Bug 1064402 - Part 2: Remove nsIX509CertDB.importServerCertificate() and nsIX509Cert::SERVER_CERT support in importCertsFromFile(). r=keeler
authorCykesiopka <cykesiopka.bmo@gmail.com>
Sat, 06 Feb 2016 20:41:11 -0800
changeset 283391 1bde49e1fb1379fe45b4b00d02d067f88088964d
parent 283390 2d3ec6c8bfe4c5b93f8385a78a91e5bda77d54f0
child 283392 18b9f0924b4a73c16b29ab49dfb750ffcf57245a
push id29980
push userphilringnalda@gmail.com
push dateSun, 07 Feb 2016 23:30:48 +0000
treeherdermozilla-central@1cfe34ea394c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs1064402
milestone47.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1064402 - Part 2: Remove nsIX509CertDB.importServerCertificate() and nsIX509Cert::SERVER_CERT support in importCertsFromFile(). r=keeler
security/manager/ssl/nsIX509CertDB.idl
security/manager/ssl/nsNSSCertTrust.cpp
security/manager/ssl/nsNSSCertTrust.h
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/nsNSSCertificateDB.h
--- a/security/manager/ssl/nsIX509CertDB.idl
+++ b/security/manager/ssl/nsIX509CertDB.idl
@@ -146,27 +146,16 @@ interface nsIX509CertDB : nsISupports {
    *  @param length The length of the data to be imported
    *  @param ctx A UI context.
    */
   void importEmailCertificate([array, size_is(length)] in octet data,
                               in unsigned long length,
                               in nsIInterfaceRequestor ctx);
 
   /**
-   *  Import a server machine's certificate into the database.
-   *
-   *  @param data The raw data to be imported
-   *  @param length The length of the data to be imported
-   *  @param ctx A UI context.
-   */
-  void importServerCertificate([array, size_is(length)] in octet data,
-                               in unsigned long length,
-                               in nsIInterfaceRequestor ctx);
-
-  /**
    *  Import a personal certificate into the database, assuming
    *  the database already contains the private key for this certificate.
    *
    *  @param data The raw data to be imported
    *  @param length The length of the data to be imported
    *  @param ctx A UI context.
    */
   void importUserCertificate([array, size_is(length)] in octet data,
--- a/security/manager/ssl/nsNSSCertTrust.cpp
+++ b/security/manager/ssl/nsNSSCertTrust.cpp
@@ -177,30 +177,16 @@ nsNSSCertTrust::SetValidPeer()
                 false, false, false,
                 false, false);
   SetObjSignTrust(true, false,
                   false, false, false,
                   false, false);
 }
 
 void 
-nsNSSCertTrust::SetValidServerPeer()
-{
-  SetSSLTrust(true, false,
-              false, false, false,
-              false, false);
-  SetEmailTrust(false, false,
-                false, false, false,
-                false, false);
-  SetObjSignTrust(false, false,
-                  false, false, false,
-                  false, false);
-}
-
-void 
 nsNSSCertTrust::SetTrustedPeer()
 {
   SetSSLTrust(true, true,
               false, false, false,
               false, false);
   SetEmailTrust(true, true,
                 false, false, false,
                 false, false);
--- a/security/manager/ssl/nsNSSCertTrust.h
+++ b/security/manager/ssl/nsNSSCertTrust.h
@@ -42,18 +42,16 @@ public:
 
   /* common defaults */
   /* equivalent to "c,c,c" */
   void SetValidCA();
   /* equivalent to "C,C,C" */
   void SetTrustedServerCA();
   /* equivalent to "CT,CT,CT" */
   void SetTrustedCA();
-  /* equivalent to "p,," */
-  void SetValidServerPeer();
   /* equivalent to "p,p,p" */
   void SetValidPeer();
   /* equivalent to "P,P,P" */
   void SetTrustedPeer();
   /* equivalent to "u,u,u" */
   void SetUser();
 
   /* general setters */
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -652,85 +652,16 @@ loser:
   if (certArray) {
     CERT_DestroyCertArray(certArray, numcerts);
   }
   if (arena) 
     PORT_FreeArena(arena, true);
   return nsrv;
 }
 
-NS_IMETHODIMP
-nsNSSCertificateDB::ImportServerCertificate(uint8_t * data, uint32_t length, 
-                                            nsIInterfaceRequestor *ctx)
-
-{
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  SECStatus srv = SECFailure;
-  nsresult nsrv = NS_OK;
-  ScopedCERTCertificate cert;
-  SECItem **rawCerts = nullptr;
-  int numcerts;
-  int i;
-  nsNSSCertTrust trust;
-  char *serverNickname = nullptr;
- 
-  PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-  if (!arena)
-    return NS_ERROR_OUT_OF_MEMORY;
-
-  CERTDERCerts *certCollection = getCertsFromPackage(arena, data, length, locker);
-  if (!certCollection) {
-    PORT_FreeArena(arena, false);
-    return NS_ERROR_FAILURE;
-  }
-  cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), certCollection->rawCerts,
-                                 nullptr, false, true);
-  if (!cert) {
-    nsrv = NS_ERROR_FAILURE;
-    goto loser;
-  }
-  numcerts = certCollection->numcerts;
-  rawCerts = (SECItem **) PORT_Alloc(sizeof(SECItem *) * numcerts);
-  if ( !rawCerts ) {
-    nsrv = NS_ERROR_FAILURE;
-    goto loser;
-  }
-
-  for ( i = 0; i < numcerts; i++ ) {
-    rawCerts[i] = &certCollection->rawCerts[i];
-  }
-
-  serverNickname = DefaultServerNicknameForCert(cert.get());
-  srv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageSSLServer,
-             numcerts, rawCerts, nullptr, true, false,
-             serverNickname);
-  PR_FREEIF(serverNickname);
-  if ( srv != SECSuccess ) {
-    nsrv = NS_ERROR_FAILURE;
-    goto loser;
-  }
-
-  trust.SetValidServerPeer();
-  srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert.get(),
-                             trust.GetTrust());
-  if ( srv != SECSuccess ) {
-    nsrv = NS_ERROR_FAILURE;
-    goto loser;
-  }
-loser:
-  PORT_Free(rawCerts);
-  if (arena) 
-    PORT_FreeArena(arena, true);
-  return nsrv;
-}
-
 nsresult
 nsNSSCertificateDB::ImportValidCACerts(int numCACerts, SECItem *CACerts, nsIInterfaceRequestor *ctx,  const nsNSSShutDownPreventionLock &proofOfLock)
 {
   ScopedCERTCertList certList;
   SECItem **rawArray;
 
