bug 1147085 - remove nsINSSCertCache (replace it with nsIX509CertDB.getCerts()) r=Cykesiopka
authorDavid Keeler <dkeeler@mozilla.com>
Fri, 03 Apr 2015 14:01:05 -0700
changeset 238186 1dfe22ca4abee887d5c87dfed633795393e506ad
parent 238185 f345912dc20cfa1f91a8627ad412c35aac336d88
child 238187 3ccd83f8e32b5eb921f80389282c51380be2b70c
push id28557
push userkwierso@gmail.com
push dateThu, 09 Apr 2015 00:04:16 +0000
treeherdermozilla-central@9a29065e2311 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersCykesiopka
bugs1147085
milestone40.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1147085 - remove nsINSSCertCache (replace it with nsIX509CertDB.getCerts()) r=Cykesiopka
security/manager/pki/resources/content/certManager.js
security/manager/ssl/public/moz.build
security/manager/ssl/public/nsICertTree.idl
security/manager/ssl/public/nsINSSCertCache.idl
security/manager/ssl/src/moz.build
security/manager/ssl/src/nsCertTree.cpp
security/manager/ssl/src/nsCertTree.h
security/manager/ssl/src/nsNSSCertCache.cpp
security/manager/ssl/src/nsNSSCertCache.h
security/manager/ssl/src/nsNSSCertificate.cpp
security/manager/ssl/src/nsNSSCertificateDB.cpp
security/manager/ssl/src/nsNSSModule.cpp
security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
--- a/security/manager/pki/resources/content/certManager.js
+++ b/security/manager/pki/resources/content/certManager.js
@@ -8,18 +8,16 @@ const nsIX509CertDB = Components.interfa
 const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
 const nsIX509Cert = Components.interfaces.nsIX509Cert;
 const nsICertTree = Components.interfaces.nsICertTree;
 const nsCertTree = "@mozilla.org/security/nsCertTree;1";
 const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
 const nsDialogParamBlock = "@mozilla.org/embedcomp/dialogparam;1";
 const nsIPKIParamBlock    = Components.interfaces.nsIPKIParamBlock;
 const nsPKIParamBlock    = "@mozilla.org/security/pkiparamblock;1";
-const nsINSSCertCache = Components.interfaces.nsINSSCertCache;
-const nsNSSCertCache = "@mozilla.org/security/nsscertcache;1";
 
 const gCertFileTypes = "*.p7b; *.crt; *.cert; *.cer; *.pem; *.der";
 
 let { NetUtil } = Components.utils.import("resource://gre/modules/NetUtil.jsm", {});
 let { Services } = Components.utils.import("resource://gre/modules/Services.jsm", {});
 
 var key;
 
@@ -47,19 +45,17 @@ function DeregisterSmartCardObservers()
 }
 
 function LoadCerts()
 {
   Services.obs.addObserver(smartCardObserver, "smartcard-insert", false);
   Services.obs.addObserver(smartCardObserver, "smartcard-remove", false);
 
   certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
-  var certcache = Components.classes[nsNSSCertCache].createInstance(nsINSSCertCache);
-  
-  certcache.cacheAllCerts();
+  var certcache = certdb.getCerts();
 
   caTreeView = Components.classes[nsCertTree]
                     .createInstance(nsICertTree);
   caTreeView.loadCertsFromCache(certcache, nsIX509Cert.CA_CERT);
   document.getElementById('ca-tree').view = caTreeView;
 
   serverTreeView = Components.classes[nsCertTree]
                         .createInstance(nsICertTree);
@@ -373,18 +369,17 @@ function restoreCerts()
         }
       };
       certdb.importUserCertificate(dataArray, dataArray.length, interfaceRequestor);
     } else {
       // Otherwise, assume it's a PKCS12 file and import it that way.
       certdb.importPKCS12File(null, fp.file);
     }
 
-    var certcache = Components.classes[nsNSSCertCache].createInstance(nsINSSCertCache);
-    certcache.cacheAllCerts();
+    var certcache = certdb.getCerts();
     userTreeView.loadCertsFromCache(certcache, nsIX509Cert.USER_CERT);
     userTreeView.selection.clearSelection();
     caTreeView.loadCertsFromCache(certcache, nsIX509Cert.CA_CERT);
     caTreeView.selection.clearSelection();
     enableBackupAllButton();
   }
 }
 
