Bug 643041 - Merge nsIX509Cert2 and nsIX509Cert3 into nsIX509Cert, and merge nsIX509CertDB2 into nsIX509CertDB. r=keeler
authorHarsh Pathak <hpathak@mozilla.com>
Thu, 03 Jul 2014 22:09:24 -0700
changeset 192383 240a0b085725d132fa9616a78d0ceebe8255c1db
parent 192382 7231daefbb2857793fafdb9e5a37488f31db87df
child 192384 95020e2c631dc467aa4de467e3c78ec22a654374
push id8630
push usercbook@mozilla.com
push dateFri, 04 Jul 2014 12:17:41 +0000
treeherderb2g-inbound@014d17b5ba5a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs643041
milestone33.0a1
Bug 643041 - Merge nsIX509Cert2 and nsIX509Cert3 into nsIX509Cert, and merge nsIX509CertDB2 into nsIX509CertDB. r=keeler
dom/wifi/WifiWorker.js
security/apps/AppSignatureVerification.cpp
security/manager/pki/resources/content/pippki.js
security/manager/pki/resources/content/viewCertDetails.js
security/manager/ssl/public/moz.build
security/manager/ssl/public/nsISSLStatus.idl
security/manager/ssl/public/nsIX509Cert.idl
security/manager/ssl/public/nsIX509Cert2.idl
security/manager/ssl/public/nsIX509Cert3.idl
security/manager/ssl/public/nsIX509CertDB.idl
security/manager/ssl/public/nsIX509CertDB2.idl
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/src/TransportSecurityInfo.cpp
security/manager/ssl/src/nsCertOverrideService.cpp
security/manager/ssl/src/nsCertTree.cpp
security/manager/ssl/src/nsCertVerificationThread.cpp
security/manager/ssl/src/nsNSSCertificate.cpp
security/manager/ssl/src/nsNSSCertificate.h
security/manager/ssl/src/nsNSSCertificateDB.cpp
security/manager/ssl/src/nsNSSCertificateDB.h
security/manager/ssl/src/nsNSSCertificateFakeTransport.cpp
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/src/nsVerificationJob.h
security/manager/ssl/tests/unit/test_getchain.js
security/manager/tools/genHPKPStaticPins.js
toolkit/modules/CertUtils.jsm
--- a/dom/wifi/WifiWorker.js
+++ b/dom/wifi/WifiWorker.js
@@ -3304,40 +3304,40 @@ WifiWorker.prototype = {
     const message = "WifiManager:getImportedCerts:Return";
     let self = this;
 
     if (!WifiManager.enabled) {
       this._sendMessage(message, false, "Wifi is disabled", msg);
       return;
     }
 
-    let certDB2 = Cc["@mozilla.org/security/x509certdb;1"]
-                  .getService(Ci.nsIX509CertDB2);
-    if (!certDB2) {
+    let certDB = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+    if (!certDB) {
       self._sendMessage(message, false, "Failed to query NSS DB service", msg);
     }
 
-    let certList = certDB2.getCerts();
+    let certList = certDB.getCerts();
     if (!certList) {
       self._sendMessage(message, false, "Failed to get certificate List", msg);
     }
 
     let certListEnum = certList.getEnumerator();
     if (!certListEnum) {
       self._sendMessage(message, false, "Failed to get certificate List enumerator", msg);
     }
     let importedCerts = {
       ServerCert: [],
     };
     let UsageMapping = {
       SERVERCERT: "ServerCert",
     };
 
     while (certListEnum.hasMoreElements()) {
-      let certInfo = certListEnum.getNext().QueryInterface(Ci.nsIX509Cert3);
+      let certInfo = certListEnum.getNext().QueryInterface(Ci.nsIX509Cert);
       let certNicknameInfo = /WIFI\_([A-Z]*)\_(.*)/.exec(certInfo.nickname);
       if (!certNicknameInfo) {
         continue;
       }
       importedCerts[UsageMapping[certNicknameInfo[1]]].push(certNicknameInfo[2]);
     }
 
     self._sendMessage(message, true, importedCerts, msg);
--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -564,17 +564,17 @@ VerifySignature(AppTrustedRoot trustedRo
   return VerifyCMSDetachedSignatureIncludingCertificate(buffer, detachedDigest,
                                                         VerifyCertificate,
                                                         &context, nullptr);
 }
 
 NS_IMETHODIMP
 OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
                   /*out, optional */ nsIZipReader** aZipReader,
-                  /*out, optional */ nsIX509Cert3** aSignerCert)
+                  /*out, optional */ nsIX509Cert** aSignerCert)
 {
   NS_ENSURE_ARG_POINTER(aJarFile);
 
   if (aZipReader) {
     *aZipReader = nullptr;
   }
 
   if (aSignerCert) {
@@ -723,17 +723,17 @@ OpenSignedAppFile(AppTrustedRoot aTruste
     zip.forget(aZipReader);
   }
 
   // Return the signer's certificate to the reader if they want it.
   // XXX: We should return an nsIX509CertList with the whole validated chain,
   //      but we can't do that until we switch to libpkix.
   if (aSignerCert) {
     MOZ_ASSERT(CERT_LIST_HEAD(builtChain));
-    nsCOMPtr<nsIX509Cert3> signerCert =
+    nsCOMPtr<nsIX509Cert> signerCert =
       nsNSSCertificate::Create(CERT_LIST_HEAD(builtChain)->cert);
     NS_ENSURE_TRUE(signerCert, NS_ERROR_OUT_OF_MEMORY);
     signerCert.forget(aSignerCert);
   }
 
   return NS_OK;
 }
 
@@ -764,17 +764,17 @@ private:
   {
     (void) mCallback->OpenSignedAppFileFinished(rv, mZipReader, mSignerCert);
   }
 
   const AppTrustedRoot mTrustedRoot;
   const nsCOMPtr<nsIFile> mJarFile;
   nsMainThreadPtrHandle<nsIOpenSignedAppFileCallback> mCallback;
   nsCOMPtr<nsIZipReader> mZipReader; // out
-  nsCOMPtr<nsIX509Cert3> mSignerCert; // out
+  nsCOMPtr<nsIX509Cert> mSignerCert; // out
 };
 
 } // unnamed namespace
 
 NS_IMETHODIMP
 nsNSSCertificateDB::OpenSignedAppFileAsync(
   AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
   nsIOpenSignedAppFileCallback* aCallback)
--- a/security/manager/pki/resources/content/pippki.js
+++ b/security/manager/pki/resources/content/pippki.js
@@ -38,17 +38,16 @@ function getDERString(cert)
     derString += String.fromCharCode(derArray[i]);
   }
   return derString;
 }
 
 function getPKCS7String(cert, chainMode)
 {
   var length = {};
-  cert.QueryInterface(Components.interfaces.nsIX509Cert3);
   var pkcs7Array = cert.exportAsCMS(chainMode, length);
   var pkcs7String = '';
   for (var i = 0; i < pkcs7Array.length; i++) {
     pkcs7String += String.fromCharCode(pkcs7Array[i]);
   }
   return pkcs7String;
 }
 
@@ -105,20 +104,20 @@ function exportToFile(parent, cert)
       var chain = cert.getChain();
       for (var i = 1; i < chain.length; i++)
         content += getPEMString(chain.queryElementAt(i, Components.interfaces.nsIX509Cert));
       break;
     case 2:
       content = getDERString(cert);
       break;
     case 3:
-      content = getPKCS7String(cert, Components.interfaces.nsIX509Cert3.CMS_CHAIN_MODE_CertOnly);
+      content = getPKCS7String(cert, Components.interfaces.nsIX509Cert.CMS_CHAIN_MODE_CertOnly);
       break;
     case 4:
-      content = getPKCS7String(cert, Components.interfaces.nsIX509Cert3.CMS_CHAIN_MODE_CertChainWithRoot);
+      content = getPKCS7String(cert, Components.interfaces.nsIX509Cert.CMS_CHAIN_MODE_CertChainWithRoot);
       break;
     case 0:
     default:
       content = getPEMString(cert);
       break;
   }
   var msg;
   var written = 0;
--- a/security/manager/pki/resources/content/viewCertDetails.js
+++ b/security/manager/pki/resources/content/viewCertDetails.js
@@ -1,14 +1,13 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 const nsIX509Cert = Components.interfaces.nsIX509Cert;
-const nsIX509Cert3 = Components.interfaces.nsIX509Cert3;
 const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
 const nsIX509CertDB = Components.interfaces.nsIX509CertDB;
 const nsPK11TokenDB = "@mozilla.org/security/pk11tokendb;1";
 const nsIPK11TokenDB = Components.interfaces.nsIPK11TokenDB;
 const nsIPKIParamBlock = Components.interfaces.nsIPKIParamBlock;
 const nsIASN1Object = Components.interfaces.nsIASN1Object;
 const nsIASN1Sequence = Components.interfaces.nsIASN1Sequence;
 const nsIASN1PrintableItem = Components.interfaces.nsIASN1PrintableItem;
@@ -89,24 +88,19 @@ function setWindowName()
   //  Set the cert attributes for viewing
   //
 
