Bug 643041 - Merge nsIX509Cert2 and nsIX509Cert3 into nsIX509Cert, and merge nsIX509CertDB2 into nsIX509CertDB. r=keeler
authorHarsh Pathak <hpathak@mozilla.com>
Thu, 03 Jul 2014 22:09:24 -0700
changeset 192353 240a0b085725d132fa9616a78d0ceebe8255c1db
parent 192352 7231daefbb2857793fafdb9e5a37488f31db87df
child 192354 95020e2c631dc467aa4de467e3c78ec22a654374
push id27081
push usercbook@mozilla.com
push dateFri, 04 Jul 2014 11:44:24 +0000
treeherdermozilla-central@0bcf1102e943 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs643041
milestone33.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 643041 - Merge nsIX509Cert2 and nsIX509Cert3 into nsIX509Cert, and merge nsIX509CertDB2 into nsIX509CertDB. r=keeler
dom/wifi/WifiWorker.js
security/apps/AppSignatureVerification.cpp
security/manager/pki/resources/content/pippki.js
security/manager/pki/resources/content/viewCertDetails.js
security/manager/ssl/public/moz.build
security/manager/ssl/public/nsISSLStatus.idl
security/manager/ssl/public/nsIX509Cert.idl
security/manager/ssl/public/nsIX509Cert2.idl
security/manager/ssl/public/nsIX509Cert3.idl
security/manager/ssl/public/nsIX509CertDB.idl
security/manager/ssl/public/nsIX509CertDB2.idl
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/src/TransportSecurityInfo.cpp
security/manager/ssl/src/nsCertOverrideService.cpp
security/manager/ssl/src/nsCertTree.cpp
security/manager/ssl/src/nsCertVerificationThread.cpp
security/manager/ssl/src/nsNSSCertificate.cpp
security/manager/ssl/src/nsNSSCertificate.h
security/manager/ssl/src/nsNSSCertificateDB.cpp
security/manager/ssl/src/nsNSSCertificateDB.h
security/manager/ssl/src/nsNSSCertificateFakeTransport.cpp
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/src/nsVerificationJob.h
security/manager/ssl/tests/unit/test_getchain.js
security/manager/tools/genHPKPStaticPins.js
toolkit/modules/CertUtils.jsm
--- a/dom/wifi/WifiWorker.js
+++ b/dom/wifi/WifiWorker.js
@@ -3304,40 +3304,40 @@ WifiWorker.prototype = {
     const message = "WifiManager:getImportedCerts:Return";
     let self = this;
 
     if (!WifiManager.enabled) {
       this._sendMessage(message, false, "Wifi is disabled", msg);
       return;
     }
 
-    let certDB2 = Cc["@mozilla.org/security/x509certdb;1"]
-                  .getService(Ci.nsIX509CertDB2);
-    if (!certDB2) {
+    let certDB = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+    if (!certDB) {
       self._sendMessage(message, false, "Failed to query NSS DB service", msg);
     }
 
-    let certList = certDB2.getCerts();
+    let certList = certDB.getCerts();
     if (!certList) {
       self._sendMessage(message, false, "Failed to get certificate List", msg);
     }
 
     let certListEnum = certList.getEnumerator();
     if (!certListEnum) {
       self._sendMessage(message, false, "Failed to get certificate List enumerator", msg);
     }
     let importedCerts = {
       ServerCert: [],
     };
     let UsageMapping = {
       SERVERCERT: "ServerCert",
     };
 
     while (certListEnum.hasMoreElements()) {
-      let certInfo = certListEnum.getNext().QueryInterface(Ci.nsIX509Cert3);
+      let certInfo = certListEnum.getNext().QueryInterface(Ci.nsIX509Cert);
       let certNicknameInfo = /WIFI\_([A-Z]*)\_(.*)/.exec(certInfo.nickname);
       if (!certNicknameInfo) {
         continue;
       }
       importedCerts[UsageMapping[certNicknameInfo[1]]].push(certNicknameInfo[2]);
     }
 
     self._sendMessage(message, true, importedCerts, msg);
--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -564,17 +564,17 @@ VerifySignature(AppTrustedRoot trustedRo
   return VerifyCMSDetachedSignatureIncludingCertificate(buffer, detachedDigest,
                                                         VerifyCertificate,
                                                         &context, nullptr);
 }
 
 NS_IMETHODIMP
 OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
                   /*out, optional */ nsIZipReader** aZipReader,
-                  /*out, optional */ nsIX509Cert3** aSignerCert)
+                  /*out, optional */ nsIX509Cert** aSignerCert)
 {
   NS_ENSURE_ARG_POINTER(aJarFile);
 
   if (aZipReader) {
     *aZipReader = nullptr;
   }
 
   if (aSignerCert) {
@@ -723,17 +723,17 @@ OpenSignedAppFile(AppTrustedRoot aTruste
     zip.forget(aZipReader);
   }
 
   // Return the signer's certificate to the reader if they want it.
   // XXX: We should return an nsIX509CertList with the whole validated chain,
   //      but we can't do that until we switch to libpkix.
   if (aSignerCert) {
     MOZ_ASSERT(CERT_LIST_HEAD(builtChain));
-    nsCOMPtr<nsIX509Cert3> signerCert =
+    nsCOMPtr<nsIX509Cert> signerCert =
       nsNSSCertificate::Create(CERT_LIST_HEAD(builtChain)->cert);
     NS_ENSURE_TRUE(signerCert, NS_ERROR_OUT_OF_MEMORY);
     signerCert.forget(aSignerCert);
   }
 
   return NS_OK;
 }
 
@@ -764,17 +764,17 @@ private:
   {
     (void) mCallback->OpenSignedAppFileFinished(rv, mZipReader, mSignerCert);
   }
 
   const AppTrustedRoot mTrustedRoot;
   const nsCOMPtr<nsIFile> mJarFile;
   nsMainThreadPtrHandle<nsIOpenSignedAppFileCallback> mCallback;
   nsCOMPtr<nsIZipReader> mZipReader; // out
-  nsCOMPtr<nsIX509Cert3> mSignerCert; // out
+  nsCOMPtr<nsIX509Cert> mSignerCert; // out
 };
 
 } // unnamed namespace
 
 NS_IMETHODIMP
 nsNSSCertificateDB::OpenSignedAppFileAsync(
   AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
   nsIOpenSignedAppFileCallback* aCallback)
--- a/security/manager/pki/resources/content/pippki.js
+++ b/security/manager/pki/resources/content/pippki.js
@@ -38,17 +38,16 @@ function getDERString(cert)
     derString += String.fromCharCode(derArray[i]);
   }
   return derString;
 }
 
 function getPKCS7String(cert, chainMode)
 {
   var length = {};
-  cert.QueryInterface(Components.interfaces.nsIX509Cert3);
   var pkcs7Array = cert.exportAsCMS(chainMode, length);
   var pkcs7String = '';
   for (var i = 0; i < pkcs7Array.length; i++) {
     pkcs7String += String.fromCharCode(pkcs7Array[i]);
   }
   return pkcs7String;
 }
 
@@ -105,20 +104,20 @@ function exportToFile(parent, cert)
       var chain = cert.getChain();
       for (var i = 1; i < chain.length; i++)
         content += getPEMString(chain.queryElementAt(i, Components.interfaces.nsIX509Cert));
       break;
     case 2:
       content = getDERString(cert);
       break;
     case 3:
-      content = getPKCS7String(cert, Components.interfaces.nsIX509Cert3.CMS_CHAIN_MODE_CertOnly);
+      content = getPKCS7String(cert, Components.interfaces.nsIX509Cert.CMS_CHAIN_MODE_CertOnly);
       break;
     case 4:
-      content = getPKCS7String(cert, Components.interfaces.nsIX509Cert3.CMS_CHAIN_MODE_CertChainWithRoot);
+      content = getPKCS7String(cert, Components.interfaces.nsIX509Cert.CMS_CHAIN_MODE_CertChainWithRoot);
       break;
     case 0:
     default:
       content = getPEMString(cert);
       break;
   }
   var msg;
   var written = 0;
--- a/security/manager/pki/resources/content/viewCertDetails.js
+++ b/security/manager/pki/resources/content/viewCertDetails.js
@@ -1,14 +1,13 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 const nsIX509Cert = Components.interfaces.nsIX509Cert;
-const nsIX509Cert3 = Components.interfaces.nsIX509Cert3;
 const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
 const nsIX509CertDB = Components.interfaces.nsIX509CertDB;
 const nsPK11TokenDB = "@mozilla.org/security/pk11tokendb;1";
 const nsIPK11TokenDB = Components.interfaces.nsIPK11TokenDB;
 const nsIPKIParamBlock = Components.interfaces.nsIPKIParamBlock;
 const nsIASN1Object = Components.interfaces.nsIASN1Object;
 const nsIASN1Sequence = Components.interfaces.nsIASN1Sequence;
 const nsIASN1PrintableItem = Components.interfaces.nsIASN1PrintableItem;
@@ -89,24 +88,19 @@ function setWindowName()
   //  Set the cert attributes for viewing
   //
 
