Enable support for OCSP. Bug#80178, r=mcgreer@netscape.com, sr=blizzard@mozilla.org

security/manager/pki/resources/content/PrefOverlay.xul

@@ -43,6 +43,14 @@
           </treerow>
         </treeitem>
       </treechildren>
+      <treechildren id="securityChildren">
+        <treeitem id="validationItem" open="true" >
+          <treerow>
+             <treecell class="treecell-indent" url="chrome://pippki/content/pref-validation.xul"
+               label="&validation.label;" />
+          </treerow>
+        </treeitem>
+      </treechildren>
     </treeitem>
   </treechildren>
 </overlay>

security/manager/pki/resources/content/pref-validation.js

@@ -0,0 +1,86 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are
+ * Copyright (C) 2001 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *  David Drinan <ddrinan@netscape.com>
+ */
+
+const nsIX509CertDB = Components.interfaces.nsIX509CertDB;
+const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
+const nsIOCSPResponder = Components.interfaces.nsIOCSPResponder;
+const nsISupportsArray = Components.interfaces.nsISupportsArray;
+
+var certdb;
+var ocspResponders;
+
+function onLoad()
+{
+  var ocspEntry;
+  var i;
+
+  certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
+  ocspResponders = certdb.getOCSPResponders();
+
+  var signersMenu = document.getElementById("signingCA");
+  var signersURL = document.getElementById("serviceURL");
+  for (i=0; i<ocspResponders.Count(); i++) {
+    ocspEntry = ocspResponders.GetElementAt(i).QueryInterface(nsIOCSPResponder);
+    var menuItemNode = document.createElement("menuitem");
+    menuItemNode.setAttribute("value", ocspEntry.responseSigner);
+    menuItemNode.setAttribute("label", ocspEntry.responseSigner);
+    signersMenu.firstChild.appendChild(menuItemNode);
+  }
+
+  parent.initPanel('chrome://pippki/content/pref-validation.xul');
+
+  doEnabling();
+}
+
+function doEnabling()
+{
+  var signersMenu = document.getElementById("signingCA");
+  var signersURL = document.getElementById("serviceURL");
+  var radiogroup = document.getElementById("securityOCSPEnabled");
+  
+  switch ( radiogroup.value ) {
+   case "0":
+   case "1":
+    signersMenu.setAttribute("disabled", true);
+    signersURL.setAttribute("disabled", true);
+    break;
+   case "2":
+   default:
+    signersMenu.removeAttribute("disabled");
+    signersURL.removeAttribute("disabled");
+  }
+}
+
+function changeURL()
+{
+  var signersMenu = document.getElementById("signingCA");
+  var signersURL = document.getElementById("serviceURL");
+  var CA = signersMenu.getAttribute("value");
+
+  for (i=0; i < ocspResponders.Count(); i++) {
+    ocspEntry = ocspResponders.GetElementAt(i).QueryInterface(nsIOCSPResponder);
+    if (CA == ocspEntry.responseSigner) {
+      signersURL.setAttribute("value", ocspEntry.serviceURL);
+      break;
+    }
+  }
+}

