Bug 1577836 - Remove nsIX509CertList from getCerts and loadCertsFromCache r=keeler
authorSean Feng <sefeng@mozilla.com>
Thu, 05 Sep 2019 21:35:54 +0000
changeset 492050 b4e80141db474ae1784f9397cc9bfe73cc02b161
parent 492049 8d7284764bd66ba04710d5296357db5bd5206810
child 492051 5e0ff929002acb4e2100e982e663794a9f6cba5e
push id94696
push usersefeng@mozilla.com
push dateFri, 06 Sep 2019 16:45:04 +0000
treeherderautoland@b4e80141db47 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs1577836
milestone71.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1577836 - Remove nsIX509CertList from getCerts and loadCertsFromCache r=keeler Differential Revision: https://phabricator.services.mozilla.com/D44239
security/manager/ssl/nsCertTree.cpp
security/manager/ssl/nsCertTree.h
security/manager/ssl/nsICertTree.idl
security/manager/ssl/nsIX509CertDB.idl
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/nsNSSCertificateDB.h
security/manager/ssl/tests/gtest/CertDBTest.cpp
security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js
security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js
security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_master_password.js
security/manager/ssl/tests/unit/test_certDB_import.js
security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
security/manager/ssl/tests/unit/test_certDB_import_with_master_password.js
security/manager/ssl/tests/unit/test_self_signed_certs.js
security/manager/tools/genHPKPStaticPins.js
security/manager/tools/genRootCAHashes.js
taskcluster/docker/periodic-updates/scripts/genHPKPStaticPins.js
--- a/security/manager/ssl/nsCertTree.cpp
+++ b/security/manager/ssl/nsCertTree.cpp
@@ -271,17 +271,17 @@ nsCertTree::nsCertCompareFunc nsCertTree
     case nsIX509Cert::SERVER_CERT:
     default:
       return CmpWebSiteCert;
   }
 }
 
 struct nsCertAndArrayAndPositionAndCounterAndTracker {
   RefPtr<nsCertAddonInfo> certai;
-  nsTArray<RefPtr<nsCertTreeDispInfo> >* array;
+  nsTArray<RefPtr<nsCertTreeDispInfo>>* array;
   int position;
   int counter;
   nsTHashtable<nsCStringHashKey>* tracker;
 };
 
 // Used to enumerate host:port overrides that match a stored
 // certificate, creates and adds a display-info-object to the
 // provided array. Increments insert position and entry counter.
@@ -328,17 +328,17 @@ static void CollectAllHostPortOverridesC
 
   nsAutoCString hostPort;
   nsCertOverrideService::GetHostWithPort(aSettings.mAsciiHost, aSettings.mPort,
                                          hostPort);
   collectorTable->PutEntry(hostPort);
 }
 
 struct nsArrayAndPositionAndCounterAndTracker {
-  nsTArray<RefPtr<nsCertTreeDispInfo> >* array;
+  nsTArray<RefPtr<nsCertTreeDispInfo>>* array;
   int position;
   int counter;
   nsTHashtable<nsCStringHashKey>* tracker;
 };
 
 // Used when enumerating the stored host:port overrides where
 // no associated certificate was found in the NSS database.
 static void AddRemaningHostPortOverridesCallback(
@@ -365,62 +365,40 @@ static void AddRemaningHostPortOverrides
     certdi->mIsTemporary = aSettings.mIsTemporary;
     certdi->mCert = aSettings.mCert;
     cap->array->InsertElementAt(cap->position, certdi);
     cap->position++;
     cap->counter++;
   }
 }
 
-nsresult nsCertTree::GetCertsByTypeFromCertList(nsIX509CertList* aCertList,
-                                                uint32_t aWantedType,
-                                                nsCertCompareFunc aCertCmpFn,
-                                                void* aCertCmpFnArg) {
+nsresult nsCertTree::GetCertsByTypeFromCertList(
+    const nsTArray<RefPtr<nsIX509Cert>>& aCertList, uint32_t aWantedType,
+    nsCertCompareFunc aCertCmpFn, void* aCertCmpFnArg) {
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("GetCertsByTypeFromCertList"));
-  if (!aCertList) return NS_ERROR_FAILURE;
 
   if (!mOriginalOverrideService) return NS_ERROR_FAILURE;
 
   nsTHashtable<nsCStringHashKey> allHostPortOverrideKeys;
 