@@ -516,20 +511,19 @@ function addCACerts()
     certdb.importCertsFromFile(null, fp.file, nsIX509Cert.CA_CERT);
     caTreeView.loadCerts(nsIX509Cert.CA_CERT);
     caTreeView.selection.clearSelection();
   }
 }
 
 function onSmartCardChange()
 {
-  var certcache = Components.classes[nsNSSCertCache].createInstance(nsINSSCertCache);
+  var certcache = certdb.getCerts();
   // We've change the state of the smart cards inserted or removed
   // that means the available certs may have changed. Update the display
-  certcache.cacheAllCerts();
   userTreeView.loadCertsFromCache(certcache, nsIX509Cert.USER_CERT);
   userTreeView.selection.clearSelection();
   caTreeView.loadCertsFromCache(certcache, nsIX509Cert.CA_CERT);
   caTreeView.selection.clearSelection();
   serverTreeView.loadCertsFromCache(certcache, nsIX509Cert.SERVER_CERT);
   serverTreeView.selection.clearSelection();
   emailTreeView.loadCertsFromCache(certcache, nsIX509Cert.EMAIL_CERT);
   emailTreeView.selection.clearSelection();
@@ -544,18 +538,17 @@ function addEmailCert()
   fp.init(window,
           bundle.getString("importEmailCertPrompt"),
           nsIFilePicker.modeOpen);
   fp.appendFilter(bundle.getString("file_browse_Certificate_spec"),
                   gCertFileTypes);
   fp.appendFilters(nsIFilePicker.filterAll);
   if (fp.show() == nsIFilePicker.returnOK) {
     certdb.importCertsFromFile(null, fp.file, nsIX509Cert.EMAIL_CERT);
-    var certcache = Components.classes[nsNSSCertCache].createInstance(nsINSSCertCache);
-    certcache.cacheAllCerts();
+    var certcache = certdb.getCerts();
     emailTreeView.loadCertsFromCache(certcache, nsIX509Cert.EMAIL_CERT);
     emailTreeView.selection.clearSelection();
     caTreeView.loadCertsFromCache(certcache, nsIX509Cert.CA_CERT);
     caTreeView.selection.clearSelection();
   }
 }
 
 function addWebSiteCert()
@@ -566,28 +559,26 @@ function addWebSiteCert()
           bundle.getString("importServerCertPrompt"),
           nsIFilePicker.modeOpen);
   fp.appendFilter(bundle.getString("file_browse_Certificate_spec"),
                   gCertFileTypes);
   fp.appendFilters(nsIFilePicker.filterAll);
   if (fp.show() == nsIFilePicker.returnOK) {
     certdb.importCertsFromFile(null, fp.file, nsIX509Cert.SERVER_CERT);
 
-    var certcache = Components.classes[nsNSSCertCache].createInstance(nsINSSCertCache);
-    certcache.cacheAllCerts();
+    var certcache = certdb.getCerts();
     serverTreeView.loadCertsFromCache(certcache, nsIX509Cert.SERVER_CERT);
     serverTreeView.selection.clearSelection();
     caTreeView.loadCertsFromCache(certcache, nsIX509Cert.CA_CERT);
     caTreeView.selection.clearSelection();
   }
 }
 
