Bug 1077859: Make ENCODING_FAILED safe to use in static initializers, r=mmc
☠☠ backed out by 8847ac2e2a53 ☠ ☠
authorBrian Smith <brian@briansmith.org>
Fri, 03 Oct 2014 15:52:38 -0700
changeset 209130 76000f9f12dac768085ef3370c4717bb4178cf11
parent 209098 f65726bd726555bd7cab954c3347931f4c9d4c00
child 209131 16fe1b9eb9e6f66d787cbcc72cdfa5328f08f6fa
push id9203
push userryanvm@gmail.com
push dateTue, 07 Oct 2014 20:14:36 +0000
treeherderfx-team@d15aba695f0c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmmc
bugs1077859
milestone35.0a1
Bug 1077859: Make ENCODING_FAILED safe to use in static initializers, r=mmc
security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
security/pkix/test/gtest/pkixbuild_tests.cpp
security/pkix/test/gtest/pkixcert_extension_tests.cpp
security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
security/pkix/test/lib/pkixtestnss.cpp
security/pkix/test/lib/pkixtestutil.cpp
security/pkix/test/lib/pkixtestutil.h
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -194,17 +194,17 @@ GetOCSPResponseForType(OCSPResponseType 
   }
   context.signerKeyPair = CreateTestKeyPairFromCert(*signerCert);
   if (!context.signerKeyPair) {
     PrintPRError("PK11_FindKeyByAnyCert failed");
     return nullptr;
   }
 
   ByteString response(CreateEncodedOCSPResponse(context));
-  if (response == ENCODING_FAILED) {
+  if (ENCODING_FAILED(response)) {
     PrintPRError("CreateEncodedOCSPResponse failed");
     return nullptr;
   }
 
   SECItem item = {
     siBuffer,
     const_cast<uint8_t*>(response.data()),
     static_cast<unsigned int>(response.length())
--- a/security/pkix/test/gtest/pkixbuild_tests.cpp
+++ b/security/pkix/test/gtest/pkixbuild_tests.cpp
@@ -42,39 +42,37 @@ CreateCert(const char* issuerCN,
            EndEntityOrCA endEntityOrCA,
            /*optional*/ TestKeyPair* issuerKey,
            /*out*/ ScopedTestKeyPair& subjectKey,
            /*out*/ ScopedCERTCertificate* subjectCert = nullptr)
 {
   static long serialNumberValue = 0;
   ++serialNumberValue;
   ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
-  EXPECT_NE(ENCODING_FAILED, serialNumber);
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
 
   ByteString issuerDER(CNToDERName(issuerCN));
-  EXPECT_NE(ENCODING_FAILED, issuerDER);
   ByteString subjectDER(CNToDERName(subjectCN));
-  EXPECT_NE(ENCODING_FAILED, subjectDER);
 
   ByteString extensions[2];
   if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
     extensions[0] =
       CreateEncodedBasicConstraints(true, nullptr,
                                     ExtensionCriticality::Critical);
-    EXPECT_NE(ENCODING_FAILED, extensions[0]);
+    EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
   }
 
   ByteString certDER(CreateEncodedCertificate(
                        v3, sha256WithRSAEncryption,
                        serialNumber, issuerDER,
                        oneDayBeforeNow, oneDayAfterNow,
                        subjectDER, extensions, issuerKey,
                        SignatureAlgorithm::rsa_pkcs1_with_sha256,
                        subjectKey));
-  EXPECT_NE(ENCODING_FAILED, certDER);
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
   if (subjectCert) {
     SECItem certDERItem = {
       siBuffer,
       const_cast<uint8_t*>(certDER.data()),
       static_cast<unsigned int>(certDER.length())
     };
     *subjectCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                            &certDERItem, nullptr, false, true);
@@ -240,17 +238,17 @@ TEST_F(pkixbuild, MaxAcceptableCertChain
   }
 
   {
     ScopedTestKeyPair unusedKeyPair;
     ScopedCERTCertificate cert;
     ByteString certDER(CreateCert("CA7", "Direct End-Entity",
                                   EndEntityOrCA::MustBeEndEntity,
                                   trustDomain.leafCAKey.get(), unusedKeyPair));
-    ASSERT_NE(ENCODING_FAILED, certDER);
+    ASSERT_FALSE(ENCODING_FAILED(certDER));
     Input certDERInput;
     ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
     ASSERT_EQ(Success,
               BuildCertChain(trustDomain, certDERInput, Now(),
                              EndEntityOrCA::MustBeEndEntity,
                              KeyUsage::noParticularKeyUsageRequired,
                              KeyPurposeId::id_kp_serverAuth,
                              CertPolicyId::anyPolicy,
@@ -266,34 +264,34 @@ TEST_F(pkixbuild, BeyondMaxAcceptableCer
   // We need a CERTCertificate for caCert so that the trustdomain's FindIssuer
   // method can find it through the NSS cert DB.
   ScopedCERTCertificate caCert;
 
   {
     ByteString certDER(CreateCert("CA7", caCertName, EndEntityOrCA::MustBeCA,
                                   trustDomain.leafCAKey.get(), caKeyPair,
                                   &caCert));
-    ASSERT_NE(ENCODING_FAILED, certDER);
+    ASSERT_FALSE(ENCODING_FAILED(certDER));
     Input certDERInput;
     ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
     ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
               BuildCertChain(trustDomain, certDERInput, Now(),
                              EndEntityOrCA::MustBeCA,
                              KeyUsage::noParticularKeyUsageRequired,
                              KeyPurposeId::id_kp_serverAuth,
                              CertPolicyId::anyPolicy,
                              nullptr/*stapledOCSPResponse*/));
   }
 
