NSS server certificate revocation support

The NSS server supports the checking of certificate revocation lists (CRLs) when verifying a signature. The NSS server obtains the CRL of a certificate from an HTTP repository, determining the location of the CRL from the CRLDistributionPoints extension of the certificate. The NSS server searches each distribution point entry in the CRLDistributionPoints extension whose reasons field corresponds to the all-reasons special value and that references the CRL with an HTTP URL scheme. The search continues until a CRL that matches the certificate attributes is retrieved or until all distribution points containing an HTTP URL scheme have been processed. If a certificate does not contain a CRLDistributionPoints extension, or the CRLDistributionPoints extension does not contain at least one suitable distribution point with an HTTP URL scheme, the NSS server is unable to retrieve the CRL.

The NSS server also supports the retrieval of certificate bundles, which can also contain a CRL. If a CRL cannot be retrieved using the CRLDistributionPoints extension of a certificate, the NSS server looks for a CRL in any certificate bundle that has hash and URL information provided by the network security client. The network security client obtains certificate bundle hash and URL information from certificate payloads sent by a remote security endpoint.
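The search order described in the two paragraphs above (HTTP distribution points first, then CRLs carried in client-supplied certificate bundles), as an added Python example that is not part of the NSS server or its documentation. It assumes a simplified model of the extension: distribution points are plain records, an absent reasons field is treated as the all-reasons value (as RFC 5280 specifies), and CRLs are fetched through an in-memory lookup instead of HTTP.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# RFC 5280 ReasonFlags; a DP whose reasons cover this whole set is an "all-reasons" DP.
# Assumption: an absent reasons field (None) means all reasons, as RFC 5280 specifies.
ALL_REASONS = frozenset({"keyCompromise", "cACompromise", "affiliationChanged", "superseded",
                         "cessationOfOperation", "certificateHold", "privilegeWithdrawn",
                         "aACompromise"})

@dataclass(frozen=True)
class DistributionPoint:
    uris: tuple                          # fullName entries that are URI GeneralNames
    reasons: Optional[frozenset] = None  # None = reasons field absent

@dataclass(frozen=True)
class Crl:
    issuer: str               # the attribute a retrieved CRL is matched against
    revoked_serials: frozenset

def candidate_urls(dps: Iterable[DistributionPoint]) -> list:
    """HTTP URLs, in extension order, from DPs that cover all reasons; others are skipped."""
    urls = []
    for dp in dps:
        if dp.reasons is not None and not ALL_REASONS <= dp.reasons:
            continue
        urls.extend(u for u in dp.uris if urlsplit(u).scheme.lower() == "http")
    return urls

def check_revocation(issuer: str, serial: int, dps, fetch: Callable[[str], Optional[Crl]],
                     bundle_crls: Iterable[Crl] = ()) -> str:
    """Return 'good', 'revoked' or 'undetermined' following the search order above."""
    crl = None
    for url in candidate_urls(dps):
        got = fetch(url)
        if got is not None and got.issuer == issuer:  # stop at the first matching CRL
            crl = got
            break
    if crl is None:  # fall back to CRLs found in client-supplied certificate bundles
        crl = next((c for c in bundle_crls if c.issuer == issuer), None)
    if crl is None:  # no extension, no usable HTTP DP, or nothing matched: cannot decide
        return "undetermined"
    return "revoked" if serial in crl.revoked_serials else "good"

# Constructed sample data (no network): LDAP-only DP, a keyCompromise-only DP, then two HTTP URLs.
SAMPLE_DPS = (
    DistributionPoint(("ldap://dir.example.test/cn=crl",)),
    DistributionPoint(("http://crl1.example.test/ca.crl",), frozenset({"keyCompromise"})),
    DistributionPoint(("http://crl2.example.test/other.crl", "http://crl3.example.test/ca.crl")),
)
SAMPLE_CRLS = {  # constructed repository contents keyed by URL
    "http://crl2.example.test/other.crl": Crl("CN=Other CA", frozenset({0x10})),
    "http://crl3.example.test/ca.crl": Crl("CN=Example CA", frozenset({0x1001})),
}
def sample_fetch(url: str) -> Optional[Crl]:
    return SAMPLE_CRLS.get(url)
```

The first HTTP candidate returns a CRL from a different issuer, so the search continues to the next URL, which is the behaviour the text describes for a CRL that does not match the certificate attributes.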