 function addException()
 {
   window.openDialog('chrome://pippki/content/exceptionDialog.xul', "",
                     'chrome,centerscreen,modal');
-  var certcache = Components.classes[nsNSSCertCache].createInstance(nsINSSCertCache);
-  certcache.cacheAllCerts();
+  var certcache = certdb.getCerts();
   serverTreeView.loadCertsFromCache(certcache, nsIX509Cert.SERVER_CERT);
   serverTreeView.selection.clearSelection();
   orphanTreeView.loadCertsFromCache(certcache, nsIX509Cert.UNKNOWN_CERT);
   orphanTreeView.selection.clearSelection();
 }
--- a/security/manager/ssl/public/moz.build
+++ b/security/manager/ssl/public/moz.build
@@ -13,17 +13,16 @@ XPIDL_SOURCES += [
     'nsICertificateDialogs.idl',
     'nsICertOverrideService.idl',
     'nsICertPickDialogs.idl',
     'nsIClientAuthDialogs.idl',
     'nsIDataSignatureVerifier.idl',
     'nsIGenKeypairInfoDlg.idl',
     'nsIKeygenThread.idl',
     'nsIKeyModule.idl',
-    'nsINSSCertCache.idl',
     'nsINSSVersion.idl',
     'nsIPK11Token.idl',
     'nsIPK11TokenDB.idl',
     'nsIPKCS11.idl',
     'nsIPKCS11Module.idl',
     'nsIPKCS11ModuleDB.idl',
     'nsIPKCS11Slot.idl',
     'nsIProtectedAuthThread.idl',
--- a/security/manager/ssl/public/nsICertTree.idl
+++ b/security/manager/ssl/public/nsICertTree.idl
@@ -2,35 +2,35 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 #include "nsITreeView.idl"
 
-interface nsINSSCertCache;
 interface nsIX509Cert;
+interface nsIX509CertList;
 
 [scriptable, uuid(d0180863-606e-49e6-8324-cf45ed4dd891)]
 interface nsICertTreeItem : nsISupports {
   readonly attribute nsIX509Cert cert;
   readonly attribute AString hostPort;
 };
 
-[scriptable, uuid(a8cd1c89-a901-4735-831b-7198b7b8b6b1)]
+[scriptable, uuid(55d5ad6b-5572-47fe-941c-f01fe723659e)]
 interface nsICertTree : nsITreeView {
 
   void loadCerts(in unsigned long type);
-  void loadCertsFromCache(in nsINSSCertCache cache, in unsigned long type);
+  void loadCertsFromCache(in nsIX509CertList cache, in unsigned long type);
 
   nsIX509Cert getCert(in unsigned long index);
   nsICertTreeItem getTreeItem(in unsigned long index);
   boolean isHostPortOverride(in unsigned long index);
-  
+
   void deleteEntryObject(in unsigned long index);
 };
 
 %{C++
 
 #define NS_CERTTREE_CID { 0x4ea60761, 0x31d6, 0x491d, \
                          { 0x9e, 0x34, 0x4b, 0x53, 0xa2, 0x6c, 0x41, 0x6c } }
 
deleted file mode 100644
--- a/security/manager/ssl/public/nsINSSCertCache.idl
+++ /dev/null
@@ -1,44 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-interface nsIX509CertList;
-
-[scriptable, uuid(1b75bdae-1757-4322-9d1e-cfcaa18cb710)]
-interface nsINSSCertCache : nsISupports {
-
-  /*
-   * cacheAllCerts
-   *
-   * Creates a cache of all certificates currently known to NSS.
-   */
-  void cacheAllCerts();
-  void cacheCertList(in nsIX509CertList list); 
-
-  /*
-   * get an X509CertList
-   */
-  nsIX509CertList getX509CachedCerts();
-
-  /*
-   * getCachedCerts
-   *
-   * Returns the cached CERTCertList*
-   */
-  [notxpcom, noscript] voidPtr getCachedCerts();
-};
-
-%{C++
-
-#define NS_NSSCERTCACHE_CID { /* 3f429a14-dffe-417d-8cb8-fdf09bacd09e */ \
-    0x3f429a14,                                                          \
-    0xdffe,                                                              \
-    0x417d,                                                              \
-    {0x8c, 0xb8, 0xfd, 0xf0, 0x9b, 0xac, 0xd0, 0x9e}                     \
-  }
-
-#define NS_NSSCERTCACHE_CONTRACTID "@mozilla.org/security/nsscertcache;1"
-
-%}
--- a/security/manager/ssl/src/moz.build
+++ b/security/manager/ssl/src/moz.build
@@ -33,17 +33,16 @@ UNIFIED_SOURCES += [
     'nsCryptoHash.cpp',
     'nsDataSignatureVerifier.cpp',
     'nsKeygenHandler.cpp',
     'nsKeygenHandlerContent.cpp',
     'nsKeygenThread.cpp',
     'nsKeyModule.cpp',
     'nsNSSASN1Object.cpp',
     'nsNSSCallbacks.cpp',
-    'nsNSSCertCache.cpp',
     'nsNSSCertHelper.cpp',
     'nsNSSCertificate.cpp',
     'nsNSSCertificateFakeTransport.cpp',
     'nsNSSCertTrust.cpp',
     'nsNSSCertValidity.cpp',
     'nsNSSComponent.cpp',
     'nsNSSErrors.cpp',
     'nsNSSIOLayer.cpp',
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -10,24 +10,23 @@
 #include "nsIX509Cert.h"
 #include "nsIX509CertValidity.h"
 #include "nsIX509CertDB.h"
 #include "nsXPIDLString.h"
 #include "nsReadableUtils.h"
 #include "nsUnicharUtils.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSCertHelper.h"
-#include "nsINSSCertCache.h"
 #include "nsIMutableArray.h"
 #include "nsArrayUtils.h"
 #include "nsISupportsPrimitives.h"
 #include "nsXPCOMCID.h"
 #include "nsTHashtable.h"
 #include "nsHashKeys.h"
- 
+
 #include "prlog.h"
 