security/manager/pki/resources/content/pref-validation.xul

@@ -0,0 +1,91 @@
+<?xml version="1.0"?> 
+<!-- 
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   - 
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   - 
+   - The Original Code is mozilla.org code.
+   - 
+   - The Initial Developer of the Original Code is Netscape
+   - Communications Corp.  Portions created by Netscape are
+   - Copyright (C) 2001 Netscape Communications Corp.  All
+   - Rights Reserved.
+   - 
+   - Contributor(s):
+   -   David Drinan <ddrinan@netscape.com>
+  -->
+
+<?xml-stylesheet href="chrome://communicator/skin/" type="text/css"?>
+<?xml-stylesheet href="chrome://communicator/skin/dialogOverlay.css" type="text/css"?>
+
+<!DOCTYPE window [
+  <!ENTITY % brandDTD SYSTEM "chrome://global/locale/brand.dtd">
+  <!ENTITY % prefValidationDTD SYSTEM "chrome://pippki/locale/pref-validation.dtd">
+  %brandDTD;
+  %prefValidationDTD;
+]>
+
+<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+        class="color-dialog"
+        orient="vertical"
+        onload="onLoad();" >
+
+  <!-- List elements to manage for prefs -->
+  <script language="JavaScript">
+  <![CDATA[
+    var _elementIDs = ["securityOCSPEnabled", "serviceURL", "signingCA"];
+  ]]>
+  </script>
+            
+  <script src="pref-validation.js"/>
+
+  <!-- Fancy panel header -->
+  <box class="box-smallheader" title="&validation.title;" description="&validation.description;"/>
+
+  <!--
+  <titledbox orient="horizontal">
+    <label value="&validation.crl.label;"/>
+  </titledbox>
+  -->
+
+  <titledbox orient="vertical" autostretch="never" >
+    <label value="&validation.ocsp.label;"/>
+    <html> &validation.ocsp.description; </html>
+    <!-- Prefs -->
+    <radiogroup id="securityOCSPEnabled" orient="vertical" autostretch="never"
+                 pref="true" preftype="int" prefstring="security.OCSP.enabled"
+                  prefattribute="value">
+        <radio group="securityOCSPEnabled" value="0" label="&disableOCSP.label;" oncommand="doEnabling();"/>
+        <radio group="securityOCSPEnabled" value="1" label="&certOCSP.label;" oncommand="doEnabling();"/>
+        <radio group="securityOCSPEnabled" value="2" label="&proxyOCSP.label;" oncommand="doEnabling();"/>
+
+        <grid class="indent" flex="1">
+          <columns>
+          <column/>
+          <column flex="1"/>
+          </columns>
+          
+          <rows>
+            <row>
+              <text class="label" value="&serviceURL.label;" for="serviceURL"/>
+              <textbox id="serviceURL" pref="true" preftype="string" prefstring="security.OCSP.URL"
+                           prefattribute="value" flex="1"/>
+            </row>
+            <row>
+              <text class="label" value="&signingCA.label;" for="signingCA"/>
+              <menulist id="signingCA" pref="true" preftype="string" prefstring="security.OCSP.signingCA"
+                           prefattribute="value" flex="1" oncommand="changeURL()">
+                <menupopup/>
+              </menulist>
+            </row>
+         </rows>
+       </grid>
+    </radiogroup>
+  </titledbox>
+</window>

security/manager/pki/resources/jar.mn

@@ -37,6 +37,8 @@ pippki.jar:
     content/pippki/certDump.xul              (content/certDump.xul)
     content/pippki/choosetoken.xul           (content/choosetoken.xul)
     content/pippki/choosetoken.js            (content/choosetoken.js)
+    content/pippki/pref-validation.xul       (content/pref-validation.xul)
+    content/pippki/pref-validation.js        (content/pref-validation.js)
     locale/en-US/pippki/contents.rdf         (locale/en-US/contents.rdf)
     locale/en-US/pippki/pippki.dtd           (locale/en-US/pippki.dtd)
     locale/en-US/pippki/pref-ssl.dtd         (locale/en-US/pref-ssl.dtd)
@@ -47,3 +49,4 @@ pippki.jar:
     locale/en-US/pippki/pref-security.dtd    (locale/en-US/pref-security.dtd)
     locale/en-US/pippki/PageInfoOverlay.dtd  (locale/en-US/PageInfoOverlay.dtd)
     locale/en-US/pippki/certManager.dtd      (locale/en-US/certManager.dtd)
+    locale/en-US/pippki/pref-validation.dtd  (locale/en-US/pref-validation.dtd)

security/manager/pki/resources/locale/en-US/PrefOverlay.dtd

@@ -21,5 +21,7 @@
    -   Terry Hayes <thayes@netscape.com>
   -->
 
-<!ENTITY  security.label               "Privacy and Security">
+<!ENTITY  security.label               "Privacy and Security">
-<!ENTITY  ssl.label                    "SSL">
+
+<!ENTITY  ssl.label                    "SSL">
+<!ENTITY  validation.label             "Validation">