   {
     ScopedTestKeyPair unusedKeyPair;
     ByteString certDER(CreateCert(caCertName, "End-Entity Too Far",
                                   EndEntityOrCA::MustBeEndEntity,
                                   caKeyPair.get(), unusedKeyPair));
-    ASSERT_NE(ENCODING_FAILED, certDER);
+    ASSERT_FALSE(ENCODING_FAILED(certDER));
     Input certDERInput;
     ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
     ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
               BuildCertChain(trustDomain, certDERInput, Now(),
                              EndEntityOrCA::MustBeEndEntity,
                              KeyUsage::noParticularKeyUsageRequired,
                              KeyPurposeId::id_kp_serverAuth,
                              CertPolicyId::anyPolicy,
@@ -383,35 +381,33 @@ private:
 };
 
 TEST_F(pkixbuild, NoRevocationCheckingForExpiredCert)
 {
   const char* rootCN = "Root CA";
   ScopedTestKeyPair rootKey;
   ByteString rootDER(CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
                                 nullptr, rootKey, nullptr));
-  EXPECT_NE(ENCODING_FAILED, rootDER);
+  EXPECT_FALSE(ENCODING_FAILED(rootDER));
   ExpiredCertTrustDomain expiredCertTrustDomain(rootDER);
 
   ByteString serialNumber(CreateEncodedSerialNumber(100));
-  EXPECT_NE(ENCODING_FAILED, serialNumber);
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
   ByteString issuerDER(CNToDERName(rootCN));
-  EXPECT_NE(ENCODING_FAILED, issuerDER);
   ByteString subjectDER(CNToDERName("Expired End-Entity Cert"));
-  EXPECT_NE(ENCODING_FAILED, subjectDER);
   ScopedTestKeyPair unusedSubjectKey;
   ByteString certDER(CreateEncodedCertificate(
                        v3, sha256WithRSAEncryption,
                        serialNumber, issuerDER,
                        oneDayBeforeNow - Time::ONE_DAY_IN_SECONDS,
                        oneDayBeforeNow,
                        subjectDER, nullptr, rootKey.get(),
                        SignatureAlgorithm::rsa_pkcs1_with_sha256,
                        unusedSubjectKey));
-  EXPECT_NE(ENCODING_FAILED, certDER);
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
 
   Input cert;
   ASSERT_EQ(Success, cert.Init(certDER.data(), certDER.length()));
   ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE,
             BuildCertChain(expiredCertTrustDomain, cert, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::id_kp_serverAuth,
--- a/security/pkix/test/gtest/pkixcert_extension_tests.cpp
+++ b/security/pkix/test/gtest/pkixcert_extension_tests.cpp
@@ -33,21 +33,21 @@ using namespace mozilla::pkix::test;
 static ByteString
 CreateCert(const char* subjectCN,
            const ByteString* extensions, // empty-string-terminated array
            /*out*/ ScopedTestKeyPair& subjectKey)
 {
   static long serialNumberValue = 0;
   ++serialNumberValue;
   ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
-  EXPECT_NE(ENCODING_FAILED, serialNumber);
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
   ByteString issuerDER(CNToDERName(subjectCN));
-  EXPECT_NE(ENCODING_FAILED, issuerDER);
+  EXPECT_FALSE(ENCODING_FAILED(issuerDER));
   ByteString subjectDER(CNToDERName(subjectCN));
-  EXPECT_NE(ENCODING_FAILED, subjectDER);
+  EXPECT_FALSE(ENCODING_FAILED(subjectDER));
   return CreateEncodedCertificate(v3, sha256WithRSAEncryption,
                                   serialNumber, issuerDER,
                                   oneDayBeforeNow, oneDayAfterNow,
                                   subjectDER, extensions,
                                   nullptr,
                                   SignatureAlgorithm::rsa_pkcs1_with_sha256,
                                   subjectKey);
 }
@@ -133,17 +133,17 @@ TEST_F(pkixcert_extension, UnknownCritic
       0x04, 0x00 // OCTET STRING (length = 0)
   };
   static const ByteString
     unknownCriticalExtension(unknownCriticalExtensionBytes,
                              sizeof(unknownCriticalExtensionBytes));
   const char* certCN = "Cert With Unknown Critical Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, unknownCriticalExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -163,17 +163,17 @@ TEST_F(pkixcert_extension, UnknownNonCri
       0x04, 0x00 // OCTET STRING (length = 0)
   };
   static const ByteString
     unknownNonCriticalExtension(unknownNonCriticalExtensionBytes,
                                 sizeof(unknownNonCriticalExtensionBytes));
   const char* certCN = "Cert With Unknown NonCritical Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, unknownNonCriticalExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Success,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -194,17 +194,17 @@ TEST_F(pkixcert_extension, WrongOIDCriti
       0x04, 0x00 // OCTET STRING (length = 0)
   };
   static const ByteString
     wrongOIDCriticalExtension(wrongOIDCriticalExtensionBytes,
                               sizeof(wrongOIDCriticalExtensionBytes));
   const char* certCN = "Cert With Critical Wrong OID Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, wrongOIDCriticalExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -227,17 +227,17 @@ TEST_F(pkixcert_extension, CriticalAIAEx
         0x30, 0x00, // SEQUENCE (length = 0)
   };
   static const ByteString
     criticalAIAExtension(criticalAIAExtensionBytes,
                          sizeof(criticalAIAExtensionBytes));
   const char* certCN = "Cert With Critical AIA Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, criticalAIAExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Success,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -257,17 +257,17 @@ TEST_F(pkixcert_extension, UnknownCritic
       0x04, 0x00 // OCTET STRING (length = 0)
   };
   static const ByteString
     unknownCriticalCEExtension(unknownCriticalCEExtensionBytes,
                                sizeof(unknownCriticalCEExtensionBytes));
   const char* certCN = "Cert With Unknown Critical id-ce Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, unknownCriticalCEExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -287,17 +287,17 @@ TEST_F(pkixcert_extension, KnownCritical
         0x02, 0x01, 0x00, // INTEGER (length = 1, value = 0)
   };
   static const ByteString
     criticalCEExtension(criticalCEExtensionBytes,
                         sizeof(criticalCEExtensionBytes));
   const char* certCN = "Cert With Known Critical id-ce Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, criticalCEExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Success,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -316,17 +316,17 @@ TEST_F(pkixcert_extension, DuplicateSubj
           0x82, 11, // [2] (dNSName) (length = 11)
             'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
   };
   static const ByteString DER(DER_BYTES, sizeof(DER_BYTES));
   static const ByteString extensions[] = { DER, DER, ByteString() };
   static const char* certCN = "Cert With Duplicate subjectAltName";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, extensions, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
--- a/security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
+++ b/security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
@@ -82,17 +82,17 @@ private:
 class pkixocsp_CreateEncodedOCSPRequest : public ::testing::Test
 {
 protected:
   void MakeIssuerCertIDComponents(const char* issuerASCII,
                                   /*out*/ ByteString& issuerDER,
                                   /*out*/ ByteString& issuerSPKI)
   {
     issuerDER = CNToDERName(issuerASCII);
-    ASSERT_NE(ENCODING_FAILED, issuerDER);
+    ASSERT_FALSE(ENCODING_FAILED(issuerDER));
 
