|
|
66ebb3 |
diff -up ./nss/lib/certdb/certi.h.1034409 ./nss/lib/certdb/certi.h
|
|
|
66ebb3 |
--- ./nss/lib/certdb/certi.h.1034409 2014-01-03 11:59:10.000000000 -0800
|
|
|
66ebb3 |
+++ ./nss/lib/certdb/certi.h 2014-02-20 08:46:10.345136599 -0800
|
|
|
66ebb3 |
@@ -116,11 +116,16 @@ struct CRLDPCacheStr {
|
|
|
66ebb3 |
#else
|
|
|
66ebb3 |
PRLock* lock;
|
|
|
66ebb3 |
#endif
|
|
|
66ebb3 |
- CERTCertificate* issuer; /* issuer cert
|
|
|
66ebb3 |
- XXX there may be multiple issuer certs,
|
|
|
66ebb3 |
- with different validity dates. Also
|
|
|
66ebb3 |
- need to deal with SKID/AKID . See
|
|
|
66ebb3 |
- bugzilla 217387, 233118 */
|
|
|
66ebb3 |
+ SECItem *issuerDERCert; /* issuer DER cert. Don't hold a reference
|
|
|
66ebb3 |
+ to the actual cert so the trust can be
|
|
|
66ebb3 |
+ updated on the cert automatically.
|
|
|
66ebb3 |
+ XXX there may be multiple issuer certs,
|
|
|
66ebb3 |
+ with different validity dates. Also
|
|
|
66ebb3 |
+ need to deal with SKID/AKID . See
|
|
|
66ebb3 |
+ bugzilla 217387, 233118 */
|
|
|
66ebb3 |
+
|
|
|
66ebb3 |
+ CERTCertDBHandle *dbHandle;
|
|
|
66ebb3 |
+
|
|
|
66ebb3 |
SECItem* subject; /* DER of issuer subject */
|
|
|
66ebb3 |
SECItem* distributionPoint; /* DER of distribution point. This may be
|
|
|
66ebb3 |
NULL when distribution points aren't
|
|
|
66ebb3 |
@@ -172,7 +177,7 @@ struct CRLIssuerCacheStr {
|
|
|
66ebb3 |
NSSRWLock* lock;
|
|
|
66ebb3 |
CRLDPCache** dps;
|
|
|
66ebb3 |
PLHashTable* distributionpoints;
|
|
|
66ebb3 |
- CERTCertificate* issuer;
|
|
|
66ebb3 |
+ CERTCertificate* issuer; /* This should be the DER Cert, not a cert handle */
|
|
|
66ebb3 |
#endif
|
|
|
66ebb3 |
};
|
|
|
66ebb3 |
|
|
|
66ebb3 |
diff -up ./nss/lib/certdb/crl.c.1034409 ./nss/lib/certdb/crl.c
|
|
|
66ebb3 |
--- ./nss/lib/certdb/crl.c.1034409 2014-01-03 11:59:10.000000000 -0800
|
|
|
66ebb3 |
+++ ./nss/lib/certdb/crl.c 2014-02-20 08:49:30.835466687 -0800
|
|
|
66ebb3 |
@@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCa
|
|
|
66ebb3 |
PORT_Free(cache->crls);
|
|
|
66ebb3 |
}
|
|
|
66ebb3 |
/* destroy the cert */
|
|
|
66ebb3 |
- if (cache->issuer)
|
|
|
66ebb3 |
+ if (cache->issuerDERCert)
|
|
|
66ebb3 |
{
|
|
|
66ebb3 |
- CERT_DestroyCertificate(cache->issuer);
|
|
|
66ebb3 |
+ SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE);
|
|
|
66ebb3 |
}
|
|
|
66ebb3 |
/* free the subject */
|
|
|
66ebb3 |
if (cache->subject)
|
|
|
66ebb3 |
@@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPC
|
|
|
66ebb3 |
else
|
|
|
66ebb3 |
{
|
|
|
66ebb3 |
SECStatus signstatus = SECFailure;
|
|
|
66ebb3 |
- if (cache->issuer)
|
|
|
66ebb3 |
+ if (cache->issuerDERCert)
|
|
|
66ebb3 |
{
|
|
|
66ebb3 |
- signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
|
|
|
66ebb3 |
+ CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle,
|
|
|
66ebb3 |
+ cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
|
|
|
66ebb3 |
+
|
|
|
66ebb3 |
+ if (issuer) {
|
|
|
66ebb3 |
+ signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate,
|
|
|
66ebb3 |
wincx);
|
|
|
66ebb3 |
+ CERT_DestroyCertificate(issuer);
|
|
|
66ebb3 |
+ }
|
|
|
66ebb3 |
}
|
|
|
66ebb3 |
if (SECSuccess != signstatus)
|
|
|
66ebb3 |
{
|
|
|
66ebb3 |
- if (!cache->issuer)
|
|
|
66ebb3 |
+ if (!cache->issuerDERCert)
|
|
|
66ebb3 |
{
|
|
|
66ebb3 |
/* we tried to verify without an issuer cert . This is
|
|
|
66ebb3 |
because this CRL came through a call to SEC_FindCrlByName.
