author | Cykesiopka <cykesiopka.bmo@gmail.com> |
Sat, 06 Feb 2016 20:41:11 -0800 | |
changeset 283391 | 1bde49e1fb1379fe45b4b00d02d067f88088964d |
parent 283390 | 2d3ec6c8bfe4c5b93f8385a78a91e5bda77d54f0 |
child 283392 | 18b9f0924b4a73c16b29ab49dfb750ffcf57245a |
push id | 29980 |
push user | philringnalda@gmail.com |
push date | Sun, 07 Feb 2016 23:30:48 +0000 |
reviewers | keeler |
bugs | 1064402 |
milestone | 47.0a1 |
--- a/security/manager/ssl/nsIX509CertDB.idl +++ b/security/manager/ssl/nsIX509CertDB.idl @@ -146,27 +146,16 @@ interface nsIX509CertDB : nsISupports { * @param length The length of the data to be imported * @param ctx A UI context. */ void importEmailCertificate([array, size_is(length)] in octet data, in unsigned long length, in nsIInterfaceRequestor ctx); /** - * Import a server machine's certificate into the database. - * - * @param data The raw data to be imported - * @param length The length of the data to be imported - * @param ctx A UI context. - */ - void importServerCertificate([array, size_is(length)] in octet data, - in unsigned long length, - in nsIInterfaceRequestor ctx); - - /** * Import a personal certificate into the database, assuming * the database already contains the private key for this certificate. * * @param data The raw data to be imported * @param length The length of the data to be imported * @param ctx A UI context. */ void importUserCertificate([array, size_is(length)] in octet data,
--- a/security/manager/ssl/nsNSSCertTrust.cpp +++ b/security/manager/ssl/nsNSSCertTrust.cpp @@ -177,30 +177,16 @@ nsNSSCertTrust::SetValidPeer() false, false, false, false, false); SetObjSignTrust(true, false, false, false, false, false, false); } void -nsNSSCertTrust::SetValidServerPeer() -{ - SetSSLTrust(true, false, - false, false, false, - false, false); - SetEmailTrust(false, false, - false, false, false, - false, false); - SetObjSignTrust(false, false, - false, false, false, - false, false); -} - -void nsNSSCertTrust::SetTrustedPeer() { SetSSLTrust(true, true, false, false, false, false, false); SetEmailTrust(true, true, false, false, false, false, false);
--- a/security/manager/ssl/nsNSSCertTrust.h +++ b/security/manager/ssl/nsNSSCertTrust.h @@ -42,18 +42,16 @@ public: /* common defaults */ /* equivalent to "c,c,c" */ void SetValidCA(); /* equivalent to "C,C,C" */ void SetTrustedServerCA(); /* equivalent to "CT,CT,CT" */ void SetTrustedCA(); - /* equivalent to "p,," */ - void SetValidServerPeer(); /* equivalent to "p,p,p" */ void SetValidPeer(); /* equivalent to "P,P,P" */ void SetTrustedPeer(); /* equivalent to "u,u,u" */ void SetUser(); /* general setters */
--- a/security/manager/ssl/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/nsNSSCertificateDB.cpp 
@@ -652,85 +652,16 @@ loser: if (certArray) { CERT_DestroyCertArray(certArray, numcerts); } if (arena) PORT_FreeArena(arena, true); return nsrv; } -NS_IMETHODIMP -nsNSSCertificateDB::ImportServerCertificate(uint8_t * data, uint32_t length, - nsIInterfaceRequestor *ctx) - -{ - nsNSSShutDownPreventionLock locker; - if (isAlreadyShutDown()) { - return NS_ERROR_NOT_AVAILABLE; - } - - SECStatus srv = SECFailure; - nsresult nsrv = NS_OK; - ScopedCERTCertificate cert; - SECItem **rawCerts = nullptr; - int numcerts; - int i; - nsNSSCertTrust trust; - char *serverNickname = nullptr; - - PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (!arena) - return NS_ERROR_OUT_OF_MEMORY; - - CERTDERCerts *certCollection = getCertsFromPackage(arena, data, length, locker); - if (!certCollection) { - PORT_FreeArena(arena, false); - return NS_ERROR_FAILURE; - } - cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), certCollection->rawCerts, - nullptr, false, true); - if (!cert) { - nsrv = NS_ERROR_FAILURE; - goto loser; - } - numcerts = certCollection->numcerts; - rawCerts = (SECItem **) PORT_Alloc(sizeof(SECItem *) * numcerts); - if ( !rawCerts ) { - nsrv = NS_ERROR_FAILURE; - goto loser; - } - - for ( i = 0; i < numcerts; i++ ) { - rawCerts[i] = &certCollection->rawCerts[i]; - } - - serverNickname = DefaultServerNicknameForCert(cert.get()); - srv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageSSLServer, - numcerts, rawCerts, nullptr, true, false, - serverNickname); - PR_FREEIF(serverNickname); - if ( srv != SECSuccess ) { - nsrv = NS_ERROR_FAILURE; - goto loser; - } - - trust.SetValidServerPeer(); - srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert.get(), - trust.GetTrust()); - if ( srv != SECSuccess ) { - nsrv = NS_ERROR_FAILURE; - goto loser; - } -loser: - PORT_Free(rawCerts); - if (arena) - PORT_FreeArena(arena, true); - return nsrv; -} - nsresult nsNSSCertificateDB::ImportValidCACerts(int numCACerts, SECItem *CACerts, nsIInterfaceRequestor *ctx, const 
nsNSSShutDownPreventionLock &proofOfLock) { ScopedCERTCertList certList; SECItem **rawArray; // build a CertList for filtering certList = CERT_NewCertList(); 
@@ -1088,70 +1019,59 @@ nsNSSCertificateDB::ImportCertsFromFile( if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } NS_ENSURE_ARG(aFile); switch (aType) { case nsIX509Cert::CA_CERT: case nsIX509Cert::EMAIL_CERT: - case nsIX509Cert::SERVER_CERT: // good break; default: // not supported (yet) return NS_ERROR_FAILURE; } - nsresult rv; - PRFileDesc *fd = nullptr; - - rv = aFile->OpenNSPRFileDesc(PR_RDONLY, 0, &fd); - - if (NS_FAILED(rv)) + PRFileDesc* fd = nullptr; + nsresult rv = aFile->OpenNSPRFileDesc(PR_RDONLY, 0, &fd); + if (NS_FAILED(rv)) { return rv; - - if (!fd) - return NS_ERROR_FAILURE; - - PRFileInfo file_info; - if (PR_SUCCESS != PR_GetOpenFileInfo(fd, &file_info)) + } + if (!fd) { return NS_ERROR_FAILURE; - - unsigned char *buf = new unsigned char[file_info.size]; - - int32_t bytes_obtained = PR_Read(fd, buf, file_info.size); - PR_Close(fd); - - if (bytes_obtained != file_info.size) - rv = NS_ERROR_FAILURE; - else { - nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext(); + } - switch (aType) { - case nsIX509Cert::CA_CERT: - rv = ImportCertificates(buf, bytes_obtained, aType, cxt); - break; - - case nsIX509Cert::SERVER_CERT: - rv = ImportServerCertificate(buf, bytes_obtained, cxt); - break; - - case nsIX509Cert::EMAIL_CERT: - rv = ImportEmailCertificate(buf, bytes_obtained, cxt); - break; - - default: - break; - } + PRFileInfo fileInfo; + if (PR_GetOpenFileInfo(fd, &fileInfo) != PR_SUCCESS) { + return NS_ERROR_FAILURE; } - delete [] buf; - return rv; + auto buf = MakeUnique<unsigned char[]>(fileInfo.size); + int32_t bytesObtained = PR_Read(fd, buf.get(), fileInfo.size); + PR_Close(fd); + + if (bytesObtained != fileInfo.size) { + return NS_ERROR_FAILURE; + } + + nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext(); + + switch (aType) { + case nsIX509Cert::CA_CERT: + return ImportCertificates(buf.get(), bytesObtained, aType, cxt); + case nsIX509Cert::EMAIL_CERT: + return ImportEmailCertificate(buf.get(), bytesObtained, cxt); + default: + 
MOZ_ASSERT(false, "Unsupported type should have been filtered out"); + break; + } + + return NS_ERROR_FAILURE; } NS_IMETHODIMP nsNSSCertificateDB::ImportPKCS12File(nsISupports* aToken, nsIFile* aFile) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE;
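Review bot: The early return taken when `PR_GetOpenFileInfo(fd, &fileInfo) != PR_SUCCESS` leaves `fd` open, because `PR_Close(fd)` is only reached after the read; the rewrite carries this leak over from the old code. Close the descriptor on that path, e.g. `PR_Close(fd); return NS_ERROR_FAILURE;`, or hold it in a scoped owner so every exit closes it. Separately, `MakeUnique<unsigned char[]>(fileInfo.size)` sizes the buffer straight from the file the caller supplied, with no upper bound and, as far as the hunk shows, no check that the size is positive. A sanity cap before allocating would stop an oversized or unusual file from driving a very large allocation on the certificate import path. ImportCertsFromFile starts above the hunk, so only part of its body is visible here.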
--- a/security/manager/ssl/nsNSSCertificateDB.h +++ b/security/manager/ssl/nsNSSCertificateDB.h @@ -1,20 +1,21 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#ifndef __NSNSSCERTIFICATEDB_H__ -#define __NSNSSCERTIFICATEDB_H__ +#ifndef nsNSSCertificateDB_h +#define nsNSSCertificateDB_h +#include "certt.h" +#include "mozilla/Mutex.h" +#include "mozilla/RefPtr.h" +#include "mozilla/UniquePtr.h" #include "nsIX509CertDB.h" #include "nsNSSShutDown.h" -#include "mozilla/RefPtr.h" -#include "mozilla/Mutex.h" -#include "certt.h" class nsCString; class nsIArray; class nsNSSCertificateDB final : public nsIX509CertDB , public nsNSSShutDownObject { @@ -65,9 +66,9 @@ private: #define NS_X509CERTDB_CID { /* fb0bbc5c-452e-4783-b32c-80124693d871 */ \ 0xfb0bbc5c, \ 0x452e, \ 0x4783, \ {0xb3, 0x2c, 0x80, 0x12, 0x46, 0x93, 0xd8, 0x71} \ } -#endif +#endif // nsNSSCertificateDB_h