   //  The chain of trust
   var chain = cert.getChain();
   AddCertChain("treesetDump", chain, "dump_");
   DisplayGeneralDataFromCert(cert);
   BuildPrettyPrint(cert);
-  
-  if (cert instanceof nsIX509Cert3)
-  {
-    cert.requestUsagesArrayAsync(new listener());
-  }
+  cert.requestUsagesArrayAsync(new listener());
 }
 
- 
 function addChildrenToTree(parentTree,label,value,addTwistie)
 {
   var treeChild1 = document.createElement("treechildren");
   var treeElement = addTreeItemToTreeChild(treeChild1,label,value,addTwistie);
   parentTree.appendChild(treeChild1);
   return treeElement;
 }
 
@@ -244,17 +238,17 @@ function DisplayGeneralDataFromCert(cert
   // SHA-256 Fingerprint
   addAttributeFromCert('sha256fingerprint', cert.sha256Fingerprint);
   //  SHA1 Fingerprint
   addAttributeFromCert('sha1fingerprint',cert.sha1Fingerprint);
   // Validity start
   addAttributeFromCert('validitystart', cert.validity.notBeforeLocalDay);
   // Validity end
   addAttributeFromCert('validityend', cert.validity.notAfterLocalDay);
-  
+
   //Now to populate the fields that correspond to the issuer.
   var issuerCommonname, issuerOrg, issuerOrgUnit;
   issuerCommonname = cert.issuerCommonName;
   issuerOrg = cert.issuerOrganization;
   issuerOrgUnit = cert.issuerOrganizationUnit;
   addAttributeFromCert('issuercommonname', issuerCommonname);
   addAttributeFromCert('issuerorganization', issuerOrg);
   addAttributeFromCert('issuerorgunit', issuerOrgUnit);
@@ -282,17 +276,17 @@ function updateCertDump()
 function getCurrentCert()
 {
   var realIndex;
   var tree = document.getElementById('treesetDump');
   if (tree.view.selection.isSelected(tree.currentIndex)
       && document.getElementById('prettyprint_tab').selected) {
     /* if the user manually selected a cert on the Details tab,
        then take that one  */
-    realIndex = tree.currentIndex;    
+    realIndex = tree.currentIndex;
   } else {
     /* otherwise, take the one at the bottom of the chain
        (i.e. the one of the end-entity, unless we're displaying
        CA certs) */
     realIndex = tree.view.rowCount - 1;
   }
   if (realIndex >= 0) {
     var item = tree.contentView.getItemAtIndex(realIndex);
--- a/security/manager/ssl/public/moz.build
+++ b/security/manager/ssl/public/moz.build
@@ -34,20 +34,17 @@ XPIDL_SOURCES += [
     'nsIRecentBadCertsService.idl',
     'nsISSLErrorListener.idl',
     'nsISSLStatus.idl',
     'nsIStreamCipher.idl',
     'nsITokenDialogs.idl',
     'nsITokenPasswordDialogs.idl',
     'nsIUserCertPicker.idl',
     'nsIX509Cert.idl',
-    'nsIX509Cert2.idl',
-    'nsIX509Cert3.idl',
     'nsIX509CertDB.idl',
-    'nsIX509CertDB2.idl',
     'nsIX509CertList.idl',
     'nsIX509CertValidity.idl',
 ]
 
 if CONFIG['MOZ_XUL']:
     XPIDL_SOURCES += [
         'nsICertTree.idl',
     ]
--- a/security/manager/ssl/public/nsISSLStatus.idl
+++ b/security/manager/ssl/public/nsISSLStatus.idl
@@ -18,17 +18,17 @@ interface nsISSLStatus : nsISupports {
 
   readonly attribute boolean isDomainMismatch;
   readonly attribute boolean isNotValidAtThisTime;
 
   /* Note: To distinguish between 
    *         "unstrusted because missing or untrusted issuer"
    *       and 
    *         "untrusted because self signed"
-   *       query nsIX509Cert3::isSelfSigned 
+   *       query nsIX509Cert::isSelfSigned
    */
   readonly attribute boolean isUntrusted;
 
   /**
    * True only if (and after) serverCert was successfully validated as
    * Extended Validation (EV).
    */
   readonly attribute boolean isExtendedValidation;
--- a/security/manager/ssl/public/nsIX509Cert.idl
+++ b/security/manager/ssl/public/nsIX509Cert.idl
@@ -4,21 +4,28 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 
 interface nsIArray;
 interface nsIX509CertValidity;
 interface nsIASN1Object;
+interface nsICertVerificationListener;
+
+%{ C++
+ /* forward declaration */
+ typedef struct CERTCertificateStr CERTCertificate;
+%}
+[ptr] native CERTCertificatePtr(CERTCertificate);
 
 /**
  * This represents a X.509 certificate.
  */
-[scriptable, uuid(891d2009-b9ba-4a0d-bebe-6b3a30e33191)]
+[scriptable, uuid(f8ed8364-ced9-4c6e-86ba-48af53c393e6)]
 interface nsIX509Cert : nsISupports {
 
   /**
    *  A nickname for the certificate.
    */
   readonly attribute AString nickname;
 
   /**
@@ -28,26 +35,26 @@ interface nsIX509Cert : nsISupports {
 
   /**
    *  Obtain a list of all email addresses
    *  contained in the certificate.
    *
    *  @param length The number of strings in the returned array.
    *  @return An array of email addresses.
    */
-  void getEmailAddresses(out unsigned long length, 
+  void getEmailAddresses(out unsigned long length,
                          [retval, array, size_is(length)] out wstring addresses);
 
   /**
    *  Check whether a given address is contained in the certificate.
    *  The comparison will convert the email address to lowercase.
    *  The behaviour for non ASCII characters is undefined.
    *
    *  @param aEmailAddress The address to search for.
-   *                
+   *
    *  @return True if the address is contained in the certificate.
    */
   boolean containsEmailAddress(in AString aEmailAddress);
 
   /**
    *  The subject owning the certificate.
    */
   readonly attribute AString subjectName;
@@ -133,31 +140,43 @@ interface nsIX509Cert : nsISupports {
   /**
    *  Constants to classify the type of a certificate.
    */
   const unsigned long UNKNOWN_CERT =      0;
   const unsigned long CA_CERT      = 1 << 0;
   const unsigned long USER_CERT    = 1 << 1;
   const unsigned long EMAIL_CERT   = 1 << 2;
   const unsigned long SERVER_CERT  = 1 << 3;
+  const unsigned long ANY_CERT     = 0xffff;
+
+  /**
+   * Type of this certificate
+   */
+  readonly attribute unsigned long certType;
+
+  /**
+   *  True if the certificate is self-signed. CA issued
+   *  certificates are always self-signed.
+   */
+  readonly attribute boolean isSelfSigned;
 
   /**
    *  Constants for certificate verification results.
    */
   const unsigned long VERIFIED_OK          =      0;
   const unsigned long NOT_VERIFIED_UNKNOWN = 1 << 0;
   const unsigned long CERT_REVOKED         = 1 << 1;
   const unsigned long CERT_EXPIRED         = 1 << 2;
   const unsigned long CERT_NOT_TRUSTED     = 1 << 3;
   const unsigned long ISSUER_NOT_TRUSTED   = 1 << 4;
   const unsigned long ISSUER_UNKNOWN       = 1 << 5;
   const unsigned long INVALID_CA           = 1 << 6;
   const unsigned long USAGE_NOT_ALLOWED    = 1 << 7;
   const unsigned long SIGNATURE_ALGORITHM_DISABLED = 1 << 8;
-  
+
   /**
    *  Constants that describe the certified usages of a certificate.
    *
    *  Deprecated and unused
    */
   const unsigned long CERT_USAGE_SSLClient = 0;
   const unsigned long CERT_USAGE_SSLServer = 1;
   const unsigned long CERT_USAGE_SSLServerWithStepUp = 2;
@@ -167,17 +186,24 @@ interface nsIX509Cert : nsISupports {
   const unsigned long CERT_USAGE_ObjectSigner = 6;
   const unsigned long CERT_USAGE_UserCertImport = 7;
   const unsigned long CERT_USAGE_VerifyCA = 8;
   const unsigned long CERT_USAGE_ProtectedObjectSigner = 9;
   const unsigned long CERT_USAGE_StatusResponder = 10;
   const unsigned long CERT_USAGE_AnyCA = 11;
 