|
|
|
66ebb3 |
@@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRL
|
|
|
66ebb3 |
}
|
|
|
66ebb3 |
|
|
|
66ebb3 |
/* add issuer certificate if it was previously unavailable */
|
|
|
66ebb3 |
- if (issuer && (NULL == cache->issuer) &&
|
|
|
66ebb3 |
+ if (issuer && (NULL == cache->issuerDERCert) &&
|
|
|
66ebb3 |
(SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
|
|
|
66ebb3 |
{
|
|
|
66ebb3 |
/* if we didn't have a valid issuer cert yet, but we do now. add it */
|
|
|
66ebb3 |
DPCache_LockWrite();
|
|
|
66ebb3 |
- if (!cache->issuer)
|
|
|
66ebb3 |
+ if (!cache->issuerDERCert)
|
|
|
66ebb3 |
{
|
|
|
66ebb3 |
dirty = PR_TRUE;
|
|
|
66ebb3 |
- cache->issuer = CERT_DupCertificate(issuer);
|
|
|
66ebb3 |
+ cache->dbHandle = issuer->dbhandle;
|
|
|
66ebb3 |
+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
|
|
|
66ebb3 |
}
|
|
|
66ebb3 |
DPCache_UnlockWrite();
|
|
|
66ebb3 |
}
|
|
|
66ebb3 |
@@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRL
|
|
|
66ebb3 |
SEC_FindCrlByName, or through manual insertion, rather than through a
|
|
|
66ebb3 |
certificate verification (CERT_CheckCRL) */
|
|
|
66ebb3 |
|
|
|
66ebb3 |
- if (cache->issuer && vfdate )
|
|
|
66ebb3 |
+ if (cache->issuerDERCert && vfdate )
|
|
|
66ebb3 |
{
|
|
|
66ebb3 |
mustunlock = PR_FALSE;
|
|
|
66ebb3 |
/* re-process all unverified CRLs */
|
|
|
66ebb3 |
@@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCac
|
|
|
66ebb3 |
}
|
|
|
66ebb3 |
if (issuer)
|
|
|
66ebb3 |
{
|
|
|
66ebb3 |
- cache->issuer = CERT_DupCertificate(issuer);
|
|
|
66ebb3 |
+ cache->dbHandle = issuer->dbhandle;
|
|
|
66ebb3 |
+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
|
|
|
66ebb3 |
}
|
|
|
66ebb3 |
cache->distributionPoint = SECITEM_DupItem(dp);
|
|
|
66ebb3 |
cache->subject = SECITEM_DupItem(subject);
|
|
|
66ebb3 |
diff -up ./nss/tests/chains/chains.sh.1034409 ./nss/tests/chains/chains.sh
|
|
|
66ebb3 |
--- ./nss/tests/chains/chains.sh.1034409 2014-02-20 08:16:34.867686934 -0800
|
|
|
66ebb3 |
+++ ./nss/tests/chains/chains.sh 2014-02-20 08:34:35.149603340 -0800
|
|
|
66ebb3 |
@@ -974,6 +974,7 @@ check_ocsp()
|
|
|
66ebb3 |
OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
|
|
|
66ebb3 |
OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
|
|
|
66ebb3 |
|
|
|
66ebb3 |
+ echo "Cert = ${CERT_NICK}.cert"
|
|
|
66ebb3 |
echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
|
|
|
66ebb3 |
tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
|
|
|
66ebb3 |
return $?
|