   //  The chain of trust
   var chain = cert.getChain();
   AddCertChain("treesetDump", chain, "dump_");
   DisplayGeneralDataFromCert(cert);
   BuildPrettyPrint(cert);
-  
-  if (cert instanceof nsIX509Cert3)
-  {
-    cert.requestUsagesArrayAsync(new listener());
-  }
+  cert.requestUsagesArrayAsync(new listener());
 }
 
- 
 function addChildrenToTree(parentTree,label,value,addTwistie)
 {
   var treeChild1 = document.createElement("treechildren");
   var treeElement = addTreeItemToTreeChild(treeChild1,label,value,addTwistie);
   parentTree.appendChild(treeChild1);
   return treeElement;
 }
 
@@ -244,17 +238,17 @@ function DisplayGeneralDataFromCert(cert
   // SHA-256 Fingerprint
   addAttributeFromCert('sha256fingerprint', cert.sha256Fingerprint);
   //  SHA1 Fingerprint
   addAttributeFromCert('sha1fingerprint',cert.sha1Fingerprint);
   // Validity start
   addAttributeFromCert('validitystart', cert.validity.notBeforeLocalDay);
   // Validity end
   addAttributeFromCert('validityend', cert.validity.notAfterLocalDay);
-  
+
   //Now to populate the fields that correspond to the issuer.
   var issuerCommonname, issuerOrg, issuerOrgUnit;
   issuerCommonname = cert.issuerCommonName;
   issuerOrg = cert.issuerOrganization;
   issuerOrgUnit = cert.issuerOrganizationUnit;
   addAttributeFromCert('issuercommonname', issuerCommonname);
   addAttributeFromCert('issuerorganization', issuerOrg);
   addAttributeFromCert('issuerorgunit', issuerOrgUnit);
@@ -282,17 +276,17 @@ function updateCertDump()
 function getCurrentCert()
 {
   var realIndex;
   var tree = document.getElementById('treesetDump');
   if (tree.view.selection.isSelected(tree.currentIndex)
       && document.getElementById('prettyprint_tab').selected) {
     /* if the user manually selected a cert on the Details tab,
        then take that one  */
-    realIndex = tree.currentIndex;    
+    realIndex = tree.currentIndex;
   } else {
     /* otherwise, take the one at the bottom of the chain
        (i.e. the one of the end-entity, unless we're displaying
        CA certs) */
     realIndex = tree.view.rowCount - 1;
   }
   if (realIndex >= 0) {
     var item = tree.contentView.getItemAtIndex(realIndex);
--- a/security/manager/ssl/public/moz.build
+++ b/security/manager/ssl/public/moz.build
@@ -34,20 +34,17 @@ XPIDL_SOURCES += [
     'nsIRecentBadCertsService.idl',
     'nsISSLErrorListener.idl',
     'nsISSLStatus.idl',
     'nsIStreamCipher.idl',
     'nsITokenDialogs.idl',
     'nsITokenPasswordDialogs.idl',
     'nsIUserCertPicker.idl',
     'nsIX509Cert.idl',
-    'nsIX509Cert2.idl',
-    'nsIX509Cert3.idl',
     'nsIX509CertDB.idl',
-    'nsIX509CertDB2.idl',
     'nsIX509CertList.idl',
     'nsIX509CertValidity.idl',
 ]
 
 if CONFIG['MOZ_XUL']:
     XPIDL_SOURCES += [
         'nsICertTree.idl',
     ]
--- a/security/manager/ssl/public/nsISSLStatus.idl
+++ b/security/manager/ssl/public/nsISSLStatus.idl
@@ -18,17 +18,17 @@ interface nsISSLStatus : nsISupports {
 
   readonly attribute boolean isDomainMismatch;
   readonly attribute boolean isNotValidAtThisTime;
 
   /* Note: To distinguish between 
    *         "unstrusted because missing or untrusted issuer"
    *       and 
    *         "untrusted because self signed"
-   *       query nsIX509Cert3::isSelfSigned 
+   *       query nsIX509Cert::isSelfSigned
    */
   readonly attribute boolean isUntrusted;
 
   /**
    * True only if (and after) serverCert was successfully validated as
    * Extended Validation (EV).
    */
   readonly attribute boolean isExtendedValidation;
--- a/security/manager/ssl/public/nsIX509Cert.idl
+++ b/security/manager/ssl/public/nsIX509Cert.idl
@@ -4,21 +4,28 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 
 interface nsIArray;
 interface nsIX509CertValidity;
 interface nsIASN1Object;
+interface nsICertVerificationListener;
+
+%{ C++
+ /* forward declaration */
+ typedef struct CERTCertificateStr CERTCertificate;
+%}
+[ptr] native CERTCertificatePtr(CERTCertificate);
 
 /**
  * This represents a X.509 certificate.
  */
-[scriptable, uuid(891d2009-b9ba-4a0d-bebe-6b3a30e33191)]
+[scriptable, uuid(f8ed8364-ced9-4c6e-86ba-48af53c393e6)]
 interface nsIX509Cert : nsISupports {
 
   /**
    *  A nickname for the certificate.
    */
   readonly attribute AString nickname;
 
   /**
@@ -28,26 +35,26 @@ interface nsIX509Cert : nsISupports {
 
   /**
    *  Obtain a list of all email addresses
    *  contained in the certificate.
    *
    *  @param length The number of strings in the returned array.
    *  @return An array of email addresses.
    */
-  void getEmailAddresses(out unsigned long length, 
+  void getEmailAddresses(out unsigned long length,
                          [retval, array, size_is(length)] out wstring addresses);
 
   /**
    *  Check whether a given address is contained in the certificate.
    *  The comparison will convert the email address to lowercase.
    *  The behaviour for non ASCII characters is undefined.
    *
    *  @param aEmailAddress The address to search for.
-   *                
+   *
    *  @return True if the address is contained in the certificate.
    */
   boolean containsEmailAddress(in AString aEmailAddress);
 
   /**
    *  The subject owning the certificate.
    */
   readonly attribute AString subjectName;
@@ -133,31 +140,43 @@ interface nsIX509Cert : nsISupports {
   /**
    *  Constants to classify the type of a certificate.
    */
   const unsigned long UNKNOWN_CERT =      0;
   const unsigned long CA_CERT      = 1 << 0;
   const unsigned long USER_CERT    = 1 << 1;
   const unsigned long EMAIL_CERT   = 1 << 2;
   const unsigned long SERVER_CERT  = 1 << 3;
+  const unsigned long ANY_CERT     = 0xffff;
+
+  /**
+   * Type of this certificate
+   */
+  readonly attribute unsigned long certType;
+
+  /**
+   *  True if the certificate is self-signed. CA issued
+   *  certificates are always self-signed.
+   */
+  readonly attribute boolean isSelfSigned;
 
   /**
    *  Constants for certificate verification results.
    */
   const unsigned long VERIFIED_OK          =      0;
   const unsigned long NOT_VERIFIED_UNKNOWN = 1 << 0;
   const unsigned long CERT_REVOKED         = 1 << 1;
   const unsigned long CERT_EXPIRED         = 1 << 2;
   const unsigned long CERT_NOT_TRUSTED     = 1 << 3;
   const unsigned long ISSUER_NOT_TRUSTED   = 1 << 4;
   const unsigned long ISSUER_UNKNOWN       = 1 << 5;
   const unsigned long INVALID_CA           = 1 << 6;
   const unsigned long USAGE_NOT_ALLOWED    = 1 << 7;
   const unsigned long SIGNATURE_ALGORITHM_DISABLED = 1 << 8;
-  
+
   /**
    *  Constants that describe the certified usages of a certificate.
    *
    *  Deprecated and unused
    */
   const unsigned long CERT_USAGE_SSLClient = 0;
   const unsigned long CERT_USAGE_SSLServer = 1;
   const unsigned long CERT_USAGE_SSLServerWithStepUp = 2;
@@ -167,17 +186,24 @@ interface nsIX509Cert : nsISupports {
   const unsigned long CERT_USAGE_ObjectSigner = 6;
   const unsigned long CERT_USAGE_UserCertImport = 7;
   const unsigned long CERT_USAGE_VerifyCA = 8;
   const unsigned long CERT_USAGE_ProtectedObjectSigner = 9;
   const unsigned long CERT_USAGE_StatusResponder = 10;
   const unsigned long CERT_USAGE_AnyCA = 11;
 
   /**
-   *  Obtain a list of certificates that contains this certificate 
+   *  Constants for specifying the chain mode when exporting a certificate
+   */
+  const unsigned long CMS_CHAIN_MODE_CertOnly = 1;
+  const unsigned long CMS_CHAIN_MODE_CertChain = 2;
+  const unsigned long CMS_CHAIN_MODE_CertChainWithRoot = 3;
+
+  /**
+   *  Obtain a list of certificates that contains this certificate
    *  and the issuing certificates of all involved issuers,
    *  up to the root issuer.
    *
    *  @return The chain of certifficates including the issuers.
    */
   nsIArray getChain();
 