   /**
-   *  Obtain a list of certificates that contains this certificate 
+   *  Constants for specifying the chain mode when exporting a certificate
+   */
+  const unsigned long CMS_CHAIN_MODE_CertOnly = 1;
+  const unsigned long CMS_CHAIN_MODE_CertChain = 2;
+  const unsigned long CMS_CHAIN_MODE_CertChainWithRoot = 3;
+
+  /**
+   *  Obtain a list of certificates that contains this certificate
    *  and the issuing certificates of all involved issuers,
    *  up to the root issuer.
    *
    *  @return The chain of certifficates including the issuers.
    */
   nsIArray getChain();
 
   /**
@@ -187,20 +213,28 @@ interface nsIX509Cert : nsISupports {
    *  @param localOnly Do not hit the network, even if revocation information
    *                   downloading is currently activated.
    *  @param verified The certificate verification result, see constants.
    *  @param count The number of human readable usages returned.
    *  @param usages The array of human readable usages.
    */
   void getUsagesArray(in boolean localOnly,
                       out uint32_t verified,
-                      out uint32_t count, 
+                      out uint32_t count,
                       [array, size_is(count)] out wstring usages);
 
   /**
+   *  Async version of nsIX509Cert::getUsagesArray()
+   *
+   *  Will not block, will request results asynchronously,
+   *  availability of results will be notified on the main thread.
+   */
+  void requestUsagesArrayAsync(in nsICertVerificationListener cvl);
+
+  /**
    *  Obtain a single comma separated human readable string describing
    *  the certificate's certified usages.
    *
    *  @param localOnly Do not hit the network, even if revocation information
    *                   downloading is currently activated.
    *  @param verified The certificate verification result, see constants.
    *  @param purposes The string listing the usages.
    */
@@ -219,21 +253,98 @@ interface nsIX509Cert : nsISupports {
    *
    *  @param length The number of bytes in the binary encoding.
    *  @param data The bytes representing the DER encoded certificate.
    */
   void getRawDER(out unsigned long length,
 	               [retval, array, size_is(length)] out octet data);
 
   /**
-   *  Test whether two certificate instances represent the 
+   *  Test whether two certificate instances represent the
    *  same certificate.
    *
    *  @return Whether the certificates are equal
    */
   boolean equals(in nsIX509Cert other);
 
   /**
    * The base64 encoding of the DER encoded public key info using the specified
    * digest.
    */
   readonly attribute ACString sha256SubjectPublicKeyInfoDigest;
+
+  /**
+   *  Obtain the certificate wrapped in a PKCS#7 SignedData structure,
+   *  with or without the certificate chain
+   *
+   *  @param chainMode Whether to include the chain (with or without the root),
+                       see CMS_CHAIN_MODE constants.
+   *  @param length The number of bytes of the PKCS#7 data.
+   *  @param data The bytes representing the PKCS#7 wrapped certificate.
+   */
+  void exportAsCMS(in unsigned long chainMode,
+                   out unsigned long length,
+                   [retval, array, size_is(length)] out octet data);
+
+  /**
+   * Retrieves the NSS certificate object wrapped by this interface
+   */
+   [notxpcom, noscript] CERTCertificatePtr getCert();
+
+  /**
+   * Human readable names identifying all hardware or
+   * software tokens the certificate is stored on.
+   *
+   * @param length On success, the number of entries in the returned array.
+   * @return On success, an array containing the names of all tokens
+   *         the certificate is stored on (may be empty).
+   *         On failure the function throws/returns an error.
+   */
+  void getAllTokenNames(out unsigned long length,
+                       [retval, array, size_is(length)] out wstring
+                       tokenNames);
+
+  /**
+   * Either delete the certificate from all cert databases,
+   * or mark it as untrusted.
+   */
+  void markForPermDeletion();
 };
+
+[scriptable, uuid(2fd0a785-9f2d-4327-8871-8c3e0783891d)]
+interface nsICertVerificationResult : nsISupports {
+
+  /**
+   *  This interface reflects a container of
+   *  verification results. Call will not block.
+   *
+   *  Obtain an array of human readable strings describing
+   *  the certificate's certified usages.
+   *
+   *  Mirrors the results produced by
+   *  nsIX509Cert::getUsagesArray()
+   *
+   *  As of today, this function is a one-shot object,
+   *  only the first call will succeed.
+   *  This allows an optimization in the implementation,
+   *  ownership of result data will be transfered to caller.
+   *
+   *  @param cert The certificate that was verified.
+   *  @param verified The certificate verification result,
+   *         see constants in nsIX509Cert.
+   *  @param count The number of human readable usages returned.
+   *  @param usages The array of human readable usages.
+   */
+  void getUsagesArrayResult(out uint32_t verified,
+                            out uint32_t count,
+                            [array, size_is(count)] out wstring usages);
+};
+
+[scriptable, uuid(6684bce9-50db-48e1-81b7-98102bf81357)]
+interface nsICertVerificationListener : nsISupports {
+
+  /**
+   *  Notify that results are ready, that have been requested
+   *  using nsIX509Cert::requestUsagesArrayAsync()
+   */
+  void notify(in nsIX509Cert verifiedCert,
+              in nsICertVerificationResult result);
+};
deleted file mode 100644
--- a/security/manager/ssl/public/nsIX509Cert2.idl
+++ /dev/null
@@ -1,30 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsIX509Cert.idl"
-
-interface nsIArray;
-interface nsIASN1Object;
-
-%{ C++
- /* forward declaration */
- typedef struct CERTCertificateStr CERTCertificate;
-%}
-[ptr] native CERTCertificatePtr(CERTCertificate);
-
-/**
- * This represents additional interfaces to X.509 certificates
- */
-[scriptable, uuid(5b62c61c-f898-4dab-8ace-51109bb459b4)]
-interface nsIX509Cert2 : nsIX509Cert {
-  /**
-   *  Additional constants to classify the type of a certificate.
-   */
-  const unsigned long ANY_CERT  = 0xffff;
-  readonly attribute unsigned long certType;
-  void markForPermDeletion();
-  [notxpcom, noscript] CERTCertificatePtr getCert();
-};
deleted file mode 100644
--- a/security/manager/ssl/public/nsIX509Cert3.idl
+++ /dev/null
@@ -1,98 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsIX509Cert2.idl"
-
-interface nsICertVerificationListener;
-
-/**
- * Extending nsIX509Cert
- */
-[scriptable, uuid(399004d8-b8c7-4eb9-8362-d99f4c0161fd)]
-interface nsIX509Cert3 : nsIX509Cert2 {
-
-  /**
-   *  Constants for specifying the chain mode when exporting a certificate
-   */
-  const unsigned long CMS_CHAIN_MODE_CertOnly = 1;
-  const unsigned long CMS_CHAIN_MODE_CertChain = 2;
-  const unsigned long CMS_CHAIN_MODE_CertChainWithRoot = 3;
-
-  /**
-   *  Async version of nsIX509Cert::getUsagesArray()
-   *
-   *  Will not block, will request results asynchronously,
-   *  availability of results will be notified on the main thread.
-   */ 
-  void requestUsagesArrayAsync(in nsICertVerificationListener cvl);
-
-  /**
-   *  Obtain the certificate wrapped in a PKCS#7 SignedData structure,
-   *  with or without the certificate chain
-   *
-   *  @param chainMode Whether to include the chain (with or without the root),
-                       see CMS_CHAIN_MODE constants.
-   *  @param length The number of bytes of the PKCS#7 data.
-   *  @param data The bytes representing the PKCS#7 wrapped certificate.
-   */
-  void exportAsCMS(in unsigned long chainMode,
-                   out unsigned long length,
-                   [retval, array, size_is(length)] out octet data);
-
-  readonly attribute boolean isSelfSigned;
-
-  /**
-   * Human readable names identifying all hardware or
-   * software tokens the certificate is stored on.
-   *
-   * @param length On success, the number of entries in the returned array.
-   * @return On success, an array containing the names of all tokens 
-   *         the certificate is stored on (may be empty).
-   *         On failure the function throws/returns an error.
-   */
-  void getAllTokenNames(out unsigned long length,
-                       [retval, array, size_is(length)] out wstring
-                       tokenNames);
-};
-
-[scriptable, uuid(2fd0a785-9f2d-4327-8871-8c3e0783891d)]
-interface nsICertVerificationResult : nsISupports {
-
-  /**
-   *  This interface reflects a container of
-   *  verification results. Call will not block.
-   *
-   *  Obtain an array of human readable strings describing
-   *  the certificate's certified usages.
-   *
-   *  Mirrors the results produced by 
-   *  nsIX509Cert::getUsagesArray()
-   *
-   *  As of today, this function is a one-shot object,
-   *  only the first call will succeed.
-   *  This allows an optimization in the implementation, 
-   *  ownership of result data will be transfered to caller.
-   *
-   *  @param cert The certificate that was verified.
-   *  @param verified The certificate verification result, 
-   *         see constants in nsIX509Cert.
-   *  @param count The number of human readable usages returned.
-   *  @param usages The array of human readable usages.
-   */ 
-  void getUsagesArrayResult(out uint32_t verified,
-                            out uint32_t count, 
-                            [array, size_is(count)] out wstring usages);
-};
-
-
-[scriptable, uuid(6684bce9-50db-48e1-81b7-98102bf81357)]
-interface nsICertVerificationListener : nsISupports {
-
-  /**
-   *  Notify that results are ready, that have been requested
-   *  using nsIX509Cert3::requestUsagesArrayAsync()
-   */
-  void notify(in nsIX509Cert3 verifiedCert,
-              in nsICertVerificationResult result);
-};
--- a/security/manager/ssl/public/nsIX509CertDB.idl
+++ b/security/manager/ssl/public/nsIX509CertDB.idl
@@ -3,39 +3,38 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 
 interface nsIArray;
 interface nsIX509Cert;
-interface nsIX509Cert3;
 interface nsIFile;
 interface nsIInterfaceRequestor;
 interface nsIZipReader;
 interface nsIRecentBadCerts;
 interface nsIX509CertList;
 
