| author | Sean Feng <sefeng@mozilla.com> |
| Thu, 05 Sep 2019 21:35:54 +0000 | |
| changeset 492050 | b4e80141db474ae1784f9397cc9bfe73cc02b161 |
| parent 492049 | 8d7284764bd66ba04710d5296357db5bd5206810 |
| child 492051 | 5e0ff929002acb4e2100e982e663794a9f6cba5e |
| push id | 94696 |
| push user | sefeng@mozilla.com |
| push date | Fri, 06 Sep 2019 16:45:04 +0000 |
| treeherder | autoland@b4e80141db47 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | keeler |
| bugs | 1577836 |
| milestone | 71.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/manager/ssl/nsCertTree.cpp +++ b/security/manager/ssl/nsCertTree.cpp @@ -271,17 +271,17 @@ nsCertTree::nsCertCompareFunc nsCertTree case nsIX509Cert::SERVER_CERT: default: return CmpWebSiteCert; } } struct nsCertAndArrayAndPositionAndCounterAndTracker { RefPtr<nsCertAddonInfo> certai; - nsTArray<RefPtr<nsCertTreeDispInfo> >* array; + nsTArray<RefPtr<nsCertTreeDispInfo>>* array; int position; int counter; nsTHashtable<nsCStringHashKey>* tracker; }; // Used to enumerate host:port overrides that match a stored // certificate, creates and adds a display-info-object to the // provided array. Increments insert position and entry counter. @@ -328,17 +328,17 @@ static void CollectAllHostPortOverridesC nsAutoCString hostPort; nsCertOverrideService::GetHostWithPort(aSettings.mAsciiHost, aSettings.mPort, hostPort); collectorTable->PutEntry(hostPort); } struct nsArrayAndPositionAndCounterAndTracker { - nsTArray<RefPtr<nsCertTreeDispInfo> >* array; + nsTArray<RefPtr<nsCertTreeDispInfo>>* array; int position; int counter; nsTHashtable<nsCStringHashKey>* tracker; }; // Used when enumerating the stored host:port overrides where // no associated certificate was found in the NSS database. static void AddRemaningHostPortOverridesCallback( @@ -365,62 +365,40 @@ static void AddRemaningHostPortOverrides certdi->mIsTemporary = aSettings.mIsTemporary; certdi->mCert = aSettings.mCert; cap->array->InsertElementAt(cap->position, certdi); cap->position++; cap->counter++; } } -nsresult nsCertTree::GetCertsByTypeFromCertList(nsIX509CertList* aCertList, - uint32_t aWantedType, - nsCertCompareFunc aCertCmpFn, - void* aCertCmpFnArg) { +nsresult nsCertTree::GetCertsByTypeFromCertList( + const nsTArray<RefPtr<nsIX509Cert>>& aCertList, uint32_t aWantedType, + nsCertCompareFunc aCertCmpFn, void* aCertCmpFnArg) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("GetCertsByTypeFromCertList")); - if (!aCertList) return NS_ERROR_FAILURE; if (!mOriginalOverrideService) return NS_ERROR_FAILURE; nsTHashtable<nsCStringHashKey> allHostPortOverrideKeys; if (aWantedType == nsIX509Cert::SERVER_CERT) { mOriginalOverrideService->EnumerateCertOverrides( nullptr, CollectAllHostPortOverridesCallback, &allHostPortOverrideKeys); } int count = 0; - nsCOMPtr<nsISimpleEnumerator> certListEnumerator; - nsresult rv = aCertList->GetEnumerator(getter_AddRefs(certListEnumerator)); - if (NS_FAILED(rv)) { - return rv; - } - bool hasMore = false; - rv = certListEnumerator->HasMoreElements(&hasMore); - if (NS_FAILED(rv)) { - return rv; - } - while (hasMore) { - nsCOMPtr<nsISupports> certSupports; - rv = certListEnumerator->GetNext(getter_AddRefs(certSupports)); - if (NS_FAILED(rv)) { - return rv; - } - nsCOMPtr<nsIX509Cert> cert = do_QueryInterface(certSupports); - if (!cert) { - return NS_ERROR_FAILURE; - } - + for (const auto& cert : aCertList) { bool wantThisCert = (aWantedType == nsIX509Cert::ANY_CERT); bool wantThisCertIfNoOverrides = false; bool wantThisCertIfHaveOverrides = false; bool addOverrides = false; if (!wantThisCert) { uint32_t thisCertType; - rv = cert->GetCertType(&thisCertType); + nsresult rv = cert->GetCertType(&thisCertType); if (NS_FAILED(rv)) { return rv; } // The output from GetCertType is a "guess", which can be wrong. // The guess is based on stored trust flags, but for the host:port // overrides, we are storing certs without any trust flags associated. // So we must check whether the cert really belongs to the @@ -526,21 +504,16 @@ nsresult nsCertTree::GetCertsByTypeFromC cap.counter = 0; cap.tracker = &allHostPortOverrideKeys; mOriginalOverrideService->EnumerateCertOverrides( cert, MatchingCertOverridesCallback, &cap); count += cap.counter; } } - - rv = certListEnumerator->HasMoreElements(&hasMore); - if (NS_FAILED(rv)) { - return rv; - } } if (aWantedType == nsIX509Cert::SERVER_CERT) { nsArrayAndPositionAndCounterAndTracker cap; cap.array = &mDispInfo; cap.position = 0; cap.counter = 0; cap.tracker = &allHostPortOverrideKeys; @@ -551,17 +524,18 @@ nsresult nsCertTree::GetCertsByTypeFromC return NS_OK; } // LoadCerts // // Load all of the certificates in the DB for this type. Sort them // by token, organization, then common name. NS_IMETHODIMP -nsCertTree::LoadCertsFromCache(nsIX509CertList* aCache, uint32_t aType) { +nsCertTree::LoadCertsFromCache(const nsTArray<RefPtr<nsIX509Cert>>& aCache, + uint32_t aType) { if (mTreeArray) { FreeCertArray(); delete[] mTreeArray; mTreeArray = nullptr; mNumRows = 0; } ClearCompareHash(); @@ -579,18 +553,18 @@ nsCertTree::LoadCerts(uint32_t aType) { FreeCertArray(); delete[] mTreeArray; mTreeArray = nullptr; mNumRows = 0; } ClearCompareHash(); nsCOMPtr<nsIX509CertDB> certdb(do_GetService(NS_X509CERTDB_CONTRACTID)); - nsCOMPtr<nsIX509CertList> certList; - nsresult rv = certdb->GetCerts(getter_AddRefs(certList)); + nsTArray<RefPtr<nsIX509Cert>> certList; + nsresult rv = certdb->GetCerts(certList); if (NS_FAILED(rv)) { return rv; } rv = GetCertsByTypeFromCertList( certList, aType, GetCompareFuncFromCertType(aType), &mCompareCache); if (NS_FAILED(rv)) { return rv; }
--- a/security/manager/ssl/nsCertTree.h +++ b/security/manager/ssl/nsCertTree.h @@ -127,17 +127,17 @@ class nsCertTree : public nsICertTree { static int32_t CmpUserCert(void* cache, nsIX509Cert* a, nsIX509Cert* b); static int32_t CmpEmailCert(void* cache, nsIX509Cert* a, nsIX509Cert* b); nsCertCompareFunc GetCompareFuncFromCertType(uint32_t aType); int32_t CountOrganizations(); private: static const uint32_t kInitialCacheLength = 64; - nsTArray<RefPtr<nsCertTreeDispInfo> > mDispInfo; + nsTArray<RefPtr<nsCertTreeDispInfo>> mDispInfo; RefPtr<mozilla::dom::XULTreeElement> mTree; nsCOMPtr<nsITreeSelection> mSelection; treeArrayEl* mTreeArray; int32_t mNumOrgs; int32_t mNumRows; PLDHashTable mCompareCache; nsCOMPtr<nsICertOverrideService> mOverrideService; RefPtr<nsCertOverrideService> mOriginalOverrideService; @@ -145,20 +145,19 @@ class nsCertTree : public nsICertTree { treeArrayEl* GetThreadDescAtIndex(int32_t _index); already_AddRefed<nsIX509Cert> GetCertAtIndex( int32_t _index, int32_t* outAbsoluteCertOffset = nullptr); already_AddRefed<nsCertTreeDispInfo> GetDispInfoAtIndex( int32_t index, int32_t* outAbsoluteCertOffset = nullptr); void FreeCertArray(); nsresult UpdateUIContents(); - nsresult GetCertsByTypeFromCertList(nsIX509CertList* aCertList, - uint32_t aType, - nsCertCompareFunc aCertCmpFn, - void* aCertCmpFnArg); + nsresult GetCertsByTypeFromCertList( + const nsTArray<RefPtr<nsIX509Cert>>& aCertList, uint32_t aWantedType, + nsCertCompareFunc aCertCmpFn, void* aCertCmpFnArg); nsCOMPtr<nsIMutableArray> mCellText; #ifdef DEBUG_CERT_TREE /* for debugging purposes */ void dumpMap(); #endif };
--- a/security/manager/ssl/nsICertTree.idl +++ b/security/manager/ssl/nsICertTree.idl @@ -3,32 +3,31 @@ * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsISupports.idl" #include "nsITreeView.idl" interface nsIX509Cert; -interface nsIX509CertList; [scriptable, uuid(d0180863-606e-49e6-8324-cf45ed4dd891)] interface nsICertTreeItem : nsISupports { [must_use] readonly attribute nsIX509Cert cert; [must_use] readonly attribute AString hostPort; }; [scriptable, uuid(55d5ad6b-5572-47fe-941c-f01fe723659e)] interface nsICertTree : nsITreeView { [must_use] void loadCerts(in unsigned long type); [must_use] - void loadCertsFromCache(in nsIX509CertList cache, in unsigned long type); + void loadCertsFromCache(in Array<nsIX509Cert> cache, in unsigned long type); [must_use] nsIX509Cert getCert(in unsigned long index); [must_use] nsICertTreeItem getTreeItem(in unsigned long index); [must_use] void deleteEntryObject(in unsigned long index);
--- a/security/manager/ssl/nsIX509CertDB.idl +++ b/security/manager/ssl/nsIX509CertDB.idl @@ -322,10 +322,10 @@ interface nsIX509CertDB : nsISupports { */ [must_use] nsIX509Cert addCertFromBase64(in ACString base64, in ACString trust); /* * Get all the known certs in the database */ [must_use] - nsIX509CertList getCerts(); + Array<nsIX509Cert> getCerts(); };
--- a/security/manager/ssl/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/nsNSSCertificateDB.cpp @@ -392,16 +392,34 @@ nsresult nsNSSCertificateDB::handleCACer } Unused << tmpCert2.release(); } return ImportCertsIntoPermanentStorage(certList); } +nsresult nsNSSCertificateDB::ConstructCertArrayFromUniqueCertList( + const UniqueCERTCertList& aCertListIn, + nsTArray<RefPtr<nsIX509Cert>>& aCertListOut) { + if (!aCertListIn.get()) { + return NS_ERROR_INVALID_ARG; + } + + for (CERTCertListNode* node = CERT_LIST_HEAD(aCertListIn.get()); + !CERT_LIST_END(node, aCertListIn.get()); node = CERT_LIST_NEXT(node)) { + RefPtr<nsIX509Cert> cert = nsNSSCertificate::Create(node->cert); + if (!cert) { + return NS_ERROR_OUT_OF_MEMORY; + } + aCertListOut.AppendElement(cert); + } + return NS_OK; +} + NS_IMETHODIMP nsNSSCertificateDB::ImportCertificates(uint8_t* data, uint32_t length, uint32_t type, nsIInterfaceRequestor* ctx) { // We currently only handle CA certificates. if (type != nsIX509Cert::CA_CERT) { return NS_ERROR_FAILURE; } @@ -1085,37 +1103,34 @@ nsNSSCertificateDB::SetCertTrustFromStri } UniqueCERTCertificate nssCert(cert->GetCert()); srv = ChangeCertTrustWithPossibleAuthentication(nssCert, trust, nullptr); return MapSECStatus(srv); } NS_IMETHODIMP -nsNSSCertificateDB::GetCerts(nsIX509CertList** _retval) { +nsNSSCertificateDB::GetCerts(nsTArray<RefPtr<nsIX509Cert>>& _retval) { nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; } rv = CheckForSmartCardChanges(); if (NS_FAILED(rv)) { return rv; } nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); - nsCOMPtr<nsIX509CertList> nssCertList; UniqueCERTCertList certList(PK11_ListCerts(PK11CertListUnique, ctx)); - - // nsNSSCertList 1) adopts certList, and 2) handles the nullptr case fine. - // (returns an empty list) - nssCertList = new nsNSSCertList(std::move(certList)); - - nssCertList.forget(_retval); - return NS_OK; + if (!certList) { + return NS_ERROR_FAILURE; + } + return nsNSSCertificateDB::ConstructCertArrayFromUniqueCertList(certList, + _retval); } nsresult VerifyCertAtTime(nsIX509Cert* aCert, int64_t /*SECCertificateUsage*/ aUsage, uint32_t aFlags, const nsACString& aHostname, mozilla::pkix::Time aTime, nsIX509CertList** aVerifiedChain, bool* aHasEVPolicy, int32_t* /*PRErrorCode*/ _retval) {
--- a/security/manager/ssl/nsNSSCertificateDB.h +++ b/security/manager/ssl/nsNSSCertificateDB.h @@ -23,16 +23,20 @@ class nsNSSCertificateDB final : public NS_DECL_THREADSAFE_ISUPPORTS NS_DECL_NSIX509CERTDB // This is a separate static method so nsNSSComponent can use it during NSS // initialization. Other code should probably not use it. static nsresult FindCertByDBKey(const nsACString& aDBKey, mozilla::UniqueCERTCertificate& cert); + static nsresult ConstructCertArrayFromUniqueCertList( + const mozilla::UniqueCERTCertList& aCertListIn, + nsTArray<RefPtr<nsIX509Cert>>& aCertListOut); + protected: virtual ~nsNSSCertificateDB() {} private: // Use this function to generate a default nickname for a user // certificate that is to be imported onto a token. static void get_default_nickname(CERTCertificate* cert, nsIInterfaceRequestor* ctx,
--- a/security/manager/ssl/tests/gtest/CertDBTest.cpp +++ b/security/manager/ssl/tests/gtest/CertDBTest.cpp @@ -4,17 +4,16 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "gtest/gtest.h" #include "nsCOMPtr.h" #include "nsIPrefService.h" #include "nsISimpleEnumerator.h" #include "nsIX509Cert.h" #include "nsIX509CertDB.h" -#include "nsIX509CertList.h" #include "nsServiceManagerUtils.h" TEST(psm_CertDB, Test) { { nsCOMPtr<nsIPrefBranch> prefs(do_GetService(NS_PREFSERVICE_CONTRACTID)); ASSERT_TRUE(prefs) << "couldn't get nsIPrefBranch"; @@ -24,40 +23,27 @@ TEST(psm_CertDB, Test) nsresult rv = prefs->SetBoolPref("intl.locale.matchOS", true); ASSERT_TRUE(NS_SUCCEEDED(rv)) << "couldn't set pref 'intl.locale.matchOS'"; nsCOMPtr<nsIX509CertDB> certdb(do_GetService(NS_X509CERTDB_CONTRACTID)); ASSERT_TRUE(certdb) << "couldn't get certdb"; - nsCOMPtr<nsIX509CertList> certList; - rv = certdb->GetCerts(getter_AddRefs(certList)); + nsTArray<RefPtr<nsIX509Cert>> certList; + rv = certdb->GetCerts(certList); ASSERT_TRUE(NS_SUCCEEDED(rv)) << "couldn't get list of certificates"; - nsCOMPtr<nsISimpleEnumerator> enumerator; - rv = certList->GetEnumerator(getter_AddRefs(enumerator)); - ASSERT_TRUE(NS_SUCCEEDED(rv)) - << "couldn't enumerate certificate list"; - bool foundBuiltIn = false; - bool hasMore = false; - while (NS_SUCCEEDED(enumerator->HasMoreElements(&hasMore)) && hasMore) { - nsCOMPtr<nsISupports> supports; - ASSERT_TRUE(NS_SUCCEEDED(enumerator->GetNext(getter_AddRefs(supports)))) - << "couldn't get next certificate"; - - nsCOMPtr<nsIX509Cert> cert(do_QueryInterface(supports)); + for (const auto& cert : certList) { ASSERT_TRUE(cert) - << "couldn't QI to nsIX509Cert"; - + << "certlist shouldn't have null certificate"; ASSERT_TRUE(NS_SUCCEEDED(cert->GetIsBuiltInRoot(&foundBuiltIn))) << "GetIsBuiltInRoot failed"; - if (foundBuiltIn) { break; } } ASSERT_TRUE(foundBuiltIn) << "didn't load any built-in certificates";