   if (aWantedType == nsIX509Cert::SERVER_CERT) {
     mOriginalOverrideService->EnumerateCertOverrides(
         nullptr, CollectAllHostPortOverridesCallback, &allHostPortOverrideKeys);
   }
 
   int count = 0;
-  nsCOMPtr<nsISimpleEnumerator> certListEnumerator;
-  nsresult rv = aCertList->GetEnumerator(getter_AddRefs(certListEnumerator));
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-  bool hasMore = false;
-  rv = certListEnumerator->HasMoreElements(&hasMore);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-  while (hasMore) {
-    nsCOMPtr<nsISupports> certSupports;
-    rv = certListEnumerator->GetNext(getter_AddRefs(certSupports));
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-    nsCOMPtr<nsIX509Cert> cert = do_QueryInterface(certSupports);
-    if (!cert) {
-      return NS_ERROR_FAILURE;
-    }
-
+  for (const auto& cert : aCertList) {
     bool wantThisCert = (aWantedType == nsIX509Cert::ANY_CERT);
     bool wantThisCertIfNoOverrides = false;
     bool wantThisCertIfHaveOverrides = false;
     bool addOverrides = false;
 
     if (!wantThisCert) {
       uint32_t thisCertType;
-      rv = cert->GetCertType(&thisCertType);
+      nsresult rv = cert->GetCertType(&thisCertType);
       if (NS_FAILED(rv)) {
         return rv;
       }
 
       // The output from GetCertType is a "guess", which can be wrong.
       // The guess is based on stored trust flags, but for the host:port
       // overrides, we are storing certs without any trust flags associated.
       // So we must check whether the cert really belongs to the
@@ -526,21 +504,16 @@ nsresult nsCertTree::GetCertsByTypeFromC
         cap.counter = 0;
         cap.tracker = &allHostPortOverrideKeys;
 
         mOriginalOverrideService->EnumerateCertOverrides(
             cert, MatchingCertOverridesCallback, &cap);
         count += cap.counter;
       }
     }
-
-    rv = certListEnumerator->HasMoreElements(&hasMore);
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
   }
 
   if (aWantedType == nsIX509Cert::SERVER_CERT) {
     nsArrayAndPositionAndCounterAndTracker cap;
     cap.array = &mDispInfo;
     cap.position = 0;
     cap.counter = 0;
     cap.tracker = &allHostPortOverrideKeys;
@@ -551,17 +524,18 @@ nsresult nsCertTree::GetCertsByTypeFromC
   return NS_OK;
 }
 
 // LoadCerts
 //
 // Load all of the certificates in the DB for this type.  Sort them
 // by token, organization, then common name.
 NS_IMETHODIMP
-nsCertTree::LoadCertsFromCache(nsIX509CertList* aCache, uint32_t aType) {
+nsCertTree::LoadCertsFromCache(const nsTArray<RefPtr<nsIX509Cert>>& aCache,
+                               uint32_t aType) {
   if (mTreeArray) {
     FreeCertArray();
     delete[] mTreeArray;
     mTreeArray = nullptr;
     mNumRows = 0;
   }
   ClearCompareHash();
 
@@ -579,18 +553,18 @@ nsCertTree::LoadCerts(uint32_t aType) {
     FreeCertArray();
     delete[] mTreeArray;
     mTreeArray = nullptr;
     mNumRows = 0;
   }
   ClearCompareHash();
 
   nsCOMPtr<nsIX509CertDB> certdb(do_GetService(NS_X509CERTDB_CONTRACTID));
-  nsCOMPtr<nsIX509CertList> certList;
-  nsresult rv = certdb->GetCerts(getter_AddRefs(certList));
+  nsTArray<RefPtr<nsIX509Cert>> certList;
+  nsresult rv = certdb->GetCerts(certList);
   if (NS_FAILED(rv)) {
     return rv;
   }
   rv = GetCertsByTypeFromCertList(
       certList, aType, GetCompareFuncFromCertType(aType), &mCompareCache);
   if (NS_FAILED(rv)) {
     return rv;
   }
--- a/security/manager/ssl/nsCertTree.h
+++ b/security/manager/ssl/nsCertTree.h
@@ -127,17 +127,17 @@ class nsCertTree : public nsICertTree {
   static int32_t CmpUserCert(void* cache, nsIX509Cert* a, nsIX509Cert* b);
   static int32_t CmpEmailCert(void* cache, nsIX509Cert* a, nsIX509Cert* b);
   nsCertCompareFunc GetCompareFuncFromCertType(uint32_t aType);
   int32_t CountOrganizations();
 
  private:
   static const uint32_t kInitialCacheLength = 64;
 