   /**
@@ -187,20 +213,28 @@ interface nsIX509Cert : nsISupports {
    *  @param localOnly Do not hit the network, even if revocation information
    *                   downloading is currently activated.
    *  @param verified The certificate verification result, see constants.
    *  @param count The number of human readable usages returned.
    *  @param usages The array of human readable usages.
    */
   void getUsagesArray(in boolean localOnly,
                       out uint32_t verified,
-                      out uint32_t count, 
+                      out uint32_t count,
                       [array, size_is(count)] out wstring usages);
 
   /**
+   *  Async version of nsIX509Cert::getUsagesArray()
+   *
+   *  Will not block, will request results asynchronously,
+   *  availability of results will be notified on the main thread.
+   */
+  void requestUsagesArrayAsync(in nsICertVerificationListener cvl);
+
+  /**
    *  Obtain a single comma separated human readable string describing
    *  the certificate's certified usages.
    *
    *  @param localOnly Do not hit the network, even if revocation information
    *                   downloading is currently activated.
    *  @param verified The certificate verification result, see constants.
    *  @param purposes The string listing the usages.
    */
@@ -219,21 +253,98 @@ interface nsIX509Cert : nsISupports {
    *
    *  @param length The number of bytes in the binary encoding.
    *  @param data The bytes representing the DER encoded certificate.
    */
   void getRawDER(out unsigned long length,
 	               [retval, array, size_is(length)] out octet data);
 
   /**
-   *  Test whether two certificate instances represent the 
+   *  Test whether two certificate instances represent the
    *  same certificate.
    *
    *  @return Whether the certificates are equal
    */
   boolean equals(in nsIX509Cert other);
 
   /**
    * The base64 encoding of the DER encoded public key info using the specified
    * digest.
    */
   readonly attribute ACString sha256SubjectPublicKeyInfoDigest;
+
+  /**
+   *  Obtain the certificate wrapped in a PKCS#7 SignedData structure,
+   *  with or without the certificate chain
+   *
+   *  @param chainMode Whether to include the chain (with or without the root),
+                       see CMS_CHAIN_MODE constants.
+   *  @param length The number of bytes of the PKCS#7 data.
+   *  @param data The bytes representing the PKCS#7 wrapped certificate.
+   */
+  void exportAsCMS(in unsigned long chainMode,
+                   out unsigned long length,
+                   [retval, array, size_is(length)] out octet data);
+
+  /**
+   * Retrieves the NSS certificate object wrapped by this interface
+   */
+   [notxpcom, noscript] CERTCertificatePtr getCert();
+
+  /**
+   * Human readable names identifying all hardware or
+   * software tokens the certificate is stored on.
+   *
+   * @param length On success, the number of entries in the returned array.
+   * @return On success, an array containing the names of all tokens
+   *         the certificate is stored on (may be empty).
+   *         On failure the function throws/returns an error.
+   */
+  void getAllTokenNames(out unsigned long length,
+                       [retval, array, size_is(length)] out wstring
+                       tokenNames);
+
+  /**
+   * Either delete the certificate from all cert databases,
+   * or mark it as untrusted.
+   */
+  void markForPermDeletion();
 };
+
+[scriptable, uuid(2fd0a785-9f2d-4327-8871-8c3e0783891d)]
+interface nsICertVerificationResult : nsISupports {
+
+  /**
+   *  This interface reflects a container of
+   *  verification results. Call will not block.
+   *
+   *  Obtain an array of human readable strings describing
+   *  the certificate's certified usages.
+   *
+   *  Mirrors the results produced by
+   *  nsIX509Cert::getUsagesArray()
+   *
+   *  As of today, this function is a one-shot object,
+   *  only the first call will succeed.
+   *  This allows an optimization in the implementation,
+   *  ownership of result data will be transfered to caller.
+   *
+   *  @param cert The certificate that was verified.
+   *  @param verified The certificate verification result,
+   *         see constants in nsIX509Cert.
+   *  @param count The number of human readable usages returned.
+   *  @param usages The array of human readable usages.
+   */
+  void getUsagesArrayResult(out uint32_t verified,
+                            out uint32_t count,
+                            [array, size_is(count)] out wstring usages);
+};
+
+[scriptable, uuid(6684bce9-50db-48e1-81b7-98102bf81357)]
+interface nsICertVerificationListener : nsISupports {
+
+  /**
+   *  Notify that results are ready, that have been requested
+   *  using nsIX509Cert::requestUsagesArrayAsync()
+   */
+  void notify(in nsIX509Cert verifiedCert,
+              in nsICertVerificationResult result);
+};
deleted file mode 100644
--- a/security/manager/ssl/public/nsIX509Cert2.idl
+++ /dev/null
@@ -1,30 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsIX509Cert.idl"
-
-interface nsIArray;
-interface nsIASN1Object;
-
-%{ C++
- /* forward declaration */
- typedef struct CERTCertificateStr CERTCertificate;
-%}
-[ptr] native CERTCertificatePtr(CERTCertificate);
-
-/**
- * This represents additional interfaces to X.509 certificates
- */
-[scriptable, uuid(5b62c61c-f898-4dab-8ace-51109bb459b4)]
-interface nsIX509Cert2 : nsIX509Cert {
-  /**
-   *  Additional constants to classify the type of a certificate.
-   */
-  const unsigned long ANY_CERT  = 0xffff;
-  readonly attribute unsigned long certType;
-  void markForPermDeletion();
-  [notxpcom, noscript] CERTCertificatePtr getCert();
-};
deleted file mode 100644
--- a/security/manager/ssl/public/nsIX509Cert3.idl
+++ /dev/null
@@ -1,98 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsIX509Cert2.idl"
-
-interface nsICertVerificationListener;
-
-/**
- * Extending nsIX509Cert
- */
-[scriptable, uuid(399004d8-b8c7-4eb9-8362-d99f4c0161fd)]
-interface nsIX509Cert3 : nsIX509Cert2 {
-
-  /**
-   *  Constants for specifying the chain mode when exporting a certificate
-   */
-  const unsigned long CMS_CHAIN_MODE_CertOnly = 1;
-  const unsigned long CMS_CHAIN_MODE_CertChain = 2;
-  const unsigned long CMS_CHAIN_MODE_CertChainWithRoot = 3;
-
-  /**
-   *  Async version of nsIX509Cert::getUsagesArray()
-   *
-   *  Will not block, will request results asynchronously,
-   *  availability of results will be notified on the main thread.
-   */ 
-  void requestUsagesArrayAsync(in nsICertVerificationListener cvl);
-
-  /**
-   *  Obtain the certificate wrapped in a PKCS#7 SignedData structure,
-   *  with or without the certificate chain
-   *
-   *  @param chainMode Whether to include the chain (with or without the root),
-                       see CMS_CHAIN_MODE constants.
-   *  @param length The number of bytes of the PKCS#7 data.
-   *  @param data The bytes representing the PKCS#7 wrapped certificate.
-   */
-  void exportAsCMS(in unsigned long chainMode,
-                   out unsigned long length,
-                   [retval, array, size_is(length)] out octet data);
-
-  readonly attribute boolean isSelfSigned;
-
-  /**
-   * Human readable names identifying all hardware or
-   * software tokens the certificate is stored on.
-   *
-   * @param length On success, the number of entries in the returned array.
-   * @return On success, an array containing the names of all tokens 
-   *         the certificate is stored on (may be empty).
-   *         On failure the function throws/returns an error.
-   */
-  void getAllTokenNames(out unsigned long length,
-                       [retval, array, size_is(length)] out wstring
-                       tokenNames);
-};
-
-[scriptable, uuid(2fd0a785-9f2d-4327-8871-8c3e0783891d)]
-interface nsICertVerificationResult : nsISupports {
-
-  /**
-   *  This interface reflects a container of
-   *  verification results. Call will not block.
-   *
-   *  Obtain an array of human readable strings describing
-   *  the certificate's certified usages.
-   *
-   *  Mirrors the results produced by 
-   *  nsIX509Cert::getUsagesArray()
-   *
-   *  As of today, this function is a one-shot object,
-   *  only the first call will succeed.
-   *  This allows an optimization in the implementation, 
-   *  ownership of result data will be transfered to caller.
-   *
-   *  @param cert The certificate that was verified.
-   *  @param verified The certificate verification result, 
-   *         see constants in nsIX509Cert.
-   *  @param count The number of human readable usages returned.
-   *  @param usages The array of human readable usages.
-   */ 
-  void getUsagesArrayResult(out uint32_t verified,
-                            out uint32_t count, 
-                            [array, size_is(count)] out wstring usages);
-};
-
-
-[scriptable, uuid(6684bce9-50db-48e1-81b7-98102bf81357)]
-interface nsICertVerificationListener : nsISupports {
-
-  /**
-   *  Notify that results are ready, that have been requested
-   *  using nsIX509Cert3::requestUsagesArrayAsync()
-   */
-  void notify(in nsIX509Cert3 verifiedCert,
-              in nsICertVerificationResult result);
-};
--- a/security/manager/ssl/public/nsIX509CertDB.idl
+++ b/security/manager/ssl/public/nsIX509CertDB.idl
@@ -3,39 +3,38 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 
 interface nsIArray;
 interface nsIX509Cert;
-interface nsIX509Cert3;
 interface nsIFile;
 interface nsIInterfaceRequestor;
 interface nsIZipReader;
 interface nsIRecentBadCerts;
 interface nsIX509CertList;
 