--- a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js +++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js @@ -127,17 +127,17 @@ function checkDialogContents(win, notBef is( tokenName, "Stored on: Software Security Device", "Actual and expected token name should be equal" ); } function findCertByCommonName(commonName) { - for (let cert of certDB.getCerts().getEnumerator()) { + for (let cert of certDB.getCerts()) { if (cert.commonName == commonName) { return cert; } } return null; } add_task(async function setup() {
--- a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js +++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js @@ -13,17 +13,17 @@ const gCertDB = Cc["@mozilla.org/securit ); const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx"; const CERT_COMMON_NAME = "test_cert_from_windows"; const TEST_CERT_PASSWORD = "黒い"; const TEST_OUTPUT_PASSWORD = "other password"; function findCertByCommonName(commonName) { - for (let cert of gCertDB.getCerts().getEnumerator()) { + for (let cert of gCertDB.getCerts()) { if (cert.commonName == commonName) { return cert; } } return null; } function run_test() {
--- a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_master_password.js +++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_master_password.js @@ -43,17 +43,17 @@ var gPrompt = { }; const gPromptFactory = { QueryInterface: ChromeUtils.generateQI([Ci.nsIPromptFactory]), getPrompt: (aWindow, aIID) => gPrompt, }; function findCertByCommonName(commonName) { - for (let cert of gCertDB.getCerts().getEnumerator()) { + for (let cert of gCertDB.getCerts()) { if (cert.commonName == commonName) { return cert; } } return null; } function run_test() {
--- a/security/manager/ssl/tests/unit/test_certDB_import.js +++ b/security/manager/ssl/tests/unit/test_certDB_import.js @@ -64,17 +64,17 @@ function getCertAsByteArray(certPath) { for (let i = 0; i < certBytes.length; i++) { byteArray.push(certBytes.charCodeAt(i)); } return byteArray; } function commonFindCertBy(propertyName, value) { - for (let cert of gCertDB.getCerts().getEnumerator()) { + for (let cert of gCertDB.getCerts()) { if (cert[propertyName] == value) { return cert; } } return null; } function findCertByCommonName(commonName) {
--- a/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js +++ b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js @@ -70,17 +70,17 @@ let gTestcases = [ successExpected: true, errorCode: Ci.nsIX509CertDB.Success, checkCertExist: false, }, ]; function doesCertExist(commonName) { let allCerts = gCertDB.getCerts(); - for (let cert of allCerts.getEnumerator()) { + for (let cert of allCerts) { if (cert.isBuiltInRoot) { continue; } if (cert.commonName == commonName) { return true; } }