     ScopedTestKeyPair keyPair(GenerateKeyPair());
     ASSERT_TRUE(keyPair);
     issuerSPKI = keyPair->subjectPublicKeyInfo;
   }
 
   CreateEncodedOCSPRequestTrustDomain trustDomain;
 };
--- a/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
+++ b/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -105,27 +105,27 @@ public:
     if (!rootKeyPair) {
       abort();
     }
   }
 
   void SetUp()
   {
     rootNameDER = CNToDERName(rootName);
-    if (rootNameDER == ENCODING_FAILED) {
+    if (ENCODING_FAILED(rootNameDER)) {
       abort();
     }
     Input rootNameDERInput;
     if (rootNameDERInput.Init(rootNameDER.data(), rootNameDER.length())
           != Success) {
       abort();
     }
 
     serialNumberDER = CreateEncodedSerialNumber(++rootIssuedCount);
-    if (serialNumberDER == ENCODING_FAILED) {
+    if (ENCODING_FAILED(serialNumberDER)) {
       abort();
     }
     Input serialNumberDERInput;
     if (serialNumberDERInput.Init(serialNumberDER.data(),
                                   serialNumberDER.length()) != Success) {
       abort();
     }
 
@@ -243,17 +243,17 @@ public:
                     const TestKeyPair& signerKeyPair,
                     time_t producedAt, time_t thisUpdate,
                     /*optional*/ const time_t* nextUpdate,
                     /*optional*/ const ByteString* certs = nullptr)
   {
     OCSPResponseContext context(certID, producedAt);
     if (signerName) {
       context.signerNameDER = CNToDERName(signerName);
-      EXPECT_NE(ENCODING_FAILED, context.signerNameDER);
+      EXPECT_FALSE(ENCODING_FAILED(context.signerNameDER));
     }
     context.signerKeyPair = signerKeyPair.Clone();
     EXPECT_TRUE(context.signerKeyPair);
     context.responseStatus = OCSPResponseContext::successful;
     context.producedAt = producedAt;
     context.certs = certs;
 
     context.certStatus = certStatus;
@@ -393,25 +393,25 @@ protected:
       ByteString()
     };
     ScopedTestKeyPair signerKeyPair;
     ByteString signerDER(CreateEncodedCertificate(
                            ++rootIssuedCount, rootName,
                            oneDayBeforeNow, oneDayAfterNow, certSubjectName,
                            signerEKUDER ? extensions : nullptr,
                            rootKeyPair.get(), signerKeyPair));
-    EXPECT_NE(ENCODING_FAILED, signerDER);
+    EXPECT_FALSE(ENCODING_FAILED(signerDER));
     if (signerDEROut) {
       *signerDEROut = signerDER;
     }
 
     ByteString signerNameDER;
     if (signerName) {
       signerNameDER = CNToDERName(signerName);
-      EXPECT_NE(ENCODING_FAILED, signerNameDER);
+      EXPECT_FALSE(ENCODING_FAILED(signerNameDER));
     }
     ByteString certs[] = { signerDER, ByteString() };
     return CreateEncodedOCSPSuccessfulResponse(certStatus, *endEntityCertID,
                                                signerName, *signerKeyPair,
                                                oneDayBeforeNow,
                                                oneDayBeforeNow,
                                                &oneDayAfterNow, certs);
   }
@@ -421,26 +421,26 @@ protected:
                                              time_t notBefore,
                                              time_t notAfter,
                                              const char* subject,
                                 /*optional*/ const ByteString* extensions,
                                 /*optional*/ TestKeyPair* signerKeyPair,
                                      /*out*/ ScopedTestKeyPair& keyPair)
   {
     ByteString serialNumberDER(CreateEncodedSerialNumber(serialNumber));
-    if (serialNumberDER == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(serialNumberDER)) {
+      return ByteString();
     }
     ByteString issuerDER(CNToDERName(issuer));
-    if (issuerDER == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(issuerDER)) {
+      return ByteString();
     }
     ByteString subjectDER(CNToDERName(subject));
-    if (subjectDER == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(subjectDER)) {
+      return ByteString();
     }
     return ::mozilla::pkix::test::CreateEncodedCertificate(
                                     v3,
                                     sha256WithRSAEncryption,
                                     serialNumberDER, issuerDER, notBefore,
                                     notAfter, subjectDER, extensions,
                                     signerKeyPair,
                                     SignatureAlgorithm::rsa_pkcs1_with_sha256,
@@ -542,17 +542,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                           ++rootIssuedCount, rootName,
                           now - (10 * Time::ONE_DAY_IN_SECONDS),
                           now - (2 * Time::ONE_DAY_IN_SECONDS),
                           signerName, extensions, rootKeyPair.get(),
                           signerKeyPair));
-  ASSERT_NE(ENCODING_FAILED, signerDER);
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   ByteString certs[] = { signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
   Input response;
@@ -577,17 +577,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          ++rootIssuedCount, rootName,
                          now + (2 * Time::ONE_DAY_IN_SECONDS),
                          now + (10 * Time::ONE_DAY_IN_SECONDS),
                          signerName, extensions, rootKeyPair.get(),
                          signerKeyPair));
-  ASSERT_NE(ENCODING_FAILED, signerDER);
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   ByteString certs[] = { signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
   Input response;
@@ -677,17 +677,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
                               ExtensionCriticality::NotCritical),
     ByteString()
   };
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          1, subCAName, oneDayBeforeNow, oneDayAfterNow,
                          signerName, extensions, unknownKeyPair.get(),
                          signerKeyPair));
-  ASSERT_NE(ENCODING_FAILED, signerDER);
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   // OCSP response signed by that delegated responder
   ByteString certs[] = { signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
@@ -717,30 +717,30 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
     ByteString()
   };
   ScopedTestKeyPair subCAKeyPair;
   ByteString subCADER(CreateEncodedCertificate(
                         ++rootIssuedCount, rootName,
                         oneDayBeforeNow, oneDayAfterNow,
                         subCAName, subCAExtensions, rootKeyPair.get(),
                         subCAKeyPair));
-  ASSERT_NE(ENCODING_FAILED, subCADER);
+  ASSERT_FALSE(ENCODING_FAILED(subCADER));
 
