDType = ocspResponderID_byKey;
+ break;
+ default:
+ responderIDType = ocspResponderID_other;
+ break;
}
return responderIDType;
@@ -2506,22 +2507,22 @@ ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src)
basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse));
if (basicResponse == NULL) {
- goto loser;
+ goto loser;
}
/* copy the DER into the arena, since Quick DER returns data that points
into the DER input, which may get freed by the caller */
rv = SECITEM_CopyItem(arena, &newsrc, src);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, basicResponse,
- ocsp_BasicOCSPResponseTemplate, &newsrc);
+ ocsp_BasicOCSPResponseTemplate, &newsrc);
if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ goto loser;
}
responseData = basicResponse->tbsResponseData;
@@ -2543,15 +2544,15 @@ ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src)
responderID = PORT_ArenaZAlloc(arena, sizeof(ocspResponderID));
if (responderID == NULL) {
- goto loser;
+ goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, responderID, responderIDTemplate,
- &responseData->derResponderID);
+ &responseData->derResponderID);
if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ goto loser;
}
responderID->responderIDType = responderIDType;
@@ -2563,7 +2564,7 @@ ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src)
*/
rv = ocsp_FinishDecodingSingleResponses(arena, responseData->responses);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
PORT_ArenaUnmark(arena, mark);
@@ -2574,7 +2575,6 @@ loser:
return NULL;
}
-
/*
* Decode the responseBytes based on the responseType found in "rbytes",
* leaving the resulting translated/decoded information in there as well.
@@ -2583,38 +2583,35 @@ static SECStatus
ocsp_DecodeResponseBytes(PLArenaPool *arena, ocspResponseBytes *rbytes)
{
if (rbytes == NULL) {
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
+ return SECFailure;
}
rbytes->responseTypeTag = SECOID_FindOIDTag(&rbytes->responseType);
switch (rbytes->responseTypeTag) {
- case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
- {
- ocspBasicOCSPResponse *basicResponse;
+ case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: {
+ ocspBasicOCSPResponse *basicResponse;
- basicResponse = ocsp_DecodeBasicOCSPResponse(arena,
- &rbytes->response);
- if (basicResponse == NULL)
- return SECFailure;
+ basicResponse = ocsp_DecodeBasicOCSPResponse(arena,
+ &rbytes->response);
+ if (basicResponse == NULL)
+ return SECFailure;
- rbytes->decodedResponse.basic = basicResponse;
- }
- break;
+ rbytes->decodedResponse.basic = basicResponse;
+ } break;
- /*
+ /*
* Add new/future response types here.
*/
- default:
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
- return SECFailure;
+ default:
+ PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
+ return SECFailure;
}
return SECSuccess;
}
-
/*
* FUNCTION: CERT_DecodeOCSPResponse
* Decode a DER encoded OCSP Response.
@@ -2639,37 +2636,37 @@ CERT_DecodeOCSPResponse(const SECItem *src)
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
- goto loser;
+ goto loser;
}
- response = (CERTOCSPResponse *) PORT_ArenaZAlloc(arena,
- sizeof(CERTOCSPResponse));
+ response = (CERTOCSPResponse *)PORT_ArenaZAlloc(arena,
+ sizeof(CERTOCSPResponse));
if (response == NULL) {
- goto loser;
+ goto loser;
}
response->arena = arena;
/* copy the DER into the arena, since Quick DER returns data that points
into the DER input, which may get freed by the caller */
rv = SECITEM_CopyItem(arena, &newSrc, src);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, response, ocsp_OCSPResponseTemplate, &newSrc);
if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto loser;
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ goto loser;
}
- sv = (ocspResponseStatus) DER_GetInteger(&response->responseStatus);
+ sv = (ocspResponseStatus)DER_GetInteger(&response->responseStatus);
response->statusValue = sv;
if (sv != ocspResponse_successful) {
- /*
+ /*
* If the response status is anything but successful, then we
* are all done with decoding; the status is all there is.
*/
- return response;
+ return response;
}
/*
@@ -2678,14 +2675,14 @@ CERT_DecodeOCSPResponse(const SECItem *src)
*/
rv = ocsp_DecodeResponseBytes(arena, response->responseBytes);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
return response;
loser:
if (arena != NULL) {
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
}
return NULL;
}
@@ -2711,7 +2708,7 @@ loser:
*
* FUNCTION: ocsp_GetResponseData
* Returns ocspResponseData structure and a pointer to tbs response
- * data DER from a valid ocsp response.
+ * data DER from a valid ocsp response.
* INPUTS:
* CERTOCSPResponse *response
* structure of a valid ocsp response
@@ -2729,8 +2726,8 @@ ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER)
PORT_Assert(response->responseBytes != NULL);
- PORT_Assert(response->responseBytes->responseTypeTag
- == SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+ PORT_Assert(response->responseBytes->responseTypeTag ==
+ SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
basic = response->responseBytes->decodedResponse.basic;
PORT_Assert(basic != NULL);
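Review bot: The preconditions in ocsp_GetResponseData are enforced only with `PORT_Assert`, which is normally compiled out of non-debug builds, so a response whose `responseBytes` is NULL or not a basic response would be dereferenced on the `basic = ...` line. The sibling ocsp_GetResponseSignature (next hunk) uses runtime checks for the same conditions. Either add matching checks, e.g. `if (response->responseBytes == NULL || response->responseBytes->responseTypeTag != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) return NULL;`, or state in the header comment that callers must pass only a response with a successful status and a decoded basic body. The function starts and ends outside this hunk, so whether callers tolerate a NULL return needs checking.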
@@ -2761,8 +2758,8 @@ ocsp_GetResponseSignature(CERTOCSPResponse *response)
if (NULL == response->responseBytes) {
return NULL;
}
- if (response->responseBytes->responseTypeTag
- != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) {
+ if (response->responseBytes->responseTypeTag !=
+ SEC_OID_PKIX_OCSP_BASIC_RESPONSE) {
return NULL;
}
basic = response->responseBytes->decodedResponse.basic;
@@ -2771,7 +2768,6 @@ ocsp_GetResponseSignature(CERTOCSPResponse *response)
return &(basic->responseSignature);
}
-
/*
* FUNCTION: CERT_DestroyOCSPResponse
* Frees an OCSP Response structure.
@@ -2785,28 +2781,26 @@ void
CERT_DestroyOCSPResponse(CERTOCSPResponse *response)
{
if (response != NULL) {
- ocspSignature *signature = ocsp_GetResponseSignature(response);
- if (signature && signature->cert != NULL)
- CERT_DestroyCertificate(signature->cert);
+ ocspSignature *signature = ocsp_GetResponseSignature(response);
+ if (signature && signature->cert != NULL)
+ CERT_DestroyCertificate(signature->cert);
- /*
+ /*
* We should actually never have a response without an arena,
* but check just in case. (If there isn't one, there is not
* much we can do about it...)
*/
- PORT_Assert(response->arena != NULL);
- if (response->arena != NULL) {
- PORT_FreeArena(response->arena, PR_FALSE);
- }
+ PORT_Assert(response->arena != NULL);
+ if (response->arena != NULL) {
+ PORT_FreeArena(response->arena, PR_FALSE);
+ }
}
}
-
/*
* OVERALL OCSP CLIENT SUPPORT (make and send a request, verify a response):
*/
-
/*
* Pick apart a URL, saving the important things in the passed-in pointers.
*
@@ -2822,7 +2816,7 @@ CERT_DestroyOCSPResponse(CERTOCSPResponse *response)
static SECStatus
ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
{
- unsigned short port = 80; /* default, in case not in url */
+ unsigned short port = 80; /* default, in case not in url */
char *hostname = NULL;
char *path = NULL;
const char *save;
@@ -2830,25 +2824,25 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
int len;
if (url == NULL)
- goto loser;
+ goto loser;
/*
* Skip beginning whitespace.
*/
c = *url;
while ((c == ' ' || c == '\t') && c != '\0') {
- url++;
- c = *url;
+ url++;
+ c = *url;
}
if (c == '\0')
- goto loser;
+ goto loser;
/*
* Confirm, then skip, protocol. (Since we only know how to do http,
* that is all we will accept).
*/
if (PORT_Strncasecmp(url, "http://", 7) != 0)
- goto loser;
+ goto loser;
url += 7;
/*
@@ -2866,13 +2860,13 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
save = url;
c = *url;
while (c != '/' && c != ':' && c != '\0' && c != ' ' && c != '\t') {
- url++;
- c = *url;
+ url++;
+ c = *url;
}
len = url - save;
hostname = PORT_Alloc(len + 1);
if (hostname == NULL)
- goto loser;
+ goto loser;
PORT_Memcpy(hostname, save, len);
hostname[len] = '\0';
@@ -2881,15 +2875,15 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
* If so, we need to parse it (as a number) and skip it.
*/
if (c == ':') {
- url++;
- port = (unsigned short) PORT_Atoi(url);
- c = *url;
- while (c != '/' && c != '\0' && c != ' ' && c != '\t') {
- if (c < '0' || c > '9')
- goto loser;
- url++;
- c = *url;
- }
+ url++;
+ port = (unsigned short)PORT_Atoi(url);
+ c = *url;
+ while (c != '/' && c != '\0' && c != ' ' && c != '\t') {
+ if (c < '0' || c > '9')
+ goto loser;
+ url++;
+ c = *url;
+ }
}
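Review bot: The port is converted with `port = (unsigned short)PORT_Atoi(url);` before any range check, so a value above 65535 is silently truncated to a different port, and an empty port (`host:/path`) yields 0. The digit loop that follows validates characters only, not magnitude. I would parse into a wider local and reject out-of-range values after the loop, e.g. `int p = PORT_Atoi(url);` and then `if (p < 1 || p > 65535) goto loser; port = (unsigned short)p;`. A very long digit string can still overflow the conversion itself, so capping the number of digits accepted in the loop is worth adding. ocsp_ParseURL begins and ends outside this hunk.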
/*
@@ -2897,21 +2891,21 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
* if nothing else -- but if there is not we provide one.
*/
if (c == '/') {
- save = url;
- while (c != '\0' && c != ' ' && c != '\t') {
- url++;
- c = *url;
- }
- len = url - save;
- path = PORT_Alloc(len + 1);
- if (path == NULL)
- goto loser;
- PORT_Memcpy(path, save, len);
- path[len] = '\0';
+ save = url;
+ while (c != '\0' && c != ' ' && c != '\t') {
+ url++;
+ c = *url;
+ }
+ len = url - save;
+ path = PORT_Alloc(len + 1);
+ if (path == NULL)
+ goto loser;
+ PORT_Memcpy(path, save, len);
+ path[len] = '\0';
} else {
- path = PORT_Strdup("/");
- if (path == NULL)
- goto loser;
+ path = PORT_Strdup("/");
+ if (path == NULL)
+ goto loser;
}
*pHostname = hostname;
@@ -2921,7 +2915,7 @@ ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
loser:
if (hostname != NULL)
- PORT_Free(hostname);
+ PORT_Free(hostname);
PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
return SECFailure;
}
@@ -2940,7 +2934,7 @@ ocsp_ConnectToHost(const char *host, PRUint16 port)
sock = PR_NewTCPSocket();
if (sock == NULL)
- goto loser;
+ goto loser;
/* XXX Some day need a way to set (and get?) the following value */
timeout = PR_SecondsToInterval(30);
@@ -2954,42 +2948,42 @@ ocsp_ConnectToHost(const char *host, PRUint16 port)
* valid numerical IP address from a hostname.
*/
if (PR_StringToNetAddr(host, &addr) != PR_SUCCESS) {
- PRIntn hostIndex;
- PRHostEnt hostEntry;
+ PRIntn hostIndex;
+ PRHostEnt hostEntry;
- netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE);
- if (netdbbuf == NULL)
- goto loser;
+ netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE);
+ if (netdbbuf == NULL)
+ goto loser;
- if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE,
- &hostEntry) != PR_SUCCESS)
- goto loser;
+ if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE,
+ &hostEntry) != PR_SUCCESS)
+ goto loser;
- hostIndex = 0;
- do {
- hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr);
- if (hostIndex <= 0)
- goto loser;
- } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS);
+ hostIndex = 0;
+ do {
+ hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr);
+ if (hostIndex <= 0)
+ goto loser;
+ } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS);
- PORT_Free(netdbbuf);
+ PORT_Free(netdbbuf);
} else {
- /*
+ /*
* First put the port into the address, then connect.
*/
- if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS)
- goto loser;
- if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS)
- goto loser;
+ if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS)
+ goto loser;
+ if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS)
+ goto loser;
}
return sock;
loser:
if (sock != NULL)
- PR_Close(sock);
+ PR_Close(sock);
if (netdbbuf != NULL)
- PORT_Free(netdbbuf);
+ PORT_Free(netdbbuf);
return NULL;
}
@@ -3024,14 +3018,14 @@ ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
*/
rv = ocsp_ParseURL(location, &hostname, &port, &path);
if (rv != SECSuccess)
- goto loser;
+ goto loser;
PORT_Assert(hostname != NULL);
PORT_Assert(path != NULL);
sock = ocsp_ConnectToHost(hostname, port);
if (sock == NULL)
- goto loser;
+ goto loser;
portstr[0] = '\0';
if (port != 80) {
@@ -3039,38 +3033,37 @@ ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
}
if (!encodedRequest) {
- header = PR_smprintf("GET %s HTTP/1.0\r\n"
- "Host: %s%s\r\n\r\n",
- path, hostname, portstr);
- if (header == NULL)
- goto loser;
-
- /*
- * The NSPR documentation promises that if it can, it will write the full
- * amount; this will not return a partial value expecting us to loop.
- */
- if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
- goto loser;
- }
- else {
- header = PR_smprintf("POST %s HTTP/1.0\r\n"
- "Host: %s%s\r\n"
- "Content-Type: application/ocsp-request\r\n"
- "Content-Length: %u\r\n\r\n",
- path, hostname, portstr, encodedRequest->len);
- if (header == NULL)
- goto loser;
-
- /*
- * The NSPR documentation promises that if it can, it will write the full
- * amount; this will not return a partial value expecting us to loop.
- */
- if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
- goto loser;
-
- if (PR_Write(sock, encodedRequest->data,
- (PRInt32) encodedRequest->len) < 0)
- goto loser;
+ header = PR_smprintf("GET %s HTTP/1.0\r\n"
+ "Host: %s%s\r\n\r\n",
+ path, hostname, portstr);
+ if (header == NULL)
+ goto loser;
+
+ /*
+ * The NSPR documentation promises that if it can, it will write the full
+ * amount; this will not return a partial value expecting us to loop.
+ */
+ if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0)
+ goto loser;
+ } else {
+ header = PR_smprintf("POST %s HTTP/1.0\r\n"
+ "Host: %s%s\r\n"
+ "Content-Type: application/ocsp-request\r\n"
+ "Content-Length: %u\r\n\r\n",
+ path, hostname, portstr, encodedRequest->len);
+ if (header == NULL)
+ goto loser;
+
+ /*
+ * The NSPR documentation promises that if it can, it will write the full
+ * amount; this will not return a partial value expecting us to loop.
+ */
+ if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0)
+ goto loser;
+
+ if (PR_Write(sock, encodedRequest->data,
+ (PRInt32)encodedRequest->len) < 0)
+ goto loser;
}
returnSock = sock;
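Review bot: `path` and `hostname` are formatted straight into the request line and the `Host:` header with `%s`, and the ocsp_ParseURL scans shown in the earlier hunks stop only at space, tab, `/`, `:` and NUL. A location string containing CR or LF would therefore add extra header lines to the request; the location may originate from certificate data, so it should be treated as untrusted. The simplest fix is in ocsp_ParseURL: fail on control characters inside both scan loops, e.g. `if ((unsigned char)c < 0x20 || c == 0x7f) goto loser;`. Separately, the header `PR_Write` call and its comment are duplicated in both branches and could be hoisted after the `if`/`else`. The function starts and ends outside this hunk.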
@@ -3078,13 +3071,13 @@ ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
loser:
if (header != NULL)
- PORT_Free(header);
+ PORT_Free(header);
if (sock != NULL)
- PR_Close(sock);
+ PR_Close(sock);
if (path != NULL)
- PORT_Free(path);
+ PORT_Free(path);
if (hostname != NULL)
- PORT_Free(hostname);
+ PORT_Free(hostname);
return returnSock;
}
@@ -3099,22 +3092,16 @@ ocsp_read(PRFileDesc *fd, char *buf, int toread, PRIntervalTime timeout)
{
int total = 0;
- while (total < toread)
- {
+ while (total < toread) {
PRInt32 got;
- got = PR_Recv(fd, buf + total, (PRInt32) (toread - total), 0, timeout);
- if (got < 0)
- {
- if (0 == total)
- {
+ got = PR_Recv(fd, buf + total, (PRInt32)(toread - total), 0, timeout);
+ if (got < 0) {
+ if (0 == total) {
total = -1; /* report the error if we didn't read anything yet */
}
break;
- }
- else
- if (got == 0)
- { /* EOS */
+ } else if (got == 0) { /* EOS */
break;
}
@@ -3126,14 +3113,13 @@ ocsp_read(PRFileDesc *fd, char *buf, int toread, PRIntervalTime timeout)
#define OCSP_BUFSIZE 1024
-#define AbortHttpDecode(error) \
-{ \
- if (inBuffer) \
+#define AbortHttpDecode(error) \
+ { \
+ if (inBuffer) \
PORT_Free(inBuffer); \
- PORT_SetError(error); \
- return NULL; \
-}
-
+ PORT_SetError(error); \
+ return NULL; \
+ }
/*
* Reads on the given socket and returns an encoded response when received.
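Review bot: `AbortHttpDecode` expands to a bare brace block, so `AbortHttpDecode(x);` leaves a stray empty statement and would break an unbraced `if ... else`. It also hides a `return NULL` and relies on a local named `inBuffer` being in scope at the call site. Wrapping the body in `do { ... } while (0)` and adding a one-line comment such as `/* frees inBuffer, sets the error and returns NULL from the calling function */` would make both hazards visible.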
@@ -3148,92 +3134,81 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock)
{
/* first read HTTP status line and headers */
- char* inBuffer = NULL;
+ char *inBuffer = NULL;
PRInt32 offset = 0;
PRInt32 inBufsize = 0;
- const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */
- const PRInt32 maxBufSize = 8 * bufSizeIncrement ; /* 8 KB max */
- const char* CRLF = "\r\n";
+ const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */
+ const PRInt32 maxBufSize = 8 * bufSizeIncrement; /* 8 KB max */
+ const char *CRLF = "\r\n";
const PRInt32 CRLFlen = strlen(CRLF);
- const char* headerEndMark = "\r\n\r\n";
+ const char *headerEndMark = "\r\n\r\n";
const PRInt32 markLen = strlen(headerEndMark);
const PRIntervalTime ocsptimeout =
PR_SecondsToInterval(30); /* hardcoded to 30s for now */
- char* headerEnd = NULL;
+ char *headerEnd = NULL;
PRBool EOS = PR_FALSE;
- const char* httpprotocol = "HTTP/";
+ const char *httpprotocol = "HTTP/";
const PRInt32 httplen = strlen(httpprotocol);
- const char* httpcode = NULL;
- const char* contenttype = NULL;
+ const char *httpcode = NULL;
+ const char *contenttype = NULL;
PRInt32 contentlength = 0;
PRInt32 bytesRead = 0;
- char* statusLineEnd = NULL;
- char* space = NULL;
- char* nextHeader = NULL;
- SECItem* result = NULL;
+ char *statusLineEnd = NULL;
+ char *space = NULL;
+ char *nextHeader = NULL;
+ SECItem *result = NULL;
/* read up to at least the end of the HTTP headers */
- do
- {
+ do {
inBufsize += bufSizeIncrement;
- inBuffer = PORT_Realloc(inBuffer, inBufsize+1);
- if (NULL == inBuffer)
- {
+ inBuffer = PORT_Realloc(inBuffer, inBufsize + 1);
+ if (NULL == inBuffer) {
AbortHttpDecode(SEC_ERROR_NO_MEMORY);
}
bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement,
- ocsptimeout);
- if (bytesRead > 0)
- {
- PRInt32 searchOffset = (offset - markLen) >0 ? offset-markLen : 0;
+ ocsptimeout);
+ if (bytesRead > 0) {
+ PRInt32 searchOffset = (offset - markLen) > 0 ? offset - markLen : 0;
offset += bytesRead;
*(inBuffer + offset) = '\0'; /* NULL termination */
- headerEnd = strstr((const char*)inBuffer + searchOffset, headerEndMark);
- if (bytesRead < bufSizeIncrement)
- {
+ headerEnd = strstr((const char *)inBuffer + searchOffset, headerEndMark);
+ if (bytesRead < bufSizeIncrement) {
/* we read less data than requested, therefore we are at
EOS or there was a read error */
EOS = PR_TRUE;
}
- }
- else
- {
+ } else {
/* recv error or EOS */
EOS = PR_TRUE;
}
- } while ( (!headerEnd) && (PR_FALSE == EOS) &&
- (inBufsize < maxBufSize) );
+ } while ((!headerEnd) && (PR_FALSE == EOS) &&
+ (inBufsize < maxBufSize));
- if (!headerEnd)
- {
+ if (!headerEnd) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
/* parse the HTTP status line */
- statusLineEnd = strstr((const char*)inBuffer, CRLF);
- if (!statusLineEnd)
- {
+ statusLineEnd = strstr((const char *)inBuffer, CRLF);
+ if (!statusLineEnd) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
*statusLineEnd = '\0';
/* check for HTTP/ response */
- space = strchr((const char*)inBuffer, ' ');
- if (!space || PORT_Strncasecmp((const char*)inBuffer, httpprotocol, httplen) != 0 )
- {
+ space = strchr((const char *)inBuffer, ' ');
+ if (!space || PORT_Strncasecmp((const char *)inBuffer, httpprotocol, httplen) != 0) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
/* check the HTTP status code of 200 */
- httpcode = space +1;
+ httpcode = space + 1;
space = strchr(httpcode, ' ');
- if (!space)
- {
+ if (!space) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
*space = 0;
- if (0 != strcmp(httpcode, "200"))
- {
+ if (0 != strcmp(httpcode, "200")) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
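Review bot: `inBuffer = PORT_Realloc(inBuffer, inBufsize + 1);` overwrites the only pointer to the buffer, so on allocation failure the previous block is leaked and `AbortHttpDecode` has nothing to free (assuming PORT_Realloc keeps realloc semantics and leaves the old block intact on failure). Use a temporary: `char *tmp = PORT_Realloc(inBuffer, inBufsize + 1);` then `if (NULL == tmp) { AbortHttpDecode(SEC_ERROR_NO_MEMORY); }` and `inBuffer = tmp;`. The same pattern is repeated in the body-read loop in the `@@ -3263` hunk. The function continues outside this hunk.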
@@ -3243,14 +3218,12 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock)
nextHeader = statusLineEnd + CRLFlen;
*headerEnd = '\0'; /* terminate */
- do
- {
- char* thisHeaderEnd = NULL;
- char* value = NULL;
- char* colon = strchr(nextHeader, ':');
-
- if (!colon)
- {
+ do {
+ char *thisHeaderEnd = NULL;
+ char *value = NULL;
+ char *colon = strchr(nextHeader, ':');
+
+ if (!colon) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
@@ -3263,90 +3236,71 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock)
and should not be an issue, but it could become one in the
future */
- if (*value != ' ')
- {
+ if (*value != ' ') {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
value++;
- thisHeaderEnd = strstr(value, CRLF);
- if (thisHeaderEnd )
- {
- *thisHeaderEnd = '\0';
+ thisHeaderEnd = strstr(value, CRLF);
+ if (thisHeaderEnd) {
+ *thisHeaderEnd = '\0';
}
- if (0 == PORT_Strcasecmp(nextHeader, "content-type"))
- {
+ if (0 == PORT_Strcasecmp(nextHeader, "content-type")) {
contenttype = value;
- }
- else
- if (0 == PORT_Strcasecmp(nextHeader, "content-length"))
- {
+ } else if (0 == PORT_Strcasecmp(nextHeader, "content-length")) {
contentlength = atoi(value);
}
- if (thisHeaderEnd )
- {
+ if (thisHeaderEnd) {
nextHeader = thisHeaderEnd + CRLFlen;
- }
- else
- {
+ } else {
nextHeader = NULL;
}
- } while (nextHeader && (nextHeader < (headerEnd + CRLFlen) ) );
+ } while (nextHeader && (nextHeader < (headerEnd + CRLFlen)));
/* check content-type */
if (!contenttype ||
- (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response")) )
- {
+ (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response"))) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
/* read the body of the OCSP response */
- offset = offset - (PRInt32) (headerEnd - (const char*)inBuffer) - markLen;
- if (offset)
- {
+ offset = offset - (PRInt32)(headerEnd - (const char *)inBuffer) - markLen;
+ if (offset) {
/* move all data to the beginning of the buffer */
PORT_Memmove(inBuffer, headerEnd + markLen, offset);
}
/* resize buffer to only what's needed to hold the current response */
- inBufsize = (1 + (offset-1) / bufSizeIncrement ) * bufSizeIncrement ;
+ inBufsize = (1 + (offset - 1) / bufSizeIncrement) * bufSizeIncrement;
- while ( (PR_FALSE == EOS) &&
- ( (contentlength == 0) || (offset < contentlength) ) &&
- (inBufsize < maxBufSize)
- )
- {
+ while ((PR_FALSE == EOS) &&
+ ((contentlength == 0) || (offset < contentlength)) &&
+ (inBufsize < maxBufSize)) {
/* we still need to receive more body data */
inBufsize += bufSizeIncrement;
- inBuffer = PORT_Realloc(inBuffer, inBufsize+1);
- if (NULL == inBuffer)
- {
+ inBuffer = PORT_Realloc(inBuffer, inBufsize + 1);
+ if (NULL == inBuffer) {
AbortHttpDecode(SEC_ERROR_NO_MEMORY);
}
bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement,
ocsptimeout);
- if (bytesRead > 0)
- {
+ if (bytesRead > 0) {
offset += bytesRead;
- if (bytesRead < bufSizeIncrement)
- {
+ if (bytesRead < bufSizeIncrement) {
/* we read less data than requested, therefore we are at
EOS or there was a read error */
EOS = PR_TRUE;
}
- }
- else
- {
+ } else {
/* recv error or EOS */
EOS = PR_TRUE;
}
}
- if (0 == offset)
- {
+ if (0 == offset) {
AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
}
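Review bot: `contentlength = atoi(value);` takes a server-controlled header with no error detection, so non-numeric text, negative numbers and out-of-range values are all accepted silently. A result of 0 is then treated as "length unknown" by the read loop. After the loop, `offset` is never compared with `contentlength`, so a body cut short by EOS or by the 8 KB cap is returned as if it were complete. I would parse with `strtol(value, &end, 10)` and abort with `SEC_ERROR_OCSP_BAD_HTTP_RESPONSE` when `end == value` or the value is negative or exceeds the PRInt32 range. Also consider failing when `contentlength > 0 && offset < contentlength` once the loop ends. The function starts and ends outside this hunk.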
@@ -3354,14 +3308,13 @@ ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock)
* Now allocate the item to hold the data.
*/
result = SECITEM_AllocItem(arena, NULL, offset);
- if (NULL == result)
- {
+ if (NULL == result) {
AbortHttpDecode(SEC_ERROR_NO_MEMORY);
}
/*
* And copy the data left in the buffer.
- */
+ */
PORT_Memcpy(result->data, inBuffer, offset);
/* and free the temporary buffer */
@@ -3378,7 +3331,7 @@ CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
/*
* Limit the size of http responses we are willing to accept.
*/
-#define MAX_WANTED_OCSP_RESPONSE_LEN 64*1024
+#define MAX_WANTED_OCSP_RESPONSE_LEN 64 * 1024
/* if (encodedRequest == NULL)
* then location MUST already include the full request,
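Review bot: `#define MAX_WANTED_OCSP_RESPONSE_LEN 64 * 1024` is left unparenthesized by the reformat, so any use next to a higher-precedence operator (a cast, `/`, `%`, unary minus) binds to `64` alone. Writing it as `#define MAX_WANTED_OCSP_RESPONSE_LEN (64 * 1024)` removes the hazard. The uses of the macro are outside this hunk, so whether any current expression is affected is not visible here.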
@@ -3388,9 +3341,9 @@ CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
* then the request will be sent with POST
*/
static SECItem *
-fetchOcspHttpClientV1(PLArenaPool *arena,
- const SEC_HttpClientFcnV1 *hcv1,
- const char *location,
+fetchOcspHttpClientV1(PLArenaPool *arena,
+ const SEC_HttpClientFcnV1 *hcv1,
+ const char *location,
const SECItem *encodedRequest)
{
char *hostname = NULL;
@@ -3407,13 +3360,13 @@ fetchOcspHttpClientV1(PLArenaPool *arena,
PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
goto loser;
}
-
+
PORT_Assert(hostname != NULL);
PORT_Assert(path != NULL);
if ((*hcv1->createSessionFcn)(
- hostname,
- port,
+ hostname,
+ port,
&pServerSession) != SECSuccess) {
PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
goto loser;
@@ -3439,8 +3392,8 @@ fetchOcspHttpClientV1(PLArenaPool *arena,
if (encodedRequest &&
(*hcv1->setPostDataFcn)(
- pRequestSession,
- (char*)encodedRequest->data,
+ pRequestSession,
+ (char *)encodedRequest->data,
encodedRequest->len,
"application/ocsp-request") != SECSuccess) {
PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
@@ -3453,7 +3406,7 @@ fetchOcspHttpClientV1(PLArenaPool *arena,
OCSP_TRACE(("OCSP trySendAndReceive %s\n", location));
if ((*hcv1->trySendAndReceiveFcn)(
- pRequestSession,
+ pRequestSession,
NULL,
&myHttpResponseCode,
NULL,
@@ -3481,15 +3434,15 @@ fetchOcspHttpClientV1(PLArenaPool *arena,
PORT_Memcpy(encodedResponse->data, myHttpResponseData, myHttpResponseDataLen);
loser:
- if (pRequestSession != NULL)
+ if (pRequestSession != NULL)
(*hcv1->freeFcn)(pRequestSession);
if (pServerSession != NULL)
(*hcv1->freeSessionFcn)(pServerSession);
if (path != NULL)
- PORT_Free(path);
+ PORT_Free(path);
if (hostname != NULL)
- PORT_Free(hostname);
-
+ PORT_Free(hostname);
+
return encodedResponse;
}
@@ -3518,7 +3471,7 @@ loser:
* Additionals methods for http or other protocols might be added
* in the future.
* PRTime time
- * Indicates the time for which the certificate status is to be
+ * Indicates the time for which the certificate status is to be
* determined -- this may be used in the search for the cert's issuer
* but has no other bearing on the operation.
* PRBool addServiceLocator
@@ -3546,10 +3499,10 @@ loser:
*/
SECItem *
CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList,
- const char *location, const char *method,
- PRTime time, PRBool addServiceLocator,
- CERTCertificate *signerCert, void *pwArg,
- CERTOCSPRequest **pRequest)
+ const char *location, const char *method,
+ PRTime time, PRBool addServiceLocator,
+ CERTCertificate *signerCert, void *pwArg,
+ CERTOCSPRequest **pRequest)
{
CERTOCSPRequest *request;
request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
@@ -3571,25 +3524,25 @@ CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList,
*/
SECItem *
CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
- const char *location, PRTime time,
- PRBool addServiceLocator,
- CERTCertificate *signerCert, void *pwArg,
- CERTOCSPRequest **pRequest)
+ const char *location, PRTime time,
+ PRBool addServiceLocator,
+ CERTCertificate *signerCert, void *pwArg,
+ CERTOCSPRequest **pRequest)
{
return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location,
- "POST", time, addServiceLocator,
- signerCert, pwArg, pRequest);
+ "POST", time, addServiceLocator,
+ signerCert, pwArg, pRequest);
}
/* URL encode a buffer that consists of base64-characters, only,
* which means we can use a simple encoding logic.
- *
+ *
* No output buffer size checking is performed.
* You should call the function twice, to calculate the required buffer size.
- *
- * If the outpufBuf parameter is NULL, the function will calculate the
+ *
+ * If the outpufBuf parameter is NULL, the function will calculate the
* required size, including the trailing zero termination char.
- *
+ *
* The function returns the number of bytes calculated or produced.
*/
size_t
@@ -3598,44 +3551,44 @@ ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf)
const char *walkInput = NULL;
char *walkOutput = outputBuf;
size_t count = 0;
-
- for (walkInput=base64Buf; *walkInput; ++walkInput) {
- char c = *walkInput;
- if (isspace(c))
- continue;
- switch (c) {
- case '+':
- if (outputBuf) {
- strcpy(walkOutput, "%2B");
- walkOutput += 3;
- }
- count += 3;
- break;
- case '/':
- if (outputBuf) {
- strcpy(walkOutput, "%2F");
- walkOutput += 3;
- }
- count += 3;
- break;
- case '=':
- if (outputBuf) {
- strcpy(walkOutput, "%3D");
- walkOutput += 3;
- }
- count += 3;
- break;
- default:
- if (outputBuf) {
- *walkOutput = *walkInput;
- ++walkOutput;
- }
- ++count;
- break;
- }
+
+ for (walkInput = base64Buf; *walkInput; ++walkInput) {
+ char c = *walkInput;
+ if (isspace(c))
+ continue;
+ switch (c) {
+ case '+':
+ if (outputBuf) {
+ strcpy(walkOutput, "%2B");
+ walkOutput += 3;
+ }
+ count += 3;
+ break;
+ case '/':
+ if (outputBuf) {
+ strcpy(walkOutput, "%2F");
+ walkOutput += 3;
+ }
+ count += 3;
+ break;
+ case '=':
+ if (outputBuf) {
+ strcpy(walkOutput, "%3D");
+ walkOutput += 3;
+ }
+ count += 3;
+ break;
+ default:
+ if (outputBuf) {
+ *walkOutput = *walkInput;
+ ++walkOutput;
+ }
+ ++count;
+ break;
+ }
}
if (outputBuf) {
- *walkOutput = 0;
+ *walkOutput = 0;
}
++count;
return count;
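Review bot: `isspace(c)` is called with a plain `char`, which is undefined behaviour for negative values on platforms where `char` is signed; it should be `isspace((unsigned char)c)`. The input is expected to be base64 text, but nothing in this function enforces that. The output side writes with `strcpy` and no bound, relying entirely on the two-pass sizing convention described in the comment above. That contract would be easier to keep if the comment named the sizing call explicitly (pass NULL as `outputBuf` first and allocate the returned count).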
@@ -3644,15 +3597,15 @@ ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf)
enum { max_get_request_size = 255 }; /* defined by RFC2560 */
static SECItem *
-cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
+cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest);
static SECItem *
ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
CERTOCSPRequest *request,
const char *location,
- const char *method,
- PRTime time,
+ const char *method,
+ PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest)
@@ -3665,44 +3618,42 @@ ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
goto loser;
rv = CERT_AddOCSPAcceptableResponses(request,
- SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+ SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
if (rv != SECSuccess)
- goto loser;
+ goto loser;
encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
if (encodedRequest == NULL)
- goto loser;
+ goto loser;
if (!strcmp(method, "GET")) {
encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest);
- }
- else if (!strcmp(method, "POST")) {
+ } else if (!strcmp(method, "POST")) {
encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
- }
- else {
- goto loser;
+ } else {
+ goto loser;
}
if (encodedResponse != NULL && pRequest != NULL) {
- *pRequest = request;
- request = NULL; /* avoid destroying below */
+ *pRequest = request;
+ request = NULL; /* avoid destroying below */
}
loser:
if (request != NULL)
- CERT_DestroyOCSPRequest(request);
+ CERT_DestroyOCSPRequest(request);
if (encodedRequest != NULL)
- SECITEM_FreeItem(encodedRequest, PR_TRUE);
+ SECITEM_FreeItem(encodedRequest, PR_TRUE);
return encodedResponse;
}
static SECItem *
-cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
+cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest);
/* using HTTP GET method */
static SECItem *
-cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
+cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest)
{
char *walkOutput = NULL;
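Review bot: In ocsp_GetEncodedOCSPResponseFromRequest the final `else { goto loser; }` for an unrecognised `method` returns NULL without calling `PORT_SetError`, so the caller sees whatever stale error code was set earlier. I would add `PORT_SetError(SEC_ERROR_INVALID_ARGS);` before the `goto`. `method` is also passed to `strcmp` without a NULL check, and it arrives unchanged from the public CERT_GetEncodedOCSPResponseByMethod, so a NULL check with the same error belongs at the top. The function's opening lines are in the previous hunk and are only partly visible.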
@@ -3710,49 +3661,49 @@ cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
size_t pathLength;
PRInt32 urlEncodedBufLength;
size_t base64size;
- char b64ReqBuf[max_get_request_size+1];
+ char b64ReqBuf[max_get_request_size + 1];
size_t slashLengthIfNeeded = 0;
size_t getURLLength;
SECItem *item;
if (!location || !*location) {
- return NULL;
+ return NULL;
}
-
+
pathLength = strlen(location);
- if (location[pathLength-1] != '/') {
- slashLengthIfNeeded = 1;
+ if (location[pathLength - 1] != '/') {
+ slashLengthIfNeeded = 1;
}
-
+
/* Calculation as documented by PL_Base64Encode function.
* Use integer conversion to avoid having to use function ceil().
*/
- base64size = (((encodedRequest->len +2)/3) * 4);
+ base64size = (((encodedRequest->len + 2) / 3) * 4);
if (base64size > max_get_request_size) {
- return NULL;
+ return NULL;
}
memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
- PL_Base64Encode((const char*)encodedRequest->data, encodedRequest->len,
- b64ReqBuf);
+ PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len,
+ b64ReqBuf);
urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
-
+
/* urlEncodedBufLength already contains room for the zero terminator.
* Add another if we must add the '/' char.
*/
if (arena) {
- fullGetPath = (char*)PORT_ArenaAlloc(arena, getURLLength);
+ fullGetPath = (char *)PORT_ArenaAlloc(arena, getURLLength);
} else {
- fullGetPath = (char*)PORT_Alloc(getURLLength);
+ fullGetPath = (char *)PORT_Alloc(getURLLength);
}
if (!fullGetPath) {
- return NULL;
+ return NULL;
}
-
+
strcpy(fullGetPath, location);
walkOutput = fullGetPath + pathLength;
-
+
if (walkOutput > fullGetPath && slashLengthIfNeeded) {
strcpy(walkOutput, "/");
++walkOutput;
@@ -3761,20 +3712,20 @@ cert_GetOCSPResponse(PLArenaPool *arena, const char *location,
item = cert_FetchOCSPResponse(arena, fullGetPath, NULL);
if (!arena) {
- PORT_Free(fullGetPath);
+ PORT_Free(fullGetPath);
}
return item;
}
SECItem *
-CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
+CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest)
{
return cert_FetchOCSPResponse(arena, location, encodedRequest);
}
SECItem *
-cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
+cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
const SECItem *encodedRequest)
{
const SEC_HttpClientFcn *registeredHttpClient;
@@ -3784,10 +3735,10 @@ cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
if (registeredHttpClient && registeredHttpClient->version == 1) {
encodedResponse = fetchOcspHttpClientV1(
- arena,
- &registeredHttpClient->fcnTable.ftable1,
- location,
- encodedRequest);
+ arena,
+ &registeredHttpClient->fcnTable.ftable1,
+ location,
+ encodedRequest);
} else {
/* use internal http client */
PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest);
@@ -3801,18 +3752,18 @@ cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,
}
static SECItem *
-ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena,
- CERTOCSPCertID *certID,
- CERTCertificate *singleCert,
+ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena,
+ CERTOCSPCertID *certID,
+ CERTCertificate *singleCert,
const char *location,
- const char *method,
- PRTime time,
+ const char *method,
+ PRTime time,
PRBool addServiceLocator,
void *pwArg,
CERTOCSPRequest **pRequest)
{
CERTOCSPRequest *request;
- request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time,
+ request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time,
addServiceLocator, NULL);
if (!request)
return NULL;
@@ -3833,29 +3784,28 @@ ocsp_CertIsOCSPDesignatedResponder(CERTCertificate *cert)
PRBool retval;
CERTOidSequence *oidSeq = NULL;
-
extItem.data = NULL;
rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
- if ( rv != SECSuccess ) {
- goto loser;
+ if (rv != SECSuccess) {
+ goto loser;
}
oidSeq = CERT_DecodeOidSequence(&extItem);
- if ( oidSeq == NULL ) {
- goto loser;
+ if (oidSeq == NULL) {
+ goto loser;
}
oids = oidSeq->oids;
- while ( *oids != NULL ) {
- oid = *oids;
-
- oidTag = SECOID_FindOIDTag(oid);
-
- if ( oidTag == SEC_OID_OCSP_RESPONDER ) {
- goto success;
- }
-
- oids++;
+ while (*oids != NULL) {
+ oid = *oids;
+
+ oidTag = SECOID_FindOIDTag(oid);
+
+ if (oidTag == SEC_OID_OCSP_RESPONDER) {
+ goto success;
+ }
+
+ oids++;
}
loser:
@@ -3865,42 +3815,41 @@ loser:
success:
retval = PR_TRUE;
done:
- if ( extItem.data != NULL ) {
- PORT_Free(extItem.data);
+ if (extItem.data != NULL) {
+ PORT_Free(extItem.data);
}
- if ( oidSeq != NULL ) {
- CERT_DestroyOidSequence(oidSeq);
+ if (oidSeq != NULL) {
+ CERT_DestroyOidSequence(oidSeq);
}
-
- return(retval);
-}
+ return (retval);
+}
-#ifdef LATER /*
- * XXX This function is not currently used, but will
- * be needed later when we do revocation checking of
- * the responder certificate. Of course, it may need
- * revising then, if the cert extension interface has
- * changed. (Hopefully it will!)
- */
+#ifdef LATER /* \
+ * XXX This function is not currently used, but will \
+ * be needed later when we do revocation checking of \
+ * the responder certificate. Of course, it may need \
+ * revising then, if the cert extension interface has \
+ * changed. (Hopefully it will!) \
+ */
/* Checks a certificate to see if it has the OCSP no check extension. */
static PRBool
ocsp_CertHasNoCheckExtension(CERTCertificate *cert)
{
SECStatus rv;
-
- rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK,
- NULL);
+
+ rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK,
+ NULL);
if (rv == SECSuccess) {
- return PR_TRUE;
+ return PR_TRUE;
}
return PR_FALSE;
}
-#endif /* LATER */
+#endif /* LATER */
static PRBool
-ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
+ocsp_matchcert(SECItem *certIndex, CERTCertificate *testCert)
{
SECItem item;
unsigned char buf[HASH_LENGTH_MAX];
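Review bot: The block comment that starts on the `#ifdef LATER` line now ends every line with a backslash, which looks like a formatter artefact from treating a comment on a directive line as part of the directive. The splices are not needed, since the removed lines show the same comment spanning lines without them. Putting the comment on its own lines above a bare `#ifdef LATER` keeps the text readable and leaves the formatter nothing to continue. The same pattern appears on the `OCSP_SLOP` definition in the hunk at `@@ -4575,19 +4521,19 @@`, where the trailing comment could move above the `#define`.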
@@ -3908,33 +3857,33 @@ ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
item.data = buf;
item.len = SHA1_LENGTH;
- if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_SHA1,
- &item) == NULL) {
- return PR_FALSE;
+ if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_SHA1,
+ &item) == NULL) {
+ return PR_FALSE;
}
- if (SECITEM_ItemsAreEqual(certIndex,&item)) {
- return PR_TRUE;
+ if (SECITEM_ItemsAreEqual(certIndex, &item)) {
+ return PR_TRUE;
}
- if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD5,
- &item) == NULL) {
- return PR_FALSE;
+ if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_MD5,
+ &item) == NULL) {
+ return PR_FALSE;
}
- if (SECITEM_ItemsAreEqual(certIndex,&item)) {
- return PR_TRUE;
+ if (SECITEM_ItemsAreEqual(certIndex, &item)) {
+ return PR_TRUE;
}
- if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD2,
- &item) == NULL) {
- return PR_FALSE;
+ if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_MD2,
+ &item) == NULL) {
+ return PR_FALSE;
}
- if (SECITEM_ItemsAreEqual(certIndex,&item)) {
- return PR_TRUE;
+ if (SECITEM_ItemsAreEqual(certIndex, &item)) {
+ return PR_TRUE;
}
return PR_FALSE;
}
static CERTCertificate *
-ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle,CERTOCSPCertID *certID);
+ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, CERTOCSPCertID *certID);
CERTCertificate *
ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
@@ -3949,19 +3898,19 @@ ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
PORT_Assert(tbsData->responderID != NULL);
switch (tbsData->responderID->responderIDType) {
- case ocspResponderID_byName:
- lookupByName = PR_TRUE;
- certIndex = &tbsData->derResponderID;
- break;
- case ocspResponderID_byKey:
- lookupByName = PR_FALSE;
- certIndex = &tbsData->responderID->responderIDValue.keyHash;
- break;
- case ocspResponderID_other:
- default:
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- return NULL;
+ case ocspResponderID_byName:
+ lookupByName = PR_TRUE;
+ certIndex = &tbsData->derResponderID;
+ break;
+ case ocspResponderID_byKey:
+ lookupByName = PR_FALSE;
+ certIndex = &tbsData->responderID->responderIDValue.keyHash;
+ break;
+ case ocspResponderID_other:
+ default:
+ PORT_Assert(0);
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ return NULL;
}
/*
@@ -3972,14 +3921,14 @@ ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
* to be destroyed.
*/
if (signature->derCerts != NULL) {
- for (; signature->derCerts[certCount] != NULL; certCount++) {
- /* just counting */
- }
- rv = CERT_ImportCerts(handle, certUsageStatusResponder, certCount,
- signature->derCerts, &certs,
- PR_FALSE, PR_FALSE, NULL);
- if (rv != SECSuccess)
- goto finish;
+ for (; signature->derCerts[certCount] != NULL; certCount++) {
+ /* just counting */
+ }
+ rv = CERT_ImportCerts(handle, certUsageStatusResponder, certCount,
+ signature->derCerts, &certs,
+ PR_FALSE, PR_FALSE, NULL);
+ if (rv != SECSuccess)
+ goto finish;
}
/*
@@ -3987,51 +3936,51 @@ ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
* The signer can be specified either by name or by key hash.
*/
if (lookupByName) {
- SECItem *crIndex = (SECItem*)certIndex;
- SECItem encodedName;
- PLArenaPool *arena;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena != NULL) {
-
- rv = SEC_QuickDERDecodeItem(arena, &encodedName,
- ocsp_ResponderIDDerNameTemplate,
- crIndex);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- } else {
- signerCert = CERT_FindCertByName(handle, &encodedName);
- }
- PORT_FreeArena(arena, PR_FALSE);
- }
+ SECItem *crIndex = (SECItem *)certIndex;
+ SECItem encodedName;
+ PLArenaPool *arena;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena != NULL) {
+
+ rv = SEC_QuickDERDecodeItem(arena, &encodedName,
+ ocsp_ResponderIDDerNameTemplate,
+ crIndex);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_BAD_DER)
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ } else {
+ signerCert = CERT_FindCertByName(handle, &encodedName);
+ }
+ PORT_FreeArena(arena, PR_FALSE);
+ }
} else {
- /*
- * The signer is either 1) a known issuer CA we passed in,
- * 2) the default OCSP responder, or 3) an intermediate CA
- * passed in the cert list to use. Figure out which it is.
- */
- int i;
- CERTCertificate *responder =
+ /*
+ * The signer is either 1) a known issuer CA we passed in,
+ * 2) the default OCSP responder, or 3) an intermediate CA
+ * passed in the cert list to use. Figure out which it is.
+ */
+ int i;
+ CERTCertificate *responder =
ocsp_CertGetDefaultResponder(handle, NULL);
- if (responder && ocsp_matchcert(certIndex,responder)) {
- signerCert = CERT_DupCertificate(responder);
- } else if (issuer && ocsp_matchcert(certIndex,issuer)) {
- signerCert = CERT_DupCertificate(issuer);
- }
- for (i=0; (signerCert == NULL) && (i < certCount); i++) {
- if (ocsp_matchcert(certIndex,certs[i])) {
- signerCert = CERT_DupCertificate(certs[i]);
- }
- }
- if (signerCert == NULL) {
- PORT_SetError(SEC_ERROR_UNKNOWN_CERT);
- }
+ if (responder && ocsp_matchcert(certIndex, responder)) {
+ signerCert = CERT_DupCertificate(responder);
+ } else if (issuer && ocsp_matchcert(certIndex, issuer)) {
+ signerCert = CERT_DupCertificate(issuer);
+ }
+ for (i = 0; (signerCert == NULL) && (i < certCount); i++) {
+ if (ocsp_matchcert(certIndex, certs[i])) {
+ signerCert = CERT_DupCertificate(certs[i]);
+ }
+ }
+ if (signerCert == NULL) {
+ PORT_SetError(SEC_ERROR_UNKNOWN_CERT);
+ }
}
finish:
if (certs != NULL) {
- CERT_DestroyCertArray(certs, certCount);
+ CERT_DestroyCertArray(certs, certCount);
}
return signerCert;
@@ -4067,7 +4016,7 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
rv = CERT_VerifySignedDataWithPublicKey(&signedData, signerKey, pwArg);
if (rv != SECSuccess &&
- (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE ||
+ (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE ||
PORT_GetError() == SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)) {
PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE);
}
@@ -4079,7 +4028,6 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
return rv;
}
-
/*
* FUNCTION: CERT_VerifyOCSPResponseSignature
* Check the signature on an OCSP Response. Will also perform a
@@ -4110,10 +4058,10 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
* verifying the signer's cert, or low-level problems (no memory, etc.)
*/
SECStatus
-CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
- CERTCertDBHandle *handle, void *pwArg,
- CERTCertificate **pSignerCert,
- CERTCertificate *issuer)
+CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
+ CERTCertDBHandle *handle, void *pwArg,
+ CERTCertificate **pSignerCert,
+ CERTCertificate *issuer)
{
SECItem *tbsResponseDataDER;
CERTCertificate *signerCert = NULL;
@@ -4138,24 +4086,24 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
* return the cached result.
*/
if (signature->wasChecked) {
- if (signature->status == SECSuccess) {
- if (pSignerCert != NULL)
- *pSignerCert = CERT_DupCertificate(signature->cert);
- } else {
- PORT_SetError(signature->failureReason);
- }
- return signature->status;
+ if (signature->status == SECSuccess) {
+ if (pSignerCert != NULL)
+ *pSignerCert = CERT_DupCertificate(signature->cert);
+ } else {
+ PORT_SetError(signature->failureReason);
+ }
+ return signature->status;
}
signerCert = ocsp_GetSignerCertificate(handle, tbsData,
signature, issuer);
if (signerCert == NULL) {
- rv = SECFailure;
- if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
- /* Make the error a little more specific. */
- PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
- }
- goto finish;
+ rv = SECFailure;
+ if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
+ /* Make the error a little more specific. */
+ PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
+ }
+ goto finish;
}
/*
@@ -4180,9 +4128,7 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
* Just because we have a cert does not mean it is any good; check
* it for validity, trust and usage.
*/
- if (ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) {
- rv = SECSuccess;
- } else {
+ if (!ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) {
SECCertUsage certUsage;
if (CERT_IsCACert(signerCert, NULL)) {
certUsage = certUsageAnyCA;
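Review bot: With the explicit `rv = SECSuccess;` branch removed, the default-responder path falls through with whatever `rv` holds from code above this hunk, and nothing at the condition says that is intended. The comment just above promises a check for validity, trust and usage, yet a signer that matches the configured default responder skips that check entirely. Both facts are worth recording next to the `if`, for example `/* The configured default responder is accepted as-is: no validity, trust or usage check; rv is left as set above. */`. A `PORT_Assert(rv == SECSuccess);` ahead of the `if` would pin the assumption, presuming the signature verification that sets `rv` runs earlier in the function, which the hunk does not show. The body of CERT_VerifyOCSPResponseSignature starts and ends outside this hunk.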
@@ -4204,24 +4150,24 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
finish:
if (signature->wasChecked)
- signature->status = rv;
+ signature->status = rv;
if (rv != SECSuccess) {
- signature->failureReason = PORT_GetError();
- if (signerCert != NULL)
- CERT_DestroyCertificate(signerCert);
+ signature->failureReason = PORT_GetError();
+ if (signerCert != NULL)
+ CERT_DestroyCertificate(signerCert);
} else {
- /*
- * Save signer's certificate in signature.
- */
- signature->cert = signerCert;
- if (pSignerCert != NULL) {
- /*
- * Pass pointer to signer's certificate back to our caller,
- * who is also now responsible for destroying it.
- */
- *pSignerCert = CERT_DupCertificate(signerCert);
- }
+ /*
+ * Save signer's certificate in signature.
+ */
+ signature->cert = signerCert;
+ if (pSignerCert != NULL) {
+ /*
+ * Pass pointer to signer's certificate back to our caller,
+ * who is also now responsible for destroying it.
+ */
+ *pSignerCert = CERT_DupCertificate(signerCert);
+ }
}
return rv;
@@ -4234,7 +4180,7 @@ finish:
*/
static PRBool
ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID,
- CERTOCSPCertID *responseCertID)
+ CERTOCSPCertID *responseCertID)
{
PRBool match = PR_FALSE;
SECOidTag hashAlg;
@@ -4248,8 +4194,8 @@ ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID,
* We just compare the easier things first.
*/
if (SECITEM_CompareItem(&requestCertID->serialNumber,
- &responseCertID->serialNumber) != SECEqual) {
- goto done;
+ &responseCertID->serialNumber) != SECEqual) {
+ goto done;
}
/*
@@ -4257,48 +4203,49 @@ ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID,
* requestCertID->hashAlgorithm, we don't need to check it.
*/
if (responseCertID->hashAlgorithm.parameters.len > 2) {
- goto done;
+ goto done;
}
if (SECITEM_CompareItem(&requestCertID->hashAlgorithm.algorithm,
- &responseCertID->hashAlgorithm.algorithm) == SECEqual) {
- /*
- * If the hash algorithms match then we can do a simple compare
- * of the hash values themselves.
- */
- if ((SECITEM_CompareItem(&requestCertID->issuerNameHash,
- &responseCertID->issuerNameHash) == SECEqual)
- && (SECITEM_CompareItem(&requestCertID->issuerKeyHash,
- &responseCertID->issuerKeyHash) == SECEqual)) {
- match = PR_TRUE;
- }
- goto done;
+ &responseCertID->hashAlgorithm.algorithm) ==
+ SECEqual) {
+ /*
+ * If the hash algorithms match then we can do a simple compare
+ * of the hash values themselves.
+ */
+ if ((SECITEM_CompareItem(&requestCertID->issuerNameHash,
+ &responseCertID->issuerNameHash) == SECEqual) &&
+ (SECITEM_CompareItem(&requestCertID->issuerKeyHash,
+ &responseCertID->issuerKeyHash) == SECEqual)) {
+ match = PR_TRUE;
+ }
+ goto done;
}
hashAlg = SECOID_FindOIDTag(&responseCertID->hashAlgorithm.algorithm);
switch (hashAlg) {
- case SEC_OID_SHA1:
- keyHash = &requestCertID->issuerSHA1KeyHash;
- nameHash = &requestCertID->issuerSHA1NameHash;
- break;
- case SEC_OID_MD5:
- keyHash = &requestCertID->issuerMD5KeyHash;
- nameHash = &requestCertID->issuerMD5NameHash;
- break;
- case SEC_OID_MD2:
- keyHash = &requestCertID->issuerMD2KeyHash;
- nameHash = &requestCertID->issuerMD2NameHash;
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return PR_FALSE;
- }
-
- if ((keyHash != NULL)
- && (SECITEM_CompareItem(nameHash,
- &responseCertID->issuerNameHash) == SECEqual)
- && (SECITEM_CompareItem(keyHash,
- &responseCertID->issuerKeyHash) == SECEqual)) {
- match = PR_TRUE;
+ case SEC_OID_SHA1:
+ keyHash = &requestCertID->issuerSHA1KeyHash;
+ nameHash = &requestCertID->issuerSHA1NameHash;
+ break;
+ case SEC_OID_MD5:
+ keyHash = &requestCertID->issuerMD5KeyHash;
+ nameHash = &requestCertID->issuerMD5NameHash;
+ break;
+ case SEC_OID_MD2:
+ keyHash = &requestCertID->issuerMD2KeyHash;
+ nameHash = &requestCertID->issuerMD2NameHash;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return PR_FALSE;
+ }
+
+ if ((keyHash != NULL) &&
+ (SECITEM_CompareItem(nameHash,
+ &responseCertID->issuerNameHash) == SECEqual) &&
+ (SECITEM_CompareItem(keyHash,
+ &responseCertID->issuerKeyHash) == SECEqual)) {
+ match = PR_TRUE;
}
done:
@@ -4313,27 +4260,27 @@ done:
*/
static CERTOCSPSingleResponse *
ocsp_GetSingleResponseForCertID(CERTOCSPSingleResponse **responses,
- CERTCertDBHandle *handle,
- CERTOCSPCertID *certID)
+ CERTCertDBHandle *handle,
+ CERTOCSPCertID *certID)
{
CERTOCSPSingleResponse *single;
int i;
if (responses == NULL)
- return NULL;
+ return NULL;
for (i = 0; responses[i] != NULL; i++) {
- single = responses[i];
- if (ocsp_CertIDsMatch(certID, single->certID)) {
- return single;
- }
+ single = responses[i];
+ if (ocsp_CertIDsMatch(certID, single->certID)) {
+ return single;
+ }
}
/*
* The OCSP server should have included a response even if it knew
* nothing about the certificate in question. Since it did not,
* this will make it look as if it had.
- *
+ *
* XXX Should we make this a separate error to notice the server's
* bad behavior?
*/
@@ -4349,19 +4296,19 @@ ocsp_GetCheckingContext(CERTCertDBHandle *handle)
statusConfig = CERT_GetStatusConfig(handle);
if (statusConfig != NULL) {
- ocspcx = statusConfig->statusContext;
+ ocspcx = statusConfig->statusContext;
- /*
- * This is actually an internal error, because we should never
- * have a good statusConfig without a good statusContext, too.
- * For lack of anything better, though, we just assert and use
- * the same error as if there were no statusConfig (set below).
- */
- PORT_Assert(ocspcx != NULL);
+ /*
+ * This is actually an internal error, because we should never
+ * have a good statusConfig without a good statusContext, too.
+ * For lack of anything better, though, we just assert and use
+ * the same error as if there were no statusConfig (set below).
+ */
+ PORT_Assert(ocspcx != NULL);
}
if (ocspcx == NULL)
- PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
+ PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
return ocspcx;
}
@@ -4377,19 +4324,19 @@ ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, CERTOCSPCertID *certID)
ocspcx = ocsp_GetCheckingContext(handle);
if (ocspcx == NULL)
- goto loser;
-
- /*
- * Right now we have only one default responder. It applies to
- * all certs when it is used, so the check is simple and certID
- * has no bearing on the answer. Someday in the future we may
- * allow configuration of different responders for different
- * issuers, and then we would have to use the issuer specified
- * in certID to determine if signerCert is the right one.
- */
+ goto loser;
+
+ /*
+ * Right now we have only one default responder. It applies to
+ * all certs when it is used, so the check is simple and certID
+ * has no bearing on the answer. Someday in the future we may
+ * allow configuration of different responders for different
+ * issuers, and then we would have to use the issuer specified
+ * in certID to determine if signerCert is the right one.
+ */
if (ocspcx->useDefaultResponder) {
- PORT_Assert(ocspcx->defaultResponderCert != NULL);
- return ocspcx->defaultResponderCert;
+ PORT_Assert(ocspcx->defaultResponderCert != NULL);
+ return ocspcx->defaultResponderCert;
}
loser:
@@ -4407,19 +4354,19 @@ ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert)
ocspcx = ocsp_GetCheckingContext(handle);
if (ocspcx == NULL)
- return PR_FALSE;
-
- /*
- * Right now we have only one default responder. It applies to
- * all certs when it is used, so the check is simple and certID
- * has no bearing on the answer. Someday in the future we may
- * allow configuration of different responders for different
- * issuers, and then we would have to use the issuer specified
- * in certID to determine if signerCert is the right one.
- */
+ return PR_FALSE;
+
+ /*
+ * Right now we have only one default responder. It applies to
+ * all certs when it is used, so the check is simple and certID
+ * has no bearing on the answer. Someday in the future we may
+ * allow configuration of different responders for different
+ * issuers, and then we would have to use the issuer specified
+ * in certID to determine if signerCert is the right one.
+ */
if (ocspcx->useDefaultResponder &&
CERT_CompareCerts(ocspcx->defaultResponderCert, cert)) {
- return PR_TRUE;
+ return PR_TRUE;
}
return PR_FALSE;
@@ -4444,9 +4391,9 @@ ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert)
*/
static PRBool
ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
- CERTCertificate *signerCert,
- CERTOCSPCertID *certID,
- PRTime thisUpdate)
+ CERTCertificate *signerCert,
+ CERTOCSPCertID *certID,
+ PRTime thisUpdate)
{
CERTCertificate *issuerCert = NULL, *defRespCert;
SECItem *keyHash = NULL;
@@ -4490,7 +4437,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
nameHashEQ =
(SECITEM_CompareItem(nameHash,
&certID->issuerNameHash) == SECEqual);
-
+
SECITEM_FreeItem(nameHash, PR_TRUE);
if (nameHashEQ) {
/* The issuer of the cert is the the signer of the response */
@@ -4498,7 +4445,6 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
}
}
-
keyHashEQ = PR_FALSE;
nameHashEQ = PR_FALSE;
@@ -4529,7 +4475,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
CERT_DestroyCertificate(issuerCert);
if (keyHash != NULL && nameHash != NULL) {
- keyHashEQ =
+ keyHashEQ =
(SECITEM_CompareItem(keyHash,
&certID->issuerKeyHash) == SECEqual);
@@ -4565,7 +4511,7 @@ ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
* want something from within the last 24 hours. This macro defines that
* number in seconds.
*/
-#define OCSP_ALLOWABLE_LAPSE_SECONDS (24L * 60L * 60L)
+#define OCSP_ALLOWABLE_LAPSE_SECONDS (24L * 60L * 60L)
static PRBool
ocsp_TimeIsRecent(PRTime checkTime)
@@ -4575,19 +4521,19 @@ ocsp_TimeIsRecent(PRTime checkTime)
LL_I2L(lapse, OCSP_ALLOWABLE_LAPSE_SECONDS);
LL_I2L(tmp, PR_USEC_PER_SEC);
- LL_MUL(lapse, lapse, tmp); /* allowable lapse in microseconds */
+ LL_MUL(lapse, lapse, tmp); /* allowable lapse in microseconds */
LL_ADD(checkTime, checkTime, lapse);
if (LL_CMP(now, >, checkTime))
- return PR_FALSE;
+ return PR_FALSE;
return PR_TRUE;
}
-#define OCSP_SLOP (5L*60L) /* OCSP responses are allowed to be 5 minutes
- in the future by default */
+#define OCSP_SLOP (5L * 60L) /* OCSP responses are allowed to be 5 minutes \
+ in the future by default */
-static PRUint32 ocspsloptime = OCSP_SLOP; /* seconds */
+static PRUint32 ocspsloptime = OCSP_SLOP; /* seconds */
/*
* If an old response contains the revoked certificate status, we want
@@ -4610,7 +4556,6 @@ ocsp_HandleOldSingleResponse(CERTOCSPSingleResponse *single, PRTime time)
*/
return SECSuccess;
}
-
}
PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
return SECFailure;
@@ -4638,19 +4583,19 @@ ocsp_HandleOldSingleResponse(CERTOCSPSingleResponse *single, PRTime time)
* SEC_ERROR_OCSP_OLD_RESPONSE
* SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
* Other errors are low-level problems (no memory, bad database, etc.).
- */
+ */
static SECStatus
ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
- CERTCertDBHandle *handle,
- CERTCertificate *signerCert,
- PRTime producedAt)
+ CERTCertDBHandle *handle,
+ CERTCertificate *signerCert,
+ PRTime producedAt)
{
CERTOCSPCertID *certID = single->certID;
PRTime now, thisUpdate, nextUpdate, tmstamp, tmp;
SECStatus rv;
- OCSP_TRACE(("OCSP ocsp_VerifySingleResponse, nextUpdate: %d\n",
- ((single->nextUpdate) != 0)));
+ OCSP_TRACE(("OCSP ocsp_VerifySingleResponse, nextUpdate: %d\n",
+ ((single->nextUpdate) != 0)));
/*
* If all the responder said was that the given cert was unknown to it,
* that is a valid response. Not very interesting to us, of course,
@@ -4659,7 +4604,7 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
*/
PORT_Assert(single->certStatus != NULL);
if (single->certStatus->certStatusType == ocspCertStatus_unknown)
- return SECSuccess;
+ return SECSuccess;
/*
* We need to extract "thisUpdate" for use below and to pass along
@@ -4668,14 +4613,14 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
*/
rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate);
if (rv != SECSuccess)
- return rv;
+ return rv;
/*
* First confirm that signerCert is authorized to give this status.
*/
if (ocsp_AuthorizedResponderForCertID(handle, signerCert, certID,
- thisUpdate) != PR_TRUE)
- return SECFailure;
+ thisUpdate) != PR_TRUE)
+ return SECFailure;
/*
* Now check the time stuff, as described above.
@@ -4688,25 +4633,24 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
LL_ADD(tmstamp, tmp, now); /* add current time to it */
if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) {
- PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE);
+ return SECFailure;
}
if (single->nextUpdate != NULL) {
- rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
- if (rv != SECSuccess)
- return rv;
+ rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
+ if (rv != SECSuccess)
+ return rv;
- LL_ADD(tmp, tmp, nextUpdate);
- if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate))
- return ocsp_HandleOldSingleResponse(single, now);
+ LL_ADD(tmp, tmp, nextUpdate);
+ if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate))
+ return ocsp_HandleOldSingleResponse(single, now);
} else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
- return ocsp_HandleOldSingleResponse(single, now);
+ return ocsp_HandleOldSingleResponse(single, now);
}
return SECSuccess;
}
-
/*
* FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
* Get the value of the URI of the OCSP responder for the given cert.
@@ -4721,7 +4665,7 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
* extension is not present or it does not contain an entry for OCSP,
* SEC_ERROR_CERT_BAD_ACCESS_LOCATION will be set and a NULL returned.
* Any other error will also result in a NULL being returned.
- *
+ *
* This result should be freed (via PORT_Free) when no longer in use.
*/
char *
@@ -4743,13 +4687,13 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
*/
encodedAuthInfoAccess = SECITEM_AllocItem(NULL, NULL, 0);
if (encodedAuthInfoAccess == NULL)
- goto loser;
+ goto loser;
rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
- encodedAuthInfoAccess);
+ encodedAuthInfoAccess);
if (rv == SECFailure) {
- PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- goto loser;
+ PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ goto loser;
}
/*
@@ -4760,16 +4704,16 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
*/
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL)
- goto loser;
+ goto loser;
authInfoAccess = CERT_DecodeAuthInfoAccessExtension(arena,
- encodedAuthInfoAccess);
+ encodedAuthInfoAccess);
if (authInfoAccess == NULL)
- goto loser;
+ goto loser;
for (i = 0; authInfoAccess[i] != NULL; i++) {
- if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP)
- locname = authInfoAccess[i]->location;
+ if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP)
+ locname = authInfoAccess[i]->location;
}
/*
@@ -4780,8 +4724,8 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
* not there at all.
*/
if (locname == NULL) {
- PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- goto loser;
+ PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ goto loser;
}
/*
@@ -4790,15 +4734,15 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
*/
location = CERT_GetGeneralNameByType(locname, certURI, PR_FALSE);
if (location == NULL) {
- /*
- * XXX Appears that CERT_GetGeneralNameByType does not set an
- * error if there is no name by that type. For lack of anything
- * better, act as if the extension was not found. In the future
- * this should probably be something more like the extension was
- * badly formed.
- */
- PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- goto loser;
+ /*
+ * XXX Appears that CERT_GetGeneralNameByType does not set an
+ * error if there is no name by that type. For lack of anything
+ * better, act as if the extension was not found. In the future
+ * this should probably be something more like the extension was
+ * badly formed.
+ */
+ PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ goto loser;
}
/*
@@ -4809,22 +4753,21 @@ CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert)
*/
locURI = PORT_Alloc(location->len + 1);
if (locURI == NULL) {
- goto loser;
+ goto loser;
}
PORT_Memcpy(locURI, location->data, location->len);
locURI[location->len] = '\0';
loser:
if (arena != NULL)
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
if (encodedAuthInfoAccess != NULL)
- SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE);
+ SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE);
return locURI;
}
-
/*
* Figure out where we should go to find out the status of the given cert
* via OCSP. If allowed to use a default responder uri and a default
@@ -4840,7 +4783,7 @@ loser:
*/
char *
ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRBool canUseDefault, PRBool *isDefault)
+ PRBool canUseDefault, PRBool *isDefault)
{
ocspCheckingContext *ocspcx = NULL;
char *ocspUrl = NULL;
@@ -4849,15 +4792,15 @@ ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
ocspcx = ocsp_GetCheckingContext(handle);
}
if (ocspcx != NULL && ocspcx->useDefaultResponder) {
- /*
- * A default responder wins out, if specified.
- * XXX Someday this may be a more complicated determination based
- * on the cert's issuer. (That is, we could have different default
- * responders configured for different issuers.)
- */
- PORT_Assert(ocspcx->defaultResponderURI != NULL);
- *isDefault = PR_TRUE;
- return (PORT_Strdup(ocspcx->defaultResponderURI));
+ /*
+ * A default responder wins out, if specified.
+ * XXX Someday this may be a more complicated determination based
+ * on the cert's issuer. (That is, we could have different default
+ * responders configured for different issuers.)
+ */
+ PORT_Assert(ocspcx->defaultResponderURI != NULL);
+ *isDefault = PR_TRUE;
+ return (PORT_Strdup(ocspcx->defaultResponderURI));
}
/*
@@ -4867,16 +4810,16 @@ ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
*isDefault = PR_FALSE;
ocspUrl = CERT_GetOCSPAuthorityInfoAccessLocation(cert);
if (!ocspUrl) {
- CERT_StringFromCertFcn altFcn;
+ CERT_StringFromCertFcn altFcn;
- PR_EnterMonitor(OCSP_Global.monitor);
- altFcn = OCSP_Global.alternateOCSPAIAFcn;
- PR_ExitMonitor(OCSP_Global.monitor);
- if (altFcn) {
- ocspUrl = (*altFcn)(cert);
- if (ocspUrl)
- *isDefault = PR_TRUE;
- }
+ PR_EnterMonitor(OCSP_Global.monitor);
+ altFcn = OCSP_Global.alternateOCSPAIAFcn;
+ PR_ExitMonitor(OCSP_Global.monitor);
+ if (altFcn) {
+ ocspUrl = (*altFcn)(cert);
+ if (ocspUrl)
+ *isDefault = PR_TRUE;
+ }
}
return ocspUrl;
}
@@ -4893,7 +4836,7 @@ ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time)
rv = DER_GeneralizedTimeToTime(&revokedTime, &revokedInfo->revocationTime);
if (rv != SECSuccess)
- return rv;
+ return rv;
/*
* Set the error even if we will return success; someone might care.
@@ -4901,7 +4844,7 @@ ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time)
PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
if (LL_CMP(revokedTime, >, time))
- return SECSuccess;
+ return SECSuccess;
return SECFailure;
}
@@ -4915,28 +4858,28 @@ ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time)
{
SECStatus rv;
switch (status->certStatusType) {
- case ocspCertStatus_good:
- rv = SECSuccess;
- break;
- case ocspCertStatus_revoked:
- rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time);
- break;
- case ocspCertStatus_unknown:
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
- rv = SECFailure;
- break;
- case ocspCertStatus_other:
- default:
- PORT_Assert(0);
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- rv = SECFailure;
- break;
+ case ocspCertStatus_good:
+ rv = SECSuccess;
+ break;
+ case ocspCertStatus_revoked:
+ rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time);
+ break;
+ case ocspCertStatus_unknown:
+ PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
+ rv = SECFailure;
+ break;
+ case ocspCertStatus_other:
+ default:
+ PORT_Assert(0);
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+ rv = SECFailure;
+ break;
}
return rv;
}
static SECStatus
-ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single,
+ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single,
PRTime time)
{
return ocsp_CertHasGoodStatus(single->certStatus, time);
@@ -4963,7 +4906,7 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
OCSPFreshness *cacheFreshness)
{
OCSPCacheItem *cacheItem = NULL;
-
+
if (!certID || !missingResponseError || !rvOcsp || !cacheFreshness) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
@@ -4971,7 +4914,7 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
*rvOcsp = SECFailure;
*missingResponseError = 0;
*cacheFreshness = ocspMissing;
-
+
PR_EnterMonitor(OCSP_Global.monitor);
cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID);
if (cacheItem) {
@@ -4986,13 +4929,13 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
} else {
/*
* No status cached, the previous attempt failed.
- * If OCSP is required, we never decide based on a failed attempt
+ * If OCSP is required, we never decide based on a failed attempt
* However, if OCSP is optional, a recent OCSP failure is
* an allowed good state.
*/
if (*cacheFreshness == ocspFresh &&
!ignoreGlobalOcspFailureSetting &&
- OCSP_Global.ocspFailureMode ==
+ OCSP_Global.ocspFailureMode ==
ocspMode_FailureIsNotAVerificationFailure) {
*rvOcsp = SECSuccess;
}
@@ -5064,10 +5007,10 @@ ocsp_FetchingFailureIsVerificationFailure(void)
* (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
* verifying the signer's cert, or low-level problems (error allocating
* memory, error performing ASN.1 decoding, etc.).
- */
-SECStatus
+ */
+SECStatus
CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
- PRTime time, void *pwArg)
+ PRTime time, void *pwArg)
{
CERTOCSPCertID *certID;
PRBool certIDWasConsumed = PR_FALSE;
@@ -5075,10 +5018,10 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
SECStatus rvOcsp;
SECErrorCodes cachedErrorCode;
OCSPFreshness cachedResponseFreshness;
-
+
OCSP_TRACE_CERT(cert);
OCSP_TRACE_TIME("## requested validity time:", time);
-
+
certID = CERT_CreateOCSPCertID(cert, time);
if (!certID)
return SECFailure;
@@ -5098,7 +5041,7 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
}
rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg,
- &certIDWasConsumed,
+ &certIDWasConsumed,
&rvOcsp);
if (rv != SECSuccess) {
PRErrorCode err = PORT_GetError();
@@ -5157,10 +5100,10 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
*/
SECStatus
CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
- CERTCertificate *cert,
- PRTime time,
- const SECItem *encodedResponse,
- void *pwArg)
+ CERTCertificate *cert,
+ PRTime time,
+ const SECItem *encodedResponse,
+ void *pwArg)
{
CERTOCSPCertID *certID = NULL;
PRBool certIDWasConsumed = PR_FALSE;
@@ -5235,17 +5178,17 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
* ocsp_CacheSingleResponse. */
rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
- time, pwArg,
- encodedResponse,
- &decodedResponse,
- &singleResponse);
+ time, pwArg,
+ encodedResponse,
+ &decodedResponse,
+ &singleResponse);
if (rv == SECSuccess) {
- rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
- /* Cache any valid singleResponse, regardless of status. */
- ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed);
+ rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
+ /* Cache any valid singleResponse, regardless of status. */
+ ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed);
}
if (decodedResponse) {
- CERT_DestroyOCSPResponse(decodedResponse);
+ CERT_DestroyOCSPResponse(decodedResponse);
}
if (!certIDWasConsumed) {
CERT_DestroyOCSPCertID(certID);
@@ -5254,13 +5197,13 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
}
/*
- * Status in *certIDWasConsumed will always be correct, regardless of
+ * Status in *certIDWasConsumed will always be correct, regardless of
* return value.
*/
static SECStatus
-ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID,
- CERTCertificate *cert,
+ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
+ CERTOCSPCertID *certID,
+ CERTCertificate *cert,
PRTime time,
void *pwArg,
PRBool *certIDWasConsumed,
@@ -5274,7 +5217,8 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
CERTOCSPResponse *decodedResponse = NULL;
CERTOCSPSingleResponse *singleResponse = NULL;
- enum { stageGET, stagePOST } currentStage;
+ enum { stageGET,
+ stagePOST } currentStage;
PRBool retry = PR_FALSE;
if (!certIDWasConsumed || !rv_ocsp) {
@@ -5310,14 +5254,14 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
location = ocsp_GetResponderLocation(handle, cert, PR_TRUE,
&locationIsDefault);
if (location == NULL) {
- int err = PORT_GetError();
- if (err == SEC_ERROR_EXTENSION_NOT_FOUND ||
- err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
- PORT_SetError(0);
- *rv_ocsp = SECSuccess;
- return SECSuccess;
- }
- return SECFailure;
+ int err = PORT_GetError();
+ if (err == SEC_ERROR_EXTENSION_NOT_FOUND ||
+ err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
+ PORT_SetError(0);
+ *rv_ocsp = SECSuccess;
+ return SECSuccess;
+ }
+ return SECFailure;
}
/*
@@ -5343,75 +5287,75 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
*/
do {
- const char *method;
- PRBool validResponseWithAccurateInfo = PR_FALSE;
- retry = PR_FALSE;
- *rv_ocsp = SECFailure;
-
- if (currentStage == stageGET) {
- method = "GET";
- } else {
- PORT_Assert(currentStage == stagePOST);
- method = "POST";
- }
-
- encodedResponse =
- ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
- location, method,
- time, locationIsDefault,
- pwArg, &request);
-
- if (encodedResponse) {
- rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
- time, pwArg,
- encodedResponse,
- &decodedResponse,
- &singleResponse);
- if (rv == SECSuccess) {
- switch (singleResponse->certStatus->certStatusType) {
- case ocspCertStatus_good:
- case ocspCertStatus_revoked:
- validResponseWithAccurateInfo = PR_TRUE;
- break;
- default:
- break;
- }
- *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
- }
- }
-
- if (currentStage == stageGET) {
- /* only accept GET response if good or revoked */
- if (validResponseWithAccurateInfo) {
- ocsp_CacheSingleResponse(certID, singleResponse,
- certIDWasConsumed);
- } else {
- retry = PR_TRUE;
- currentStage = stagePOST;
- }
- } else {
- /* cache the POST respone, regardless of status */
- if (!singleResponse) {
- cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed);
- } else {
- ocsp_CacheSingleResponse(certID, singleResponse,
- certIDWasConsumed);
- }
- }
-
- if (encodedResponse) {
- SECITEM_FreeItem(encodedResponse, PR_TRUE);
- encodedResponse = NULL;
- }
- if (request) {
- CERT_DestroyOCSPRequest(request);
- request = NULL;
- }
- if (decodedResponse) {
- CERT_DestroyOCSPResponse(decodedResponse);
- decodedResponse = NULL;
- }
- singleResponse = NULL;
+ const char *method;
+ PRBool validResponseWithAccurateInfo = PR_FALSE;
+ retry = PR_FALSE;
+ *rv_ocsp = SECFailure;
+
+ if (currentStage == stageGET) {
+ method = "GET";
+ } else {
+ PORT_Assert(currentStage == stagePOST);
+ method = "POST";
+ }
+
+ encodedResponse =
+ ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
+ location, method,
+ time, locationIsDefault,
+ pwArg, &request);
+
+ if (encodedResponse) {
+ rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
+ time, pwArg,
+ encodedResponse,
+ &decodedResponse,
+ &singleResponse);
+ if (rv == SECSuccess) {
+ switch (singleResponse->certStatus->certStatusType) {
+ case ocspCertStatus_good:
+ case ocspCertStatus_revoked:
+ validResponseWithAccurateInfo = PR_TRUE;
+ break;
+ default:
+ break;
+ }
+ *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
+ }
+ }
+
+ if (currentStage == stageGET) {
+ /* only accept GET response if good or revoked */
+ if (validResponseWithAccurateInfo) {
+ ocsp_CacheSingleResponse(certID, singleResponse,
+ certIDWasConsumed);
+ } else {
+ retry = PR_TRUE;
+ currentStage = stagePOST;
+ }
+ } else {
+ /* cache the POST respone, regardless of status */
+ if (!singleResponse) {
+ cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed);
+ } else {
+ ocsp_CacheSingleResponse(certID, singleResponse,
+ certIDWasConsumed);
+ }
+ }
+
+ if (encodedResponse) {
+ SECITEM_FreeItem(encodedResponse, PR_TRUE);
+ encodedResponse = NULL;
+ }
+ if (request) {
+ CERT_DestroyOCSPRequest(request);
+ request = NULL;
+ }
+ if (decodedResponse) {
+ CERT_DestroyOCSPResponse(decodedResponse);
+ decodedResponse = NULL;
+ }
+ singleResponse = NULL;
} while (retry);
@@ -5454,25 +5398,25 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,
*/
static SECStatus
ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
- CERTOCSPCertID *certID,
- CERTCertificate *cert,
- PRTime time,
- void *pwArg,
- const SECItem *encodedResponse,
- CERTOCSPResponse **pDecodedResponse,
- CERTOCSPSingleResponse **pSingle)
+ CERTOCSPCertID *certID,
+ CERTCertificate *cert,
+ PRTime time,
+ void *pwArg,
+ const SECItem *encodedResponse,
+ CERTOCSPResponse **pDecodedResponse,
+ CERTOCSPSingleResponse **pSingle)
{
CERTCertificate *signerCert = NULL;
CERTCertificate *issuerCert = NULL;
SECStatus rv = SECFailure;
if (!pSingle || !pDecodedResponse) {
- return SECFailure;
+ return SECFailure;
}
*pSingle = NULL;
*pDecodedResponse = CERT_DecodeOCSPResponse(encodedResponse);
if (!*pDecodedResponse) {
- return SECFailure;
+ return SECFailure;
}
/*
@@ -5485,7 +5429,7 @@ ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
* in the response.
*/
if (CERT_GetOCSPResponseStatus(*pDecodedResponse) != SECSuccess) {
- goto loser;
+ goto loser;
}
/*
@@ -5496,32 +5440,32 @@ ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
rv = CERT_VerifyOCSPResponseSignature(*pDecodedResponse, handle, pwArg,
&signerCert, issuerCert);
if (rv != SECSuccess) {
- goto loser;
+ goto loser;
}
- PORT_Assert(signerCert != NULL); /* internal consistency check */
+ PORT_Assert(signerCert != NULL); /* internal consistency check */
/* XXX probably should set error, return failure if signerCert is null */
/*
* Again, we are only doing one request for one cert.
* XXX When we handle cert chains, the following code will obviously
* have to be modified, in coordation with the code above that will
- * have to determine how to make multiple requests, etc.
+ * have to determine how to make multiple requests, etc.
*/
- rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, certID,
+ rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, certID,
signerCert, time, pSingle);
loser:
if (issuerCert != NULL)
- CERT_DestroyCertificate(issuerCert);
+ CERT_DestroyCertificate(issuerCert);
if (signerCert != NULL)
- CERT_DestroyCertificate(signerCert);
+ CERT_DestroyCertificate(signerCert);
return rv;
}
/*
* FUNCTION: ocsp_CacheSingleResponse
* This function requires that the caller has checked that the response
- * is valid and verified.
+ * is valid and verified.
* The (positive or negative) valid response will be used to update the cache.
* INPUTS:
* CERTOCSPCertID *certID
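Review bot: `PORT_Assert(signerCert != NULL)` is the only guard before `signerCert` is handed to `ocsp_GetVerifiedSingleResponseForCertID`, and PORT_Assert is compiled out of non-debug builds, so the XXX comment directly below it is still an open item. Whether `CERT_VerifyOCSPResponseSignature` can return success with a NULL signer is not visible here, but the check is cheap to make real: `if (signerCert == NULL) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); rv = SECFailure; goto loser; }`, which reuses the existing `loser` cleanup. The same assert-then-dereference pattern shows up in the later hunks for CERT_SetOCSPDefaultResponder (`statusContext`) and CERT_GetOCSPResponseStatus (`response`). The function begins outside this hunk.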
@@ -5532,27 +5476,27 @@ loser:
*/
void
ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
- CERTOCSPSingleResponse *single,
- PRBool *certIDWasConsumed)
+ CERTOCSPSingleResponse *single,
+ PRBool *certIDWasConsumed)
{
if (single != NULL) {
- PR_EnterMonitor(OCSP_Global.monitor);
- if (OCSP_Global.maxCacheEntries >= 0) {
- ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single,
- certIDWasConsumed);
- /* ignore cache update failures */
- }
- PR_ExitMonitor(OCSP_Global.monitor);
+ PR_EnterMonitor(OCSP_Global.monitor);
+ if (OCSP_Global.maxCacheEntries >= 0) {
+ ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single,
+ certIDWasConsumed);
+ /* ignore cache update failures */
+ }
+ PR_ExitMonitor(OCSP_Global.monitor);
}
}
SECStatus
-ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
- CERTOCSPResponse *response,
- CERTOCSPCertID *certID,
- CERTCertificate *signerCert,
- PRTime time,
- CERTOCSPSingleResponse
+ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
+ CERTOCSPSingleResponse
**pSingleResponse)
{
SECStatus rv;
@@ -5596,11 +5540,11 @@ loser:
}
SECStatus
-CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
- CERTOCSPResponse *response,
- CERTOCSPCertID *certID,
- CERTCertificate *signerCert,
- PRTime time)
+CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time)
{
/*
* We do not update the cache, because:
@@ -5612,17 +5556,17 @@ CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
* requires the ability to transfer ownership of the the given certID to
* the cache. The external API doesn't allow us to prevent the caller from
* destroying the certID. We don't have the original certificate available,
- * therefore we are unable to produce another certID object (that could
+ * therefore we are unable to produce another certID object (that could
* be stored in the cache).
*
* Should we ever implement code to produce a deep copy of certID,
* then this could be changed to allow updating the cache.
- * The duplication would have to be done in
+ * The duplication would have to be done in
* cert_ProcessOCSPResponse, if the out parameter to indicate
* a transfer of ownership is NULL.
*/
- return cert_ProcessOCSPResponse(handle, response, certID,
- signerCert, time,
+ return cert_ProcessOCSPResponse(handle, response, certID,
+ signerCert, time,
NULL, NULL);
}
@@ -5630,23 +5574,23 @@ CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,
* The first 5 parameters match the definition of CERT_GetOCSPStatusForCertID.
*/
SECStatus
-cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
- CERTOCSPResponse *response,
- CERTOCSPCertID *certID,
- CERTCertificate *signerCert,
- PRTime time,
- PRBool *certIDWasConsumed,
- SECStatus *cacheUpdateStatus)
+cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
+ CERTOCSPResponse *response,
+ CERTOCSPCertID *certID,
+ CERTCertificate *signerCert,
+ PRTime time,
+ PRBool *certIDWasConsumed,
+ SECStatus *cacheUpdateStatus)
{
SECStatus rv;
SECStatus rv_cache = SECSuccess;
CERTOCSPSingleResponse *single = NULL;
- rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID,
+ rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID,
signerCert, time, &single);
if (rv == SECSuccess) {
/*
- * Check whether the status says revoked, and if so
+ * Check whether the status says revoked, and if so
* how that compares to the time value passed into this routine.
*/
rv = ocsp_SingleResponseCertHasGoodStatus(single, time);
@@ -5654,15 +5598,15 @@ cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
if (certIDWasConsumed) {
/*
- * We don't have copy-of-certid implemented. In order to update
- * the cache, the caller must supply an out variable
+ * We don't have copy-of-certid implemented. In order to update
+ * the cache, the caller must supply an out variable
* certIDWasConsumed, allowing us to return ownership status.
*/
-
+
PR_EnterMonitor(OCSP_Global.monitor);
if (OCSP_Global.maxCacheEntries >= 0) {
/* single == NULL means: remember response failure */
- rv_cache =
+ rv_cache =
ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID,
single, certIDWasConsumed);
}
@@ -5677,12 +5621,12 @@ cert_ProcessOCSPResponse(CERTCertDBHandle *handle,
SECStatus
cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
- PRBool *certIDWasConsumed)
+ PRBool *certIDWasConsumed)
{
SECStatus rv = SECSuccess;
PR_EnterMonitor(OCSP_Global.monitor);
if (OCSP_Global.maxCacheEntries >= 0) {
- rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL,
+ rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL,
certIDWasConsumed);
}
PR_ExitMonitor(OCSP_Global.monitor);
@@ -5705,12 +5649,12 @@ ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig)
statusContext = statusConfig->statusContext;
PORT_Assert(statusContext != NULL);
if (statusContext == NULL)
- return SECFailure;
+ return SECFailure;
if (statusContext->defaultResponderURI != NULL)
- PORT_Free(statusContext->defaultResponderURI);
+ PORT_Free(statusContext->defaultResponderURI);
if (statusContext->defaultResponderNickname != NULL)
- PORT_Free(statusContext->defaultResponderNickname);
+ PORT_Free(statusContext->defaultResponderNickname);
PORT_Free(statusContext);
statusConfig->statusContext = NULL;
@@ -5720,7 +5664,6 @@ ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig)
return SECSuccess;
}
-
/*
* FUNCTION: CERT_DisableOCSPChecking
* Turns off OCSP checking for the given certificate database.
@@ -5743,22 +5686,22 @@ CERT_DisableOCSPChecking(CERTCertDBHandle *handle)
ocspCheckingContext *statusContext;
if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
statusConfig = CERT_GetStatusConfig(handle);
statusContext = ocsp_GetCheckingContext(handle);
if (statusContext == NULL)
- return SECFailure;
+ return SECFailure;
if (statusConfig->statusChecker != CERT_CheckOCSPStatus) {
- /*
- * Status configuration is present, but either not currently
- * enabled or not for OCSP.
- */
- PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
- return SECFailure;
+ /*
+ * Status configuration is present, but either not currently
+ * enabled or not for OCSP.
+ */
+ PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
+ return SECFailure;
}
/* cache no longer necessary */
@@ -5786,17 +5729,17 @@ ocsp_InitStatusChecking(CERTCertDBHandle *handle)
PORT_Assert(CERT_GetStatusConfig(handle) == NULL);
if (CERT_GetStatusConfig(handle) != NULL) {
- /* XXX or call statusConfig->statusDestroy and continue? */
- return SECFailure;
+ /* XXX or call statusConfig->statusDestroy and continue? */
+ return SECFailure;
}
statusConfig = PORT_ZNew(CERTStatusConfig);
if (statusConfig == NULL)
- goto loser;
+ goto loser;
statusContext = PORT_ZNew(ocspCheckingContext);
if (statusContext == NULL)
- goto loser;
+ goto loser;
statusConfig->statusDestroy = ocsp_DestroyStatusChecking;
statusConfig->statusContext = statusContext;
@@ -5807,11 +5750,10 @@ ocsp_InitStatusChecking(CERTCertDBHandle *handle)
loser:
if (statusConfig != NULL)
- PORT_Free(statusConfig);
+ PORT_Free(statusConfig);
return SECFailure;
}
-
/*
* FUNCTION: CERT_EnableOCSPChecking
* Turns on OCSP checking for the given certificate database.
@@ -5826,23 +5768,23 @@ SECStatus
CERT_EnableOCSPChecking(CERTCertDBHandle *handle)
{
CERTStatusConfig *statusConfig;
-
+
SECStatus rv;
if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
statusConfig = CERT_GetStatusConfig(handle);
if (statusConfig == NULL) {
- rv = ocsp_InitStatusChecking(handle);
- if (rv != SECSuccess)
- return rv;
+ rv = ocsp_InitStatusChecking(handle);
+ if (rv != SECSuccess)
+ return rv;
- /* Get newly established value */
- statusConfig = CERT_GetStatusConfig(handle);
- PORT_Assert(statusConfig != NULL);
+ /* Get newly established value */
+ statusConfig = CERT_GetStatusConfig(handle);
+ PORT_Assert(statusConfig != NULL);
}
/*
@@ -5854,7 +5796,6 @@ CERT_EnableOCSPChecking(CERTCertDBHandle *handle)
return SECSuccess;
}
-
/*
* FUNCTION: CERT_SetOCSPDefaultResponder
* Specify the location and cert of the default responder.
@@ -5881,7 +5822,7 @@ CERT_EnableOCSPChecking(CERTCertDBHandle *handle)
*/
SECStatus
CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
- const char *url, const char *name)
+ const char *url, const char *name)
{
CERTCertificate *cert;
ocspCheckingContext *statusContext;
@@ -5890,12 +5831,12 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
SECStatus rv;
if (handle == NULL || url == NULL || name == NULL) {
- /*
- * XXX When interface is exported, probably want better errors;
- * perhaps different one for each parameter.
- */
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ /*
+ * XXX When interface is exported, probably want better errors;
+ * perhaps different one for each parameter.
+ */
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
/*
@@ -5905,15 +5846,15 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
* XXX Shouldn't need that cast if the FindCertByNickname interface
* used const to convey that it does not modify the name. Maybe someday.
*/
- cert = CERT_FindCertByNickname(handle, (char *) name);
+ cert = CERT_FindCertByNickname(handle, (char *)name);
if (cert == NULL) {
- /*
- * look for the cert on an external token.
- */
- cert = PK11_FindCertFromNickname((char *)name, NULL);
+ /*
+ * look for the cert on an external token.
+ */
+ cert = PK11_FindCertFromNickname((char *)name, NULL);
}
if (cert == NULL)
- return SECFailure;
+ return SECFailure;
/*
* Make a copy of the url and nickname.
@@ -5921,8 +5862,8 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
url_copy = PORT_Strdup(url);
name_copy = PORT_Strdup(name);
if (url_copy == NULL || name_copy == NULL) {
- rv = SECFailure;
- goto loser;
+ rv = SECFailure;
+ goto loser;
}
statusContext = ocsp_GetCheckingContext(handle);
@@ -5931,12 +5872,12 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
* Allocate and init the context if it doesn't already exist.
*/
if (statusContext == NULL) {
- rv = ocsp_InitStatusChecking(handle);
- if (rv != SECSuccess)
- goto loser;
+ rv = ocsp_InitStatusChecking(handle);
+ if (rv != SECSuccess)
+ goto loser;
- statusContext = ocsp_GetCheckingContext(handle);
- PORT_Assert(statusContext != NULL); /* extreme paranoia */
+ statusContext = ocsp_GetCheckingContext(handle);
+ PORT_Assert(statusContext != NULL); /* extreme paranoia */
}
/*
@@ -5949,9 +5890,9 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
* Get rid of old url and name if there.
*/
if (statusContext->defaultResponderNickname != NULL)
- PORT_Free(statusContext->defaultResponderNickname);
+ PORT_Free(statusContext->defaultResponderNickname);
if (statusContext->defaultResponderURI != NULL)
- PORT_Free(statusContext->defaultResponderURI);
+ PORT_Free(statusContext->defaultResponderURI);
/*
* And replace them with the new ones.
@@ -5966,13 +5907,13 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
* enabled.
*/
if (statusContext->defaultResponderCert != NULL) {
- CERT_DestroyCertificate(statusContext->defaultResponderCert);
- statusContext->defaultResponderCert = cert;
+ CERT_DestroyCertificate(statusContext->defaultResponderCert);
+ statusContext->defaultResponderCert = cert;
/*OCSP enabled, switching responder: clear cache*/
CERT_ClearOCSPCache();
} else {
- PORT_Assert(statusContext->useDefaultResponder == PR_FALSE);
- CERT_DestroyCertificate(cert);
+ PORT_Assert(statusContext->useDefaultResponder == PR_FALSE);
+ CERT_DestroyCertificate(cert);
/*OCSP currently not enabled, no need to clear cache*/
}
@@ -5981,13 +5922,12 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
loser:
CERT_DestroyCertificate(cert);
if (url_copy != NULL)
- PORT_Free(url_copy);
+ PORT_Free(url_copy);
if (name_copy != NULL)
- PORT_Free(name_copy);
+ PORT_Free(name_copy);
return rv;
}
-
/*
* FUNCTION: CERT_EnableOCSPDefaultResponder
* Turns on use of a default responder when OCSP checking.
@@ -6014,36 +5954,36 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
SECCertificateUsage usage;
if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
statusContext = ocsp_GetCheckingContext(handle);
if (statusContext == NULL) {
- /*
- * Strictly speaking, the error already set is "correct",
- * but cover over it with one more helpful in this context.
- */
- PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
- return SECFailure;
+ /*
+ * Strictly speaking, the error already set is "correct",
+ * but cover over it with one more helpful in this context.
+ */
+ PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+ return SECFailure;
}
if (statusContext->defaultResponderURI == NULL) {
- PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+ return SECFailure;
}
if (statusContext->defaultResponderNickname == NULL) {
- PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+ return SECFailure;
}
/*
* Find the cert for the nickname.
*/
cert = CERT_FindCertByNickname(handle,
- statusContext->defaultResponderNickname);
+ statusContext->defaultResponderNickname);
if (cert == NULL) {
cert = PK11_FindCertFromNickname(statusContext->defaultResponderNickname,
NULL);
@@ -6054,25 +5994,19 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
*/
PORT_Assert(cert != NULL);
if (cert == NULL)
- return SECFailure;
+ return SECFailure;
- /*
- * Supplied cert should at least have a signing capability in order for us
- * to use it as a trusted responder cert. Ability to sign is guaranteed if
- * cert is validated to have any set of the usages below.
- */
+ /*
+ * Supplied cert should at least have a signing capability in order for us
+ * to use it as a trusted responder cert. Ability to sign is guaranteed if
+ * cert is validated to have any set of the usages below.
+ */
rv = CERT_VerifyCertificateNow(handle, cert, PR_TRUE,
certificateUsageCheckAllUsages,
NULL, &usage);
- if (rv != SECSuccess || (usage & (certificateUsageSSLClient |
- certificateUsageSSLServer |
- certificateUsageSSLServerWithStepUp |
- certificateUsageEmailSigner |
- certificateUsageObjectSigner |
- certificateUsageStatusResponder |
- certificateUsageSSLCA)) == 0) {
- PORT_SetError(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID);
- return SECFailure;
+ if (rv != SECSuccess || (usage & (certificateUsageSSLClient | certificateUsageSSLServer | certificateUsageSSLServerWithStepUp | certificateUsageEmailSigner | certificateUsageObjectSigner | certificateUsageStatusResponder | certificateUsageSSLCA)) == 0) {
+ PORT_SetError(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID);
+ return SECFailure;
}
/*
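Review bot: The failure branch after `CERT_VerifyCertificateNow` returns without releasing `cert`, which was obtained from `CERT_FindCertByNickname` / `PK11_FindCertFromNickname` in the preceding hunk and is known to be non-NULL at this point, so every rejected responder certificate leaks a reference. Add `CERT_DestroyCertificate(cert);` before `return SECFailure;` in that branch. As a smaller style point, the seven-flag usage mask now sits on one very long line; breaking it after each `|` would make it easier to audit which usages qualify a certificate as a trusted responder. The function starts and ends outside this hunk.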
@@ -6090,7 +6024,6 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
return SECSuccess;
}
-
/*
* FUNCTION: CERT_DisableOCSPDefaultResponder
* Turns off use of a default responder when OCSP checking.
@@ -6111,23 +6044,23 @@ CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle)
CERTCertificate *tmpCert;
if (handle == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
statusConfig = CERT_GetStatusConfig(handle);
if (statusConfig == NULL)
- return SECSuccess;
+ return SECSuccess;
statusContext = ocsp_GetCheckingContext(handle);
PORT_Assert(statusContext != NULL);
if (statusContext == NULL)
- return SECFailure;
+ return SECFailure;
tmpCert = statusContext->defaultResponderCert;
if (tmpCert) {
- statusContext->defaultResponderCert = NULL;
- CERT_DestroyCertificate(tmpCert);
+ statusContext->defaultResponderCert = NULL;
+ CERT_DestroyCertificate(tmpCert);
/* we don't allow a mix of cache entries from different responders */
CERT_ClearOCSPCache();
}
@@ -6159,29 +6092,29 @@ CERT_GetOCSPResponseStatus(CERTOCSPResponse *response)
{
PORT_Assert(response);
if (response->statusValue == ocspResponse_successful)
- return SECSuccess;
+ return SECSuccess;
switch (response->statusValue) {
- case ocspResponse_malformedRequest:
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
- break;
- case ocspResponse_internalError:
- PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
- break;
- case ocspResponse_tryLater:
- PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER);
- break;
- case ocspResponse_sigRequired:
- /* XXX We *should* retry with a signature, if possible. */
- PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
- break;
- case ocspResponse_unauthorized:
- PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
- break;
- case ocspResponse_unused:
- default:
- PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
- break;
+ case ocspResponse_malformedRequest:
+ PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ break;
+ case ocspResponse_internalError:
+ PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
+ break;
+ case ocspResponse_tryLater:
+ PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER);
+ break;
+ case ocspResponse_sigRequired:
+ /* XXX We *should* retry with a signature, if possible. */
+ PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
+ break;
+ case ocspResponse_unauthorized:
+ PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
+ break;
+ case ocspResponse_unused:
+ default:
+ PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
+ break;
}
return SECFailure;
}