 %{C++
 #define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1"
 %}
 
 typedef uint32_t AppTrustedRoot;
 
-[scriptable, function, uuid(0927baea-622d-4e41-a76d-255af426e7fb)]
+[scriptable, function, uuid(5984db62-d0e5-4671-a082-799cf7271e24)]
 interface nsIOpenSignedAppFileCallback : nsISupports
 {
   void openSignedAppFileFinished(in nsresult rv,
                                  in nsIZipReader aZipReader,
-                                 in nsIX509Cert3 aSignerCert);
+                                 in nsIX509Cert aSignerCert);
 };
 
 /**
- * This represents a service to access and manipulate 
+ * This represents a service to access and manipulate
  * X.509 certificates stored in a database.
  */
 [scriptable, uuid(7446a5b1-84ca-491f-a2fe-0bc60a71ffa5)]
 interface nsIX509CertDB : nsISupports {
 
   /**
    *  Constants that define which usages a certificate
    *  is trusted for.
@@ -44,88 +43,88 @@ interface nsIX509CertDB : nsISupports {
   const unsigned long TRUSTED_SSL     = 1 << 0;
   const unsigned long TRUSTED_EMAIL   = 1 << 1;
   const unsigned long TRUSTED_OBJSIGN = 1 << 2;
 
   /**
    *  Given a nickname and optionally a token,
    *  locate the matching certificate.
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aNickname The nickname to be used as the key
    *                   to find a certificate.
-   *                
+   *
    *  @return The matching certificate if found.
    */
   nsIX509Cert findCertByNickname(in nsISupports aToken,
                                  in AString aNickname);
 
   /**
    *  Will find a certificate based on its dbkey
    *  retrieved by getting the dbKey attribute of
    *  the certificate.
    *
    *  @param aDBkey Database internal key, as obtained using
    *                attribute dbkey in nsIX509Cert.
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    */
   nsIX509Cert findCertByDBKey(in string aDBkey, in nsISupports aToken);
 
   /**
    *  Obtain a list of certificate nicknames from the database.
    *  What the name is depends on type:
    *    user, ca, or server cert - the nickname
    *    email cert - the email address
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aType Type of certificate to obtain
    *               See certificate type constants in nsIX509Cert.
    *  @param count The number of nicknames in the returned array
    *  @param certNameList The returned array of certificate nicknames.
    */
-  void findCertNicknames(in nsISupports aToken, 
+  void findCertNicknames(in nsISupports aToken,
                          in unsigned long aType,
                          out unsigned long count,
                          [array, size_is(count)] out wstring certNameList);
 
   /**
    *  Find user's own email encryption certificate by nickname.
    *
    *  @param aNickname The nickname to be used as the key
    *                   to find the certificate.
-   *                
+   *
    *  @return The matching certificate if found.
    */
   nsIX509Cert findEmailEncryptionCert(in AString aNickname);
 
   /**
    *  Find user's own email signing certificate by nickname.
    *
    *  @param aNickname The nickname to be used as the key
    *                   to find the certificate.
-   *                
+   *
    *  @return The matching certificate if found.
    */
   nsIX509Cert findEmailSigningCert(in AString aNickname);
 
   /**
    *  Find a certificate by email address.
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aEmailAddress The email address to be used as the key
    *                       to find the certificate.
-   *                
+   *
    *  @return The matching certificate if found.
    */
   nsIX509Cert findCertByEmailAddress(in nsISupports aToken,
                                      in string aEmailAddress);
 
   /**
    *  Use this to import a stream sent down as a mime type into
    *  the certificate database on the default token.
@@ -159,17 +158,17 @@ interface nsIX509CertDB : nsISupports {
    *  @param length The length of the data to be imported
    *  @param ctx A UI context.
    */
   void importServerCertificate([array, size_is(length)] in octet data,
                                in unsigned long length,
                                in nsIInterfaceRequestor ctx);
 
   /**
-   *  Import a personal certificate into the database, assuming 
+   *  Import a personal certificate into the database, assuming
    *  the database already contains the private key for this certificate.
    *
    *  @param data The raw data to be imported
    *  @param length The length of the data to be imported
    *  @param ctx A UI context.
    */
   void importUserCertificate([array, size_is(length)] in octet data,
                              in unsigned long length,
@@ -179,17 +178,17 @@ interface nsIX509CertDB : nsISupports {
    *  Delete a certificate stored in the database.
    *
    *  @param aCert Delete this certificate.
    */
   void deleteCertificate(in nsIX509Cert aCert);
 
   /**
    *  Modify the trust that is stored and associated to a certificate within
-   *  a database. Separate trust is stored for 
+   *  a database. Separate trust is stored for
    *  One call manipulates the trust for one trust type only.
    *  See the trust type constants defined within this interface.
    *
    *  @param cert Change the stored trust of this certificate.
    *  @param type The type of the certificate. See nsIX509Cert.
    *  @param trust A bitmask. The new trust for the possible usages.
    *               See the trust constants defined within this interface.
    */
@@ -198,63 +197,63 @@ interface nsIX509CertDB : nsISupports {
                     in unsigned long trust);
 
   /**
    * @param cert        The certificate for which to modify trust.
    * @param trustString decoded by CERT_DecodeTrustString. 3 comma separated
    *                    characters, indicating SSL, Email, and Obj signing
    *                    trust.
    */
-  void setCertTrustFromString(in nsIX509Cert3 cert, in string trustString);
+  void setCertTrustFromString(in nsIX509Cert cert, in string trustString);
 
   /**
    *  Query whether a certificate is trusted for a particular use.
    *
    *  @param cert Obtain the stored trust of this certificate.
    *  @param certType The type of the certificate. See nsIX509Cert.
-   *  @param trustType A single bit from the usages constants defined 
+   *  @param trustType A single bit from the usages constants defined
    *                   within this interface.
    *
    *  @return Returns true if the certificate is trusted for the given use.
    */
   boolean isCertTrusted(in nsIX509Cert cert,
                        in unsigned long certType,
                        in unsigned long trustType);
 
   /**
    *  Import certificate(s) from file
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aFile Identifies a file that contains the certificate
    *               to be imported.
    *  @param aType Describes the type of certificate that is going to
    *               be imported. See type constants in nsIX509Cert.
    */
   void importCertsFromFile(in nsISupports aToken,
                          in nsIFile aFile,
                          in unsigned long aType);
 
   /**
    *  Import a PKCS#12 file containing cert(s) and key(s) into the database.
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aFile Identifies a file that contains the data
    *               to be imported.
    */
   void importPKCS12File(in nsISupports aToken,
                         in nsIFile aFile);
 