-  nsTArray<RefPtr<nsCertTreeDispInfo> > mDispInfo;
+  nsTArray<RefPtr<nsCertTreeDispInfo>> mDispInfo;
   RefPtr<mozilla::dom::XULTreeElement> mTree;
   nsCOMPtr<nsITreeSelection> mSelection;
   treeArrayEl* mTreeArray;
   int32_t mNumOrgs;
   int32_t mNumRows;
   PLDHashTable mCompareCache;
   nsCOMPtr<nsICertOverrideService> mOverrideService;
   RefPtr<nsCertOverrideService> mOriginalOverrideService;
@@ -145,20 +145,19 @@ class nsCertTree : public nsICertTree {
   treeArrayEl* GetThreadDescAtIndex(int32_t _index);
   already_AddRefed<nsIX509Cert> GetCertAtIndex(
       int32_t _index, int32_t* outAbsoluteCertOffset = nullptr);
   already_AddRefed<nsCertTreeDispInfo> GetDispInfoAtIndex(
       int32_t index, int32_t* outAbsoluteCertOffset = nullptr);
   void FreeCertArray();
   nsresult UpdateUIContents();
 
-  nsresult GetCertsByTypeFromCertList(nsIX509CertList* aCertList,
-                                      uint32_t aType,
-                                      nsCertCompareFunc aCertCmpFn,
-                                      void* aCertCmpFnArg);
+  nsresult GetCertsByTypeFromCertList(
+      const nsTArray<RefPtr<nsIX509Cert>>& aCertList, uint32_t aWantedType,
+      nsCertCompareFunc aCertCmpFn, void* aCertCmpFnArg);
 
   nsCOMPtr<nsIMutableArray> mCellText;
 
 #ifdef DEBUG_CERT_TREE
   /* for debugging purposes */
   void dumpMap();
 #endif
 };
--- a/security/manager/ssl/nsICertTree.idl
+++ b/security/manager/ssl/nsICertTree.idl
@@ -3,32 +3,31 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 #include "nsITreeView.idl"
 
 interface nsIX509Cert;
-interface nsIX509CertList;
 
 [scriptable, uuid(d0180863-606e-49e6-8324-cf45ed4dd891)]
 interface nsICertTreeItem : nsISupports {
   [must_use]
   readonly attribute nsIX509Cert cert;
   [must_use]
   readonly attribute AString hostPort;
 };
 
 [scriptable, uuid(55d5ad6b-5572-47fe-941c-f01fe723659e)]
 interface nsICertTree : nsITreeView {
   [must_use]
   void loadCerts(in unsigned long type);
   [must_use]
-  void loadCertsFromCache(in nsIX509CertList cache, in unsigned long type);
+  void loadCertsFromCache(in Array<nsIX509Cert> cache, in unsigned long type);
 
   [must_use]
   nsIX509Cert getCert(in unsigned long index);
   [must_use]
   nsICertTreeItem getTreeItem(in unsigned long index);
 
   [must_use]
   void deleteEntryObject(in unsigned long index);
--- a/security/manager/ssl/nsIX509CertDB.idl
+++ b/security/manager/ssl/nsIX509CertDB.idl
@@ -322,10 +322,10 @@ interface nsIX509CertDB : nsISupports {
    */
   [must_use]
   nsIX509Cert addCertFromBase64(in ACString base64, in ACString trust);
 
   /*
    * Get all the known certs in the database
    */
   [must_use]
-  nsIX509CertList getCerts();
+  Array<nsIX509Cert> getCerts();
 };
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -392,16 +392,34 @@ nsresult nsNSSCertificateDB::handleCACer
     }
 
     Unused << tmpCert2.release();
   }
 
   return ImportCertsIntoPermanentStorage(certList);
 }
 
+nsresult nsNSSCertificateDB::ConstructCertArrayFromUniqueCertList(
+    const UniqueCERTCertList& aCertListIn,
+    nsTArray<RefPtr<nsIX509Cert>>& aCertListOut) {
+  if (!aCertListIn.get()) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
+  for (CERTCertListNode* node = CERT_LIST_HEAD(aCertListIn.get());
+       !CERT_LIST_END(node, aCertListIn.get()); node = CERT_LIST_NEXT(node)) {
+    RefPtr<nsIX509Cert> cert = nsNSSCertificate::Create(node->cert);
+    if (!cert) {
+      return NS_ERROR_OUT_OF_MEMORY;
+    }
+    aCertListOut.AppendElement(cert);
+  }
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportCertificates(uint8_t* data, uint32_t length,
                                        uint32_t type,
                                        nsIInterfaceRequestor* ctx) {
   // We currently only handle CA certificates.
   if (type != nsIX509Cert::CA_CERT) {
     return NS_ERROR_FAILURE;
   }
@@ -1085,37 +1103,34 @@ nsNSSCertificateDB::SetCertTrustFromStri
   }
   UniqueCERTCertificate nssCert(cert->GetCert());
 