security/manager/pki/resources/locale/en-US/pref-validation.dtd

@@ -0,0 +1,34 @@
+<!-- 
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   - 
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   - 
+   - The Original Code is mozilla.org code.
+   - 
+   - The Initial Developer of the Original Code is Netscape
+   - Communications Corp.  Portions created by Netscape are
+   - Copyright (C) 2001 Netscape Communications Corp.  All
+   - Rights Reserved.
+   - 
+   - Contributor(s):
+   - David P. Drinan (ddrinan@netscape.com)
+  -->
+
+<!ENTITY  validation.title          "Validation">
+<!ENTITY  validation.description    "Settings for Validation">
+
+<!ENTITY  validation.crl.label      "CRL">
+
+<!ENTITY validation.ocsp.label      "OCSP">
+<!ENTITY validation.ocsp.description "&brandShortName; can use Online Certificate Status Protocol(OCSP) to verify certificates. Set &brandShortName; to use OCSP as follows:">
+<!ENTITY disableOCSP.label "Do not use OCSP for certificate validation">
+<!ENTITY certOCSP.label "Use OCSP to validate only cerificates that specify on OCSP service URL">
+<!ENTITY proxyOCSP.label "Use OCSP to validate all certificates using the URL and signer specified here:">
+<!ENTITY serviceURL.label "Service URL:">
+<!ENTITY signingCA.label "Response Signer:">

security/manager/ssl/public/nsIX509CertDB.idl

@@ -64,6 +64,13 @@ native nsCertCompareFunc(nsCertCompareFunc);
 native nsAutoString(nsAutoString);
 [ref] native nsAutoStringRef(nsAutoString);
 
+[scriptable, uuid(96b2f5ae-4334-11d5-ba27-00108303b117)]
+interface nsIOCSPResponder : nsISupports {
+  readonly attribute wstring responseSigner;
+  readonly attribute wstring serviceURL;
+};
+
+
 [scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
 interface nsIX509CertDB : nsISupports {
 
@@ -182,6 +189,12 @@ interface nsIX509CertDB : nsISupports {
                         in PRUint32 count,
                         [array, size_is(count)] in nsIX509Cert aCerts);
                         //[array, size_is(count)] in wstring aCertNames);
+  /*
+   * getOCSPResponders
+   *
+   * Export a set of OCSP responders i.e. CA names and (optional) URLs.
+   */
+  nsISupportsArray getOCSPResponders();
 
 };
 

security/manager/ssl/src/nsNSSCertificate.cpp

@@ -32,7 +32,7 @@
  * may use your version of this file under either the MPL or the
  * GPL.
  *
- * $Id: nsNSSCertificate.cpp,v 1.22 2001/05/15 14:56:42 mcgreer%netscape.com Exp $
+ * $Id: nsNSSCertificate.cpp,v 1.23 2001/05/15 17:35:33 ddrinan%netscape.com Exp $
  */
 
 #include "prmem.h"
@@ -64,6 +64,7 @@ extern "C" {
 #include "secasn1.h"
 #include "secder.h"
 }
+#include "ocsp.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
@@ -2541,6 +2542,210 @@ nsNSSCertificateDB::ExportPKCS12File(nsIPK11Token     *aToken,
   return blob.ExportToFile(aFile, certs, count);
 }
 
