Bug 110161. Code related to the plan to enable OCSP by default.r=rrelyea, toolkit r=mconnor

2024-09-13 09:24:08 -07:00 · 2007-05-30 16:13:28 -07:00 · 2007-05-30 16:13:28 -07:00 · 06f32215fd
commit 06f32215fd
parent 44793caa0f
13 changed files with 127 additions and 61 deletions
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@ -62,4 +62,5 @@ pref("security.warn_leaving_secure",     true);
 pref("security.warn_viewing_mixed",      true);
 pref("security.warn_submit_insecure",    true);

-pref("security.OCSP.enabled",		0);
+pref("security.OCSP.enabled", 0);
+pref("security.OCSP.require", false);
--- a/security/manager/locales/en-US/chrome/pippki/certManager.dtd
+++ b/security/manager/locales/en-US/chrome/pippki/certManager.dtd
@ -98,7 +98,6 @@
 <!ENTITY certmgr.expires                      "Expires On">
 <!ENTITY certmgr.email                        "E-Mail Address">
 <!ENTITY certmgr.serial                       "Serial Number">
-<!ENTITY certmgr.ocsp_info                    "Certificates have not been validated with OCSP. Click View to do so.">

 <!ENTITY certmgr.close.label                  "Close">
 <!ENTITY certmgr.close.accesskey              "C">
--- a/security/manager/locales/en-US/chrome/pippki/pref-validation.dtd
+++ b/security/manager/locales/en-US/chrome/pippki/pref-validation.dtd
@ -72,14 +72,15 @@
 <!ENTITY  edit.button                             "Settings">

 <!ENTITY validation.ocsp.caption                  "OCSP">
-<!ENTITY validation.ocsp.description              "&brandShortName; can use Online Certificate Status Protocol (OCSP) to verify certificates. Set &brandShortName; to use OCSP as follows:">
-<!ENTITY disableOCSP.label                        "Do not use OCSP for certificate validation">
-<!ENTITY disableOCSP.accesskey                    "D">
-<!ENTITY certOCSP.label                           "Use OCSP to validate only certificates that specify an OCSP service URL">
-<!ENTITY certOCSP.accesskey                       "U">
-<!ENTITY proxyOCSP.label                          "Use OCSP to validate all certificates using this URL and signer:">
+<!ENTITY enableOCSP.label                         "Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates">
+<!ENTITY enableOCSP.accesskey                     "E">
+<!ENTITY certOCSP.label2                          "Validate a certificate if it specifies an OCSP server">
+<!ENTITY certOCSP.accesskey                       "C">
+<!ENTITY proxyOCSP.label2                         "Validate all certificates using the following OCSP server:">
 <!ENTITY proxyOCSP.accesskey                      "O">
 <!ENTITY serviceURL.label                         "Service URL:">
 <!ENTITY serviceURL.accesskey                     "S">
 <!ENTITY signingCA.label                          "Response Signer:">
 <!ENTITY signingCA.accesskey                      "R">
+<!ENTITY validation.requireOCSP.description       "When an OCSP server connection fails, treat the certificate as invalid">
+<!ENTITY validation.requireOCSP.accesskey         "V">
--- a/security/manager/pki/resources/content/certManager.js
+++ b/security/manager/pki/resources/content/certManager.js
@ -110,10 +110,6 @@ function LoadCerts()
  } else  {
    enableBackupAllButton.setAttribute("enabled",true);
  }
-
-  if (certdb.isOcspOn) {
-    document.getElementById('ocsp_info').removeAttribute("hidden");
-  }
 }

 function getSelectedCerts()
--- a/security/manager/pki/resources/content/certManager.xul
+++ b/security/manager/pki/resources/content/certManager.xul
@ -78,10 +78,6 @@
      </tabpanels>
    </tabbox>

-    <hbox align="center">
-      <description id="ocsp_info" hidden="true">&certmgr.ocsp_info;</description>
-    </hbox>
-
  </vbox>

 </dialog>
--- a/security/manager/pki/resources/content/pref-validation.js
+++ b/security/manager/pki/resources/content/pref-validation.js
@ -42,6 +42,7 @@ const nsISupportsArray = Components.interfaces.nsISupportsArray;

 var certdb;
 var ocspResponders;
+var cacheRadio = 0;

 function onLoad()
 {
@ -63,26 +64,44 @@ function onLoad()

  parent.initPanel('chrome://pippki/content/pref-validation.xul');