   /**
    *  Export a set of certs and keys from the database to a PKCS#12 file.
    *
-   *  @param aToken Optionally limits the scope of 
+   *  @param aToken Optionally limits the scope of
    *                this function to a token device.
    *                Can be null to mean any token.
    *  @param aFile Identifies a file that will be filled with the data
    *               to be exported.
    *  @param count The number of certificates to be exported.
    *  @param aCerts The array of all certificates to be exported.
    */
   void exportPKCS12File(in nsISupports aToken,
@@ -311,17 +310,17 @@ interface nsIX509CertDB : nsISupports {
   const AppTrustedRoot AppMarketplaceProdReviewersRoot = 2;
   const AppTrustedRoot AppMarketplaceDevPublicRoot = 3;
   const AppTrustedRoot AppMarketplaceDevReviewersRoot = 4;
   const AppTrustedRoot AppXPCShellRoot = 5;
   void openSignedAppFileAsync(in AppTrustedRoot trustedRoot,
                               in nsIFile aJarFile,
                               in nsIOpenSignedAppFileCallback callback);
 
-  /* 
+  /*
    * Add a cert to a cert DB from a binary string.
    *
    * @param certDER The raw DER encoding of a certificate.
    * @param aTrust decoded by CERT_DecodeTrustString. 3 comma separated characters,
    *                indicating SSL, Email, and Obj signing trust
    * @param aName name of the cert for display purposes.
    */
   void addCert(in ACString certDER, in string aTrust, in string aName);
@@ -356,9 +355,25 @@ interface nsIX509CertDB : nsISupports {
                   in int64_t /*SECCertificateUsage*/ aUsage,
                   in uint32_t aFlags,
                   out nsIX509CertList verifiedChain,
                   out bool aHasEVPolicy);
 
   // Clears the OCSP cache for the current certificate verification
   // implementation.
   void clearOCSPCache();
+
+  /*
+   * Add a cert to a cert DB from a base64 encoded string.
+   *
+   * @param base64 The raw representation of a certificate,
+   *                encoded as Base 64.
+   * @param aTrust decoded by CERT_DecodeTrustString. 3 comma separated characters,
+   *                indicating SSL, Email, and Obj signing trust
+   * @param aName name of the cert for display purposes.
+   */
+  void addCertFromBase64(in string base64, in string aTrust, in string aName);
+
+  /*
+   * Get all the known certs in the database
+   */
+  nsIX509CertList getCerts();
 };
deleted file mode 100644
--- a/security/manager/ssl/public/nsIX509CertDB2.idl
+++ /dev/null
@@ -1,36 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-interface nsIX509CertList;
-
-/**
- * This represents a service to access and manipulate 
- * X.509 certificates stored in a database through methods
- * not in nsIX509CertDB, which is frozen
- *
- */
-[scriptable, uuid(e0df4784-6560-45bf-b1b7-86076a0e8381)]
-interface nsIX509CertDB2 : nsISupports {
-
-  /* 
-   * Add a cert to a cert DB from a base64 encoded string.
-   *
-   * @param base64 The raw representation of a certificate,
-   *                encoded as Base 64.
-   * @param aTrust decoded by CERT_DecodeTrustString. 3 comma separated characters,
-   *                indicating SSL, Email, and Obj signing trust
-   * @param aName name of the cert for display purposes.
-   */
-  void addCertFromBase64(in string base64, in string aTrust, in string aName);
-
-  /*
-   * Get all the known certs in the database
-   */
-  nsIX509CertList getCerts();
-};
-
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -684,58 +684,57 @@ SSLServerCertVerificationJob::SSLServerC
 // in order to support SPDY's cross-origin connection pooling.
 static SECStatus
 BlockServerCertChangeForSpdy(nsNSSSocketInfo* infoObject,
                              CERTCertificate* serverCert)
 {
   // Get the existing cert. If there isn't one, then there is
   // no cert change to worry about.
   nsCOMPtr<nsIX509Cert> cert;
-  nsCOMPtr<nsIX509Cert2> cert2;
 
   RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
   if (!status) {
     // If we didn't have a status, then this is the
     // first handshake on this connection, not a
     // renegotiation.
     return SECSuccess;
   }
 
   status->GetServerCert(getter_AddRefs(cert));
-  cert2 = do_QueryInterface(cert);
-  if (!cert2) {
+  if (!cert) {
     NS_NOTREACHED("every nsSSLStatus must have a cert"
-                  "that implements nsIX509Cert2");
+                  "that implements nsIX509Cert");
     PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
     return SECFailure;
   }
 
   // Filter out sockets that did not neogtiate SPDY via NPN
   nsAutoCString negotiatedNPN;
   nsresult rv = infoObject->GetNegotiatedNPN(negotiatedNPN);
   NS_ASSERTION(NS_SUCCEEDED(rv),
                "GetNegotiatedNPN() failed during renegotiation");
 
   if (NS_SUCCEEDED(rv) && !StringBeginsWith(negotiatedNPN,
-                                            NS_LITERAL_CSTRING("spdy/")))
+                                            NS_LITERAL_CSTRING("spdy/"))) {
     return SECSuccess;
-
+  }
   // If GetNegotiatedNPN() failed we will assume spdy for safety's safe
   if (NS_FAILED(rv)) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
            ("BlockServerCertChangeForSpdy failed GetNegotiatedNPN() call."
             " Assuming spdy.\n"));
   }
 
   // Check to see if the cert has actually changed
-  ScopedCERTCertificate c(cert2->GetCert());
+  ScopedCERTCertificate c(cert->GetCert());
   NS_ASSERTION(c, "very bad and hopefully impossible state");
   bool sameCert = CERT_CompareCerts(c, serverCert);
-  if (sameCert)
+  if (sameCert) {
     return SECSuccess;
+  }
 
   // Report an error - changed cert is confirmed
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
          ("SPDY Refused to allow new cert during renegotiation\n"));
   PR_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, 0);
   return SECFailure;
 }
 
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -530,23 +530,19 @@ formatPlainErrorMessage(const nsXPIDLCSt
 static void
 AppendErrorTextUntrusted(PRErrorCode errTrust,
                          const nsString &host,
                          nsIX509Cert* ix509,
                          nsINSSComponent *component,
                          nsString &returnedMessage)
 {
   const char *errorID = nullptr;
-  nsCOMPtr<nsIX509Cert3> cert3 = do_QueryInterface(ix509);
-  if (cert3) {
-    bool isSelfSigned;
-    if (NS_SUCCEEDED(cert3->GetIsSelfSigned(&isSelfSigned))
-        && isSelfSigned) {
-      errorID = "certErrorTrust_SelfSigned";
-    }
+  bool isSelfSigned;
+  if (NS_SUCCEEDED(ix509->GetIsSelfSigned(&isSelfSigned)) && isSelfSigned) {
+    errorID = "certErrorTrust_SelfSigned";
   }
 
   if (!errorID) {
     switch (errTrust) {
       case SEC_ERROR_UNKNOWN_ISSUER:
       {
         nsCOMPtr<nsIArray> chain;
         ix509->GetChain(getter_AddRefs(chain));
@@ -685,21 +681,17 @@ AppendErrorTextMismatch(const nsString &
                         nsIX509Cert* ix509,
                         nsINSSComponent *component,
                         bool wantsHtml,
                         nsString &returnedMessage)
 {
   const char16_t *params[1];
   nsresult rv;
 
