Resolves 66606. Added -O (enable OCSP checking).

security/nss/cmd/signtool/signtool.c

@@ -92,6 +92,7 @@ static char *install_script = NULL;
 static int list_certs = 0;
 static int list_modules = 0;
 static int optimize = 0;
+static int enableOCSP = 0;
 static char *tell_who = NULL;
 static char *outfile = NULL;
 static char *cmdFile = NULL;
@@ -114,6 +115,7 @@ typedef enum {
 	LIST_ALL_CERTS_OPT,
 	METAFILE_OPT,
 	OPTIMIZE_OPT,
+	ENABLE_OCSP_OPT,
 	PASSWORD_OPT,
 	VERIFY_OPT,
 	WHO_OPT,
@@ -229,6 +231,8 @@ ProcessCommandFile()
 			type = MODULES_OPT;
 		} else if(!PL_strcasecmp(buf, "optimize")) {
 			type = OPTIMIZE_OPT;
+		} else if(!PL_strcasecmp(buf, "ocsp")) {
+			type = ENABLE_OCSP_OPT;
 		} else if(!PL_strcasecmp(buf, "password")) {
 			type = PASSWORD_OPT;
 		} else if(!PL_strcasecmp(buf, "verify")) {
@@ -373,6 +377,9 @@ parse_args(int argc, char *argv[])
 				case 'o':
 					type = OPTIMIZE_OPT;
 					break;
+				case 'O':
+					type = ENABLE_OCSP_OPT;
+					break;
 				case 'p':
 					type = PASSWORD_OPT;
 					break;
@@ -598,6 +605,9 @@ ProcessOneOpt(OPT_TYPE type, char *arg)
 	case OPTIMIZE_OPT:
 		optimize = 1;
 		break;
+	case ENABLE_OCSP_OPT:
+		enableOCSP = 1;
+		break;
 	case PASSWORD_OPT:
 		if(password) {
 			PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
@@ -925,6 +935,15 @@ main(int argc, char *argv[])
 		goto cleanup;
 	}
 
+	if (enableOCSP) {
+		SECStatus rv = CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
+		if (rv != SECSuccess) {
+	        PR_fprintf(errorFD, "ERROR: Attempt to enable OCSP Checking failed.\n");
+	        errorCount++;
+	        retval = -1;
+		}
+	}
+
   if (verify)
     {
     if (VerifyJar(verify))

security/nss/cmd/signtool/signtool.h

@@ -43,6 +43,7 @@
 #include "prprf.h"
 #include "prio.h"
 #include "secutil.h"
+#include "ocsp.h"
 #include "jar.h"
 #include "jarfile.h"
 #include "secpkcs7.h"

security/nss/cmd/signtool/util.c

@@ -209,6 +209,7 @@ usage (void)
   PR_fprintf(outputFD, "    -m\"metafile\"\t\tinclude custom meta-information\n");
   PR_fprintf(outputFD, "    --norecurse\t\t\tdo not operate on subdirectories\n");
   PR_fprintf(outputFD, "    -o\t\t\t\toptimize - omit optional headers\n");
+  PR_fprintf(outputFD, "    -O\t\t\t\tenableOCSP - enable OCSP checking\n");
   PR_fprintf(outputFD, "    --outfile \"filename\"\tredirect output to file\n");
   PR_fprintf(outputFD, "    -p\"password\"\t\tfor password on command line (insecure)\n");
   PR_fprintf(outputFD, "    -s keysize\t\t\tkeysize in bits of generated cert\n");