Backed out changeset 01b407d8a5af (bug 1453795) for build bustages on CertVerifier.h . CLOSED TREE
authorNarcis Beleuzu <nbeleuzu@mozilla.com>
Tue, 19 Jun 2018 07:38:57 +0300
changeset 422958 224fbf6776658105ad0ae21e8571ac7e50079431
parent 422957 e149fb41c712fb6e5236ca192d326451a41b0a82
child 422959 4cde573c283a56269a37bcb60066c863ba04ddd9
push id34160
push userdluca@mozilla.com
push dateTue, 19 Jun 2018 21:55:15 +0000
treeherdermozilla-central@e429320fcdd2 [default view] [failures only]
bugs1453795
milestone62.0a1
backs out01b407d8a5afabe4fd3da80e3f586c26dc9bc901
Backed out changeset 01b407d8a5af (bug 1453795) for build bustages on CertVerifier.h . CLOSED TREE
security/certverifier/CertVerifier.h
security/manager/ssl/PublicKeyPinningService.cpp
security/manager/ssl/SSLServerCertVerification.cpp
security/pkix/lib/pkixbuild.cpp
security/pkix/lib/pkixcheck.cpp
security/pkix/lib/pkixder.h
security/pkix/lib/pkixutil.h
security/pkix/lib/pkixverify.cpp
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -6,17 +6,16 @@
 
 #ifndef CertVerifier_h
 #define CertVerifier_h
 
 #include "BRNameMatchingPolicy.h"
 #include "CTPolicyEnforcer.h"
 #include "CTVerifyResult.h"
 #include "OCSPCache.h"
-#include "RootCertificateTelemetryUtils.h"
 #include "ScopedNSSTypes.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
 #include "mozilla/UniquePtr.h"
 #include "nsString.h"
 #include "pkix/pkixtypes.h"
 
 #if defined(_MSC_VER)
@@ -74,43 +73,33 @@ enum DistrustedCAPolicy : uint32_t {
 // update this to account for new entries in DistrustedCAPolicy.
 const uint32_t DistrustedCAPolicyMaxAllowedValueMask = 0b0011;
 
 enum class NetscapeStepUpPolicy : uint32_t;
 
 class PinningTelemetryInfo
 {
 public:
-  PinningTelemetryInfo()
-    : certPinningResultBucket(0)
-    , rootBucket(ROOT_CERTIFICATE_UNKNOWN)
-  {
-    Reset();
-  }
+  PinningTelemetryInfo() { Reset(); }
 
   // Should we accumulate pinning telemetry for the result?
   bool accumulateResult;
-  Maybe<Telemetry::HistogramID> certPinningResultHistogram;
+  Telemetry::HistogramID certPinningResultHistogram;
   int32_t certPinningResultBucket;
   // Should we accumulate telemetry for the root?
   bool accumulateForRoot;
   int32_t rootBucket;
 
   void Reset() { accumulateForRoot = false; accumulateResult = false; }
 };
 
 class CertificateTransparencyInfo
 {
 public:
-  CertificateTransparencyInfo()
-    : enabled(false)
-    , policyCompliance(mozilla::ct::CTPolicyCompliance::Unknown)
-  {
-    Reset();
-  }
+  CertificateTransparencyInfo() { Reset(); }
 
   // Was CT enabled?
   bool enabled;
   // Verification result of the processed SCTs.
   mozilla::ct::CTVerifyResult verifyResult;
   // Connection compliance to the CT Policy.
   mozilla::ct::CTPolicyCompliance policyCompliance;
 
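Review bot: On the new side `PinningTelemetryInfo()` only calls `Reset()`, and `Reset()` assigns just `accumulateForRoot` and `accumulateResult`, so `certPinningResultHistogram`, `certPinningResultBucket` and `rootBucket` are indeterminate after construction. The reader in security/manager/ssl/SSLServerCertVerification.cpp (`AuthCertificate`) now passes `certPinningResultHistogram` to `Telemetry::Accumulate` guarded only by `accumulateResult`, with the `isSome()` assertion gone, so that flag is the sole protection against reading an unset histogram id. Until the change relands, I would give the plain integer members in-class defaults such as `int32_t certPinningResultBucket = 0;`, which needs no extra header, and add `// Only meaningful when accumulateResult is true.` above `certPinningResultHistogram`. The same concern applies to `CertificateTransparencyInfo`, but its `Reset()` body lies outside this hunk, so whether `enabled` and `policyCompliance` are assigned there cannot be confirmed from here.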
--- a/security/manager/ssl/PublicKeyPinningService.cpp
+++ b/security/manager/ssl/PublicKeyPinningService.cpp
@@ -300,17 +300,17 @@ CheckPinsForHostname(const RefPtr<nsNSSC
           ? Telemetry::CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST
           : Telemetry::CERT_PINNING_MOZ_RESULTS_BY_HOST;
         pinningTelemetryInfo->certPinningResultBucket = bucket;
       } else {
         pinningTelemetryInfo->certPinningResultBucket =
             enforceTestModeResult ? 1 : 0;
       }
       pinningTelemetryInfo->accumulateResult = true;
-      pinningTelemetryInfo->certPinningResultHistogram = Some(histogram);
+      pinningTelemetryInfo->certPinningResultHistogram = histogram;
     }
 
     // We only collect per-CA pinning statistics upon failures.
     nsCOMPtr<nsIX509Cert> rootCert;
     rv = certList->GetRootCertificate(rootCert);
     if (NS_FAILED(rv)) {
       return rv;
     }
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -1426,18 +1426,17 @@ AuthCertificate(CertVerifier& certVerifi
   }
 
   if (pinningTelemetryInfo.accumulateForRoot) {
     Telemetry::Accumulate(Telemetry::CERT_PINNING_FAILURES_BY_CA,
                           pinningTelemetryInfo.rootBucket);
   }
 
   if (pinningTelemetryInfo.accumulateResult) {
-    MOZ_ASSERT(pinningTelemetryInfo.certPinningResultHistogram.isSome());
-    Telemetry::Accumulate(pinningTelemetryInfo.certPinningResultHistogram.value(),
+    Telemetry::Accumulate(pinningTelemetryInfo.certPinningResultHistogram,
                           pinningTelemetryInfo.certPinningResultBucket);
   }
 
   if (rv == Success) {
     // Certificate verification succeeded. Delete any potential record of
     // certificate error bits.
     RememberCertErrorsTable::GetInstance().RememberCertHasError(infoObject,
                                                                 nullptr,
--- a/security/pkix/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@@ -56,17 +56,16 @@ public:
     : trustDomain(aTrustDomain)
     , subject(aSubject)
     , time(aTime)
     , requiredEKUIfPresent(aRequiredEKUIfPresent)
     , requiredPolicy(aRequiredPolicy)
     , stapledOCSPResponse(aStapledOCSPResponse)
     , subCACount(aSubCACount)
     , deferredSubjectError(aDeferredSubjectError)
-    , subjectSignaturePublicKeyAlg(der::PublicKeyAlgorithm::Uninitialized)
     , result(Result::FATAL_ERROR_LIBRARY_FAILURE)
     , resultWasSet(false)
     , buildForwardCallBudget(aBuildForwardCallBudget)
   {
   }
 
   Result Check(Input potentialIssuerDER,
                /*optional*/ const Input* additionalNameConstraints,
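Review bot: The member-initializer list on the new side no longer covers `subjectSignaturePublicKeyAlg`, so it holds an indeterminate value until something assigns it; the same holds for `BackCert::version` in the security/pkix/lib/pkixutil.h hunk. Because the switches in pkixcheck.cpp and pkixverify.cpp now list only `RSA_PKCS1` and `ECDSA` and leave everything else to `MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM`, a read before assignment would either match a valid algorithm by accident or depend on whatever that macro expands to, which is not visible here. The commit message attributes the bustage to CertVerifier.h only, so these pkix initializations look like candidates to reland on their own. In the meantime I would record the contract next to the initializer list, e.g. `// subjectSignaturePublicKeyAlg is intentionally not initialized here; it must be assigned before first use.` The constructor's signature starts above this hunk and the `Check` declaration continues past its end.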
--- a/security/pkix/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -113,20 +113,16 @@ CheckSignatureAlgorithm(TrustDomain& tru
 
     case der::PublicKeyAlgorithm::ECDSA:
       // In theory, we could implement a similar early-pruning optimization for
       // ECDSA curves. However, since there has been no similar deprecation for
       // for any curve that we support, the chances of us encountering a curve
       // during path building is too low to be worth bothering with.
       break;
 
-    case der::PublicKeyAlgorithm::Uninitialized:
-      assert(false);
-      return Result::FATAL_ERROR_LIBRARY_FAILURE;
-
     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
   }
 
   return Success;
 }
 
 // 4.1.2.4 Issuer
 
--- a/security/pkix/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@@ -452,17 +452,17 @@ CertificateSerialNumber(Reader& input, /
   //   gracefully handle such certificates."
   return internal::IntegralBytes(
            input, INTEGER, internal::IntegralValueRestriction::NoRestriction,
            value);
 }
 
 // x.509 and OCSP both use this same version numbering scheme, though OCSP
 // only supports v1.
-enum class Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3, Uninitialized = 255 };
+enum class Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3 };
 
 // X.509 Certificate and OCSP ResponseData both use
 // "[0] EXPLICIT Version DEFAULT v1". Although an explicit encoding of v1 is
 // illegal, we support it because some real-world OCSP responses explicitly
 // encode it.
 Result OptionalVersion(Reader& input, /*out*/ Version& version);
 
 template <typename ExtensionHandler>
@@ -517,17 +517,16 @@ OptionalExtensions(Reader& input, uint8_
 
 Result DigestAlgorithmIdentifier(Reader& input,
                                  /*out*/ DigestAlgorithm& algorithm);
 
 enum class PublicKeyAlgorithm
 {
   RSA_PKCS1,
   ECDSA,
-  Uninitialized
 };
 
 Result SignatureAlgorithmIdentifierValue(
          Reader& input,
          /*out*/ PublicKeyAlgorithm& publicKeyAlgorithm,
          /*out*/ DigestAlgorithm& digestAlgorithm);
 
 struct SignedDataWithSignature final
--- a/security/pkix/lib/pkixutil.h
+++ b/security/pkix/lib/pkixutil.h
@@ -37,23 +37,21 @@ namespace mozilla { namespace pkix {
 //
 // Each BackCert contains pointers to all the given certificate's extensions
 // so that we can parse the extension block once and then process the
 // extensions in an order that may be different than they appear in the cert.
 class BackCert final
 {
 public:
   // certDER and childCert must be valid for the lifetime of BackCert.
-  BackCert(Input aCertDER,
-           EndEntityOrCA aEndEntityOrCA,
+  BackCert(Input aCertDER, EndEntityOrCA aEndEntityOrCA,
            const BackCert* aChildCert)
     : der(aCertDER)
     , endEntityOrCA(aEndEntityOrCA)
     , childCert(aChildCert)
-    , version(der::Version::Uninitialized)
   {
   }
 
   Result Init();
 
   const Input GetDER() const { return der; }
   const der::SignedDataWithSignature& GetSignedData() const {
     return signedData;
--- a/security/pkix/lib/pkixverify.cpp
+++ b/security/pkix/lib/pkixverify.cpp
@@ -74,19 +74,16 @@ VerifySignedDigest(TrustDomain& trustDom
 {
   switch (publicKeyAlg) {
     case der::PublicKeyAlgorithm::ECDSA:
       return trustDomain.VerifyECDSASignedDigest(signedDigest,
                                                  signerSubjectPublicKeyInfo);
     case der::PublicKeyAlgorithm::RSA_PKCS1:
       return trustDomain.VerifyRSAPKCS1SignedDigest(signedDigest,
                                                     signerSubjectPublicKeyInfo);
-    case der::PublicKeyAlgorithm::Uninitialized:
-      assert(false);
-      return Result::FATAL_ERROR_LIBRARY_FAILURE;
     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
   }
 }
 
 Result
 VerifySignedData(TrustDomain& trustDomain,
                  const der::SignedDataWithSignature& signedData,
                  Input signerSubjectPublicKeyInfo)