From 6e84b4cae75fa1cd5ec8915fcde601d41408fb4f Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Fri, 3 Jun 2011 10:46:59 -0400
Subject: [PATCH 121/150] - turn on OCSP checking and try to use the require_crl option to control the OCSP failure behavior

---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 25 +++++++++++++++++++++++-
 1 files changed, 24 insertions(+), 1 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index f3dd62b..b98edb2 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -4511,6 +4512,29 @@ crypto_signeddata_common_verify(krb5_context context,
 pkiDebug("%s: no digests?\n", __FUNCTION__);
 return ENOENT;
 }
+ status = CERT_EnableOCSPChecking(certdb);
+ if (status != SECSuccess) {
+ pkiDebug("%s: error enabling OCSP: %s\n", __FUNCTION__,
+ PR_ErrorToString(status == SECFailure ?
+ PORT_GetError() : status,
+ PR_LANGUAGE_I_DEFAULT));
+ return ENOMEM;
+ }
+ /* NSS will use OCSP if there's no applicable CRL cached, and
+ * if OCSP fails, we'll take advice from the
+ * require_crl_checking flag, because it has to affect
+ * something. */
+ status = CERT_SetOCSPFailureMode(require_crl_checking ?
+ ocspMode_FailureIsVerificationFailure :
+ ocspMode_FailureIsNotAVerificationFailure);
+ if (status != SECSuccess) {
+ pkiDebug("%s: error setting OCSP failure mode: %s\n",
+ __FUNCTION__,
+ PR_ErrorToString(status == SECFailure ?
+ PORT_GetError() : status,
+ PR_LANGUAGE_I_DEFAULT));
+ return ENOMEM;
+ }
 status = NSS_CMSSignedData_VerifySignerInfo(sdata, 0, certdb, usage);
 if (status != SECSuccess) {
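Review bot: CERT_SetOCSPFailureMode() configures NSS-wide state rather than state scoped to this one verification, so the mode chosen here from this call's require_crl_checking value persists for every later NSS verification in the process until another call overwrites it; if different realms or contexts can carry different require_crl_checking settings, one caller's relaxed setting leaves the process soft-failing for another caller's strict one — this is my reading of the NSS API and worth confirming. The comment above the call should also spell out the consequence of the relaxed branch for administrators, e.g. `/* With require_crl_checking off, an unreachable or erroring OCSP responder does not fail verification, so a revoked certificate may still be accepted. */`. Both new error paths return ENOMEM for what is a library/configuration failure rather than an allocation failure, which misleads callers that report errno-style codes; returning whatever code this function already uses for NSS failures would keep error reporting accurate. The `status == SECFailure ? PORT_GetError() : status` expression hands a SECStatus value to PR_ErrorToString() on the non-SECFailure path, where a PRErrorCode is expected. The enclosing function crypto_signeddata_common_verify starts and ends outside the hunk.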
@@ -4625,7 +4649,6 @@ cms_envelopeddata_verify(krb5_context context,
 /* Okay, it's enveloped-data. */
 env = NSS_CMSContentInfo_GetContent(info);
- /* FIXME: what do we do about "require_crl_checking"? */
 /* Pull out the encapsulated content. It should be signed-data. */
 info = NSS_CMSEnvelopedData_GetContentInfo(env);
-- 
1.7.6.4