+/* Header file */
+class nsOCSPResponder : public nsIOCSPResponder
+{
+public:
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIOCSPRESPONDER
+
+  nsOCSPResponder();
+  nsOCSPResponder(const PRUnichar*, const PRUnichar*);
+  virtual ~nsOCSPResponder();
+  /* additional members */
+  static PRInt32 CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b);
+  static PRInt32 CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b);
+  static PRBool IncludeCert(CERTCertificate *aCert);
+private:
+  nsString mCA;
+  nsString mURL;
+};
+
+/* Implementation file */
+NS_IMPL_ISUPPORTS1(nsOCSPResponder, nsIOCSPResponder)
+
+nsOCSPResponder::nsOCSPResponder()
+{
+  NS_INIT_ISUPPORTS();
+  /* member initializers and constructor code */
+}
+
+nsOCSPResponder::nsOCSPResponder(const PRUnichar * aCA, const PRUnichar * aURL)
+{
+  NS_INIT_ISUPPORTS();
+  mCA.Assign(aCA);
+  mURL.Assign(aURL);
+}
+
+nsOCSPResponder::~nsOCSPResponder()
+{
+  /* destructor code */
+}
+
+/* readonly attribute */
+NS_IMETHODIMP nsOCSPResponder::GetResponseSigner(PRUnichar** aCA)
+{
+  NS_ENSURE_ARG(aCA);
+  *aCA = mCA.ToNewUnicode();
+  return NS_OK;
+}
+
+/* readonly attribute */
+NS_IMETHODIMP nsOCSPResponder::GetServiceURL(PRUnichar** aURL)
+{
+  NS_ENSURE_ARG(aURL);
+  *aURL = mURL.ToNewUnicode();
+  return NS_OK;
+}
+
+PRBool nsOCSPResponder::IncludeCert(CERTCertificate *aCert)
+{
+  CERTCertTrust *trust;
+  char *nickname;
+
+  trust = aCert->trust;
+  nickname = aCert->nickname;
+
+  if ( ( ( trust->sslFlags & CERTDB_INVISIBLE_CA ) ||
+         (trust->emailFlags & CERTDB_INVISIBLE_CA ) ||
+         (trust->objectSigningFlags & CERTDB_INVISIBLE_CA ) ) ||
+       nickname == NULL) {
+      return PR_FALSE;
+  }
+  if ((trust->sslFlags & CERTDB_VALID_CA) ||
+      (trust->emailFlags & CERTDB_VALID_CA) ||
+      (trust->objectSigningFlags & CERTDB_VALID_CA)) {
+      return PR_TRUE;
+  }
+  return PR_FALSE;
+}
+
+// CmpByCAName
+//
+// Compare two responders their token name.  Returns -1, 0, 1 as
+// in strcmp.  No token name (null) is treated as >.
+PRInt32 nsOCSPResponder::CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b)
+{
+  PRInt32 cmp1;
+  nsXPIDLString aTok, bTok;
+  a->GetResponseSigner(getter_Copies(aTok));
+  b->GetResponseSigner(getter_Copies(bTok));
+  if (aTok != nsnull && bTok != nsnull) {
+    nsAutoString aStr(aTok);
+    cmp1 = aStr.CompareWithConversion(bTok);
+  } else {
+    cmp1 = (aTok == nsnull) ? 1 : -1;
+  }
+  return cmp1;
+}
+
+// ocsp_compare_entries
+//
+// Compare two responders.  Returns -1, 0, 1 as
+// in strcmp.  Entries with urls come before those without urls.
+PRInt32 nsOCSPResponder::CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b)
+{
+  nsXPIDLString aURL, bURL;
+  nsAutoString aURLAuto, bURLAuto;
+
+  a->GetServiceURL(getter_Copies(aURL));
+  aURLAuto.Assign(aURL);
+  b->GetServiceURL(getter_Copies(bURL));
+  bURLAuto.Assign(bURL);
+
+  if (aURLAuto.Length() > 0 ) {
+    if (bURLAuto.Length() > 0) {
+      return nsOCSPResponder::CmpCAName(a, b);
+    } else {
+      return -1;
+    }
+  } else {
+    if (bURLAuto.Length() > 0) {
+      return 1;
+    } else {
+      return nsOCSPResponder::CmpCAName(a, b);
+    }
+  }
+}
+
+static SECStatus GetOCSPResponders (CERTCertificate *aCert,
+                          SECItem         *aDBKey,
+                          void            *aArg)
+{
+  nsISupportsArray *array = NS_STATIC_CAST(nsISupportsArray*, aArg);
+  PRUnichar* nn = nsnull;
+  PRUnichar* url = nsnull;
+  char *serviceURL = nsnull;
+  char *nickname = nsnull;
+  PRUint32 i, count;
+  nsresult rv;
+
+  // Are we interested in this cert //
+  if (!nsOCSPResponder::IncludeCert(aCert)) {
+    return SECSuccess;
+  }
+
+  // Get the AIA and nickname //
+  serviceURL = CERT_GetOCSPAuthorityInfoAccessLocation(aCert);
+  if (serviceURL) {
+	url = NS_ConvertASCIItoUCS2(serviceURL).ToNewUnicode();
+  }
+
+  nickname = aCert->nickname;
+  nn = NS_ConvertASCIItoUCS2(nickname).ToNewUnicode();
+
+  nsCOMPtr<nsIOCSPResponder> new_entry = new nsOCSPResponder(nn, url);
+
+  // Sort the items according to nickname //
+  rv = array->Count(&count);
+  for (i=0; i < count; ++i) {
+    nsCOMPtr<nsISupports> isupport = getter_AddRefs(array->ElementAt(i));
+    nsCOMPtr<nsIOCSPResponder> entry = do_QueryInterface(isupport);
+    if (nsOCSPResponder::CompareEntries(new_entry, entry) < 0) {
+      array->InsertElementAt(new_entry, i);
+      break;
+    }
+  }
+  if (i == count) {
+    array->AppendElement(new_entry);
+  }
+  return SECSuccess;
+}
+
+/*
+ * getOCSPResponders
+ *
+ * Export a set of certs and keys from the database to a PKCS#12 file.
+*/
+NS_IMETHODIMP 
+nsNSSCertificateDB::GetOCSPResponders(nsISupportsArray ** aResponders)
+{
+  SECStatus sec_rv;
+  nsCOMPtr<nsISupportsArray> respondersArray;
+  nsresult rv = NS_NewISupportsArray(getter_AddRefs(respondersArray));
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  sec_rv = SEC_TraversePermCerts(CERT_GetDefaultCertDB(),
+                              ::GetOCSPResponders,
+                              respondersArray);
+  if (sec_rv == SECSuccess) {
+    sec_rv = PK11_TraverseSlotCerts(::GetOCSPResponders,
+                                 respondersArray,
+                                 nsnull);
+  }
+  if (sec_rv != SECSuccess) {
+    goto loser;
+  }
+
+  *aResponders = respondersArray;
+  NS_IF_ADDREF(*aResponders);
+  return NS_OK;
+loser:
+  return NS_ERROR_FAILURE;
+}
+
 /*
  * NSS Helper Routines (private to nsNSSCertificateDB)
  */