-  doEnabling();
+  doEnabling(0);
 }

-function doEnabling()
+function doEnabling(called_by)
 {
-  var signersMenu = document.getElementById("signingCA");
-  var signersURL = document.getElementById("serviceURL");
-  var radiogroup = document.getElementById("securityOCSPEnabled");
-  
-  switch ( radiogroup.value ) {
-   case "0":
-   case "1":
-    signersMenu.setAttribute("disabled", true);
-    signersURL.setAttribute("disabled", true);
-    break;
-   case "2":
-   default:
-    signersMenu.removeAttribute("disabled");
-    signersURL.removeAttribute("disabled");
+  var signingCA = document.getElementById("signingCA");
+  var serviceURL = document.getElementById("serviceURL");
+  var securityOCSPEnabled = document.getElementById("securityOCSPEnabled");
+  var requireWorkingOCSP = document.getElementById("requireWorkingOCSP");
+  var enableOCSPBox = document.getElementById("enableOCSPBox");
+  var certOCSP = document.getElementById("certOCSP");
+  var proxyOCSP = document.getElementById("proxyOCSP");
+
+  var OCSPPrefValue = parseInt(securityOCSPEnabled.value);
+
+  if (called_by == 0) {
+    // the radio button changed, or we init the stored value from prefs
+    enableOCSPBox.checked = (OCSPPrefValue != 0);
  }
+  else {
+    // the user toggled the checkbox to enable/disable OCSP
+    var new_val = 0;
+    if (enableOCSPBox.checked) {
+      // now enabled. if we have a cached radio val, restore it.
+      // if not, use the first setting
+      new_val = (cacheRadio > 0) ? cacheRadio : 1;
+    }
+    else {
+      // now disabled. remember current value
+      cacheRadio = OCSPPrefValue;
+    }
+    securityOCSPEnabled.value = OCSPPrefValue = new_val;
+  }
+
+  certOCSP.disabled = (OCSPPrefValue == 0);
+  proxyOCSP.disabled = (OCSPPrefValue == 0);
+  signingCA.disabled = serviceURL.disabled = OCSPPrefValue == 0 || OCSPPrefValue == 1;
+  requireWorkingOCSP.disabled = (OCSPPrefValue == 0);
 }

 function changeURL()
--- a/security/manager/pki/resources/content/pref-validation.xul
+++ b/security/manager/pki/resources/content/pref-validation.xul
@ -52,7 +52,7 @@
  <!-- List elements to manage for prefs -->
  <script type="application/x-javascript">
  <![CDATA[
-    var _elementIDs = ["securityOCSPEnabled", "serviceURL", "signingCA"];
+    var _elementIDs = ["securityOCSPEnabled", "serviceURL", "signingCA", "requireWorkingOCSP"];
  ]]>
  </script>
            
@ -72,16 +72,16 @@

  <groupbox align="start">
    <caption label="&validation.ocsp.caption;"/>
-    <description>&validation.ocsp.description;</description>
+    <checkbox id="enableOCSPBox" label="&enableOCSP.label;"
+              accesskey="&enableOCSP.accesskey;" oncommand="doEnabling(1);"/>
    <!-- Prefs -->
    <radiogroup id="securityOCSPEnabled"
                prefstring="security.OCSP.enabled">
-        <radio value="0" label="&disableOCSP.label;"
-               accesskey="&disableOCSP.accesskey;" oncommand="doEnabling();"/>
-        <radio value="1" label="&certOCSP.label;"
-               accesskey="&certOCSP.accesskey;" oncommand="doEnabling();"/>
-        <radio value="2" label="&proxyOCSP.label;"
-               accesskey="&proxyOCSP.accesskey;" oncommand="doEnabling();"/>
+        <radio value="0" hidden="true"/>
+        <radio id="certOCSP" value="1" label="&certOCSP.label2;"
+               accesskey="&certOCSP.accesskey;" oncommand="doEnabling(0);"/>
+        <radio id="proxyOCSP" value="2" label="&proxyOCSP.label2;"
+               accesskey="&proxyOCSP.accesskey;" oncommand="doEnabling(0);"/>