 using namespace mozilla;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
@@ -626,35 +625,44 @@ nsCertTree::GetCertsByType(uint32_t     
 {
   nsNSSShutDownPreventionLock locker;
   nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
   ScopedCERTCertList certList(PK11_ListCerts(PK11CertListUnique, cxt));
   return GetCertsByTypeFromCertList(certList.get(), aType, aCertCmpFn,
                                     aCertCmpFnArg);
 }
 
-nsresult 
-nsCertTree::GetCertsByTypeFromCache(nsINSSCertCache   *aCache,
+nsresult
+nsCertTree::GetCertsByTypeFromCache(nsIX509CertList   *aCache,
                                     uint32_t           aType,
                                     nsCertCompareFunc  aCertCmpFn,
                                     void              *aCertCmpFnArg)
 {
   NS_ENSURE_ARG_POINTER(aCache);
-  CERTCertList *certList = reinterpret_cast<CERTCertList*>(aCache->GetCachedCerts());
+  // GetRawCertList checks for NSS shutdown since we can't do it ourselves here
+  // easily. We still have to acquire a shutdown prevention lock to prevent NSS
+  // shutting down after GetRawCertList has returned. While cumbersome, this is
+  // at least mostly correct. The rest of this implementation doesn't even go
+  // this far in attempting to check for or prevent NSS shutdown at the
+  // appropriate times. If this were reimplemented at a higher level using
+  // more encapsulated types that handled NSS shutdown themselves, we wouldn't
+  // be having these kinds of problems.
+  nsNSSShutDownPreventionLock locker;
+  CERTCertList *certList = reinterpret_cast<CERTCertList*>(aCache->GetRawCertList());
   if (!certList)
     return NS_ERROR_FAILURE;
   return GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg);
 }
 
 // LoadCerts
 //
 // Load all of the certificates in the DB for this type.  Sort them
 // by token, organization, then common name.
-NS_IMETHODIMP 
-nsCertTree::LoadCertsFromCache(nsINSSCertCache *aCache, uint32_t aType)
+NS_IMETHODIMP
+nsCertTree::LoadCertsFromCache(nsIX509CertList *aCache, uint32_t aType)
 {
   if (mTreeArray) {
     FreeCertArray();
     delete [] mTreeArray;
     mTreeArray = nullptr;
     mNumRows = 0;
   }
   nsresult rv = InitCompareHash();
--- a/security/manager/ssl/src/nsCertTree.h
+++ b/security/manager/ssl/src/nsCertTree.h
@@ -109,17 +109,17 @@ protected:
   static int32_t CmpUserCert(void *cache, nsIX509Cert *a, nsIX509Cert *b);
   static int32_t CmpEmailCert(void *cache, nsIX509Cert *a, nsIX509Cert *b);
   nsCertCompareFunc GetCompareFuncFromCertType(uint32_t aType);
   int32_t CountOrganizations();
 
   nsresult GetCertsByType(uint32_t aType, nsCertCompareFunc aCertCmpFn,
                           void *aCertCmpFnArg);
 