   // Delegated responder cert signed by that sub-CA
   const ByteString extensions[] = {
     CreateEncodedEKUExtension(OCSPSigningEKUDER,
                               ExtensionCriticality::NotCritical),
     ByteString(),
   };
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          1, subCAName, oneDayBeforeNow, oneDayAfterNow,
                          signerName, extensions, subCAKeyPair.get(),
                          signerKeyPair));
-  ASSERT_NE(ENCODING_FAILED, signerDER);
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   // OCSP response signed by the delegated responder issued by the sub-CA
   // that is trying to impersonate the root.
   ByteString certs[] = { subCADER, signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
@@ -771,30 +771,30 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
     ByteString()
   };
   ScopedTestKeyPair subCAKeyPair;
   ByteString subCADER(CreateEncodedCertificate(++rootIssuedCount, rootName,
                                                oneDayBeforeNow, oneDayAfterNow,
                                                subCAName, subCAExtensions,
                                                rootKeyPair.get(),
                                                subCAKeyPair));
-  ASSERT_NE(ENCODING_FAILED, subCADER);
+  ASSERT_FALSE(ENCODING_FAILED(subCADER));
 
   // Delegated responder cert signed by that sub-CA
   const ByteString extensions[] = {
     CreateEncodedEKUExtension(OCSPSigningEKUDER,
                               ExtensionCriticality::NotCritical),
     ByteString()
   };
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          1, subCAName, oneDayBeforeNow, oneDayAfterNow,
                          signerName, extensions, subCAKeyPair.get(),
                          signerKeyPair));
-  ASSERT_NE(ENCODING_FAILED, signerDER);
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   // OCSP response signed by the delegated responder issued by the sub-CA
   // that is trying to impersonate the root.
   ByteString certs[] = { signerDER, subCADER, ByteString() };
   ByteString responseString(
                  CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
@@ -816,17 +816,17 @@ public:
   void SetUp()
   {
     pkixocsp_VerifyEncodedResponse_DelegatedResponder::SetUp();
 
     responseString =
         CreateEncodedIndirectOCSPSuccessfulResponse(
           "OCSPGetCertTrustTest Signer", OCSPResponseContext::good,
           byKey, &OCSPSigningEKUDER, &signerCertDER);
-    if (responseString == ENCODING_FAILED) {
+    if (ENCODING_FAILED(responseString)) {
       abort();
     }
     if (response.Init(responseString.data(), responseString.length())
           != Success) {
       abort();
     }
     if (signerCertDER.length() == 0) {
       abort();
--- a/security/pkix/test/lib/pkixtestnss.cpp
+++ b/security/pkix/test/lib/pkixtestnss.cpp
@@ -186,24 +186,24 @@ GenerateKeyPair()
 
   return nullptr;
 }
 
 ByteString
 SHA1(const ByteString& toHash)
 {
   if (InitNSSIfNeeded() != Success) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
 
   uint8_t digestBuf[SHA1_LENGTH];
   SECStatus srv = PK11_HashBuf(SEC_OID_SHA1, digestBuf, toHash.data(),
                                static_cast<int32_t>(toHash.length()));
   if (srv != SECSuccess) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
   return ByteString(digestBuf, sizeof(digestBuf));
 }
 
 Result
 TestCheckPublicKey(Input subjectPublicKeyInfo)
 {
   Result rv = InitNSSIfNeeded();
--- a/security/pkix/test/lib/pkixtestutil.cpp
+++ b/security/pkix/test/lib/pkixtestutil.cpp
@@ -92,38 +92,36 @@ TamperOnce(/*in/out*/ ByteString& item, 
   }
   if (item.find(from, pos + from.length()) != string::npos) {
     return Result::FATAL_ERROR_INVALID_ARGS; // More than once match.
   }
   item.replace(pos, from.length(), to);
   return Success;
 }
 
-// An empty string returned from an encoding function signifies failure.
-const ByteString ENCODING_FAILED;
-
 // Given a tag and a value, generates a DER-encoded tag-length-value item.
-static ByteString
+ByteString
 TLV(uint8_t tag, const ByteString& value)
 {
   ByteString result;
   result.push_back(tag);
 
   if (value.length() < 128) {
     result.push_back(value.length());
   } else if (value.length() < 256) {
     result.push_back(0x81u);
     result.push_back(value.length());
   } else if (value.length() < 65536) {
     result.push_back(0x82u);
     result.push_back(static_cast<uint8_t>(value.length() / 256));
     result.push_back(static_cast<uint8_t>(value.length() % 256));
   } else {
-    assert(false);
-    return ENCODING_FAILED;
+    // It is MUCH more convenient for TLV to be infallible than for it to have
+    // "proper" error handling.
+    abort();
   }
   result.append(value);
   return result;
 }
 