        <grid class="indent" flex="1">
          <columns>
@ -106,5 +106,11 @@
         </rows>
       </grid>
    </radiogroup>
+    <separator class="thin"/>
+    <checkbox id="requireWorkingOCSP" label="&validation.requireOCSP.description;"
+                accesskey="&validation.requireOCSP.accesskey;"
+                prefstring="security.OCSP.require"/>
+
  </groupbox>
+
 </page>
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@ -767,7 +767,7 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
    PRUint32 verified;

    nsAutoString theUsages;
-    rv = cert->GetUsagesString(PR_TRUE, &verified, theUsages); // ignore OCSP
+    rv = cert->GetUsagesString(PR_FALSE, &verified, theUsages); // allow OCSP
    if (NS_FAILED(rv)) {
      verified = nsIX509Cert::NOT_VERIFIED_UNKNOWN;
    }
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@ -259,7 +259,7 @@ SECStatus nsNSSHttpRequestSession::trySendAndReceiveFcn(PRPollDesc **pPollDesc,
  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
         ("nsNSSHttpRequestSession::trySendAndReceiveFcn to %s\n", mURL.get()));

-  const int max_retries = 5;
+  const int max_retries = 2;
  int retry_count = 0;
  PRBool retryable_error = PR_FALSE;
  SECStatus result_sec_status = SECFailure;
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@ -992,6 +992,14 @@ static void setOCSPOptions(nsIPrefBranch * pref)
    }
    break;
  }
+  PRBool ocspRequired;
+  pref->GetBoolPref("security.OCSP.require", &ocspRequired);
+  if (ocspRequired) {
+    CERT_SetOCSPFailureMode(ocspMode_FailureIsVerificationFailure);
+  }
+  else {
+    CERT_SetOCSPFailureMode(ocspMode_FailureIsNotAVerificationFailure);
+  }
 }

 nsresult
@ -1969,7 +1977,8 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
      mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
      SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
      clearSessionCache = PR_TRUE;
-    } else if (prefName.Equals("security.OCSP.enabled")) {
+    } else if (prefName.Equals("security.OCSP.enabled")
+               || prefName.Equals("security.OCSP.require")) {
      setOCSPOptions(mPrefBranch);
    } else {
      /* Look through the cipher table and set according to pref setting */
--- a/toolkit/locales/en-US/chrome/mozapps/preferences/ocsp.dtd
+++ b/toolkit/locales/en-US/chrome/mozapps/preferences/ocsp.dtd
@ -1,11 +1,13 @@
-<!ENTITY window.width                 "38em">
-
-<!ENTITY ocspDialog.title             "Verification">
-<!ENTITY validation.ocsp.description  "&brandShortName; can use Online Certificate Status Protocol (OCSP) to verify certificates. Set &brandShortName; to use OCSP as follows:">
-<!ENTITY disableOCSP.label            "Do not use OCSP for certificate validation">
-<!ENTITY certOCSP.label               "Use OCSP to validate only certificates that specify an OCSP service URL">
-<!ENTITY proxyOCSP.label              "Use OCSP to validate all certificates using this URL and signer:">
+<!ENTITY ocspDialog.title             "Certificate Validation">
+<!ENTITY enableOCSP.label             "Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates">
+<!ENTITY enableOCSP.accesskey         "U">
+<!ENTITY certOCSP.label               "Validate a certificate if it specifies an OCSP server">
+<!ENTITY certOCSP.accesskey           "V">
+<!ENTITY proxyOCSP.label              "Validate all certificates using the following OCSP server:">
+<!ENTITY proxyOCSP.accesskey          "a">
 <!ENTITY serviceURL.label             "Service URL:">
 <!ENTITY serviceURL.accesskey         "S">
 <!ENTITY signingCA.label              "Response Signer:">
 <!ENTITY signingCA.accesskey          "R">
+<!ENTITY requireOCSP.label            "When an OCSP server connection fails, treat the certificate as invalid">
+<!ENTITY requireOCSP.accesskey        "W">
--- a/toolkit/mozapps/preferences/ocsp.js
+++ b/toolkit/mozapps/preferences/ocsp.js
@ -36,9 +36,11 @@
 #
 # ***** END LICENSE BLOCK *****

+
 var gOCSPDialog = {
  _certDB         : null,
  _OCSPResponders : null,
+  _cacheRadio     : 0,

  init: function ()
  {
@ -67,14 +69,42 @@ var gOCSPDialog = {
    this.chooseServiceURL();
  },
  