--- a/security/manager/ssl/tests/unit/test_certDB_import_with_master_password.js +++ b/security/manager/ssl/tests/unit/test_certDB_import_with_master_password.js @@ -84,17 +84,17 @@ function getCertAsByteArray(certPath) { for (let i = 0; i < certBytes.length; i++) { byteArray.push(certBytes.charCodeAt(i)); } return byteArray; } function findCertByCommonName(commonName) { - for (let cert of gCertDB.getCerts().getEnumerator()) { + for (let cert of gCertDB.getCerts()) { if (cert.commonName == commonName) { return cert; } } return null; } function run_test() {
--- a/security/manager/ssl/tests/unit/test_self_signed_certs.js +++ b/security/manager/ssl/tests/unit/test_self_signed_certs.js @@ -28,17 +28,17 @@ add_task(async function run_test_no_over const CERT_DB_NAME = "cert9.db"; let srcCertDBFile = do_get_file(`test_self_signed_certs/${CERT_DB_NAME}`); srcCertDBFile.copyTo(profile, CERT_DB_NAME); let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( Ci.nsIX509CertDB ); let certToVerify = null; - for (let cert of certDB.getCerts().getEnumerator()) { + for (let cert of certDB.getCerts()) { if (cert.subjectName == "CN=self-signed cert") { certToVerify = cert; break; } } notEqual( certToVerify, null,
--- a/security/manager/tools/genHPKPStaticPins.js +++ b/security/manager/tools/genHPKPStaticPins.js @@ -400,17 +400,17 @@ function downloadAndParseChromePins( } // Returns a pair of maps [certNameToSKD, certSKDToName] between cert // nicknames and digests of the SPKInfo for the mozilla trust store function loadNSSCertinfo(extraCertificates) { let allCerts = gCertDB.getCerts(); let certNameToSKD = {}; let certSKDToName = {}; - for (let cert of allCerts.getEnumerator()) { + for (let cert of allCerts) { if (!cert.isBuiltInRoot) { continue; } let name = cert.displayName; let SKD = cert.sha256SubjectPublicKeyInfoDigest; certNameToSKD[name] = SKD; certSKDToName[SKD] = name; }
--- a/security/manager/tools/genRootCAHashes.js +++ b/security/manager/tools/genRootCAHashes.js @@ -186,17 +186,17 @@ function getLabelForCert(cert) { // Fill in the gTrustAnchors list with trust anchors from the database. function insertTrustAnchorsFromDatabase() { // We only want CA certs for SSL const CERT_TYPE = Ci.nsIX509Cert.CA_CERT; const TRUST_TYPE = Ci.nsIX509CertDB.TRUSTED_SSL; // Iterate through the whole Cert DB - for (let cert of CertDb.getCerts().getEnumerator()) { + for (let cert of CertDb.getCerts()) { // Find the certificate in our existing list. Do it here because we need to check if // it's untrusted too. // If this is a trusted cert if (CertDb.isCertTrusted(cert, CERT_TYPE, TRUST_TYPE)) { // Base64 encode the hex string let binaryFingerprint = CommonUtils.hexToBytes( stripColons(cert.sha256Fingerprint)
--- a/taskcluster/docker/periodic-updates/scripts/genHPKPStaticPins.js +++ b/taskcluster/docker/periodic-updates/scripts/genHPKPStaticPins.js @@ -391,17 +391,17 @@ function downloadAndParseChromePins( } // Returns a pair of maps [certNameToSKD, certSKDToName] between cert // nicknames and digests of the SPKInfo for the mozilla trust store function loadNSSCertinfo(extraCertificates) { let allCerts = gCertDB.getCerts(); let certNameToSKD = {}; let certSKDToName = {}; - for (let cert of allCerts.getEnumerator()) { + for (let cert of allCerts) { if (!cert.isBuiltInRoot) { continue; } let name = cert.displayName; let SKD = cert.sha256SubjectPublicKeyInfoDigest; certNameToSKD[name] = SKD; certSKDToName[SKD] = name; }