-  mozilla::pkix::ScopedCERTCertificate nssCert;
-
-  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
-  if (cert2)
-    nssCert = cert2->GetCert();
+  mozilla::pkix::ScopedCERTCertificate nssCert(ix509->GetCert());
 
   if (!nssCert) {
     // We are unable to extract the valid names, say "not valid for name".
     params[0] = host.get();
     nsString formattedString;
     rv = component->PIPBundleFormatStringFromName("certErrorMismatch", 
                                                   params, 1, 
                                                   formattedString);
--- a/security/manager/ssl/src/nsCertOverrideService.cpp
+++ b/security/manager/ssl/src/nsCertOverrideService.cpp
@@ -385,24 +385,21 @@ nsCertOverrideService::Write()
   return NS_OK;
 }
 
 static nsresult
 GetCertFingerprintByOidTag(nsIX509Cert *aCert,
                            SECOidTag aOidTag, 
                            nsCString &fp)
 {
-  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
-  if (!cert2)
+
+  mozilla::pkix::ScopedCERTCertificate nsscert(aCert->GetCert());
+  if (!nsscert) {
     return NS_ERROR_FAILURE;
-
-  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
-  if (!nsscert)
-    return NS_ERROR_FAILURE;
-
+  }
   return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
 }
 
 static nsresult
 GetCertFingerprintByDottedOidString(CERTCertificate* nsscert,
                                     const nsCString &dottedOid, 
                                     nsCString &fp)
 {
@@ -420,49 +417,45 @@ GetCertFingerprintByDottedOidString(CERT
   if (oid_tag == SEC_OID_UNKNOWN)
     return NS_ERROR_FAILURE;
 
   return GetCertFingerprintByOidTag(nsscert, oid_tag, fp);
 }
 
 static nsresult
 GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
-                                    const nsCString &dottedOid, 
+                                    const nsCString &dottedOid,
                                     nsCString &fp)
 {
-  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
-  if (!cert2)
+
+  mozilla::pkix::ScopedCERTCertificate nsscert(aCert->GetCert());
+  if (!nsscert) {
     return NS_ERROR_FAILURE;
-
-  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
-  if (!nsscert)
-    return NS_ERROR_FAILURE;
+  }
 
   return GetCertFingerprintByDottedOidString(nsscert.get(), dottedOid, fp);
 }
 
 NS_IMETHODIMP
-nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, int32_t aPort, 
-                                                nsIX509Cert *aCert,
-                                                uint32_t aOverrideBits, 
+nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
+                                                int32_t aPort,
+                                                nsIX509Cert* aCert,
+                                                uint32_t aOverrideBits,
                                                 bool aTemporary)
 {
   NS_ENSURE_ARG_POINTER(aCert);
   if (aHostName.IsEmpty())
     return NS_ERROR_INVALID_ARG;
   if (aPort < -1)
     return NS_ERROR_INVALID_ARG;
 
-  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
-  if (!cert2)
+  mozilla::pkix::ScopedCERTCertificate nsscert(aCert->GetCert());
+  if (!nsscert) {
     return NS_ERROR_FAILURE;
-
-  mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
-  if (!nsscert)
-    return NS_ERROR_FAILURE;
+  }
 
   char* nickname = DefaultServerNicknameForCert(nsscert.get());
   if (!aTemporary && nickname && *nickname)
   {
     ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
     if (!slot) {
       PR_Free(nickname);
       return NS_ERROR_FAILURE;
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -325,17 +325,17 @@ nsCertTree::GetDispInfoAtIndex(int32_t i
   }
   return nullptr;
 }
 
 nsCertTree::nsCertCompareFunc
 nsCertTree::GetCompareFuncFromCertType(uint32_t aType)
 {
   switch (aType) {
-    case nsIX509Cert2::ANY_CERT:
+    case nsIX509Cert::ANY_CERT:
     case nsIX509Cert::USER_CERT:
       return CmpUserCert;
     case nsIX509Cert::CA_CERT:
       return CmpCACert;
     case nsIX509Cert::EMAIL_CERT:
       return CmpEmailCert;
     case nsIX509Cert::SERVER_CERT:
     default:
@@ -472,17 +472,17 @@ nsCertTree::GetCertsByTypeFromCertList(C
   }
 
   CERTCertListNode *node;
   int count = 0;
   for (node = CERT_LIST_HEAD(aCertList);
        !CERT_LIST_END(node, aCertList);
        node = CERT_LIST_NEXT(node)) {
 
-    bool wantThisCert = (aWantedType == nsIX509Cert2::ANY_CERT);
+    bool wantThisCert = (aWantedType == nsIX509Cert::ANY_CERT);
     bool wantThisCertIfNoOverrides = false;
     bool wantThisCertIfHaveOverrides = false;
     bool addOverrides = false;
 
     if (!wantThisCert) {
       uint32_t thisCertType = getCertType(node->cert);
 
       // The output from getCertType is a "guess", which can be wrong.
@@ -804,22 +804,17 @@ nsCertTree::DeleteEntryObject(uint32_t i
           } 
         }
         else {
           if (addonInfo && addonInfo->mUsageCount > 1) {
             // user is trying to delete a perm trusted cert,
             // although there are still overrides stored,
             // so, we keep the cert, but remove the trust
 
-            mozilla::pkix::ScopedCERTCertificate nsscert;
-
-            nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
-            if (cert2) {
-              nsscert = cert2->GetCert();
-            }
+            mozilla::pkix::ScopedCERTCertificate nsscert(cert->GetCert());
 
             if (nsscert) {
               CERTCertTrust trust;
               memset((void*)&trust, 0, sizeof(trust));
             
               SECStatus srv = CERT_DecodeTrustString(&trust, ""); // no override 
               if (srv == SECSuccess) {
                 CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert.get(),
@@ -1230,22 +1225,18 @@ nsCertTree::GetCellText(int32_t row, nsI
     else {
       _retval = NS_LITERAL_STRING("*");
     }
   } else if (NS_LITERAL_STRING("lifetimecol").Equals(colID)) {
     const char *stringID = 
       (certdi->mIsTemporary) ? "CertExceptionTemporary" : "CertExceptionPermanent";
     rv = mNSSComponent->GetPIPNSSBundleString(stringID, _retval);
   } else if (NS_LITERAL_STRING("typecol").Equals(colID) && cert) {
-    nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
     uint32_t type = nsIX509Cert::UNKNOWN_CERT;
-
-    if (pipCert) {
-	rv = pipCert->GetCertType(&type);
-    }
+    rv = cert->GetCertType(&type);
 
     switch (type) {
     case nsIX509Cert::USER_CERT:
         rv = mNSSComponent->GetPIPNSSBundleString("CertUser", _retval);
 	break;
     case nsIX509Cert::CA_CERT:
         rv = mNSSComponent->GetPIPNSSBundleString("CertCA", _retval);
 	break;
--- a/security/manager/ssl/src/nsCertVerificationThread.cpp
+++ b/security/manager/ssl/src/nsCertVerificationThread.cpp
@@ -12,31 +12,31 @@ nsCertVerificationThread *nsCertVerifica
 
 NS_IMPL_ISUPPORTS(nsCertVerificationResult, nsICertVerificationResult)
 
 namespace {
 class DispatchCertVerificationResult : public nsRunnable
 {
 public:
   DispatchCertVerificationResult(const nsMainThreadPtrHandle<nsICertVerificationListener>& aListener,
-                                 nsIX509Cert3* aCert,
+                                 nsIX509Cert* aCert,
                                  nsICertVerificationResult* aResult)
     : mListener(aListener)
     , mCert(aCert)
     , mResult(aResult)
   { }
 
   NS_IMETHOD Run() {
     mListener->Notify(mCert, mResult);
     return NS_OK;
   }
 
 private:
   nsMainThreadPtrHandle<nsICertVerificationListener> mListener;
-  nsCOMPtr<nsIX509Cert3> mCert;
+  nsCOMPtr<nsIX509Cert> mCert;
   nsCOMPtr<nsICertVerificationResult> mResult;
 };
 } // anonymous namespace
 
 void nsCertVerificationJob::Run()
 {
   if (!mListener || !mCert)
     return;
@@ -58,19 +58,18 @@ void nsCertVerificationJob::Run()
     {
       vres->mVerified = verified;
       vres->mCount = count;
       vres->mUsages = usages;
     }
 
     ires = vres;
   }
-  
-  nsCOMPtr<nsIX509Cert3> c3 = do_QueryInterface(mCert);
-  nsCOMPtr<nsIRunnable> r = new DispatchCertVerificationResult(mListener, c3, ires);
+
+  nsCOMPtr<nsIRunnable> r = new DispatchCertVerificationResult(mListener, mCert, ires);
   NS_DispatchToMainThread(r);
 }
 
 nsCertVerificationThread::nsCertVerificationThread()
 : mJobQ(nullptr)
 {
   NS_ASSERTION(!verification_thread_singleton, 
                "nsCertVerificationThread is a singleton, caller attempts"
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -14,17 +14,16 @@
 #include "nsNSSComponent.h" // for PIPNSS string bundle calls.
 #include "nsNSSCleaner.h"
 #include "nsCOMPtr.h"
 #include "nsIMutableArray.h"
 #include "nsNSSCertValidity.h"
 #include "nsPKCS12Blob.h"
 #include "nsPK11TokenDB.h"
 #include "nsIX509Cert.h"
-#include "nsIX509Cert3.h"
 #include "nsNSSASN1Object.h"
 #include "nsString.h"
 #include "nsXPIDLString.h"
 #include "nsReadableUtils.h"
 #include "nsIURI.h"
 #include "nsCRT.h"
 #include "nsUsageArrayHelper.h"
 #include "nsICertificateDialogs.h"
@@ -63,18 +62,16 @@ NSSCleanupAutoPtrClass_WithParam(PLArena
 // This is being stored in an uint32_t that can otherwise
 // only take values from nsIX509Cert's list of cert types.
 // As nsIX509Cert is frozen, we choose a value not contained
 // in the list to mean not yet initialized.
 #define CERT_TYPE_NOT_YET_INITIALIZED (1 << 30)
 