   srv = ChangeCertTrustWithPossibleAuthentication(nssCert, trust, nullptr);
   return MapSECStatus(srv);
 }
 
 NS_IMETHODIMP
-nsNSSCertificateDB::GetCerts(nsIX509CertList** _retval) {
+nsNSSCertificateDB::GetCerts(nsTArray<RefPtr<nsIX509Cert>>& _retval) {
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   rv = CheckForSmartCardChanges();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
-  nsCOMPtr<nsIX509CertList> nssCertList;
   UniqueCERTCertList certList(PK11_ListCerts(PK11CertListUnique, ctx));
-
-  // nsNSSCertList 1) adopts certList, and 2) handles the nullptr case fine.
-  // (returns an empty list)
-  nssCertList = new nsNSSCertList(std::move(certList));
-
-  nssCertList.forget(_retval);
-  return NS_OK;
+  if (!certList) {
+    return NS_ERROR_FAILURE;
+  }
+  return nsNSSCertificateDB::ConstructCertArrayFromUniqueCertList(certList,
+                                                                  _retval);
 }
 
 nsresult VerifyCertAtTime(nsIX509Cert* aCert,
                           int64_t /*SECCertificateUsage*/ aUsage,
                           uint32_t aFlags, const nsACString& aHostname,
                           mozilla::pkix::Time aTime,
                           nsIX509CertList** aVerifiedChain, bool* aHasEVPolicy,
                           int32_t* /*PRErrorCode*/ _retval) {
--- a/security/manager/ssl/nsNSSCertificateDB.h
+++ b/security/manager/ssl/nsNSSCertificateDB.h
@@ -23,16 +23,20 @@ class nsNSSCertificateDB final : public 
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSIX509CERTDB
 
   // This is a separate static method so nsNSSComponent can use it during NSS
   // initialization. Other code should probably not use it.
   static nsresult FindCertByDBKey(const nsACString& aDBKey,
                                   mozilla::UniqueCERTCertificate& cert);
 
+  static nsresult ConstructCertArrayFromUniqueCertList(
+      const mozilla::UniqueCERTCertList& aCertListIn,
+      nsTArray<RefPtr<nsIX509Cert>>& aCertListOut);
+
  protected:
   virtual ~nsNSSCertificateDB() {}
 
  private:
   // Use this function to generate a default nickname for a user
   // certificate that is to be imported onto a token.
   static void get_default_nickname(CERTCertificate* cert,
                                    nsIInterfaceRequestor* ctx,
--- a/security/manager/ssl/tests/gtest/CertDBTest.cpp
+++ b/security/manager/ssl/tests/gtest/CertDBTest.cpp
@@ -4,17 +4,16 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "gtest/gtest.h"
 #include "nsCOMPtr.h"
 #include "nsIPrefService.h"
 #include "nsISimpleEnumerator.h"
 #include "nsIX509Cert.h"
 #include "nsIX509CertDB.h"
-#include "nsIX509CertList.h"
 #include "nsServiceManagerUtils.h"
 
 TEST(psm_CertDB, Test)
 {
   {
     nsCOMPtr<nsIPrefBranch> prefs(do_GetService(NS_PREFSERVICE_CONTRACTID));
     ASSERT_TRUE(prefs)
     << "couldn't get nsIPrefBranch";
@@ -24,40 +23,27 @@ TEST(psm_CertDB, Test)
     nsresult rv = prefs->SetBoolPref("intl.locale.matchOS", true);
     ASSERT_TRUE(NS_SUCCEEDED(rv))
     << "couldn't set pref 'intl.locale.matchOS'";
 
     nsCOMPtr<nsIX509CertDB> certdb(do_GetService(NS_X509CERTDB_CONTRACTID));
     ASSERT_TRUE(certdb)
     << "couldn't get certdb";
 