-  nsresult GetCertsByTypeFromCache(nsINSSCertCache *aCache, uint32_t aType,
+  nsresult GetCertsByTypeFromCache(nsIX509CertList *aCache, uint32_t aType,
                                    nsCertCompareFunc aCertCmpFn, void *aCertCmpFnArg);
 private:
   nsTArray< mozilla::RefPtr<nsCertTreeDispInfo> > mDispInfo;
   nsCOMPtr<nsITreeBoxObject>  mTree;
   nsCOMPtr<nsITreeSelection>  mSelection;
   treeArrayEl                *mTreeArray;
   int32_t                         mNumOrgs;
   int32_t                         mNumRows;
deleted file mode 100644
--- a/security/manager/ssl/src/nsNSSCertCache.cpp
+++ /dev/null
@@ -1,103 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsNSSCertCache.h"
-#include "nsNSSCertificate.h"
-#include "cert.h"
-#include "nsCOMPtr.h"
-#include "nsIInterfaceRequestor.h"
-#include "nsNSSHelper.h"
-
-using namespace mozilla;
-
-NS_IMPL_ISUPPORTS(nsNSSCertCache, nsINSSCertCache)
-
-nsNSSCertCache::nsNSSCertCache()
-:mutex("nsNSSCertCache.mutex"), mCertList(nullptr)
-{
-}
-
-nsNSSCertCache::~nsNSSCertCache()
-{
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return;
-  }
-  destructorSafeDestroyNSSReference();
-  shutdown(calledFromObject);
-}
-
-void nsNSSCertCache::virtualDestroyNSSReference()
-{
-  destructorSafeDestroyNSSReference();
-}
-
-void nsNSSCertCache::destructorSafeDestroyNSSReference()
-{
-}
-
-NS_IMETHODIMP
-nsNSSCertCache::CacheAllCerts()
-{
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
-  nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
-  
-  ScopedCERTCertList newList(PK11_ListCerts(PK11CertListUnique, cxt));
-
-  if (newList) {
-    MutexAutoLock lock(mutex);
-    mCertList = new nsNSSCertList(newList, locker);
-  }
-  
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsNSSCertCache::CacheCertList(nsIX509CertList *list)
-{
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
-  {
-    MutexAutoLock lock(mutex);
-    mCertList = list;
-    //NS_ADDREF(mCertList);
-  }
-  
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsNSSCertCache::GetX509CachedCerts(nsIX509CertList **list)
-{
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
-  {
-    MutexAutoLock lock(mutex);
-    if (!mCertList) {
-      return NS_ERROR_NOT_AVAILABLE;
-    }
-    *list = mCertList;
-    NS_ADDREF(*list);
-  }
-  
-  return NS_OK;
-}
-
-
-
-void* nsNSSCertCache::GetCachedCerts()
-{
-  if (isAlreadyShutDown())
-    return nullptr;
-
-  MutexAutoLock lock(mutex);
-  return mCertList->GetRawCertList();
-}
deleted file mode 100644
--- a/security/manager/ssl/src/nsNSSCertCache.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef _NSNSSCERTCACHE_H_
-#define _NSNSSCERTCACHE_H_
-
-#include "nsINSSCertCache.h"
-#include "nsIX509CertList.h"
-#include "certt.h"
-#include "mozilla/Mutex.h"
-#include "nsNSSShutDown.h"
-#include "nsCOMPtr.h"
-
-class nsNSSCertCache : public nsINSSCertCache,
-                       public nsNSSShutDownObject
-{
-public:
-  NS_DECL_THREADSAFE_ISUPPORTS
-  NS_DECL_NSINSSCERTCACHE
-
-  nsNSSCertCache();
-
-protected:
-  virtual ~nsNSSCertCache();
-
-private:
-  mozilla::Mutex mutex;
-  nsCOMPtr<nsIX509CertList> mCertList;
-  virtual void virtualDestroyNSSReference() override;
-  void destructorSafeDestroyNSSReference();
-};
-
-#endif
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -1621,18 +1621,27 @@ nsNSSCertList::DupCertList(CERTCertList*
     CERT_AddCertToListTail(newList, cert);
   }
   return newList;
 }
 
 void*
 nsNSSCertList::GetRawCertList()
 {
-  // This function should only be called after adquiring a
-  // nsNSSShutDownPreventionLock
+  // This function should only be called after acquiring a
+  // nsNSSShutDownPreventionLock. It's difficult to enforce this in code since
+  // this is an implementation of an XPCOM interface function (albeit a
+  // C++-only one), so we acquire the (reentrant) lock and check for shutdown
+  // ourselves here. At the moment it appears that only nsCertTree uses this
+  // function. When that gets removed and replaced by a more reasonable
+  // implementation of the certificate manager, this function can be removed.
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return nullptr;
+  }
   return mCertList.get();
 }
 
