dogtagpki · fmarco76 · Apr 15, 2024 · Apr 10, 2024 · Apr 11, 2024 · Apr 12, 2024
diff --git a/docs/changes/v5.6.0/Parameter-Changes.adoc b/docs/changes/v5.6.0/Parameter-Changes.adoc
@@ -0,0 +1,5 @@
+= Paramater Changes =
+
+== Rename enableOCSP to enableRevocationCheck ==
+
+The `enableOCSP` param has been deprecated. Use `enableRevocationCheck` instead.
diff --git a/native/src/main/native/org/mozilla/jss/ssl/common.c b/native/src/main/native/org/mozilla/jss/ssl/common.c
@@ -936,24 +936,28 @@ JSSL_verifyCertPKIXInternal(CERTCertificate *cert,
     CERTVerifyLog *log, SECCertificateUsage *usage,
     CERTCertList *trustedCertList)
 {
-    /* Put the first set of possible flags internally here first. Later
-     * there could be a more complete list to choose from; for now we only
-     * support our hard core fetch AIA OCSP policy. Note that we disable
-     * CRL fetching as Dogtag doesn't support it. Additionally, enable OCSP
-     * checking on the chained CA certificates. Since NSS/PKIX's
-     * CERT_GetClassicOCSPEnabledHardFailurePolicy doesn't do what we want,
-     * we construct the policy ourselves. */
+    /* Since NSS/PKIX's CERT_GetClassicOCSPEnabledHardFailurePolicy doesn't
+     * do what we want, we construct the policy ourselves.
+     *
+     * When enabled the checking on the chained CA certificates.
+     * With this policy the verification process does:
+     * - if one between AIA and CRL-DP is present then it will be used;
+     * - if AIA and CRL-DP are both presents only AIA is used and in case
+     *   freshin formation cannot be retrieved it fails the validation;
+     * - it no AIA and CRL-DP are present no revocation check is performed.*/
     PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
         /* crl */
-        CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD,
+        CERT_REV_M_TEST_USING_THIS_METHOD |
+            CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO,
         /* ocsp */
         CERT_REV_M_TEST_USING_THIS_METHOD |
             CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
     };
 
     PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
         /* crl */
-        CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD,
+        CERT_REV_M_TEST_USING_THIS_METHOD |
+            CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO,
         /* ocsp */
         CERT_REV_M_TEST_USING_THIS_METHOD |
             CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO

diff --git a/tomcat/src/main/java/org/dogtagpki/jss/tomcat/Http11NioProtocol.java b/tomcat/src/main/java/org/dogtagpki/jss/tomcat/Http11NioProtocol.java
@@ -73,12 +73,20 @@ public void setServerCertNickFile(String serverCertNickFile) {
         tomcatjss.setServerCertNickFile(serverCertNickFile);
     }
 
-    public boolean getEnabledOCSP() {
-        return tomcatjss.getEnableOCSP();
+    public boolean getEnableOCSP() {
+        return tomcatjss.getEnableRevocationCheck();
     }
 
     public void setEnableOCSP(boolean enableOCSP) {
-        tomcatjss.setEnableOCSP(enableOCSP);
+        tomcatjss.setEnableRevocationCheck(enableOCSP);
+    }
+
+    public boolean getEnableRevocationCheck() {
+        return tomcatjss.getEnableRevocationCheck();
+    }
+
+    public void setEnableRevocationCheck(boolean enableRevocationCheck) {
+        tomcatjss.setEnableRevocationCheck(enableRevocationCheck);
     }
 
     public String getOcspResponderURL() {

diff --git a/tomcat/src/main/java/org/dogtagpki/jss/tomcat/TomcatJSS.java b/tomcat/src/main/java/org/dogtagpki/jss/tomcat/TomcatJSS.java
@@ -88,7 +88,7 @@ public class TomcatJSS implements SSLSocketListener {
     boolean requireClientAuth;
     boolean wantClientAuth;
 
-    boolean enableOCSP;
+    boolean enableRevocationCheck;
     String ocspResponderURL;
     String ocspResponderCertNickname;
     int ocspCacheSize = 1000; // entries
@@ -183,12 +183,12 @@ public boolean getWantClientAuth() {
         return wantClientAuth;
     }
 
-    public boolean getEnableOCSP() {
-        return enableOCSP;
+    public boolean getEnableRevocationCheck() {
+        return enableRevocationCheck;
     }
 