security/manager/ssl/src/nsNSSComponent.cpp

@@ -53,6 +53,7 @@
 #include "ssl.h"
 #include "sslproto.h"
 #include "secmod.h"
+#include "ocsp.h"
 extern "C" {
 #include "pkcs11.h"
 #include "pkcs12.h"
@@ -368,6 +369,40 @@ static CipherPref CipherPrefs[] = {
  {NULL, 0} /* end marker */
 };
 
+static void setOCSPOptions(nsIPref * pref)
+{
+  // Set up OCSP //
+  PRInt32 ocspEnabled;
+  pref->GetIntPref("security.OCSP.enabled", &ocspEnabled);
+  switch (ocspEnabled) {
+  case 0:
+	  CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
+	  CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
+	  break;
+  case 1:
+    CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
+    break;
+  case 2:
+    {
+      char *signingCA = nsnull;
+      char *url = nsnull;
+
+      // Get the signing CA and service url //
+      pref->CopyCharPref("security.OCSP.signingCA", &signingCA);
+      pref->CopyCharPref("security.OCSP.URL", &url);
+
+      // Set OCSP up
+      CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
+      CERT_SetOCSPDefaultResponder(CERT_GetDefaultCertDB(), url, signingCA);
+      CERT_EnableOCSPDefaultResponder(CERT_GetDefaultCertDB());
+
+      nsMemory::Free(signingCA);
+      nsMemory::Free(url);
+    }
+	  break;
+  }
+}
+
 nsresult
 nsNSSComponent::InitializeNSS()
 {
@@ -438,6 +473,9 @@ nsNSSComponent::InitializeNSS()
   SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
   PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn);
 
+  // Set up OCSP //
+  setOCSPOptions(mPref);
+
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization done\n"));
   return NS_OK;
 }
@@ -566,6 +604,8 @@ nsNSSComponent::PrefChanged(const char* prefName)
   } else if (!nsCRT::strcmp(prefName, "security.enable_tls")) {
     mPref->GetBoolPref("security.enable_tls", &enabled);
     SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
+  } else if (!nsCRT::strcmp(prefName, "security.OCSP.enabled")) {
+    setOCSPOptions(mPref);
   } else {
     /* Look through the cipher table and set according to pref setting */
     for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {