Bug 802302: Remove obsolete OCSP responder override UI and API, r=honzab

--HG--
extra : rebase_source : 5d241a8b9573f442c37d0aeef0689ae5054dd08d

security/manager/ssl/public/Makefile.in

@@ -57,7 +57,6 @@ XPIDLSRCS = \
     nsICMSMessage.idl \
     nsICMSMessage2.idl \
     nsINSSCertCache.idl \
-    nsIOCSPResponder.idl \
     nsIPK11Token.idl \
     nsIPKCS11ModuleDB.idl \
     nsIPKCS11Module.idl \

security/manager/ssl/public/nsIOCSPResponder.idl

@@ -1,12 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-[scriptable, uuid(96b2f5ae-4334-11d5-ba27-00108303b117)]
-interface nsIOCSPResponder : nsISupports {
-  readonly attribute wstring responseSigner;
-  readonly attribute wstring serviceURL;
-};
-

security/manager/ssl/public/nsIX509CertDB.idl

@@ -19,7 +19,7 @@ interface nsIInterfaceRequestor;
  * This represents a service to access and manipulate 
  * X.509 certificates stored in a database.
  */
-[scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
+[scriptable, uuid(eb426311-69cd-4a74-a7db-a4a215854c78)]
 interface nsIX509CertDB : nsISupports {
 
   /**
@@ -240,14 +240,6 @@ interface nsIX509CertDB : nsISupports {
                         in unsigned long count,
                         [array, size_is(count)] in nsIX509Cert aCerts);
 
-  /**
-   *  An array of all known OCSP responders within the scope of the 
-   *  certificate database.
-   *
-   *  @return Array of OCSP responders, entries are QIable to nsIOCSPResponder.
-   */
-  nsIArray getOCSPResponders();
-
   /**
    *  Whether OCSP is enabled in preferences.
    */

security/manager/ssl/src/Makefile.in

@@ -56,7 +56,6 @@ CPPSRCS = 				\
   nsNSSCertificateDB.cpp \
   nsNSSCertTrust.cpp \
   nsNSSCertValidity.cpp \
-  nsOCSPResponder.cpp \
   nsUsageArrayHelper.cpp \
   nsCRLManager.cpp \
   nsNSSShutDown.cpp \

security/manager/ssl/src/nsNSSCertificateDB.cpp

@@ -20,7 +20,6 @@
 #include "nsIFile.h"
 #include "nsPKCS12Blob.h"
 #include "nsPK11TokenDB.h"
-#include "nsOCSPResponder.h"
 #include "nsReadableUtils.h"
 #include "nsIMutableArray.h"
 #include "nsArrayUtils.h"
@@ -1212,85 +1211,6 @@ nsNSSCertificateDB::ExportPKCS12File(nsISupports     *aToken,
   return blob.ExportToFile(aFile, certs, count);
 }
 
-
-static SECStatus 
-GetOCSPResponders (CERTCertificate *aCert,
-                   SECItem         *aDBKey,
-                   void            *aArg)
-{
-  nsIMutableArray *array = static_cast<nsIMutableArray*>(aArg);
-  PRUnichar* nn = nullptr;
-  PRUnichar* url = nullptr;
-  char *serviceURL = nullptr;
-  char *nickname = nullptr;
-  uint32_t i, count;
-
-  // Are we interested in this cert //
-  if (!nsOCSPResponder::IncludeCert(aCert)) {
-    return SECSuccess;
-  }
-
-  // Get the AIA and nickname //
-  serviceURL = CERT_GetOCSPAuthorityInfoAccessLocation(aCert);
-  if (serviceURL) {
-    url = ToNewUnicode(NS_ConvertUTF8toUTF16(serviceURL));
-    PORT_Free(serviceURL);
-  }
-
-  nickname = aCert->nickname;
-  nn = ToNewUnicode(NS_ConvertUTF8toUTF16(nickname));
-
-  nsCOMPtr<nsIOCSPResponder> new_entry = new nsOCSPResponder(nn, url);
-  nsMemory::Free(nn);
-  nsMemory::Free(url);
-
-  // Sort the items according to nickname //
-  array->GetLength(&count);
-  for (i=0; i < count; ++i) {
-    nsCOMPtr<nsIOCSPResponder> entry = do_QueryElementAt(array, i);
-    if (nsOCSPResponder::CompareEntries(new_entry, entry) < 0) {
-      array->InsertElementAt(new_entry, i, false);
-      break;
-    }
-  }
-  if (i == count) {
-    array->AppendElement(new_entry, false);
-  }
-  return SECSuccess;
-}
-
-
-
-/*
- * getOCSPResponders
- *
- * Export a set of certs and keys from the database to a PKCS#12 file.
-*/
-NS_IMETHODIMP 
-nsNSSCertificateDB::GetOCSPResponders(nsIArray ** aResponders)
-{
-  nsNSSShutDownPreventionLock locker;
-  SECStatus sec_rv;
-  nsCOMPtr<nsIMutableArray> respondersArray =
-    do_CreateInstance(NS_ARRAY_CONTRACTID);
-  if (!respondersArray) {
-    return NS_ERROR_OUT_OF_MEMORY;
-  }
-
-  sec_rv = PK11_TraverseSlotCerts(::GetOCSPResponders,
-                                  respondersArray,
-                                  nullptr);
-  if (sec_rv != SECSuccess) {
-    goto loser;
-  }
-
-  *aResponders = respondersArray;
-  NS_IF_ADDREF(*aResponders);
-  return NS_OK;
-loser:
-  return NS_ERROR_FAILURE;
-}
-
 /*
  * NSS Helper Routines (private to nsNSSCertificateDB)
  */

security/manager/ssl/src/nsNSSComponent.cpp

@@ -1044,33 +1044,14 @@ static CipherPref CipherPrefs[] = {
 static void
 setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref)
 {
-  switch (ocspEnabled) {
-  case 0:
+  // Note: this preference is numeric vs bolean because previously we
+  // supported more than two options.
+  if (!ocspEnabled) {
     CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
     CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
-    break;
-  case 1:
+  } else {
     CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
     CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
-    break;
-  case 2:
-    {
-      char *signingCA = nullptr;
-      char *url = nullptr;
-
-      // Get the signing CA and service url //
-      pref->GetCharPref("security.OCSP.signingCA", &signingCA);
-      pref->GetCharPref("security.OCSP.URL", &url);
-
-      // Set OCSP up
-      CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
-      CERT_SetOCSPDefaultResponder(CERT_GetDefaultCertDB(), url, signingCA);
-      CERT_EnableOCSPDefaultResponder(CERT_GetDefaultCertDB());
-
-      nsMemory::Free(signingCA);
-      nsMemory::Free(url);
-    }
-    break;
   }
 }
 