 %{C++
 #define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1"
 %}
 
 typedef uint32_t AppTrustedRoot;
 
-[scriptable, function, uuid(0927baea-622d-4e41-a76d-255af426e7fb)]
+[scriptable, function, uuid(5984db62-d0e5-4671-a082-799cf7271e24)]
 interface nsIOpenSignedAppFileCallback : nsISupports
 {
   void openSignedAppFileFinished(in nsresult rv,
                                  in nsIZipReader aZipReader,
-                                 in nsIX509Cert3 aSignerCert);
+                                 in nsIX509Cert aSignerCert);
 };
 
 /**
- * This represents a service to access and manipulate 
+ * This represents a service to access and manipulate
  * X.509 certificates stored in a database.
  */
 [scriptable, uuid(7446a5b1-84ca-491f-a2fe-0bc60a71ffa5)]
 interface nsIX509CertDB : nsISupports {
 
   /**
    *  Constants that define which usages a certificate
    *  is trusted for.
@@ -44,88 +43,88 @@ interface nsIX509CertDB : nsISupports {
   const unsigned long TRUSTED_SSL     = 1 << 0;
   const unsigned long TRUSTED_EMAIL   = 1 << 1;
   const unsigned long TRUSTED_OBJSIGN = 1 << 2;
 
   /**
    *  Given a nickname and optionally a token,
    *  locate the matching certificate.
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aNickname The nickname to be used as the key
    *                   to find a certificate.
-   *                
+   *
    *  @return The matching certificate if found.
    */
   nsIX509Cert findCertByNickname(in nsISupports aToken,
                                  in AString aNickname);
 
   /**
    *  Will find a certificate based on its dbkey
    *  retrieved by getting the dbKey attribute of
    *  the certificate.
    *
    *  @param aDBkey Database internal key, as obtained using
    *                attribute dbkey in nsIX509Cert.
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    */
   nsIX509Cert findCertByDBKey(in string aDBkey, in nsISupports aToken);
 
   /**
    *  Obtain a list of certificate nicknames from the database.
    *  What the name is depends on type:
    *    user, ca, or server cert - the nickname
    *    email cert - the email address
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aType Type of certificate to obtain
    *               See certificate type constants in nsIX509Cert.
    *  @param count The number of nicknames in the returned array
    *  @param certNameList The returned array of certificate nicknames.
    */
-  void findCertNicknames(in nsISupports aToken, 
+  void findCertNicknames(in nsISupports aToken,
                          in unsigned long aType,
                          out unsigned long count,
                          [array, size_is(count)] out wstring certNameList);
 
   /**
    *  Find user's own email encryption certificate by nickname.
    *
    *  @param aNickname The nickname to be used as the key
    *                   to find the certificate.
-   *                
+   *
    *  @return The matching certificate if found.
    */
   nsIX509Cert findEmailEncryptionCert(in AString aNickname);
 
   /**
    *  Find user's own email signing certificate by nickname.
    *
    *  @param aNickname The nickname to be used as the key
    *                   to find the certificate.
-   *                
+   *
    *  @return The matching certificate if found.
    */
   nsIX509Cert findEmailSigningCert(in AString aNickname);
 
   /**
    *  Find a certificate by email address.
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aEmailAddress The email address to be used as the key
    *                       to find the certificate.
-   *                
+   *
    *  @return The matching certificate if found.
    */
   nsIX509Cert findCertByEmailAddress(in nsISupports aToken,
                                      in string aEmailAddress);
 
   /**
    *  Use this to import a stream sent down as a mime type into
    *  the certificate database on the default token.
@@ -159,17 +158,17 @@ interface nsIX509CertDB : nsISupports {
    *  @param length The length of the data to be imported
    *  @param ctx A UI context.
    */
   void importServerCertificate([array, size_is(length)] in octet data,
                                in unsigned long length,
                                in nsIInterfaceRequestor ctx);
 
   /**
-   *  Import a personal certificate into the database, assuming 
+   *  Import a personal certificate into the database, assuming
    *  the database already contains the private key for this certificate.
    *
    *  @param data The raw data to be imported
    *  @param length The length of the data to be imported
    *  @param ctx A UI context.
    */
   void importUserCertificate([array, size_is(length)] in octet data,
                              in unsigned long length,
@@ -179,17 +178,17 @@ interface nsIX509CertDB : nsISupports {
    *  Delete a certificate stored in the database.
    *
    *  @param aCert Delete this certificate.
    */
   void deleteCertificate(in nsIX509Cert aCert);
 
   /**
    *  Modify the trust that is stored and associated to a certificate within
-   *  a database. Separate trust is stored for 
+   *  a database. Separate trust is stored for
    *  One call manipulates the trust for one trust type only.
    *  See the trust type constants defined within this interface.
    *
    *  @param cert Change the stored trust of this certificate.
    *  @param type The type of the certificate. See nsIX509Cert.
    *  @param trust A bitmask. The new trust for the possible usages.
    *               See the trust constants defined within this interface.
    */
@@ -198,63 +197,63 @@ interface nsIX509CertDB : nsISupports {
                     in unsigned long trust);
 
   /**
    * @param cert        The certificate for which to modify trust.
    * @param trustString decoded by CERT_DecodeTrustString. 3 comma separated
    *                    characters, indicating SSL, Email, and Obj signing
    *                    trust.
    */
-  void setCertTrustFromString(in nsIX509Cert3 cert, in string trustString);
+  void setCertTrustFromString(in nsIX509Cert cert, in string trustString);
 
   /**
    *  Query whether a certificate is trusted for a particular use.
    *
    *  @param cert Obtain the stored trust of this certificate.
    *  @param certType The type of the certificate. See nsIX509Cert.
-   *  @param trustType A single bit from the usages constants defined 
+   *  @param trustType A single bit from the usages constants defined
    *                   within this interface.
    *
    *  @return Returns true if the certificate is trusted for the given use.
    */
   boolean isCertTrusted(in nsIX509Cert cert,
                        in unsigned long certType,
                        in unsigned long trustType);
 
   /**
    *  Import certificate(s) from file
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aFile Identifies a file that contains the certificate
    *               to be imported.
    *  @param aType Describes the type of certificate that is going to
    *               be imported. See type constants in nsIX509Cert.
    */
   void importCertsFromFile(in nsISupports aToken,
                          in nsIFile aFile,
                          in unsigned long aType);
 
   /**
    *  Import a PKCS#12 file containing cert(s) and key(s) into the database.
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aFile Identifies a file that contains the data
    *               to be imported.
    */
   void importPKCS12File(in nsISupports aToken,
                         in nsIFile aFile);
 
   /**
    *  Export a set of certs and keys from the database to a PKCS#12 file.
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aFile Identifies a file that will be filled with the data
    *               to be exported.
    *  @param count The number of certificates to be exported.
    *  @param aCerts The array of all certificates to be exported.
    */
   void exportPKCS12File(in nsISupports aToken,
@@ -311,17 +310,17 @@ interface nsIX509CertDB : nsISupports {
   const AppTrustedRoot AppMarketplaceProdReviewersRoot = 2;
   const AppTrustedRoot AppMarketplaceDevPublicRoot = 3;
   const AppTrustedRoot AppMarketplaceDevReviewersRoot = 4;
   const AppTrustedRoot AppXPCShellRoot = 5;
   void openSignedAppFileAsync(in AppTrustedRoot trustedRoot,
                               in nsIFile aJarFile,
                               in nsIOpenSignedAppFileCallback callback);
 
-  /* 
+  /*
    * Add a cert to a cert DB from a binary string.
    *
    * @param certDER The raw DER encoding of a certificate.
    * @param aTrust decoded by CERT_DecodeTrustString. 3 comma separated characters,
    *                indicating SSL, Email, and Obj signing trust
    * @param aName name of the cert for display purposes.
    */
   void addCert(in ACString certDER, in string aTrust, in string aName);
@@ -356,9 +355,25 @@ interface nsIX509CertDB : nsISupports {
                   in int64_t /*SECCertificateUsage*/ aUsage,
                   in uint32_t aFlags,
                   out nsIX509CertList verifiedChain,
                   out bool aHasEVPolicy);
 