 OCSPResponseContext::OCSPResponseContext(const CertID& certID, time_t time)
   : certID(certID)
   , responseStatus(successful)
@@ -150,18 +148,18 @@ static ByteString KeyHash(const ByteStri
 static ByteString SingleResponse(OCSPResponseContext& context);
 static ByteString CertID(OCSPResponseContext& context);
 static ByteString CertStatus(OCSPResponseContext& context);
 
 static ByteString
 HashedOctetString(const ByteString& bytes)
 {
   ByteString digest(SHA1(bytes));
-  if (digest == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(digest)) {
+    return ByteString();
   }
   return TLV(der::OCTET_STRING, digest);
 }
 
 static ByteString
 BitString(const ByteString& rawBytes, bool corrupt)
 {
   ByteString prefixed;
@@ -185,17 +183,19 @@ Boolean(bool value)
   return TLV(der::BOOLEAN, encodedValue);
 }
 
 static ByteString
 Integer(long value)
 {
   if (value < 0 || value > 127) {
     // TODO: add encoding of larger values
-    return ENCODING_FAILED;
+    // It is MUCH more convenient for Integer to be infallible than for it to
+    // have "proper" error handling.
+    abort();
   }
 
   ByteString encodedValue;
   encodedValue.push_back(static_cast<uint8_t>(value));
   return TLV(der::INTEGER, encodedValue);
 }
 
 enum TimeEncoding { UTCTime = 0, GeneralizedTime = 1 };
@@ -220,29 +220,29 @@ gmtime_r(const time_t* t, /*out*/ tm* ex
 // the number of seconds since the Unix epoch.
 static ByteString
 TimeToEncodedTime(time_t time, TimeEncoding encoding)
 {
   assert(encoding == UTCTime || encoding == GeneralizedTime);
 
   tm exploded;
   if (!gmtime_r(&time, &exploded)) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
 
   if (exploded.tm_sec >= 60) {
     // round down for leap seconds
     exploded.tm_sec = 59;
   }
 
   // exploded.tm_year is the year offset by 1900.
   int year = exploded.tm_year + 1900;
 
   if (encoding == UTCTime && (year < 1950 || year >= 2050)) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
 
   ByteString value;
 
   if (encoding == GeneralizedTime) {
     value.push_back('0' + (year / 1000));
     value.push_back('0' + ((year % 1000) / 100));
   }
@@ -276,17 +276,17 @@ TimeToGeneralizedTime(time_t time)
 // as UTCTime; certificate validity dates in 2050 or later MUST be encoded as
 // GeneralizedTime." (This is a special case of the rule that we must always
 // use the shortest possible encoding.)
 static ByteString
 TimeToTimeChoice(time_t time)
 {
   tm exploded;
   if (!gmtime_r(&time, &exploded)) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
   TimeEncoding encoding = (exploded.tm_year + 1900 >= 1950 &&
                            exploded.tm_year + 1900 < 2050)
                         ? UTCTime
                         : GeneralizedTime;
 
   return TimeToEncodedTime(time, encoding);
 }
@@ -336,58 +336,55 @@ YMDHMS(int16_t year, int16_t month, int1
   totalSeconds += hour * 60 * 60;
   totalSeconds += minutes * 60;
   totalSeconds += seconds;
   return TimeFromElapsedSecondsAD(totalSeconds);
 }
 
 static ByteString
 SignedData(const ByteString& tbsData,
-           TestKeyPair& keyPair,
+           /*optional*/ TestKeyPair* keyPair,
            SignatureAlgorithm signatureAlgorithm,
            bool corrupt, /*optional*/ const ByteString* certs)
 {
   ByteString signature;
-  if (keyPair.SignData(tbsData, signatureAlgorithm, signature) != Success) {
-     return ENCODING_FAILED;
-   }
+  if (keyPair) {
+    if (keyPair->SignData(tbsData, signatureAlgorithm, signature)
+          != Success) {
+       return ByteString();
+     }
+  }
 
   ByteString signatureAlgorithmDER;
   switch (signatureAlgorithm) {
     case SignatureAlgorithm::rsa_pkcs1_with_sha256:
       signatureAlgorithmDER.assign(alg_sha256WithRSAEncryption,
                                    sizeof(alg_sha256WithRSAEncryption));
       break;
     default:
-      return ENCODING_FAILED;
+      return ByteString();
   }
 
   // TODO: add ability to have signatures of bit length not divisible by 8,
   // resulting in unused bits in the bitstring encoding
   ByteString signatureNested(BitString(signature, corrupt));
-  if (signatureNested == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(signatureNested)) {
+    return ByteString();
   }
 
   ByteString certsNested;
   if (certs) {
     ByteString certsSequenceValue;
     while (!(*certs).empty()) {
       certsSequenceValue.append(*certs);
       ++certs;
     }
     ByteString certsSequence(TLV(der::SEQUENCE, certsSequenceValue));
-    if (certsSequence == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     certsNested = TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
                       certsSequence);
-    if (certsNested == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
   }
 
   ByteString value;
   value.append(tbsData);
   value.append(signatureAlgorithmDER);
   value.append(signatureNested);
   value.append(certsNested);
   return TLV(der::SEQUENCE, value);
@@ -406,30 +403,21 @@ Extension(Input extnID, ExtensionCritica
           const ByteString& extnValueBytes)
 {
   ByteString encoded;
 
   encoded.append(ByteString(extnID.UnsafeGetData(), extnID.GetLength()));
 
   if (criticality == ExtensionCriticality::Critical) {
     ByteString critical(Boolean(true));
-    if (critical == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     encoded.append(critical);
   }
 