-    public void setEnableOCSP(boolean enableOCSP) {
-        this.enableOCSP = enableOCSP;
+    public void setEnableRevocationCheck(boolean enableRevocationCheck) {
+        this.enableRevocationCheck = enableRevocationCheck;
     }
 
     public String getOcspResponderURL() {
@@ -269,7 +269,11 @@ public void loadJSSConfig(Properties config) {
 
         String enableOCSPProp = config.getProperty("enableOCSP");
         if (enableOCSPProp != null)
-            setEnableOCSP(Boolean.parseBoolean(enableOCSPProp));
+            setEnableRevocationCheck(Boolean.parseBoolean(enableOCSPProp));
+
+        String enableRevocationCheckProp = config.getProperty("enableRevocationCheck");
+        if (enableRevocationCheckProp != null)
+            setEnableRevocationCheck(Boolean.parseBoolean(enableRevocationCheckProp));
 
         String ocspResponderURLProp = config.getProperty("ocspResponderURL");
         if (ocspResponderURLProp != null)
@@ -328,31 +332,35 @@ public void loadTomcatConfig(Document document) throws XPathExpressionException
         }
 
         String certDbProp = connector.getAttribute("certdbDir");
-        if (certDbProp != null)
+        if (StringUtils.isNotEmpty(certDbProp))
             setCertdbDir(certDbProp);
 
         String passwordClassProp = connector.getAttribute("passwordClass");
-        if (passwordClassProp != null)
+        if (StringUtils.isNotEmpty(passwordClassProp))
             setPasswordClass(passwordClassProp);
 
         String passwordFileProp = connector.getAttribute("passwordFile");
-        if (passwordFileProp != null)
+        if (StringUtils.isNotEmpty(passwordFileProp))
             setPasswordFile(passwordFileProp);
 
         String serverCertNickFileProp = connector.getAttribute("serverCertNickFile");
-        if (serverCertNickFileProp != null)
+        if (StringUtils.isNotEmpty(serverCertNickFileProp))
             setServerCertNickFile(serverCertNickFileProp);
 
         String enableOCSPProp = connector.getAttribute("enableOCSP");
-        if (enableOCSPProp != null)
-            setEnableOCSP(Boolean.parseBoolean(enableOCSPProp));
+        if (StringUtils.isNotEmpty(enableOCSPProp))
+            setEnableRevocationCheck(Boolean.parseBoolean(enableOCSPProp));
+
+        String enableRevocationCheckProp = connector.getAttribute("enableRevocationCheck");
+        if (StringUtils.isNotEmpty(enableRevocationCheckProp))
+            setEnableRevocationCheck(Boolean.parseBoolean(enableRevocationCheckProp));
 
         String ocspResponderURLProp = connector.getAttribute("ocspResponderURL");
-        if (ocspResponderURLProp != null)
+        if (StringUtils.isNotEmpty(ocspResponderURLProp))
             setOcspResponderURL(ocspResponderURLProp);
 
         String ocspResponderCertNicknameProp = connector.getAttribute("ocspResponderCertNickname");
-        if (ocspResponderCertNicknameProp != null)
+        if (StringUtils.isNotEmpty(ocspResponderCertNicknameProp))
             setOcspResponderCertNickname(ocspResponderCertNicknameProp);
 
         String ocspCacheSizeProp = connector.getAttribute("ocspCacheSize");
@@ -469,7 +477,7 @@ public void init() throws KeyDatabaseException, CertDatabaseException, GeneralSe
         logger.debug("wantClientAuth: {}", wantClientAuth);
 
         if (requireClientAuth || wantClientAuth) {
-            configureOCSP();
+            configureRevocationCheck();
         }
 
         // 12 hours = 43200 seconds
@@ -549,12 +557,12 @@ public CryptoToken getToken(String tag) throws NoSuchTokenException {
         return null;
     }
 
-    public void configureOCSP() throws GeneralSecurityException, ConfigurationException {
+    public void configureRevocationCheck() throws GeneralSecurityException, ConfigurationException {
 
-        logger.info("configuring OCSP");
+        logger.info("configuring Revocation Check");
 
-        logger.debug("enableOCSP: {}", enableOCSP);
-        if (!enableOCSP) {
+        logger.debug("enableCertificateCheck: {}", enableRevocationCheck);
+        if (!enableRevocationCheck) {
             return;
         }