-  _updateUI: function ()
+  _updateUI: function (called_by)
  {
    var signingCA = document.getElementById("security.OCSP.signingCA");
    var serviceURL = document.getElementById("security.OCSP.URL");
    var securityOCSPEnabled = document.getElementById("security.OCSP.enabled");
+    var requireWorkingOCSP = document.getElementById("security.OCSP.require");
+    var enableOCSPBox = document.getElementById("enableOCSPBox");
+    var certOCSP = document.getElementById("certOCSP");
+    var proxyOCSP = document.getElementById("proxyOCSP");

-    var OCSPEnabled = parseInt(securityOCSPEnabled.value);
-    signingCA.disabled = serviceURL.disabled = OCSPEnabled == 0 || OCSPEnabled == 1;
+    var OCSPPrefValue = parseInt(securityOCSPEnabled.value);
+
+    if (called_by == 0) {
+      // the radio button changed, or we init the stored value from prefs
+      enableOCSPBox.checked = (OCSPPrefValue != 0);
+    }
+    else {
+      // the user toggled the checkbox to enable/disable OCSP
+      var new_val = 0;
+      if (enableOCSPBox.checked) {
+        // now enabled. if we have a cached radio val, restore it.
+        // if not, use the first setting
+        new_val = (this._cacheRadio > 0) ? this._cacheRadio : 1;
+      }
+      else {
+        // now disabled. remember current value
+        this._cacheRadio = OCSPPrefValue;
+      }
+      securityOCSPEnabled.value = OCSPPrefValue = new_val;
+    }
+
+    certOCSP.disabled = (OCSPPrefValue == 0);
+    proxyOCSP.disabled = (OCSPPrefValue == 0);
+    signingCA.disabled = serviceURL.disabled = OCSPPrefValue == 0 || OCSPPrefValue == 1;
+    requireWorkingOCSP.disabled = (OCSPPrefValue == 0);
+    
    return undefined;
  },
  
--- a/toolkit/mozapps/preferences/ocsp.xul
+++ b/toolkit/mozapps/preferences/ocsp.xul
@ -50,8 +50,7 @@
 <prefwindow id="OCSPDialog" type="child"
            xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
            dlgbuttons="accept,cancel"
-            title="&ocspDialog.title;"
-            style="width: &window.width; !important;">
+            title="&ocspDialog.title;">

  <prefpane id="OCSPDialogPane" onpaneload="gOCSPDialog.init();">
    <script type="application/javascript" src="chrome://mozapps/content/preferences/ocsp.js"/>
@ -60,14 +59,19 @@
      <preference id="security.OCSP.enabled"    name="security.OCSP.enabled"   type="int"/>
      <preference id="security.OCSP.signingCA"  name="security.OCSP.signingCA" type="string"/>
      <preference id="security.OCSP.URL"        name="security.OCSP.URL"       type="string"/>
+      <preference id="security.OCSP.require"    name="security.OCSP.require"   type="bool"/>
    </preferences>
    
-    <description control="securityOSCPEnabled">&validation.ocsp.description;</description>
+    <checkbox id="enableOCSPBox" label="&enableOCSP.label;" accesskey="&enableOCSP.accesskey;"
+              oncommand="gOCSPDialog._updateUI(1);"/>
    <radiogroup id="securityOCSPEnabled" preference="security.OCSP.enabled"
-                onsyncfrompreference="return gOCSPDialog._updateUI();">
-      <radio value="0" label="&disableOCSP.label;"/>
-      <radio value="1" label="&certOCSP.label;"/>
-      <radio value="2" label="&proxyOCSP.label;"/>
+                onsyncfrompreference="return gOCSPDialog._updateUI(0);"
+                class="indent">
+      <radio value="0" hidden="true"/>
+      <radio id="certOCSP" value="1" label="&certOCSP.label;"
+             accesskey="&certOCSP.accesskey;"/>
+      <radio id="proxyOCSP" value="2" label="&proxyOCSP.label;"
+             accesskey="&proxyOCSP.accesskey;"/>

      <grid class="indent" flex="1">
        <columns>
@ -93,6 +97,9 @@
        </rows>
      </grid>
    </radiogroup>
-    <separator/>
+    <separator class="thin"/>
+    <checkbox id="requireWorkingOCSP" preference="security.OCSP.require" 
+              label="&requireOCSP.label;"
+              accesskey="&requireOCSP.accesskey;"/>
  </prefpane>
 </prefwindow>