-    nsCOMPtr<nsIX509CertList> certList;
-    rv = certdb->GetCerts(getter_AddRefs(certList));
+    nsTArray<RefPtr<nsIX509Cert>> certList;
+    rv = certdb->GetCerts(certList);
     ASSERT_TRUE(NS_SUCCEEDED(rv))
     << "couldn't get list of certificates";
 
-    nsCOMPtr<nsISimpleEnumerator> enumerator;
-    rv = certList->GetEnumerator(getter_AddRefs(enumerator));
-    ASSERT_TRUE(NS_SUCCEEDED(rv))
-    << "couldn't enumerate certificate list";
-
     bool foundBuiltIn = false;
-    bool hasMore = false;
-    while (NS_SUCCEEDED(enumerator->HasMoreElements(&hasMore)) && hasMore) {
-      nsCOMPtr<nsISupports> supports;
-      ASSERT_TRUE(NS_SUCCEEDED(enumerator->GetNext(getter_AddRefs(supports))))
-      << "couldn't get next certificate";
-
-      nsCOMPtr<nsIX509Cert> cert(do_QueryInterface(supports));
+    for (const auto& cert : certList) {
       ASSERT_TRUE(cert)
-      << "couldn't QI to nsIX509Cert";
-
+      << "certlist shouldn't have null certificate";
       ASSERT_TRUE(NS_SUCCEEDED(cert->GetIsBuiltInRoot(&foundBuiltIn)))
       << "GetIsBuiltInRoot failed";
-
       if (foundBuiltIn) {
         break;
       }
     }
 
     ASSERT_TRUE(foundBuiltIn)
     << "didn't load any built-in certificates";
 
--- a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js
@@ -127,17 +127,17 @@ function checkDialogContents(win, notBef
   is(
     tokenName,
     "Stored on: Software Security Device",
     "Actual and expected token name should be equal"
   );
 }
 
 function findCertByCommonName(commonName) {
-  for (let cert of certDB.getCerts().getEnumerator()) {
+  for (let cert of certDB.getCerts()) {
     if (cert.commonName == commonName) {
       return cert;
     }
   }
   return null;
 }
 
 add_task(async function setup() {
--- a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js
+++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js
@@ -13,17 +13,17 @@ const gCertDB = Cc["@mozilla.org/securit
 );
 
 const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
 const CERT_COMMON_NAME = "test_cert_from_windows";
 const TEST_CERT_PASSWORD = "黒い";
 const TEST_OUTPUT_PASSWORD = "other password";
 
 function findCertByCommonName(commonName) {
-  for (let cert of gCertDB.getCerts().getEnumerator()) {
+  for (let cert of gCertDB.getCerts()) {
     if (cert.commonName == commonName) {
       return cert;
     }
   }
   return null;
 }
 
 function run_test() {
--- a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_master_password.js
+++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_master_password.js
@@ -43,17 +43,17 @@ var gPrompt = {
 };
 
 const gPromptFactory = {
   QueryInterface: ChromeUtils.generateQI([Ci.nsIPromptFactory]),
   getPrompt: (aWindow, aIID) => gPrompt,
 };
 
 function findCertByCommonName(commonName) {
-  for (let cert of gCertDB.getCerts().getEnumerator()) {
+  for (let cert of gCertDB.getCerts()) {
     if (cert.commonName == commonName) {
       return cert;
     }
   }
   return null;
 }
 
 function run_test() {
--- a/security/manager/ssl/tests/unit/test_certDB_import.js
+++ b/security/manager/ssl/tests/unit/test_certDB_import.js
@@ -64,17 +64,17 @@ function getCertAsByteArray(certPath) {
   for (let i = 0; i < certBytes.length; i++) {
     byteArray.push(certBytes.charCodeAt(i));
   }
 
   return byteArray;
 }
 
 function commonFindCertBy(propertyName, value) {
-  for (let cert of gCertDB.getCerts().getEnumerator()) {
+  for (let cert of gCertDB.getCerts()) {
     if (cert[propertyName] == value) {
       return cert;
     }
   }
   return null;
 }
 
 function findCertByCommonName(commonName) {
--- a/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
+++ b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
@@ -70,17 +70,17 @@ let gTestcases = [
     successExpected: true,
     errorCode: Ci.nsIX509CertDB.Success,
     checkCertExist: false,
   },
 ];
 
 function doesCertExist(commonName) {
   let allCerts = gCertDB.getCerts();
-  for (let cert of allCerts.getEnumerator()) {
+  for (let cert of allCerts) {
     if (cert.isBuiltInRoot) {
       continue;
     }
     if (cert.commonName == commonName) {
       return true;
     }
   }
 