   // build a CertList for filtering
   certList = CERT_NewCertList();
@@ -1088,70 +1019,59 @@ nsNSSCertificateDB::ImportCertsFromFile(
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   NS_ENSURE_ARG(aFile);
   switch (aType) {
     case nsIX509Cert::CA_CERT:
     case nsIX509Cert::EMAIL_CERT:
-    case nsIX509Cert::SERVER_CERT:
       // good
       break;
 
     default:
       // not supported (yet)
       return NS_ERROR_FAILURE;
   }
 
-  nsresult rv;
-  PRFileDesc *fd = nullptr;
-
-  rv = aFile->OpenNSPRFileDesc(PR_RDONLY, 0, &fd);
-
-  if (NS_FAILED(rv))
+  PRFileDesc* fd = nullptr;
+  nsresult rv = aFile->OpenNSPRFileDesc(PR_RDONLY, 0, &fd);
+  if (NS_FAILED(rv)) {
     return rv;
-
-  if (!fd)
-    return NS_ERROR_FAILURE;
-
-  PRFileInfo file_info;
-  if (PR_SUCCESS != PR_GetOpenFileInfo(fd, &file_info))
+  }
+  if (!fd) {
     return NS_ERROR_FAILURE;
-  
-  unsigned char *buf = new unsigned char[file_info.size];
-  
-  int32_t bytes_obtained = PR_Read(fd, buf, file_info.size);
-  PR_Close(fd);
-  
-  if (bytes_obtained != file_info.size)
-    rv = NS_ERROR_FAILURE;
-  else {
-	  nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
+  }
 
-    switch (aType) {
-      case nsIX509Cert::CA_CERT:
-        rv = ImportCertificates(buf, bytes_obtained, aType, cxt);
-        break;
-        
-      case nsIX509Cert::SERVER_CERT:
-        rv = ImportServerCertificate(buf, bytes_obtained, cxt);
-        break;
-
-      case nsIX509Cert::EMAIL_CERT:
-        rv = ImportEmailCertificate(buf, bytes_obtained, cxt);
-        break;
-      
-      default:
-        break;
-    }
+  PRFileInfo fileInfo;
+  if (PR_GetOpenFileInfo(fd, &fileInfo) != PR_SUCCESS) {
+    return NS_ERROR_FAILURE;
   }
 
-  delete [] buf;
-  return rv;  
+  auto buf = MakeUnique<unsigned char[]>(fileInfo.size);
+  int32_t bytesObtained = PR_Read(fd, buf.get(), fileInfo.size);
+  PR_Close(fd);
+
+  if (bytesObtained != fileInfo.size) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
+
+  switch (aType) {
+    case nsIX509Cert::CA_CERT:
+      return ImportCertificates(buf.get(), bytesObtained, aType, cxt);
+    case nsIX509Cert::EMAIL_CERT:
+      return ImportEmailCertificate(buf.get(), bytesObtained, cxt);
+    default:
+      MOZ_ASSERT(false, "Unsupported type should have been filtered out");
+      break;
+  }
+
+  return NS_ERROR_FAILURE;
 }
 
 NS_IMETHODIMP 
 nsNSSCertificateDB::ImportPKCS12File(nsISupports* aToken, nsIFile* aFile)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
--- a/security/manager/ssl/nsNSSCertificateDB.h
+++ b/security/manager/ssl/nsNSSCertificateDB.h
@@ -1,20 +1,21 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef __NSNSSCERTIFICATEDB_H__
-#define __NSNSSCERTIFICATEDB_H__
+#ifndef nsNSSCertificateDB_h
+#define nsNSSCertificateDB_h
 
+#include "certt.h"
+#include "mozilla/Mutex.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/UniquePtr.h"
 #include "nsIX509CertDB.h"
 #include "nsNSSShutDown.h"
-#include "mozilla/RefPtr.h"
-#include "mozilla/Mutex.h"
-#include "certt.h"
 
 class nsCString;
 class nsIArray;
 
 class nsNSSCertificateDB final : public nsIX509CertDB
                                , public nsNSSShutDownObject
 
 {
@@ -65,9 +66,9 @@ private:
 
 #define NS_X509CERTDB_CID { /* fb0bbc5c-452e-4783-b32c-80124693d871 */ \
     0xfb0bbc5c,                                                        \
     0x452e,                                                            \
     0x4783,                                                            \
     {0xb3, 0x2c, 0x80, 0x12, 0x46, 0x93, 0xd8, 0x71}                   \
   }
 
-#endif
+#endif // nsNSSCertificateDB_h