   // Clears the OCSP cache for the current certificate verification
   // implementation.
   void clearOCSPCache();
+
+  /*
+   * Add a cert to a cert DB from a base64 encoded string.
+   *
+   * @param base64 The raw representation of a certificate,
+   *                encoded as Base 64.
+   * @param aTrust decoded by CERT_DecodeTrustString. 3 comma separated characters,
+   *                indicating SSL, Email, and Obj signing trust
+   * @param aName name of the cert for display purposes.
+   */
+  void addCertFromBase64(in string base64, in string aTrust, in string aName);
+
+  /*
+   * Get all the known certs in the database
+   */
+  nsIX509CertList getCerts();
 };
deleted file mode 100644
--- a/security/manager/ssl/public/nsIX509CertDB2.idl
+++ /dev/null
@@ -1,36 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-interface nsIX509CertList;
-
-/**
- * This represents a service to access and manipulate 
- * X.509 certificates stored in a database through methods
- * not in nsIX509CertDB, which is frozen
- *
- */
-[scriptable, uuid(e0df4784-6560-45bf-b1b7-86076a0e8381)]
-interface nsIX509CertDB2 : nsISupports {
-
-  /* 
-   * Add a cert to a cert DB from a base64 encoded string.
-   *
-   * @param base64 The raw representation of a certificate,
-   *                encoded as Base 64.
-   * @param aTrust decoded by CERT_DecodeTrustString. 3 comma separated characters,
-   *                indicating SSL, Email, and Obj signing trust
-   * @param aName name of the cert for display purposes.
-   */
-  void addCertFromBase64(in string base64, in string aTrust, in string aName);
-
-  /*
-   * Get all the known certs in the database
-   */
-  nsIX509CertList getCerts();
-};
-
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -684,58 +684,57 @@ SSLServerCertVerificationJob::SSLServerC
 // in order to support SPDY's cross-origin connection pooling.
 static SECStatus
 BlockServerCertChangeForSpdy(nsNSSSocketInfo* infoObject,
                              CERTCertificate* serverCert)
 {
   // Get the existing cert. If there isn't one, then there is
   // no cert change to worry about.
   nsCOMPtr<nsIX509Cert> cert;
-  nsCOMPtr<nsIX509Cert2> cert2;
 
   RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
   if (!status) {
     // If we didn't have a status, then this is the
     // first handshake on this connection, not a
     // renegotiation.
     return SECSuccess;
   }
 
   status->GetServerCert(getter_AddRefs(cert));
-  cert2 = do_QueryInterface(cert);
-  if (!cert2) {
+  if (!cert) {
     NS_NOTREACHED("every nsSSLStatus must have a cert"
-                  "that implements nsIX509Cert2");
+                  "that implements nsIX509Cert");
     PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
     return SECFailure;
   }
 
   // Filter out sockets that did not neogtiate SPDY via NPN
   nsAutoCString negotiatedNPN;
   nsresult rv = infoObject->GetNegotiatedNPN(negotiatedNPN);
   NS_ASSERTION(NS_SUCCEEDED(rv),
                "GetNegotiatedNPN() failed during renegotiation");
 
   if (NS_SUCCEEDED(rv) && !StringBeginsWith(negotiatedNPN,
-                                            NS_LITERAL_CSTRING("spdy/")))
+                                            NS_LITERAL_CSTRING("spdy/"))) {
     return SECSuccess;
-
+  }
   // If GetNegotiatedNPN() failed we will assume spdy for safety's safe
   if (NS_FAILED(rv)) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
            ("BlockServerCertChangeForSpdy failed GetNegotiatedNPN() call."
             " Assuming spdy.\n"));
   }
 
   // Check to see if the cert has actually changed
-  ScopedCERTCertificate c(cert2->GetCert());
+  ScopedCERTCertificate c(cert->GetCert());
   NS_ASSERTION(c, "very bad and hopefully impossible state");
   bool sameCert = CERT_CompareCerts(c, serverCert);
-  if (sameCert)
+  if (sameCert) {
     return SECSuccess;
+  }
 
   // Report an error - changed cert is confirmed
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
          ("SPDY Refused to allow new cert during renegotiation\n"));
   PR_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, 0);
   return SECFailure;
 }
 
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -530,23 +530,19 @@ formatPlainErrorMessage(const nsXPIDLCSt
 static void
 AppendErrorTextUntrusted(PRErrorCode errTrust,
                          const nsString &host,
                          nsIX509Cert* ix509,
                          nsINSSComponent *component,
                          nsString &returnedMessage)
 {
   const char *errorID = nullptr;
-  nsCOMPtr<nsIX509Cert3> cert3 = do_QueryInterface(ix509);
-  if (cert3) {
-    bool isSelfSigned;
-    if (NS_SUCCEEDED(cert3->GetIsSelfSigned(&isSelfSigned))
-        && isSelfSigned) {
-      errorID = "certErrorTrust_SelfSigned";
-    }
+  bool isSelfSigned;
+  if (NS_SUCCEEDED(ix509->GetIsSelfSigned(&isSelfSigned)) && isSelfSigned) {
+    errorID = "certErrorTrust_SelfSigned";
   }
 
   if (!errorID) {
     switch (errTrust) {
       case SEC_ERROR_UNKNOWN_ISSUER:
       {
         nsCOMPtr<nsIArray> chain;
         ix509->GetChain(getter_AddRefs(chain));
@@ -685,21 +681,17 @@ AppendErrorTextMismatch(const nsString &
                         nsIX509Cert* ix509,
                         nsINSSComponent *component,
                         bool wantsHtml,
                         nsString &returnedMessage)
 {
   const char16_t *params[1];
   nsresult rv;
 
-  mozilla::pkix::ScopedCERTCertificate nssCert;
-
-  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
-  if (cert2)
-    nssCert = cert2->GetCert();
+  mozilla::pkix::ScopedCERTCertificate nssCert(ix509->GetCert());
 
   if (!nssCert) {
     // We are unable to extract the valid names, say "not valid for name".
     params[0] = host.get();
     nsString formattedString;
     rv = component->PIPBundleFormatStringFromName("certErrorMismatch", 
                                                   params, 1, 
                                                   formattedString);
--- a/security/manager/ssl/src/nsCertOverrideService.cpp
+++ b/security/manager/ssl/src/nsCertOverrideService.cpp
@@ -385,24 +385,21 @@ nsCertOverrideService::Write()
   return NS_OK;
 }
 
 static nsresult
 GetCertFingerprintByOidTag(nsIX509Cert *aCert,
                            SECOidTag aOidTag, 
                            nsCString &fp)
 {
-  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
-  if (!cert2)
+
+  mozilla::pkix::ScopedCERTCertificate nsscert(aCert->GetCert());
+  if (!nsscert) {
     return NS_ERROR_FAILURE;
-
-  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
-  if (!nsscert)
-    return NS_ERROR_FAILURE;
-
+  }
   return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
 }
 
 static nsresult
 GetCertFingerprintByDottedOidString(CERTCertificate* nsscert,
                                     const nsCString &dottedOid, 
                                     nsCString &fp)
 {
@@ -420,49 +417,45 @@ GetCertFingerprintByDottedOidString(CERT
   if (oid_tag == SEC_OID_UNKNOWN)
     return NS_ERROR_FAILURE;
 
   return GetCertFingerprintByOidTag(nsscert, oid_tag, fp);
 }
 
 static nsresult
 GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
-                                    const nsCString &dottedOid, 
+                                    const nsCString &dottedOid,
                                     nsCString &fp)
 {
-  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
-  if (!cert2)
+
+  mozilla::pkix::ScopedCERTCertificate nsscert(aCert->GetCert());
+  if (!nsscert) {
     return NS_ERROR_FAILURE;
-
-  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
-  if (!nsscert)
-    return NS_ERROR_FAILURE;
+  }
 
   return GetCertFingerprintByDottedOidString(nsscert.get(), dottedOid, fp);
 }
 
 NS_IMETHODIMP
-nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, int32_t aPort, 
-                                                nsIX509Cert *aCert,
-                                                uint32_t aOverrideBits, 
+nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
+                                                int32_t aPort,
+                                                nsIX509Cert* aCert,
+                                                uint32_t aOverrideBits,
                                                 bool aTemporary)
 {
   NS_ENSURE_ARG_POINTER(aCert);
   if (aHostName.IsEmpty())
     return NS_ERROR_INVALID_ARG;
   if (aPort < -1)
     return NS_ERROR_INVALID_ARG;
 
-  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
-  if (!cert2)
+  mozilla::pkix::ScopedCERTCertificate nsscert(aCert->GetCert());
+  if (!nsscert) {
     return NS_ERROR_FAILURE;
-
-  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
-  if (!nsscert)
-    return NS_ERROR_FAILURE;
+  }
 
   char* nickname = DefaultServerNicknameForCert(nsscert.get());
   if (!aTemporary && nickname && *nickname)
   {
     ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
     if (!slot) {
       PR_Free(nickname);
       return NS_ERROR_FAILURE;
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -325,17 +325,17 @@ nsCertTree::GetDispInfoAtIndex(int32_t i
   }
   return nullptr;
 }
 
 nsCertTree::nsCertCompareFunc
 nsCertTree::GetCompareFuncFromCertType(uint32_t aType)
 {
   switch (aType) {
-    case nsIX509Cert2::ANY_CERT:
+    case nsIX509Cert::ANY_CERT:
     case nsIX509Cert::USER_CERT:
       return CmpUserCert;
     case nsIX509Cert::CA_CERT:
       return CmpCACert;
     case nsIX509Cert::EMAIL_CERT:
       return CmpEmailCert;
     case nsIX509Cert::SERVER_CERT:
     default:
@@ -472,17 +472,17 @@ nsCertTree::GetCertsByTypeFromCertList(C
   }
 