security/manager/ssl/src/nsOCSPResponder.cpp

@@ -1,125 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsOCSPResponder.h"
-
-#include "nsCOMPtr.h"
-#include "nsIDateTimeFormat.h"
-#include "nsDateTimeFormatCID.h"
-#include "nsComponentManagerUtils.h"
-#include "nsReadableUtils.h"
-
-#include "certdb.h"
-
-/* Implementation file */
-NS_IMPL_ISUPPORTS1(nsOCSPResponder, nsIOCSPResponder)
-
-nsOCSPResponder::nsOCSPResponder()
-{
-  /* member initializers and constructor code */
-}
-
-nsOCSPResponder::nsOCSPResponder(const PRUnichar * aCA, const PRUnichar * aURL)
-{
-  mCA.Assign(aCA);
-  mURL.Assign(aURL);
-}
-
-nsOCSPResponder::~nsOCSPResponder()
-{
-  /* destructor code */
-}
-
-/* readonly attribute */
-NS_IMETHODIMP nsOCSPResponder::GetResponseSigner(PRUnichar** aCA)
-{
-  NS_ENSURE_ARG(aCA);
-  *aCA = ToNewUnicode(mCA);
-  return NS_OK;
-}
-
-/* readonly attribute */
-NS_IMETHODIMP nsOCSPResponder::GetServiceURL(PRUnichar** aURL)
-{
-  NS_ENSURE_ARG(aURL);
-  *aURL = ToNewUnicode(mURL);
-  return NS_OK;
-}
-
-bool nsOCSPResponder::IncludeCert(CERTCertificate *aCert)
-{
-  CERTCertTrust *trust;
-  char *nickname;
-
-  trust = aCert->trust;
-  nickname = aCert->nickname;
-
-  PR_ASSERT(trust != nullptr);
-
-  // Check that trust is non-null //
-  if (trust == nullptr) {
-    return false;
-  }
-
-  if ( ( ( trust->sslFlags & CERTDB_INVISIBLE_CA ) ||
-         (trust->emailFlags & CERTDB_INVISIBLE_CA ) ||
-         (trust->objectSigningFlags & CERTDB_INVISIBLE_CA ) ) ||
-       nickname == NULL) {
-      return false;
-  }
-  if ((trust->sslFlags & CERTDB_VALID_CA) ||
-      (trust->emailFlags & CERTDB_VALID_CA) ||
-      (trust->objectSigningFlags & CERTDB_VALID_CA)) {
-      return true;
-  }
-  return false;
-}
-
-// CmpByCAName
-//
-// Compare two responders their token name.  Returns -1, 0, 1 as
-// in strcmp.  No token name (null) is treated as >.
-int32_t nsOCSPResponder::CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b)
-{
-  int32_t cmp1;
-  nsXPIDLString aTok, bTok;
-  a->GetResponseSigner(getter_Copies(aTok));
-  b->GetResponseSigner(getter_Copies(bTok));
-  if (aTok != nullptr && bTok != nullptr) {
-    cmp1 = Compare(aTok, bTok);
-  } else {
-    cmp1 = (aTok == nullptr) ? 1 : -1;
-  }
-  return cmp1;
-}
-
-// ocsp_compare_entries
-//
-// Compare two responders.  Returns -1, 0, 1 as
-// in strcmp.  Entries with urls come before those without urls.
-int32_t nsOCSPResponder::CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b)
-{
-  nsXPIDLString aURL, bURL;
-  nsAutoString aURLAuto, bURLAuto;
-
-  a->GetServiceURL(getter_Copies(aURL));
-  aURLAuto.Assign(aURL);
-  b->GetServiceURL(getter_Copies(bURL));
-  bURLAuto.Assign(bURL);
-
-  if (!aURLAuto.IsEmpty()) {
-    if (!bURLAuto.IsEmpty()) {
-      return nsOCSPResponder::CmpCAName(a, b);
-    } else {
-      return -1;
-    }
-  } else {
-    if (!bURLAuto.IsEmpty()) {
-      return 1;
-    } else {
-      return nsOCSPResponder::CmpCAName(a, b);
-    }
-  }
-}
-

security/manager/ssl/src/nsOCSPResponder.h

@@ -1,31 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef __NSOCSPRESPONDER_H__
-#define __NSOCSPRESPONDER_H__
-
-#include "nsIOCSPResponder.h"
-#include "nsString.h"
-
-#include "certt.h"
-
-class nsOCSPResponder : public nsIOCSPResponder
-{
-public:
-  NS_DECL_ISUPPORTS
-  NS_DECL_NSIOCSPRESPONDER
-
-  nsOCSPResponder();
-  nsOCSPResponder(const PRUnichar*, const PRUnichar*);
-  virtual ~nsOCSPResponder();
-  /* additional members */
-  static int32_t CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b);
-  static int32_t CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b);
-  static bool IncludeCert(CERTCertificate *aCert);
-private:
-  nsString mCA;
-  nsString mURL;
-};
-
-#endif

toolkit/locales/en-US/chrome/mozapps/preferences/ocsp.dtd

@@ -5,13 +5,5 @@
 <!ENTITY ocspDialog.title             "Certificate Validation">
 <!ENTITY enableOCSP.label             "Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates">
 <!ENTITY enableOCSP.accesskey         "U">
-<!ENTITY certOCSP2.label              "Validate a certificate if it specifies an OCSP server">
-<!ENTITY certOCSP2.accesskey          "V">
-<!ENTITY proxyOCSP2.label             "Validate all certificates using the following OCSP server:">
-<!ENTITY proxyOCSP2.accesskey         "a">
-<!ENTITY serviceURL.label             "Service URL:">
-<!ENTITY serviceURL.accesskey         "S">
-<!ENTITY signingCA.label              "Response Signer:">
-<!ENTITY signingCA.accesskey          "R">
 <!ENTITY requireOCSP.label            "When an OCSP server connection fails, treat the certificate as invalid">
 <!ENTITY requireOCSP.accesskey        "W">

toolkit/mozapps/preferences/ocsp.js

@@ -5,89 +5,18 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 var gOCSPDialog = {
-  _certDB         : null,
-  _OCSPResponders : null,
-  _cacheRadio     : 0,
-
-  init: function ()
-  {
-    this._certDB = Components.classes["@mozilla.org/security/x509certdb;1"]
-                             .getService(Components.interfaces.nsIX509CertDB);
-    this._OCSPResponders = this._certDB.getOCSPResponders();
-
-    var signingCA = document.getElementById("signingCA");
-    const nsIOCSPResponder = Components.interfaces.nsIOCSPResponder;
-    for (var i = 0; i < this._OCSPResponders.length; ++i) {
-      var ocspEntry = this._OCSPResponders.queryElementAt(i, nsIOCSPResponder);
-      var menuitem = document.createElement("menuitem");
-      menuitem.setAttribute("value", ocspEntry.responseSigner);
-      menuitem.setAttribute("label", ocspEntry.responseSigner);
-      signingCA.firstChild.appendChild(menuitem);
-    }
-    
-    var signingCAPref = document.getElementById("security.OCSP.signingCA");
-    if (!signingCAPref.hasUserValue)
-      signingCA.selectedIndex = 0;
-    else {
-      // We need to initialize manually since auto-initialization is often 
-      // called prior to menulist population above.
-      signingCA.value = signingCAPref.value;
-    }
-    this.chooseServiceURL();
-  },
-  
-  _updateUI: function (called_by)
-  {
-    var signingCA = document.getElementById("security.OCSP.signingCA");
-    var serviceURL = document.getElementById("security.OCSP.URL");
+  _updateUI: function (called_by) {
     var securityOCSPEnabled = document.getElementById("security.OCSP.enabled");
-    var requireWorkingOCSP = document.getElementById("security.OCSP.require");
-    var enableOCSPBox = document.getElementById("enableOCSPBox");
-    var certOCSP = document.getElementById("certOCSP");
-    var proxyOCSP = document.getElementById("proxyOCSP");
+    var enableOCSP = document.getElementById("enableOCSP");
+    var requireOCSP = document.getElementById("requireOCSP");
 
-    var OCSPPrefValue = parseInt(securityOCSPEnabled.value);
-
-    if (called_by == 0) {
-      // the radio button changed, or we init the stored value from prefs
-      enableOCSPBox.checked = (OCSPPrefValue != 0);
-    }
-    else {
-      // the user toggled the checkbox to enable/disable OCSP
-      var new_val = 0;
-      if (enableOCSPBox.checked) {
-        // now enabled. if we have a cached radio val, restore it.
-        // if not, use the first setting
-        new_val = (this._cacheRadio > 0) ? this._cacheRadio : 1;
-      }
-      else {
-        // now disabled. remember current value
-        this._cacheRadio = OCSPPrefValue;
-      }
-      securityOCSPEnabled.value = OCSPPrefValue = new_val;
+    if (called_by) {
+      securityOCSPEnabled.value = enableOCSP.checked ? 1 : 0
+    } else {
+      enableOCSP.checked = parseInt(securityOCSPEnabled.value) != 0;
     }
 
