gecko/security/certverifier/OCSPRequestor.cpp
Camilo Viecco d20bcaf3c2 Bug 1005142 - Part 1/2 - Add OCSP get capabilities to OCSPRequestor. r=keeler
--HG--
extra : rebase_source : ee4a86bf02a466a31de8b0b6cd7ce375a7f28c6d
2014-05-21 15:42:21 -07:00

203 lines
6.4 KiB
C++

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "OCSPRequestor.h"
#include "mozilla/Base64.h"
#include "nsIURLParser.h"
#include "nsNSSCallbacks.h"
#include "nsNetCID.h"
#include "nsServiceManagerUtils.h"
#include "pkix/ScopedPtr.h"
#include "secerr.h"
#ifdef PR_LOGGING
extern PRLogModuleInfo* gCertVerifierLog;
#endif
namespace mozilla { namespace psm {
using mozilla::pkix::ScopedPtr;
void
ReleaseHttpServerSession(nsNSSHttpServerSession* httpServerSession)
{
delete httpServerSession;
}
typedef ScopedPtr<nsNSSHttpServerSession, ReleaseHttpServerSession>
ScopedHTTPServerSession;
void
ReleaseHttpRequestSession(nsNSSHttpRequestSession* httpRequestSession)
{
httpRequestSession->Release();
}
typedef ScopedPtr<nsNSSHttpRequestSession, ReleaseHttpRequestSession>
ScopedHTTPRequestSession;
static nsresult
AppendEscapedBase64Item(const SECItem* encodedRequest, nsACString& path)
{
nsresult rv;
nsDependentCSubstring requestAsSubstring(
reinterpret_cast<const char*>(encodedRequest->data), encodedRequest->len);
nsCString base64Request;
rv = Base64Encode(requestAsSubstring, base64Request);
if (NS_WARN_IF(NS_FAILED(rv))) {
return rv;
}
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("Setting up OCSP GET path, pre path =%s\n",
PromiseFlatCString(path).get()));
// The path transformation is not a direct url encoding. Three characters
// need change '+' -> "%2B", '/' -> "%2F", and '=' -> '%3D'.
// http://tools.ietf.org/html/rfc5019#section-5
base64Request.ReplaceSubstring("+", "%2B");
base64Request.ReplaceSubstring("/", "%2F");
base64Request.ReplaceSubstring("=", "%3D");
path.Append(base64Request);
return NS_OK;
}
SECItem*
DoOCSPRequest(PLArenaPool* arena, const char* url,
const SECItem* encodedRequest, PRIntervalTime timeout,
bool useGET)
{
nsCOMPtr<nsIURLParser> urlParser = do_GetService(NS_STDURLPARSER_CONTRACTID);
if (!urlParser) {
PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
return nullptr;
}
uint32_t schemePos;
int32_t schemeLen;
uint32_t authorityPos;
int32_t authorityLen;
uint32_t pathPos;
int32_t pathLen;
nsresult rv = urlParser->ParseURL(url, PL_strlen(url),
&schemePos, &schemeLen,
&authorityPos, &authorityLen,
&pathPos, &pathLen);
if (NS_FAILED(rv)) {
PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
return nullptr;
}
if (schemeLen < 0 || authorityLen < 0) {
PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
return nullptr;
}
nsAutoCString scheme(url + schemePos, schemeLen);
if (!scheme.LowerCaseEqualsLiteral("http")) {
// We dont support https:// to avoid loops see Bug 92923
PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
return nullptr;
}
uint32_t hostnamePos;
int32_t hostnameLen;
int32_t port;
// We do not support urls with user@pass sections in the URL,
// In cas we find them we will ignore and try to connect with
rv = urlParser->ParseAuthority(url + authorityPos, authorityLen,
nullptr, nullptr, nullptr, nullptr,
&hostnamePos, &hostnameLen, &port);
if (NS_FAILED(rv)) {
PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
return nullptr;
}
if (hostnameLen < 0) {
PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0);
return nullptr;
}
if (port == -1) {
port = 80;
}
nsAutoCString hostname(url + authorityPos + hostnamePos, hostnameLen);
SEC_HTTP_SERVER_SESSION serverSessionPtr = nullptr;
if (nsNSSHttpInterface::createSessionFcn(hostname.BeginReading(), port,
&serverSessionPtr) != SECSuccess) {
PR_SetError(SEC_ERROR_NO_MEMORY, 0);
return nullptr;
}
ScopedHTTPServerSession serverSession(
reinterpret_cast<nsNSSHttpServerSession*>(serverSessionPtr));
nsAutoCString path;
if (pathLen > 0) {
path.Assign(url + pathPos, pathLen);
} else {
path.Assign("/");
}
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("Setting up OCSP request: pre all path =%s pathlen=%d\n", path.get(),
pathLen));
nsAutoCString method("POST");
if (useGET) {
method.Assign("GET");
if (!StringEndsWith(path, NS_LITERAL_CSTRING("/"))) {
path.Append("/");
}
nsresult rv = AppendEscapedBase64Item(encodedRequest, path);
if (NS_WARN_IF(NS_FAILED(rv))) {
return nullptr;
}
}
SEC_HTTP_REQUEST_SESSION requestSessionPtr = nullptr;
if (nsNSSHttpInterface::createFcn(serverSession.get(), "http",
path.get(), method.get(),
timeout, &requestSessionPtr)
!= SECSuccess) {
PR_SetError(SEC_ERROR_NO_MEMORY, 0);
return nullptr;
}
ScopedHTTPRequestSession requestSession(
reinterpret_cast<nsNSSHttpRequestSession*>(requestSessionPtr));
if (!useGET) {
if (nsNSSHttpInterface::setPostDataFcn(requestSession.get(),
reinterpret_cast<char*>(encodedRequest->data), encodedRequest->len,
"application/ocsp-request") != SECSuccess) {
PR_SetError(SEC_ERROR_NO_MEMORY, 0);
return nullptr;
}
}
uint16_t httpResponseCode;
const char* httpResponseData;
uint32_t httpResponseDataLen = 0; // 0 means any response size is acceptable
if (nsNSSHttpInterface::trySendAndReceiveFcn(requestSession.get(), nullptr,
&httpResponseCode, nullptr,
nullptr, &httpResponseData,
&httpResponseDataLen)
!= SECSuccess) {
PR_SetError(SEC_ERROR_OCSP_SERVER_ERROR, 0);
return nullptr;
}
if (httpResponseCode != 200) {
PR_SetError(SEC_ERROR_OCSP_SERVER_ERROR, 0);
return nullptr;
}
SECItem* encodedResponse = SECITEM_AllocItem(arena, nullptr,
httpResponseDataLen);
if (!encodedResponse) {
PR_SetError(SEC_ERROR_NO_MEMORY, 0);
return nullptr;
}
memcpy(encodedResponse->data, httpResponseData, httpResponseDataLen);
return encodedResponse;
}
} } // namespace mozilla::psm