   ByteString extnValueSequence(TLV(der::SEQUENCE, extnValueBytes));
-  if (extnValueBytes == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
   ByteString extnValue(TLV(der::OCTET_STRING, extnValueSequence));
-  if (extnValue == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
   encoded.append(extnValue);
   return TLV(der::SEQUENCE, encoded);
 }
 
 void
 MaybeLogOutput(const ByteString& result, const char* suffix)
 {
   assert(suffix);
@@ -482,34 +470,34 @@ CreateEncodedCertificate(long version, I
                          SignatureAlgorithm signatureAlgorithm,
                          /*out*/ ScopedTestKeyPair& keyPairResult)
 {
   // It may be the case that privateKeyResult references the same TestKeyPair
   // as issuerKeyPair. Thus, we can't set keyPairResult until after we're done
   // with issuerKeyPair.
   ScopedTestKeyPair subjectKeyPair(GenerateKeyPair());
   if (!subjectKeyPair) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
 
   ByteString tbsCertificate(TBSCertificate(version, serialNumber,
                                            signature, issuerNameDER, notBefore,
                                            notAfter, subjectNameDER,
                                            subjectKeyPair->subjectPublicKeyInfo,
                                            extensions));
-  if (tbsCertificate == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(tbsCertificate)) {
+    return ByteString();
   }
 
   ByteString result(SignedData(tbsCertificate,
-                               issuerKeyPair ? *issuerKeyPair
-                                             : *subjectKeyPair,
+                               issuerKeyPair ? issuerKeyPair
+                                             : subjectKeyPair.get(),
                                signatureAlgorithm, false, nullptr));
-  if (result == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(result)) {
+    return ByteString();
   }
 
   MaybeLogOutput(result, "cert");
 
   keyPairResult = subjectKeyPair.release();
 
   return result;
 }
@@ -535,72 +523,66 @@ TBSCertificate(long versionValue,
                time_t notAfterTime, const ByteString& subject,
                const ByteString& subjectPublicKeyInfo,
                /*optional*/ const ByteString* extensions)
 {
   ByteString value;
 
   if (versionValue != static_cast<long>(der::Version::v1)) {
     ByteString versionInteger(Integer(versionValue));
-    if (versionInteger == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     ByteString version(TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
                            versionInteger));
-    if (version == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     value.append(version);
   }
 
   value.append(serialNumber);
   value.append(signature.UnsafeGetData(), signature.GetLength());
   value.append(issuer);
 
   // Validity ::= SEQUENCE {
   //       notBefore      Time,
   //       notAfter       Time }
   ByteString validity;
   {
     ByteString notBefore(TimeToTimeChoice(notBeforeTime));
-    if (notBefore == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(notBefore)) {
+      return ByteString();
     }
     ByteString notAfter(TimeToTimeChoice(notAfterTime));
-    if (notAfter == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(notAfter)) {
+      return ByteString();
     }
     ByteString validityValue;
     validityValue.append(notBefore);
     validityValue.append(notAfter);
     validity = TLV(der::SEQUENCE, validityValue);
-    if (validity == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(validity)) {
+      return ByteString();
     }
   }
   value.append(validity);
 
   value.append(subject);
 
   value.append(subjectPublicKeyInfo);
 
   if (extensions) {
     ByteString extensionsValue;
     while (!(*extensions).empty()) {
       extensionsValue.append(*extensions);
       ++extensions;
     }
     ByteString extensionsSequence(TLV(der::SEQUENCE, extensionsValue));
-    if (extensionsSequence == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(extensionsSequence)) {
+      return ByteString();
     }
     ByteString extensionsWrapped(
       TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3, extensionsSequence));
-    if (extensionsWrapped == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(extensionsWrapped)) {
+      return ByteString();
     }
     value.append(extensionsWrapped);
   }
 
   return TLV(der::SEQUENCE, value);
 }
 
 ByteString
@@ -639,25 +621,17 @@ CNToDERName(const char* cn)
 
   ByteString value(reinterpret_cast<const ByteString::value_type*>(cn));
   value = TLV(der::UTF8String, value);
 
   ByteString ava;
   ava.append(tlv_id_at_commonName, sizeof(tlv_id_at_commonName));
   ava.append(value);
   ava = TLV(der::SEQUENCE, ava);
-  if (ava == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
-
   ByteString rdn(TLV(der::SET, ava));
-  if (rdn == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
-
   return TLV(der::SEQUENCE, rdn);
 }
 
 ByteString
 CreateEncodedSerialNumber(long serialNumberValue)
 {
   return Integer(serialNumberValue);
 }
@@ -669,27 +643,21 @@ ByteString
 CreateEncodedBasicConstraints(bool isCA,
                               /*optional*/ long* pathLenConstraintValue,
                               ExtensionCriticality criticality)
 {
   ByteString value;
 
   if (isCA) {
     ByteString cA(Boolean(true));
-    if (cA == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     value.append(cA);
   }
 
   if (pathLenConstraintValue) {
     ByteString pathLenConstraint(Integer(*pathLenConstraintValue));
-    if (pathLenConstraint == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     value.append(pathLenConstraint);
   }
 
   // python DottedOIDToCode.py --tlv id-ce-basicConstraints 2.5.29.19
   static const uint8_t tlv_id_ce_basicConstraints[] = {
     0x06, 0x03, 0x55, 0x1d, 0x13
   };
   return Extension(Input(tlv_id_ce_basicConstraints), criticality, value);
@@ -713,17 +681,17 @@ CreateEncodedEKUExtension(Input ekuOID, 
 ///////////////////////////////////////////////////////////////////////////////
 // OCSP responses
 
 ByteString
 CreateEncodedOCSPResponse(OCSPResponseContext& context)
 {
   if (!context.skipResponseBytes) {
     if (!context.signerKeyPair) {
-      return ENCODING_FAILED;
+      return ByteString();
     }
   }
 