 NS_IMPL_ISUPPORTS(nsNSSCertificate,
                   nsIX509Cert,
-                  nsIX509Cert2,
-                  nsIX509Cert3,
                   nsIIdentityInfo,
                   nsISerializable,
                   nsIClassInfo)
 
 /*static*/ nsNSSCertificate*
 nsNSSCertificate::Create(CERTCertificate* cert, SECOidTag* evOidPolicy)
 {
   if (GeckoProcessType_Default != XRE_GetProcessType()) {
@@ -1136,19 +1133,19 @@ nsNSSCertificate::ExportAsCMS(uint32_t c
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   if (!mCert)
     return NS_ERROR_FAILURE;
 
   switch (chainMode) {
-    case nsIX509Cert3::CMS_CHAIN_MODE_CertOnly:
-    case nsIX509Cert3::CMS_CHAIN_MODE_CertChain:
-    case nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot:
+    case nsIX509Cert::CMS_CHAIN_MODE_CertOnly:
+    case nsIX509Cert::CMS_CHAIN_MODE_CertChain:
+    case nsIX509Cert::CMS_CHAIN_MODE_CertChainWithRoot:
       break;
     default:
       return NS_ERROR_INVALID_ARG;
   };
 
   PLArenaPool* arena = PORT_NewArena(1024);
   PLArenaPoolCleanerFalseParam arenaCleaner(arena);
   if (!arena) {
@@ -1173,25 +1170,25 @@ nsNSSCertificate::ExportAsCMS(uint32_t c
     return NS_ERROR_FAILURE;
   }
 
   // Calling NSS_CMSSignedData_CreateCertsOnly() will not allow us
   // to specify the inclusion of the root, but CERT_CertChainFromCert() does.
   // Since CERT_CertChainFromCert() also includes the certificate itself,
   // we have to start at the issuing cert (to avoid duplicate certs
   // in the SignedData).
-  if (chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChain ||
-      chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot) {
+  if (chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChain ||
+      chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChainWithRoot) {
     ScopedCERTCertificate issuerCert(
         CERT_FindCertIssuer(mCert.get(), PR_Now(), certUsageAnyCA));
     // the issuerCert of a self signed root is the cert itself,
     // so make sure we're not adding duplicates, again
     if (issuerCert && issuerCert != mCert.get()) {
       bool includeRoot =
-        (chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot);
+        (chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChainWithRoot);
       ScopedCERTCertificateList certChain(
           CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot));
       if (certChain) {
         if (NSS_CMSSignedData_AddCertList(sigd, certChain) == SECSuccess) {
           certChain.forget();
         }
         else {
           PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
@@ -1372,21 +1369,17 @@ nsNSSCertificate::Equals(nsIX509Cert* ot
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(other);
   NS_ENSURE_ARG(result);
 
-  nsCOMPtr<nsIX509Cert2> other2 = do_QueryInterface(other);
-  if (!other2)
-    return NS_ERROR_FAILURE;
-
-  ScopedCERTCertificate cert(other2->GetCert());
+  ScopedCERTCertificate cert(other->GetCert());
   *result = (mCert.get() == cert.get());
   return NS_OK;
 }
 
 #ifndef MOZ_NO_EV_CERTS
 
 nsresult
 nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
@@ -1547,20 +1540,17 @@ void nsNSSCertList::destructorSafeDestro
 
 NS_IMETHODIMP
 nsNSSCertList::AddCert(nsIX509Cert* aCert)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
-  nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
-  CERTCertificate* cert;
-
-  cert = nssCert->GetCert();
+  CERTCertificate* cert = aCert->GetCert();
   if (!cert) {
     NS_ERROR("Somehow got nullptr for mCertificate in nsNSSCertificate.");
     return NS_ERROR_FAILURE;
   }
 
   if (!mCertList) {
     NS_ERROR("Somehow got nullptr for mCertList in nsNSSCertList.");
     return NS_ERROR_FAILURE;
@@ -1572,18 +1562,17 @@ nsNSSCertList::AddCert(nsIX509Cert* aCer
 
 NS_IMETHODIMP
 nsNSSCertList::DeleteCert(nsIX509Cert* aCert)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
-  nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
-  CERTCertificate* cert = nssCert->GetCert();
+  CERTCertificate* cert = aCert->GetCert();
   CERTCertListNode* node;
 
   if (!cert) {
     NS_ERROR("Somehow got nullptr for mCertificate in nsNSSCertificate.");
     return NS_ERROR_FAILURE;
   }
 
   if (!mCertList) {
@@ -1600,18 +1589,19 @@ nsNSSCertList::DeleteCert(nsIX509Cert* a
   }
   return NS_OK; // XXX Should we fail if we couldn't find it?
 }
 
 CERTCertList*
 nsNSSCertList::DupCertList(CERTCertList* aCertList,
                            const nsNSSShutDownPreventionLock& /*proofOfLock*/)
 {
-  if (!aCertList)
+  if (!aCertList) {
     return nullptr;
+  }
 
   CERTCertList* newList = CERT_NewCertList();
 
   if (!newList) {
     return nullptr;
   }
 
   CERTCertListNode* node;
--- a/security/manager/ssl/src/nsNSSCertificate.h
+++ b/security/manager/ssl/src/nsNSSCertificate.h
@@ -2,45 +2,41 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef _NS_NSSCERTIFICATE_H_
 #define _NS_NSSCERTIFICATE_H_
 
 #include "nsIX509Cert.h"
-#include "nsIX509Cert2.h"
-#include "nsIX509Cert3.h"
 #include "nsIX509CertDB.h"
 #include "nsIX509CertList.h"
 #include "nsIASN1Object.h"
 #include "nsIIdentityInfo.h"
 #include "nsCOMPtr.h"
 #include "nsNSSShutDown.h"
 #include "nsISimpleEnumerator.h"
 #include "nsISerializable.h"
 #include "nsIClassInfo.h"
 #include "pkix/pkixtypes.h"
 #include "certt.h"
 
 class nsAutoString;
 class nsINSSComponent;
 class nsIASN1Sequence;
 
-class nsNSSCertificate : public nsIX509Cert3,
+class nsNSSCertificate : public nsIX509Cert,
                          public nsIIdentityInfo,
                          public nsISerializable,
                          public nsIClassInfo,
                          public nsNSSShutDownObject
 {
 public:
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSIX509CERT
-  NS_DECL_NSIX509CERT2
-  NS_DECL_NSIX509CERT3
   NS_DECL_NSIIDENTITYINFO
   NS_DECL_NSISERIALIZABLE
   NS_DECL_NSICLASSINFO
 
   friend class nsNSSCertificateFakeTransport;
 
   nsNSSCertificate(CERTCertificate* cert, SECOidTag* evOidPolicy = nullptr);
   nsNSSCertificate();
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -77,17 +77,17 @@ attemptToLogInWithDefaultPassword()
     // has a non-default password.
     (void) PK11_InitPin(slot, nullptr, nullptr);
   }
 #endif
 
   return NS_OK;
 }
 
-NS_IMPL_ISUPPORTS(nsNSSCertificateDB, nsIX509CertDB, nsIX509CertDB2)
+NS_IMPL_ISUPPORTS(nsNSSCertificateDB, nsIX509CertDB)
 
 nsNSSCertificateDB::nsNSSCertificateDB()
 : mBadCertsLock("nsNSSCertificateDB::mBadCertsLock")
 {
   SharedSSLState::NoteCertDBServiceInstantiated();
 }
 
 nsNSSCertificateDB::~nsNSSCertificateDB()
@@ -949,24 +949,25 @@ loser:
  */
 NS_IMETHODIMP 
 nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
-  nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
-  mozilla::pkix::ScopedCERTCertificate cert(nssCert->GetCert());
-  if (!cert) return NS_ERROR_FAILURE;
+  mozilla::pkix::ScopedCERTCertificate cert(aCert->GetCert());
+  if (!cert) {
+    return NS_ERROR_FAILURE;
+  }
   SECStatus srv = SECSuccess;
 
   uint32_t certType;
-  nssCert->GetCertType(&certType);
-  if (NS_FAILED(nssCert->MarkForPermDeletion()))
+  aCert->GetCertType(&certType);
+  if (NS_FAILED(aCert->MarkForPermDeletion()))
   {
     return NS_ERROR_FAILURE;
   }
 
   if (cert->slot && certType != nsIX509Cert::USER_CERT) {
     // To delete a cert of a slot (builtin, most likely), mark it as
     // completely untrusted.  This way we keep a copy cached in the
     // local database, and next time we try to load it off of the 
@@ -993,21 +994,17 @@ nsNSSCertificateDB::SetCertTrust(nsIX509
                                  uint32_t trusted)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   nsNSSCertTrust trust;
   nsresult rv;
-  nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert, &rv);
-  if (!pipCert) {
-    return rv;
-  }
-  mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(cert->GetCert());
 
   rv = attemptToLogInWithDefaultPassword();
   if (NS_WARN_IF(rv != NS_OK)) {
     return rv;
   }
 