--- a/security/manager/ssl/tests/unit/test_certDB_import_with_master_password.js
+++ b/security/manager/ssl/tests/unit/test_certDB_import_with_master_password.js
@@ -84,17 +84,17 @@ function getCertAsByteArray(certPath) {
   for (let i = 0; i < certBytes.length; i++) {
     byteArray.push(certBytes.charCodeAt(i));
   }
 
   return byteArray;
 }
 
 function findCertByCommonName(commonName) {
-  for (let cert of gCertDB.getCerts().getEnumerator()) {
+  for (let cert of gCertDB.getCerts()) {
     if (cert.commonName == commonName) {
       return cert;
     }
   }
   return null;
 }
 
 function run_test() {
--- a/security/manager/ssl/tests/unit/test_self_signed_certs.js
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs.js
@@ -28,17 +28,17 @@ add_task(async function run_test_no_over
   const CERT_DB_NAME = "cert9.db";
   let srcCertDBFile = do_get_file(`test_self_signed_certs/${CERT_DB_NAME}`);
   srcCertDBFile.copyTo(profile, CERT_DB_NAME);
 
   let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
     Ci.nsIX509CertDB
   );
   let certToVerify = null;
-  for (let cert of certDB.getCerts().getEnumerator()) {
+  for (let cert of certDB.getCerts()) {
     if (cert.subjectName == "CN=self-signed cert") {
       certToVerify = cert;
       break;
     }
   }
   notEqual(
     certToVerify,
     null,
--- a/security/manager/tools/genHPKPStaticPins.js
+++ b/security/manager/tools/genHPKPStaticPins.js
@@ -400,17 +400,17 @@ function downloadAndParseChromePins(
 }
 
 // Returns a pair of maps [certNameToSKD, certSKDToName] between cert
 // nicknames and digests of the SPKInfo for the mozilla trust store
 function loadNSSCertinfo(extraCertificates) {
   let allCerts = gCertDB.getCerts();
   let certNameToSKD = {};
   let certSKDToName = {};
-  for (let cert of allCerts.getEnumerator()) {
+  for (let cert of allCerts) {
     if (!cert.isBuiltInRoot) {
       continue;
     }
     let name = cert.displayName;
     let SKD = cert.sha256SubjectPublicKeyInfoDigest;
     certNameToSKD[name] = SKD;
     certSKDToName[SKD] = name;
   }
--- a/security/manager/tools/genRootCAHashes.js
+++ b/security/manager/tools/genRootCAHashes.js
@@ -186,17 +186,17 @@ function getLabelForCert(cert) {
 
 // Fill in the gTrustAnchors list with trust anchors from the database.
 function insertTrustAnchorsFromDatabase() {
   // We only want CA certs for SSL
   const CERT_TYPE = Ci.nsIX509Cert.CA_CERT;
   const TRUST_TYPE = Ci.nsIX509CertDB.TRUSTED_SSL;
 
   // Iterate through the whole Cert DB
-  for (let cert of CertDb.getCerts().getEnumerator()) {
+  for (let cert of CertDb.getCerts()) {
     // Find the certificate in our existing list. Do it here because we need to check if
     // it's untrusted too.
 
     // If this is a trusted cert
     if (CertDb.isCertTrusted(cert, CERT_TYPE, TRUST_TYPE)) {
       // Base64 encode the hex string
       let binaryFingerprint = CommonUtils.hexToBytes(
         stripColons(cert.sha256Fingerprint)
--- a/taskcluster/docker/periodic-updates/scripts/genHPKPStaticPins.js
+++ b/taskcluster/docker/periodic-updates/scripts/genHPKPStaticPins.js
@@ -391,17 +391,17 @@ function downloadAndParseChromePins(
 }
 
 // Returns a pair of maps [certNameToSKD, certSKDToName] between cert
 // nicknames and digests of the SPKInfo for the mozilla trust store
 function loadNSSCertinfo(extraCertificates) {
   let allCerts = gCertDB.getCerts();
   let certNameToSKD = {};
   let certSKDToName = {};
-  for (let cert of allCerts.getEnumerator()) {
+  for (let cert of allCerts) {
     if (!cert.isBuiltInRoot) {
       continue;
     }
     let name = cert.displayName;
     let SKD = cert.sha256SubjectPublicKeyInfoDigest;
     certNameToSKD[name] = SKD;
     certSKDToName[SKD] = name;
   }