   // OCSPResponse ::= SEQUENCE {
   //    responseStatus          OCSPResponseStatus,
   //    responseBytes       [0] EXPLICIT ResponseBytes OPTIONAL }
 
   // OCSPResponseStatus ::= ENUMERATED {
@@ -733,41 +701,32 @@ CreateEncodedOCSPResponse(OCSPResponseCo
   //    tryLater            (3),  -- Try again later
   //                              -- (4) is not used
   //    sigRequired         (5),  -- Must sign the request
   //    unauthorized        (6)   -- Request unauthorized
   // }
   ByteString reponseStatusValue;
   reponseStatusValue.push_back(context.responseStatus);
   ByteString responseStatus(TLV(der::ENUMERATED, reponseStatusValue));
-  if (responseStatus == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
 
   ByteString responseBytesNested;
   if (!context.skipResponseBytes) {
     ByteString responseBytes(ResponseBytes(context));
-    if (responseBytes == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(responseBytes)) {
+      return ByteString();
     }
 
     responseBytesNested = TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC,
                               responseBytes);
-    if (responseBytesNested == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
   }
 
   ByteString value;
   value.append(responseStatus);
   value.append(responseBytesNested);
   ByteString result(TLV(der::SEQUENCE, value));
-  if (result == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
 
   MaybeLogOutput(result, "ocsp");
 
   return result;
 }
 
 // ResponseBytes ::= SEQUENCE {
 //    responseType            OBJECT IDENTIFIER,
@@ -775,23 +734,20 @@ CreateEncodedOCSPResponse(OCSPResponseCo
 ByteString
 ResponseBytes(OCSPResponseContext& context)
 {
   // Includes tag and length
   static const uint8_t id_pkix_ocsp_basic_encoded[] = {
     0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
   };
   ByteString response(BasicOCSPResponse(context));
-  if (response == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(response)) {
+    return ByteString();
   }
   ByteString responseNested = TLV(der::OCTET_STRING, response);
-  if (responseNested == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
 
   ByteString value;
   value.append(id_pkix_ocsp_basic_encoded,
                sizeof(id_pkix_ocsp_basic_encoded));
   value.append(responseNested);
   return TLV(der::SEQUENCE, value);
 }
 
@@ -799,98 +755,86 @@ ResponseBytes(OCSPResponseContext& conte
 //   tbsResponseData          ResponseData,
 //   signatureAlgorithm       AlgorithmIdentifier,
 //   signature                BIT STRING,
 //   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 ByteString
 BasicOCSPResponse(OCSPResponseContext& context)
 {
   ByteString tbsResponseData(ResponseData(context));
-  if (tbsResponseData == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(tbsResponseData)) {
+    return ByteString();
   }
 
   // TODO(bug 980538): certs
-  return SignedData(tbsResponseData, *context.signerKeyPair,
+  return SignedData(tbsResponseData, context.signerKeyPair.get(),
                     SignatureAlgorithm::rsa_pkcs1_with_sha256,
                     context.badSignature, context.certs);
 }
 
 // Extension ::= SEQUENCE {
 //   id               OBJECT IDENTIFIER,
 //   critical         BOOLEAN DEFAULT FALSE
 //   value            OCTET STRING
 // }
 static ByteString
 OCSPExtension(OCSPResponseContext& context, OCSPResponseExtension& extension)
 {
   ByteString encoded;
   encoded.append(extension.id);
   if (extension.critical) {
     ByteString critical(Boolean(true));
-    if (critical == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     encoded.append(critical);
   }
   ByteString value(TLV(der::OCTET_STRING, extension.value));
-  if (value == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
   encoded.append(value);
   return TLV(der::SEQUENCE, encoded);
 }
 
 // Extensions ::= [1] {
 //   SEQUENCE OF Extension
 // }
 static ByteString
 Extensions(OCSPResponseContext& context)
 {
   ByteString value;
   for (OCSPResponseExtension* extension = context.extensions;
        extension; extension = extension->next) {
     ByteString extensionEncoded(OCSPExtension(context, *extension));
-    if (extensionEncoded == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(extensionEncoded)) {
+      return ByteString();
     }
     value.append(extensionEncoded);
   }
   ByteString sequence(TLV(der::SEQUENCE, value));
-  if (sequence == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
   return TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1, sequence);
 }
 
 // ResponseData ::= SEQUENCE {
 //    version             [0] EXPLICIT Version DEFAULT v1,
 //    responderID             ResponderID,
 //    producedAt              GeneralizedTime,
 //    responses               SEQUENCE OF SingleResponse,
 //    responseExtensions  [1] EXPLICIT Extensions OPTIONAL }
 ByteString
 ResponseData(OCSPResponseContext& context)
 {
   ByteString responderID(ResponderID(context));
-  if (responderID == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(responderID)) {
+    return ByteString();
   }
   ByteString producedAtEncoded(TimeToGeneralizedTime(context.producedAt));
-  if (producedAtEncoded == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(producedAtEncoded)) {
+    return ByteString();
   }
   ByteString response(SingleResponse(context));
-  if (response == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(response)) {
+    return ByteString();
   }
   ByteString responses(TLV(der::SEQUENCE, response));
-  if (responses == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
   ByteString responseExtensions;
   if (context.extensions || context.includeEmptyExtensions) {
     responseExtensions = Extensions(context);
   }
 
   ByteString value;
   value.append(responderID);
   value.append(producedAtEncoded);
@@ -908,18 +852,18 @@ ResponderID(OCSPResponseContext& context
 {
   ByteString contents;
   uint8_t responderIDType;
   if (!context.signerNameDER.empty()) {
     contents = context.signerNameDER;
     responderIDType = 1; // byName
   } else {
     contents = KeyHash(context.signerKeyPair->subjectPublicKey);
-    if (contents == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(contents)) {
+      return ByteString();
     }
     responderIDType = 2; // byKey
   }
 
   return TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | responderIDType,
              contents);
 }
 
