Bug 375019, Cache-enable pkix_OcspChecker_Check

Additional patch to address Alexei's review comments.
r=alexei.volkov
kaie%kuix.de 2008-02-07 23:30:34 +00:00
Родитель 86373d925d
Коммит 2ccf0f4668
2 изменённых файлов: 11 добавлений и 12 удалений


@ -39,7 +39,7 @@
* Implementation of OCSP services, for both client and server.
* (XXX, really, mostly just for client right now, but intended to do both.)
*
* $Id: ocsp.c,v 1.47 2008-02-06 17:27:47 kaie%kuix.de Exp $
* $Id: ocsp.c,v 1.48 2008-02-07 23:30:33 kaie%kuix.de Exp $
*/
#include "prerror.h"
@ -4558,7 +4558,7 @@ ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single,
/* Return value SECFailure means: not found or not fresh.
* On SECSuccess, the out parameters contain the OCSP status.
* rvOcsp contains the overall result of the OCSP operation.
* Depending on input parameter ignoreOcspFailureMode,
* Depending on input parameter ignoreGlobalOcspFailureSetting,
* a soft failure might be converted into *rvOcsp=SECSuccess.
* If the cached attempt to obtain OCSP information had resulted
* in a failure, missingResponseError shows the error code of
@ -4567,7 +4567,7 @@ ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single,
SECStatus
ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID,
int64 time,
PRBool ignoreOcspFailureMode,
PRBool ignoreGlobalOcspFailureSetting,
SECStatus *rvOcsp,
SECErrorCodes *missingResponseError)
{
@ -4595,7 +4595,7 @@ ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID,
* However, if OCSP is optional, a recent OCSP failure is
* an allowed good state.
*/
if (!ignoreOcspFailureMode &&
if (!ignoreGlobalOcspFailureSetting &&
OCSP_Global.ocspFailureMode ==
ocspMode_FailureIsNotAVerificationFailure) {
rv = SECSuccess;
@ -4675,7 +4675,7 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
if (!certID)
return SECFailure;
rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
certID, time, PR_FALSE, /* do not ignore global failure mode */
certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
&rvOcsp, &dummy_error_code);
if (rv == SECSuccess) {
CERT_DestroyOCSPCertID(certID);


@ -168,9 +168,14 @@ PKIX_PL_OcspCertID_Create(
}
cid->certID = CERT_CreateOCSPCertID(cert->nssCert, time);
if (!cid->certID) {
PKIX_ERROR(PKIX_COULDNOTCREATEOBJECT);
}
*object = cid;
cid = NULL;
cleanup:
PKIX_DECREF(cid);
PKIX_RETURN(OCSPCERTID);
}
@ -226,15 +231,9 @@ PKIX_PL_OcspCertID_GetFreshCacheStatus(
}
rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
cid->certID, time, PR_TRUE, /* ignore OCSP failure mode */
cid->certID, time, PR_TRUE, /*ignoreGlobalOcspFailureSetting*/
&rvOcsp, missingResponseError);
/* We ignore rvBasedOnOcspFailureMode, we are interested in the
* real result.
* XXX This may change in the future, when libpkix allows the
* application to specify the desired failure behavior.
*/
*hasFreshStatus = (rv == SECSuccess);
if (*hasFreshStatus) {
*statusIsGood = (rvOcsp == SECSuccess);
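Review bot: In the PKIX_PL_OcspCertID_Create hunk, `PKIX_DECREF(cid)` under `cleanup:` releases the object on every error path, both the `!cid->certID` failure shown here and any earlier jump to `cleanup` taken before `cid->certID` is assigned. That is only safe if the field is NULL until assigned and the object's destroy routine skips a NULL certID; neither is visible, because the function starts above the hunk and the destructor is not part of this change. If the allocator does not zero the object, add `cid->certID = NULL;` directly after the allocation, and confirm the destructor guards its `CERT_DestroyOCSPCertID` call with a NULL check. Otherwise a failed create could hand an uninitialised pointer to the free routine.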