   CERTCertListNode *node;
   int count = 0;
   for (node = CERT_LIST_HEAD(aCertList);
        !CERT_LIST_END(node, aCertList);
        node = CERT_LIST_NEXT(node)) {
 
-    bool wantThisCert = (aWantedType == nsIX509Cert2::ANY_CERT);
+    bool wantThisCert = (aWantedType == nsIX509Cert::ANY_CERT);
     bool wantThisCertIfNoOverrides = false;
     bool wantThisCertIfHaveOverrides = false;
     bool addOverrides = false;
 
     if (!wantThisCert) {
       uint32_t thisCertType = getCertType(node->cert);
 
       // The output from getCertType is a "guess", which can be wrong.
@@ -804,22 +804,17 @@ nsCertTree::DeleteEntryObject(uint32_t i
           } 
         }
         else {
           if (addonInfo && addonInfo->mUsageCount > 1) {
             // user is trying to delete a perm trusted cert,
             // although there are still overrides stored,
             // so, we keep the cert, but remove the trust
 
-            mozilla::pkix::ScopedCERTCertificate nsscert;
-
-            nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
-            if (cert2) {
-              nsscert = cert2->GetCert();
-            }
+            mozilla::pkix::ScopedCERTCertificate nsscert(cert->GetCert());
 
             if (nsscert) {
               CERTCertTrust trust;
               memset((void*)&trust, 0, sizeof(trust));
             
               SECStatus srv = CERT_DecodeTrustString(&trust, ""); // no override 
               if (srv == SECSuccess) {
                 CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert.get(),
@@ -1230,22 +1225,18 @@ nsCertTree::GetCellText(int32_t row, nsI
     else {
       _retval = NS_LITERAL_STRING("*");
     }
   } else if (NS_LITERAL_STRING("lifetimecol").Equals(colID)) {
     const char *stringID = 
       (certdi->mIsTemporary) ? "CertExceptionTemporary" : "CertExceptionPermanent";
     rv = mNSSComponent->GetPIPNSSBundleString(stringID, _retval);
   } else if (NS_LITERAL_STRING("typecol").Equals(colID) && cert) {
-    nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
     uint32_t type = nsIX509Cert::UNKNOWN_CERT;
-
-    if (pipCert) {
-	rv = pipCert->GetCertType(&type);
-    }
+    rv = cert->GetCertType(&type);
 
     switch (type) {
     case nsIX509Cert::USER_CERT:
         rv = mNSSComponent->GetPIPNSSBundleString("CertUser", _retval);
 	break;
     case nsIX509Cert::CA_CERT:
         rv = mNSSComponent->GetPIPNSSBundleString("CertCA", _retval);
 	break;
--- a/security/manager/ssl/src/nsCertVerificationThread.cpp
+++ b/security/manager/ssl/src/nsCertVerificationThread.cpp
@@ -12,31 +12,31 @@ nsCertVerificationThread *nsCertVerifica
 
 NS_IMPL_ISUPPORTS(nsCertVerificationResult, nsICertVerificationResult)
 
 namespace {
 class DispatchCertVerificationResult : public nsRunnable
 {
 public:
   DispatchCertVerificationResult(const nsMainThreadPtrHandle<nsICertVerificationListener>& aListener,
-                                 nsIX509Cert3* aCert,
+                                 nsIX509Cert* aCert,
                                  nsICertVerificationResult* aResult)
     : mListener(aListener)
     , mCert(aCert)
     , mResult(aResult)
   { }
 
   NS_IMETHOD Run() {
     mListener->Notify(mCert, mResult);
     return NS_OK;
   }
 
 private:
   nsMainThreadPtrHandle<nsICertVerificationListener> mListener;
-  nsCOMPtr<nsIX509Cert3> mCert;
+  nsCOMPtr<nsIX509Cert> mCert;
   nsCOMPtr<nsICertVerificationResult> mResult;
 };
 } // anonymous namespace
 
 void nsCertVerificationJob::Run()
 {
   if (!mListener || !mCert)
     return;
@@ -58,19 +58,18 @@ void nsCertVerificationJob::Run()
     {
       vres->mVerified = verified;
       vres->mCount = count;
       vres->mUsages = usages;
     }
 
     ires = vres;
   }
-  
-  nsCOMPtr<nsIX509Cert3> c3 = do_QueryInterface(mCert);
-  nsCOMPtr<nsIRunnable> r = new DispatchCertVerificationResult(mListener, c3, ires);
+
+  nsCOMPtr<nsIRunnable> r = new DispatchCertVerificationResult(mListener, mCert, ires);
   NS_DispatchToMainThread(r);
 }
 
 nsCertVerificationThread::nsCertVerificationThread()
 : mJobQ(nullptr)
 {
   NS_ASSERTION(!verification_thread_singleton, 
                "nsCertVerificationThread is a singleton, caller attempts"
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -14,17 +14,16 @@
 #include "nsNSSComponent.h" // for PIPNSS string bundle calls.
 #include "nsNSSCleaner.h"
 #include "nsCOMPtr.h"
 #include "nsIMutableArray.h"
 #include "nsNSSCertValidity.h"
 #include "nsPKCS12Blob.h"
 #include "nsPK11TokenDB.h"
 #include "nsIX509Cert.h"
-#include "nsIX509Cert3.h"
 #include "nsNSSASN1Object.h"
 #include "nsString.h"
 #include "nsXPIDLString.h"
 #include "nsReadableUtils.h"
 #include "nsIURI.h"
 #include "nsCRT.h"
 #include "nsUsageArrayHelper.h"
 #include "nsICertificateDialogs.h"
@@ -63,18 +62,16 @@ NSSCleanupAutoPtrClass_WithParam(PLArena
 // This is being stored in an uint32_t that can otherwise
 // only take values from nsIX509Cert's list of cert types.
 // As nsIX509Cert is frozen, we choose a value not contained
 // in the list to mean not yet initialized.
 #define CERT_TYPE_NOT_YET_INITIALIZED (1 << 30)
 
 NS_IMPL_ISUPPORTS(nsNSSCertificate,
                   nsIX509Cert,
-                  nsIX509Cert2,
-                  nsIX509Cert3,
                   nsIIdentityInfo,
                   nsISerializable,
                   nsIClassInfo)
 
 /*static*/ nsNSSCertificate*
 nsNSSCertificate::Create(CERTCertificate* cert, SECOidTag* evOidPolicy)
 {
   if (GeckoProcessType_Default != XRE_GetProcessType()) {
@@ -1136,19 +1133,19 @@ nsNSSCertificate::ExportAsCMS(uint32_t c
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   if (!mCert)
     return NS_ERROR_FAILURE;
 
   switch (chainMode) {
-    case nsIX509Cert3::CMS_CHAIN_MODE_CertOnly:
-    case nsIX509Cert3::CMS_CHAIN_MODE_CertChain:
-    case nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot:
+    case nsIX509Cert::CMS_CHAIN_MODE_CertOnly:
+    case nsIX509Cert::CMS_CHAIN_MODE_CertChain:
+    case nsIX509Cert::CMS_CHAIN_MODE_CertChainWithRoot:
       break;
     default:
       return NS_ERROR_INVALID_ARG;
   };
 
   PLArenaPool* arena = PORT_NewArena(1024);
   PLArenaPoolCleanerFalseParam arenaCleaner(arena);
   if (!arena) {
@@ -1173,25 +1170,25 @@ nsNSSCertificate::ExportAsCMS(uint32_t c
     return NS_ERROR_FAILURE;
   }
 
   // Calling NSS_CMSSignedData_CreateCertsOnly() will not allow us
   // to specify the inclusion of the root, but CERT_CertChainFromCert() does.
   // Since CERT_CertChainFromCert() also includes the certificate itself,
   // we have to start at the issuing cert (to avoid duplicate certs
   // in the SignedData).
-  if (chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChain ||
-      chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot) {
+  if (chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChain ||
+      chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChainWithRoot) {
     ScopedCERTCertificate issuerCert(
         CERT_FindCertIssuer(mCert.get(), PR_Now(), certUsageAnyCA));
     // the issuerCert of a self signed root is the cert itself,
     // so make sure we're not adding duplicates, again
     if (issuerCert && issuerCert != mCert.get()) {
       bool includeRoot =
-        (chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot);
+        (chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChainWithRoot);
       ScopedCERTCertificateList certChain(
           CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot));
       if (certChain) {
         if (NSS_CMSSignedData_AddCertList(sigd, certChain) == SECSuccess) {
           certChain.forget();
         }
         else {
           PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
@@ -1372,21 +1369,17 @@ nsNSSCertificate::Equals(nsIX509Cert* ot
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(other);
   NS_ENSURE_ARG(result);
 
-  nsCOMPtr<nsIX509Cert2> other2 = do_QueryInterface(other);
-  if (!other2)
-    return NS_ERROR_FAILURE;
-
-  ScopedCERTCertificate cert(other2->GetCert());
+  ScopedCERTCertificate cert(other->GetCert());
   *result = (mCert.get() == cert.get());
   return NS_OK;
 }
 