@@ -939,38 +883,35 @@ KeyHash(const ByteString& subjectPublicK
 //    certStatus              CertStatus,
 //    thisUpdate              GeneralizedTime,
 //    nextUpdate          [0] EXPLICIT GeneralizedTime OPTIONAL,
 //    singleExtensions    [1] EXPLICIT Extensions OPTIONAL }
 ByteString
 SingleResponse(OCSPResponseContext& context)
 {
   ByteString certID(CertID(context));
-  if (certID == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(certID)) {
+    return ByteString();
   }
   ByteString certStatus(CertStatus(context));
-  if (certStatus == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(certStatus)) {
+    return ByteString();
   }
   ByteString thisUpdateEncoded(TimeToGeneralizedTime(context.thisUpdate));
-  if (thisUpdateEncoded == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(thisUpdateEncoded)) {
+    return ByteString();
   }
   ByteString nextUpdateEncodedNested;
   if (context.includeNextUpdate) {
     ByteString nextUpdateEncoded(TimeToGeneralizedTime(context.nextUpdate));
-    if (nextUpdateEncoded == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(nextUpdateEncoded)) {
+      return ByteString();
     }
     nextUpdateEncodedNested = TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0,
                                   nextUpdateEncoded);
-    if (nextUpdateEncodedNested == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
   }
 
   ByteString value;
   value.append(certID);
   value.append(certStatus);
   value.append(thisUpdateEncoded);
   value.append(nextUpdateEncodedNested);
   return TLV(der::SEQUENCE, value);
@@ -982,52 +923,49 @@ SingleResponse(OCSPResponseContext& cont
 //        issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
 //        serialNumber        CertificateSerialNumber }
 ByteString
 CertID(OCSPResponseContext& context)
 {
   ByteString issuerName(context.certID.issuer.UnsafeGetData(),
                         context.certID.issuer.GetLength());
   ByteString issuerNameHash(HashedOctetString(issuerName));
-  if (issuerNameHash == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(issuerNameHash)) {
+    return ByteString();
   }
 
   ByteString issuerKeyHash;
   {
     // context.certID.issuerSubjectPublicKeyInfo is the entire
     // SubjectPublicKeyInfo structure, but we need just the subjectPublicKey
     // part.
     Reader input(context.certID.issuerSubjectPublicKeyInfo);
     Reader contents;
     if (der::ExpectTagAndGetValue(input, der::SEQUENCE, contents) != Success) {
-      return ENCODING_FAILED;
+      return ByteString();
     }
     // Skip AlgorithmIdentifier
     if (der::ExpectTagAndSkipValue(contents, der::SEQUENCE) != Success) {
-      return ENCODING_FAILED;
+      return ByteString();
     }
     Input subjectPublicKey;
     if (der::BitStringWithNoUnusedBits(contents, subjectPublicKey)
           != Success) {
-      return ENCODING_FAILED;
+      return ByteString();
     }
     issuerKeyHash = KeyHash(ByteString(subjectPublicKey.UnsafeGetData(),
                                        subjectPublicKey.GetLength()));
-    if (issuerKeyHash == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(issuerKeyHash)) {
+      return ByteString();
     }
   }
 
   ByteString serialNumberValue(context.certID.serialNumber.UnsafeGetData(),
                                context.certID.serialNumber.GetLength());
   ByteString serialNumber(TLV(der::INTEGER, serialNumberValue));
-  if (serialNumber == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
 
   // python DottedOIDToCode.py --alg id-sha1 1.3.14.3.2.26
   static const uint8_t alg_id_sha1[] = {
     0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a
   };
 
   ByteString value;
   value.append(alg_id_sha1, sizeof(alg_id_sha1));
@@ -1057,22 +995,22 @@ CertStatus(OCSPResponseContext& context)
     case 0:
     case 2:
     {
       return TLV(der::CONTEXT_SPECIFIC | context.certStatus, ByteString());
     }
     case 1:
     {
       ByteString revocationTime(TimeToGeneralizedTime(context.revocationTime));
-      if (revocationTime == ENCODING_FAILED) {
-        return ENCODING_FAILED;
+      if (ENCODING_FAILED(revocationTime)) {
+        return ByteString();
       }
       // TODO(bug 980536): add support for revocationReason
       return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1, revocationTime);
     }
     default:
       assert(false);
       // fall through
   }
-  return ENCODING_FAILED;
+  return ByteString();
 }
 
 } } } // namespace mozilla::pkix::test
--- a/security/pkix/test/lib/pkixtestutil.h
+++ b/security/pkix/test/lib/pkixtestutil.h
@@ -31,17 +31,18 @@
 
 #include "pkix/enumclass.h"
 #include "pkix/pkixtypes.h"
 #include "pkix/ScopedPtr.h"
 
 namespace mozilla { namespace pkix { namespace test {
 
 typedef std::basic_string<uint8_t> ByteString;
-extern const ByteString ENCODING_FAILED;
+
+inline bool ENCODING_FAILED(const ByteString& bs) { return bs.empty(); }
 
 // XXX: Ideally, we should define this instead:
 //
 //   template <typename T, std::size_t N>
 //   constexpr inline std::size_t
 //   ArrayLength(T (&)[N])
 //   {
 //     return N;
@@ -74,17 +75,16 @@ static const uint8_t tlv_id_kp_serverAut
 };
 
 extern const Input sha256WithRSAEncryption;
 
 // e.g. YMDHMS(2016, 12, 31, 1, 23, 45) => 2016-12-31:01:23:45 (GMT)
 mozilla::pkix::Time YMDHMS(int16_t year, int16_t month, int16_t day,
                            int16_t hour, int16_t minutes, int16_t seconds);
 
-
 ByteString CNToDERName(const char* cn);
 
 class TestKeyPair
 {
 public:
   virtual ~TestKeyPair() { }
 
   // The DER encoding of the entire SubjectPublicKeyInfo structure. This is