-    certOCSP.disabled = (OCSPPrefValue == 0);
-    proxyOCSP.disabled = (OCSPPrefValue == 0);
-    signingCA.disabled = serviceURL.disabled = OCSPPrefValue == 0 || OCSPPrefValue == 1;
-    requireWorkingOCSP.disabled = (OCSPPrefValue == 0);
-    
+    requireOCSP.disabled = !enableOCSP.checked;
     return undefined;
-  },
-  
-  chooseServiceURL: function ()
-  {
-    var signingCA = document.getElementById("signingCA");
-    var serviceURL = document.getElementById("serviceURL");
-    var CA = signingCA.value;
-    
-    const nsIOCSPResponder = Components.interfaces.nsIOCSPResponder;
-    for (var i = 0; i < this._OCSPResponders.length; ++i) {
-      var ocspEntry = this._OCSPResponders.queryElementAt(i, nsIOCSPResponder);
-      if (CA == ocspEntry.responseSigner) {
-        serviceURL.value = ocspEntry.serviceURL;
-        break;
-      }
-    }
   }
 };

toolkit/mozapps/preferences/ocsp.xul

@@ -18,53 +18,20 @@
             dlgbuttons="accept,cancel"
             title="&ocspDialog.title;">
 
-  <prefpane id="OCSPDialogPane" onpaneload="gOCSPDialog.init();">
+  <prefpane id="OCSPDialogPane" onpaneload="gOCSPDialog._updateUI(0)">
     <script type="application/javascript" src="chrome://mozapps/content/preferences/ocsp.js"/>
 
     <preferences>
       <preference id="security.OCSP.enabled"    name="security.OCSP.enabled"   type="int"/>
-      <preference id="security.OCSP.signingCA"  name="security.OCSP.signingCA" type="string"/>
-      <preference id="security.OCSP.URL"        name="security.OCSP.URL"       type="string"/>
       <preference id="security.OCSP.require"    name="security.OCSP.require"   type="bool"/>
     </preferences>
     
-    <checkbox id="enableOCSPBox" label="&enableOCSP.label;" accesskey="&enableOCSP.accesskey;"
-              oncommand="gOCSPDialog._updateUI(1);"/>
-    <radiogroup id="securityOCSPEnabled" preference="security.OCSP.enabled"
-                onsyncfrompreference="return gOCSPDialog._updateUI(0);"
-                class="indent">
-      <radio value="0" hidden="true"/>
-      <radio id="certOCSP" value="1" label="&certOCSP2.label;"
-             accesskey="&certOCSP2.accesskey;"/>
-      <radio id="proxyOCSP" value="2" label="&proxyOCSP2.label;"
-             accesskey="&proxyOCSP2.accesskey;"/>
-
-      <grid class="indent" flex="1">
-        <columns>
-          <column/>
-          <column flex="1"/>
-        </columns>
-          
-        <rows>
-          <row align="center">
-            <label value="&signingCA.label;" accesskey="&signingCA.accesskey;" control="signingCA"/>
-            <hbox id="signingCABox" flex="1">
-              <menulist id="signingCA" flex="1"
-                        preference="security.OCSP.signingCA"
-                        oncommand="gOCSPDialog.chooseServiceURL()">
-                <menupopup/>
-              </menulist>
-            </hbox>            
-          </row>
-          <row align="center">
-            <label value="&serviceURL.label;" accesskey="&serviceURL.accesskey;" control="serviceURL"/>
-            <textbox id="serviceURL" preference="security.OCSP.URL"/>
-          </row>
-        </rows>
-      </grid>
-    </radiogroup>
-    <separator class="thin"/>
-    <checkbox id="requireWorkingOCSP" preference="security.OCSP.require" 
+    <checkbox id="enableOCSP"
+              label="&enableOCSP.label;"
+              accesskey="&enableOCSP.accesskey;"
+              oncommand="gOCSPDialog._updateUI(1)"/>
+    <checkbox id="requireOCSP"
+              preference="security.OCSP.require"
               label="&requireOCSP.label;"
               accesskey="&requireOCSP.accesskey;"/>
   </prefpane>