 NS_IMETHODIMP
 nsNSSCertList::Write(nsIObjectOutputStream* aStream)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -15,17 +15,16 @@
 #include "NSSCertDBTrustDomain.h"
 #include "pkix/pkixtypes.h"
 #include "nsNSSComponent.h"
 #include "mozilla/Base64.h"
 #include "nsCOMPtr.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSHelper.h"
 #include "nsNSSCertHelper.h"
-#include "nsNSSCertCache.h"
 #include "nsCRT.h"
 #include "nsICertificateDialogs.h"
 #include "nsNSSCertTrust.h"
 #include "nsIFile.h"
 #include "nsPKCS12Blob.h"
 #include "nsPK11TokenDB.h"
 #include "nsReadableUtils.h"
 #include "nsIMutableArray.h"
--- a/security/manager/ssl/src/nsNSSModule.cpp
+++ b/security/manager/ssl/src/nsNSSModule.cpp
@@ -13,17 +13,16 @@
 
 #include "nsSDR.h"
 
 #include "nsPK11TokenDB.h"
 #include "nsPKCS11Slot.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSCertificateFakeTransport.h"
 #include "nsNSSCertificateDB.h"
-#include "nsNSSCertCache.h"
 #ifdef MOZ_XUL
 #include "nsCertTree.h"
 #endif
 #include "nsCrypto.h"
 #include "nsCryptoHash.h"
 //For the NS_CRYPTO_CONTRACTID define
 #include "nsDOMCID.h"
 #include "nsNetCID.h"
@@ -183,17 +182,16 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEn
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsSecretDecoderRing)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsPK11TokenDB)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsPKCS11ModuleDB)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nssEnsure, PSMContentListener, init)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_BYPROCESS(nssEnsureOnChromeOnly,
                                              nsNSSCertificate,
                                              nsNSSCertificateFakeTransport)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsNSSCertificateDB)
-NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsNSSCertCache)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_BYPROCESS(nssEnsureOnChromeOnly,
                                              nsNSSCertList,
                                              nsNSSCertListFakeTransport)
 #ifdef MOZ_XUL
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsCertTree)
 #endif
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsPkcs11)
 NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsCertPicker)
@@ -217,17 +215,16 @@ NS_DEFINE_NAMED_CID(NS_SSLSOCKETPROVIDER
 NS_DEFINE_NAMED_CID(NS_STARTTLSSOCKETPROVIDER_CID);
 NS_DEFINE_NAMED_CID(NS_SDR_CID);
 NS_DEFINE_NAMED_CID(NS_PK11TOKENDB_CID);
 NS_DEFINE_NAMED_CID(NS_PKCS11MODULEDB_CID);
 NS_DEFINE_NAMED_CID(NS_PSMCONTENTLISTEN_CID);
 NS_DEFINE_NAMED_CID(NS_X509CERT_CID);
 NS_DEFINE_NAMED_CID(NS_X509CERTDB_CID);
 NS_DEFINE_NAMED_CID(NS_X509CERTLIST_CID);
-NS_DEFINE_NAMED_CID(NS_NSSCERTCACHE_CID);
 NS_DEFINE_NAMED_CID(NS_FORMPROCESSOR_CID);
 #ifdef MOZ_XUL
 NS_DEFINE_NAMED_CID(NS_CERTTREE_CID);
 #endif
 NS_DEFINE_NAMED_CID(NS_PKCS11_CID);
 NS_DEFINE_NAMED_CID(NS_CRYPTO_HASH_CID);
 NS_DEFINE_NAMED_CID(NS_CRYPTO_HMAC_CID);
 NS_DEFINE_NAMED_CID(NS_CERT_PICKER_CID);
@@ -248,17 +245,16 @@ static const mozilla::Module::CIDEntry k