 #ifndef MOZ_NO_EV_CERTS
 
 nsresult
 nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
@@ -1547,20 +1540,17 @@ void nsNSSCertList::destructorSafeDestro
 
 NS_IMETHODIMP
 nsNSSCertList::AddCert(nsIX509Cert* aCert)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
-  nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
-  CERTCertificate* cert;
-
-  cert = nssCert->GetCert();
+  CERTCertificate* cert = aCert->GetCert();
   if (!cert) {
     NS_ERROR("Somehow got nullptr for mCertificate in nsNSSCertificate.");
     return NS_ERROR_FAILURE;
   }
 
   if (!mCertList) {
     NS_ERROR("Somehow got nullptr for mCertList in nsNSSCertList.");
     return NS_ERROR_FAILURE;
@@ -1572,18 +1562,17 @@ nsNSSCertList::AddCert(nsIX509Cert* aCer
 
 NS_IMETHODIMP
 nsNSSCertList::DeleteCert(nsIX509Cert* aCert)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
-  nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
-  CERTCertificate* cert = nssCert->GetCert();
+  CERTCertificate* cert = aCert->GetCert();
   CERTCertListNode* node;
 
   if (!cert) {
     NS_ERROR("Somehow got nullptr for mCertificate in nsNSSCertificate.");
     return NS_ERROR_FAILURE;
   }
 
   if (!mCertList) {
@@ -1600,18 +1589,19 @@ nsNSSCertList::DeleteCert(nsIX509Cert* a
   }
   return NS_OK; // XXX Should we fail if we couldn't find it?
 }
 
 CERTCertList*
 nsNSSCertList::DupCertList(CERTCertList* aCertList,
                            const nsNSSShutDownPreventionLock& /*proofOfLock*/)
 {
-  if (!aCertList)
+  if (!aCertList) {
     return nullptr;
+  }
 
   CERTCertList* newList = CERT_NewCertList();
 
   if (!newList) {
     return nullptr;
   }
 
   CERTCertListNode* node;
--- a/security/manager/ssl/src/nsNSSCertificate.h
+++ b/security/manager/ssl/src/nsNSSCertificate.h
@@ -2,45 +2,41 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef _NS_NSSCERTIFICATE_H_
 #define _NS_NSSCERTIFICATE_H_
 
 #include "nsIX509Cert.h"
-#include "nsIX509Cert2.h"
-#include "nsIX509Cert3.h"
 #include "nsIX509CertDB.h"
 #include "nsIX509CertList.h"
 #include "nsIASN1Object.h"
 #include "nsIIdentityInfo.h"
 #include "nsCOMPtr.h"
 #include "nsNSSShutDown.h"
 #include "nsISimpleEnumerator.h"
 #include "nsISerializable.h"
 #include "nsIClassInfo.h"
 #include "pkix/pkixtypes.h"
 #include "certt.h"
 
 class nsAutoString;
 class nsINSSComponent;
 class nsIASN1Sequence;
 
-class nsNSSCertificate : public nsIX509Cert3,
+class nsNSSCertificate : public nsIX509Cert,
                          public nsIIdentityInfo,
                          public nsISerializable,
                          public nsIClassInfo,
                          public nsNSSShutDownObject
 {
 public:
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSIX509CERT
-  NS_DECL_NSIX509CERT2
-  NS_DECL_NSIX509CERT3
   NS_DECL_NSIIDENTITYINFO
   NS_DECL_NSISERIALIZABLE
   NS_DECL_NSICLASSINFO
 
   friend class nsNSSCertificateFakeTransport;
 
   nsNSSCertificate(CERTCertificate* cert, SECOidTag* evOidPolicy = nullptr);
   nsNSSCertificate();
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -77,17 +77,17 @@ attemptToLogInWithDefaultPassword()
     // has a non-default password.
     (void) PK11_InitPin(slot, nullptr, nullptr);
   }
 #endif
 
   return NS_OK;
 }
 
-NS_IMPL_ISUPPORTS(nsNSSCertificateDB, nsIX509CertDB, nsIX509CertDB2)
+NS_IMPL_ISUPPORTS(nsNSSCertificateDB, nsIX509CertDB)
 
 nsNSSCertificateDB::nsNSSCertificateDB()
 : mBadCertsLock("nsNSSCertificateDB::mBadCertsLock")
 {
   SharedSSLState::NoteCertDBServiceInstantiated();
 }
 
 nsNSSCertificateDB::~nsNSSCertificateDB()
@@ -949,24 +949,25 @@ loser:
  */
 NS_IMETHODIMP 
 nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
-  nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
-  mozilla::pkix::ScopedCERTCertificate cert(nssCert->GetCert());
-  if (!cert) return NS_ERROR_FAILURE;
+  mozilla::pkix::ScopedCERTCertificate cert(aCert->GetCert());
+  if (!cert) {
+    return NS_ERROR_FAILURE;
+  }
   SECStatus srv = SECSuccess;
 
   uint32_t certType;
-  nssCert->GetCertType(&certType);
-  if (NS_FAILED(nssCert->MarkForPermDeletion()))
+  aCert->GetCertType(&certType);
+  if (NS_FAILED(aCert->MarkForPermDeletion()))
   {
     return NS_ERROR_FAILURE;
   }
 
   if (cert->slot && certType != nsIX509Cert::USER_CERT) {
     // To delete a cert of a slot (builtin, most likely), mark it as
     // completely untrusted.  This way we keep a copy cached in the
     // local database, and next time we try to load it off of the 
@@ -993,21 +994,17 @@ nsNSSCertificateDB::SetCertTrust(nsIX509
                                  uint32_t trusted)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   nsNSSCertTrust trust;
   nsresult rv;
-  nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert, &rv);
-  if (!pipCert) {
-    return rv;
-  }
-  mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(cert->GetCert());
 
   rv = attemptToLogInWithDefaultPassword();
   if (NS_WARN_IF(rv != NS_OK)) {
     return rv;
   }
 
   SECStatus srv;
   if (type == nsIX509Cert::CA_CERT) {
@@ -1049,18 +1046,17 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50
   NS_ENSURE_ARG_POINTER(_isTrusted);
   *_isTrusted = false;
 
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   SECStatus srv;
-  nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
-  mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(cert->GetCert());
   CERTCertTrust nsstrust;
   srv = CERT_GetCertTrust(nsscert.get(), &nsstrust);
   if (srv != SECSuccess)
     return NS_ERROR_FAILURE;
 
   nsNSSCertTrust trust(&nsstrust);
   if (certType == nsIX509Cert::CA_CERT) {
     if (trustType & nsIX509CertDB::TRUSTED_SSL) {
@@ -1279,17 +1275,18 @@ nsNSSCertificateDB::getCertNames(CERTCer
   }
 finish:
   *_count = numcerts;
   *_certNames = tmpArray;
 }
 
 /* nsIX509Cert getDefaultEmailEncryptionCert (); */
 NS_IMETHODIMP
-nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString &aNickname, nsIX509Cert **_retval)
+nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString& aNickname,
+                                            nsIX509Cert** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
   *_retval = nullptr;
 
   if (aNickname.IsEmpty())
     return NS_OK;
 
   nsNSSShutDownPreventionLock locker;
@@ -1315,17 +1312,18 @@ nsNSSCertificateDB::FindEmailEncryptionC
     return NS_ERROR_OUT_OF_MEMORY;
   }
   nssCert.forget(_retval);
   return NS_OK;
 }
 
 /* nsIX509Cert getDefaultEmailSigningCert (); */
 NS_IMETHODIMP
-nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert **_retval)
+nsNSSCertificateDB::FindEmailSigningCert(const nsAString& aNickname,
+                                         nsIX509Cert** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
   *_retval = nullptr;
 
   if (aNickname.IsEmpty())
     return NS_OK;
 
   nsNSSShutDownPreventionLock locker;
@@ -1585,24 +1583,26 @@ nsNSSCertificateDB::get_default_nickname
 	   * There is another certificate with the same nickname and
 	   * the same subject name on the smart card, so let's use this
 	   * nickname.
 	   */
 	  dummycert = nullptr;
 	}
       }
     }
-    if (!dummycert) 
+    if (!dummycert) {
       break;
-    
+    }
     count++;
   }
 }
 
-NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const char *aTrust, const char *aName)
+NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char* aBase64,
+                                                    const char* aTrust,
+                                                    const char* aName)
 {
   NS_ENSURE_ARG_POINTER(aBase64);
   nsCOMPtr <nsIX509Cert> newCert;
 
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
@@ -1663,17 +1663,17 @@ nsNSSCertificateDB::AddCert(const nsACSt
 {
   nsCString base64;
   nsresult rv = Base64Encode(aCertDER, base64);
   NS_ENSURE_SUCCESS(rv, rv);
   return AddCertFromBase64(base64.get(), aTrust, aName);
 }
 
 NS_IMETHODIMP
-nsNSSCertificateDB::SetCertTrustFromString(nsIX509Cert3* cert,
+nsNSSCertificateDB::SetCertTrustFromString(nsIX509Cert* cert,
                                            const char* trustString)
 {
   CERTCertTrust trust;
 