   { &kNS_STARTTLSSOCKETPROVIDER_CID, false, nullptr, nsTLSSocketProviderConstructor },
   { &kNS_SDR_CID, false, nullptr, nsSecretDecoderRingConstructor },
   { &kNS_PK11TOKENDB_CID, false, nullptr, nsPK11TokenDBConstructor },
   { &kNS_PKCS11MODULEDB_CID, false, nullptr, nsPKCS11ModuleDBConstructor },
   { &kNS_PSMCONTENTLISTEN_CID, false, nullptr, PSMContentListenerConstructor },
   { &kNS_X509CERT_CID, false, nullptr, nsNSSCertificateConstructor },
   { &kNS_X509CERTDB_CID, false, nullptr, nsNSSCertificateDBConstructor },
   { &kNS_X509CERTLIST_CID, false, nullptr, nsNSSCertListConstructor },
-  { &kNS_NSSCERTCACHE_CID, false, nullptr, nsNSSCertCacheConstructor },
   { &kNS_FORMPROCESSOR_CID, false, nullptr, nsKeygenFormProcessor::Create },
 #ifdef MOZ_XUL
   { &kNS_CERTTREE_CID, false, nullptr, nsCertTreeConstructor },
 #endif
   { &kNS_PKCS11_CID, false, nullptr, nsPkcs11Constructor },
   { &kNS_CRYPTO_HASH_CID, false, nullptr, nsCryptoHashConstructor },
   { &kNS_CRYPTO_HMAC_CID, false, nullptr, nsCryptoHMACConstructor },
   { &kNS_CERT_PICKER_CID, false, nullptr, nsCertPickerConstructor },
@@ -282,17 +278,16 @@ static const mozilla::Module::ContractID
   { NS_SSLSOCKETPROVIDER_CONTRACTID, &kNS_SSLSOCKETPROVIDER_CID },
   { NS_STARTTLSSOCKETPROVIDER_CONTRACTID, &kNS_STARTTLSSOCKETPROVIDER_CID },
   { NS_SDR_CONTRACTID, &kNS_SDR_CID },
   { NS_PK11TOKENDB_CONTRACTID, &kNS_PK11TOKENDB_CID },
   { NS_PKCS11MODULEDB_CONTRACTID, &kNS_PKCS11MODULEDB_CID },
   { NS_PSMCONTENTLISTEN_CONTRACTID, &kNS_PSMCONTENTLISTEN_CID },
   { NS_X509CERTDB_CONTRACTID, &kNS_X509CERTDB_CID },
   { NS_X509CERTLIST_CONTRACTID, &kNS_X509CERTLIST_CID },
-  { NS_NSSCERTCACHE_CONTRACTID, &kNS_NSSCERTCACHE_CID },
   { NS_FORMPROCESSOR_CONTRACTID, &kNS_FORMPROCESSOR_CID },
 #ifdef MOZ_XUL
   { NS_CERTTREE_CONTRACTID, &kNS_CERTTREE_CID },
 #endif
   { NS_PKCS11_CONTRACTID, &kNS_PKCS11_CID },
   { NS_CRYPTO_HASH_CONTRACTID, &kNS_CRYPTO_HASH_CID },
   { NS_CRYPTO_HMAC_CONTRACTID, &kNS_CRYPTO_HMAC_CID },
   { NS_CERT_PICKER_CONTRACTID, &kNS_CERT_PICKER_CID },
--- a/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
+++ b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
@@ -15,20 +15,19 @@ function onUnload() {
   window.focus();
   finish();
 }
 
 // This test opens and then closes the certificate viewer to test that it
 // does not cause assertion failures.
 function test() {
   waitForExplicitFinish();
-  let certCache = Cc["@mozilla.org/security/nsscertcache;1"]
-                    .getService(Ci.nsINSSCertCache);
-  certCache.cacheAllCerts();
-  let certList = certCache.getX509CachedCerts();
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+  let certList = certdb.getCerts();
   let enumerator = certList.getEnumerator();
   ok(enumerator.hasMoreElements(), "we have at least one certificate");
   let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
   ok(cert, "found a certificate to look at");
   info("looking at certificate with nickname " + cert.nickname);
   let arg = {
     QueryInterface: function() this,
     getISupportAtIndex: function() this.cert,