   // need to calculate the trust bits from the aTrust string.
   SECStatus srv = CERT_DecodeTrustString(&trust,
                                          const_cast<char *>(trustString));
   if (srv != SECSuccess) {
@@ -1756,21 +1756,20 @@ nsNSSCertificateDB::VerifyCertNow(nsIX50
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
 #ifndef MOZ_NO_EV_CERTS
   EnsureIdentityInfoLoaded();
 #endif
 
-  nsCOMPtr<nsIX509Cert2> x509Cert = do_QueryInterface(aCert);
-  if (!x509Cert) {
+  ScopedCERTCertificate nssCert(aCert->GetCert());
+  if (!nssCert) {
     return NS_ERROR_INVALID_ARG;
   }
-  ScopedCERTCertificate nssCert(x509Cert->GetCert());
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
 
   mozilla::pkix::ScopedCERTCertList resultChain;
   SECOidTag evOidPolicy;
   SECStatus srv;
 
--- a/security/manager/ssl/src/nsNSSCertificateDB.h
+++ b/security/manager/ssl/src/nsNSSCertificateDB.h
@@ -1,35 +1,32 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef __NSNSSCERTIFICATEDB_H__
 #define __NSNSSCERTIFICATEDB_H__
 
 #include "nsIX509CertDB.h"
-#include "nsIX509CertDB2.h"
 #include "nsNSSShutDown.h"
 #include "mozilla/RefPtr.h"
 #include "mozilla/Mutex.h"
 #include "certt.h"
 
 class nsCString;
 class nsIArray;
 class nsRecentBadCerts;
 
 class nsNSSCertificateDB : public nsIX509CertDB
-                         , public nsIX509CertDB2
                          , public nsNSSShutDownObject
 
 {
 public:
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSIX509CERTDB
-  NS_DECL_NSIX509CERTDB2
 
   nsNSSCertificateDB(); 
 
   // Use this function to generate a default nickname for a user
   // certificate that is to be imported onto a token.
   static void
   get_default_nickname(CERTCertificate *cert, nsIInterfaceRequestor* ctx,
                        nsCString &nickname,
--- a/security/manager/ssl/src/nsNSSCertificateFakeTransport.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateFakeTransport.cpp
@@ -7,17 +7,16 @@
 
 #include "nsCOMPtr.h"
 #include "nsIObjectInputStream.h"
 #include "nsIObjectOutputStream.h"
 #include "nsIProgrammingLanguage.h"
 #include "nsISupportsPrimitives.h"
 #include "nsIX509Cert.h"
 #include "nsNSSCertificate.h"
-#include "nsNSSCertificate.h"
 #include "nsString.h"
 #include "nsXPIDLString.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 /* nsNSSCertificateFakeTransport */
@@ -352,8 +351,60 @@ nsNSSCertificateFakeTransport::GetFlags(
 NS_IMETHODIMP
 nsNSSCertificateFakeTransport::GetClassIDNoAlloc(nsCID *aClassIDNoAlloc)
 {
   static NS_DEFINE_CID(kNSSCertificateCID, NS_X509CERT_CID);
 
   *aClassIDNoAlloc = kNSSCertificateCID;
   return NS_OK;
 }
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::GetCertType(unsigned int*)
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::GetIsSelfSigned(bool*)
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::RequestUsagesArrayAsync(nsICertVerificationListener*)
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::GetAllTokenNames(unsigned int*,
+                                                char16_t***)
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+CERTCertificate*
+nsNSSCertificateFakeTransport::GetCert()
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return nullptr;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::ExportAsCMS(unsigned int,
+                                           unsigned int*,
+                                           unsigned char**)
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::MarkForPermDeletion()
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
\ No newline at end of file
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -382,26 +382,29 @@ nsNSSSocketInfo::JoinConnection(const ns
   if (mSentClientCert)
     return NS_OK;
 
   // Ensure that the server certificate covers the hostname that would
   // like to join this connection
 
   ScopedCERTCertificate nssCert;
 
-  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(SSLStatus()->mServerCert);
-  if (cert2)
-    nssCert = cert2->GetCert();
+  nsCOMPtr<nsIX509Cert> cert(SSLStatus()->mServerCert);
+  if (cert) {
+    nssCert = cert->GetCert();
+  }
 
-  if (!nssCert)
+  if (!nssCert) {
     return NS_OK;
+  }
 
   if (CERT_VerifyCertName(nssCert, PromiseFlatCString(hostname).get()) !=
-      SECSuccess)
-    return NS_OK;
+      SECSuccess) {
+      return NS_OK;
+  }
 
   // All tests pass - this is joinable
   mJoined = true;
   *_retval = true;
   return NS_OK;
 }
 
 bool
--- a/security/manager/ssl/src/nsVerificationJob.h
+++ b/security/manager/ssl/src/nsVerificationJob.h
@@ -5,17 +5,16 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef _INC_NSVERIFICATIONJOB_H
 #define _INC_NSVERIFICATIONJOB_H
 
 #include "nspr.h"
 
 #include "nsIX509Cert.h"
-#include "nsIX509Cert3.h"
 #include "nsProxyRelease.h"
 
 class nsBaseVerificationJob
 {
 public:
   virtual ~nsBaseVerificationJob() {}
   virtual void Run() = 0;
 };
--- a/security/manager/ssl/tests/unit/test_getchain.js
+++ b/security/manager/ssl/tests/unit/test_getchain.js
@@ -3,19 +3,16 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 "use strict";
 
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb  = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
-const certdb2 = Cc["@mozilla.org/security/x509certdb;1"]
-                  .getService(Ci.nsIX509CertDB2);
-
 // This is the list of certificates needed for the test
 // The certificates prefixed by 'int-' are intermediates
 let certList = [
   'ee',
   'ca-1',
   'ca-2',
 ]
 
@@ -24,17 +21,17 @@ function load_cert(cert_name, trust_stri
   addCertFromFile(certdb, "test_getchain/" + cert_filename, trust_string);
 }
 
 // Since all the ca's are identical expect for the serial number
 // I have to grab them by enumerating all the certs and then finding
 // the ones that I am interested in.
 function get_ca_array() {
   let ret_array = new Array();
-  let allCerts = certdb2.getCerts();
+  let allCerts = certdb.getCerts();
   let enumerator = allCerts.getEnumerator();
   while (enumerator.hasMoreElements()) {
     let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
     if (cert.commonName == 'ca') {
       ret_array[parseInt(cert.serialNumber)] = cert;
     }
   }
   return ret_array;
--- a/security/manager/tools/genHPKPStaticPins.js
+++ b/security/manager/tools/genHPKPStaticPins.js
@@ -20,17 +20,17 @@ if (arguments.length != 3) {
 
 const { 'classes': Cc, 'interfaces': Ci, 'utils': Cu, 'results': Cr } = Components;
 
 let { NetUtil } = Cu.import("resource://gre/modules/NetUtil.jsm", {});
 let { FileUtils } = Cu.import("resource://gre/modules/FileUtils.jsm", {});
 let { Services } = Cu.import("resource://gre/modules/Services.jsm", {});
 
 let gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
-                 .getService(Ci.nsIX509CertDB2);
+                .getService(Ci.nsIX509CertDB);
 gCertDB.QueryInterface(Ci.nsIX509CertDB);
 
 const BUILT_IN_NICK_PREFIX = "Builtin Object Token:";
 const SHA1_PREFIX = "sha1/";
 const SHA256_PREFIX = "sha256/";
 const GOOGLE_PIN_PREFIX = "GOOGLE_PIN_";
 
 // Pins expire in 14 weeks (6 weeks on Beta + 8 weeks on stable)
@@ -103,18 +103,17 @@ function stripComments(buf) {
   return data;
 }
 
 function isBuiltinToken(tokenName) {
   return tokenName == "Builtin Object Token";
 }
 
 function isCertBuiltIn(cert) {
-  let cert3 = cert.QueryInterface(Ci.nsIX509Cert3);
-  let tokenNames = cert3.getAllTokenNames({});
+  let tokenNames = cert.getAllTokenNames({});
   if (!tokenNames) {
     return false;
   }
   if (tokenNames.some(isBuiltinToken)) {
     return true;
   }
   return false;
 }
--- a/toolkit/modules/CertUtils.jsm
+++ b/toolkit/modules/CertUtils.jsm
@@ -162,17 +162,16 @@ this.checkCert =
   var issuerCert = cert;
   while (issuerCert.issuer && !issuerCert.issuer.equals(issuerCert))
     issuerCert = issuerCert.issuer;
 
   const certNotBuiltInErr = "Certificate issuer is not built-in.";
   if (!issuerCert)
     throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);
 
-  issuerCert = issuerCert.QueryInterface(Ci.nsIX509Cert3);
   var tokenNames = issuerCert.getAllTokenNames({});
 
   if (!tokenNames || !tokenNames.some(isBuiltinToken))
     throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);
 }
 
 function isBuiltinToken(tokenName) {
   return tokenName == "Builtin Object Token";