   SECStatus srv;
   if (type == nsIX509Cert::CA_CERT) {
@@ -1049,18 +1046,17 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50
   NS_ENSURE_ARG_POINTER(_isTrusted);
   *_isTrusted = false;
 
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   SECStatus srv;
-  nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
-  mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
+  mozilla::pkix::ScopedCERTCertificate nsscert(cert->GetCert());
   CERTCertTrust nsstrust;
   srv = CERT_GetCertTrust(nsscert.get(), &nsstrust);
   if (srv != SECSuccess)
     return NS_ERROR_FAILURE;
 
   nsNSSCertTrust trust(&nsstrust);
   if (certType == nsIX509Cert::CA_CERT) {
     if (trustType & nsIX509CertDB::TRUSTED_SSL) {
@@ -1279,17 +1275,18 @@ nsNSSCertificateDB::getCertNames(CERTCer
   }
 finish:
   *_count = numcerts;
   *_certNames = tmpArray;
 }
 
 /* nsIX509Cert getDefaultEmailEncryptionCert (); */
 NS_IMETHODIMP
-nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString &aNickname, nsIX509Cert **_retval)
+nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString& aNickname,
+                                            nsIX509Cert** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
   *_retval = nullptr;
 
   if (aNickname.IsEmpty())
     return NS_OK;
 
   nsNSSShutDownPreventionLock locker;
@@ -1315,17 +1312,18 @@ nsNSSCertificateDB::FindEmailEncryptionC
     return NS_ERROR_OUT_OF_MEMORY;
   }
   nssCert.forget(_retval);
   return NS_OK;
 }
 
 /* nsIX509Cert getDefaultEmailSigningCert (); */
 NS_IMETHODIMP
-nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert **_retval)
+nsNSSCertificateDB::FindEmailSigningCert(const nsAString& aNickname,
+                                         nsIX509Cert** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
   *_retval = nullptr;
 
   if (aNickname.IsEmpty())
     return NS_OK;
 
   nsNSSShutDownPreventionLock locker;
@@ -1585,24 +1583,26 @@ nsNSSCertificateDB::get_default_nickname
 	   * There is another certificate with the same nickname and
 	   * the same subject name on the smart card, so let's use this
 	   * nickname.
 	   */
 	  dummycert = nullptr;
 	}
       }
     }
-    if (!dummycert) 
+    if (!dummycert) {
       break;
-    
+    }
     count++;
   }
 }
 
-NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const char *aTrust, const char *aName)
+NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char* aBase64,
+                                                    const char* aTrust,
+                                                    const char* aName)
 {
   NS_ENSURE_ARG_POINTER(aBase64);
   nsCOMPtr <nsIX509Cert> newCert;
 
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
@@ -1663,17 +1663,17 @@ nsNSSCertificateDB::AddCert(const nsACSt
 {
   nsCString base64;
   nsresult rv = Base64Encode(aCertDER, base64);
   NS_ENSURE_SUCCESS(rv, rv);
   return AddCertFromBase64(base64.get(), aTrust, aName);
 }
 
 NS_IMETHODIMP
-nsNSSCertificateDB::SetCertTrustFromString(nsIX509Cert3* cert,
+nsNSSCertificateDB::SetCertTrustFromString(nsIX509Cert* cert,
                                            const char* trustString)
 {
   CERTCertTrust trust;
 
   // need to calculate the trust bits from the aTrust string.
   SECStatus srv = CERT_DecodeTrustString(&trust,
                                          const_cast<char *>(trustString));
   if (srv != SECSuccess) {
@@ -1756,21 +1756,20 @@ nsNSSCertificateDB::VerifyCertNow(nsIX50
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
 #ifndef MOZ_NO_EV_CERTS
   EnsureIdentityInfoLoaded();
 #endif
 
-  nsCOMPtr<nsIX509Cert2> x509Cert = do_QueryInterface(aCert);
-  if (!x509Cert) {
+  ScopedCERTCertificate nssCert(aCert->GetCert());
+  if (!nssCert) {
     return NS_ERROR_INVALID_ARG;
   }
-  ScopedCERTCertificate nssCert(x509Cert->GetCert());
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
 
   mozilla::pkix::ScopedCERTCertList resultChain;
   SECOidTag evOidPolicy;
   SECStatus srv;
 
--- a/security/manager/ssl/src/nsNSSCertificateDB.h
+++ b/security/manager/ssl/src/nsNSSCertificateDB.h
@@ -1,35 +1,32 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef __NSNSSCERTIFICATEDB_H__
 #define __NSNSSCERTIFICATEDB_H__
 
 #include "nsIX509CertDB.h"
-#include "nsIX509CertDB2.h"
 #include "nsNSSShutDown.h"
 #include "mozilla/RefPtr.h"
 #include "mozilla/Mutex.h"
 #include "certt.h"
 
 class nsCString;
 class nsIArray;
 class nsRecentBadCerts;
 
 class nsNSSCertificateDB : public nsIX509CertDB
-                         , public nsIX509CertDB2
                          , public nsNSSShutDownObject
 
 {
 public:
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSIX509CERTDB
-  NS_DECL_NSIX509CERTDB2
 
   nsNSSCertificateDB(); 
 
   // Use this function to generate a default nickname for a user
   // certificate that is to be imported onto a token.
   static void
   get_default_nickname(CERTCertificate *cert, nsIInterfaceRequestor* ctx,
                        nsCString &nickname,
--- a/security/manager/ssl/src/nsNSSCertificateFakeTransport.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateFakeTransport.cpp
@@ -7,17 +7,16 @@
 
 #include "nsCOMPtr.h"
 #include "nsIObjectInputStream.h"
 #include "nsIObjectOutputStream.h"
 #include "nsIProgrammingLanguage.h"
 #include "nsISupportsPrimitives.h"
 #include "nsIX509Cert.h"
 #include "nsNSSCertificate.h"
-#include "nsNSSCertificate.h"
 #include "nsString.h"
 #include "nsXPIDLString.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 /* nsNSSCertificateFakeTransport */
@@ -352,8 +351,60 @@ nsNSSCertificateFakeTransport::GetFlags(
 NS_IMETHODIMP
 nsNSSCertificateFakeTransport::GetClassIDNoAlloc(nsCID *aClassIDNoAlloc)
 {
   static NS_DEFINE_CID(kNSSCertificateCID, NS_X509CERT_CID);
 
   *aClassIDNoAlloc = kNSSCertificateCID;
   return NS_OK;
 }
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::GetCertType(unsigned int*)
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::GetIsSelfSigned(bool*)
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::RequestUsagesArrayAsync(nsICertVerificationListener*)
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::GetAllTokenNames(unsigned int*,
+                                                char16_t***)
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+CERTCertificate*
+nsNSSCertificateFakeTransport::GetCert()
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return nullptr;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::ExportAsCMS(unsigned int,
+                                           unsigned int*,
+                                           unsigned char**)
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+nsNSSCertificateFakeTransport::MarkForPermDeletion()
+{
+  NS_NOTREACHED("Unimplemented on content process");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
\ No newline at end of file
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -382,26 +382,29 @@ nsNSSSocketInfo::JoinConnection(const ns
   if (mSentClientCert)
     return NS_OK;
 
   // Ensure that the server certificate covers the hostname that would
   // like to join this connection
 
   ScopedCERTCertificate nssCert;
 
-  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(SSLStatus()->mServerCert);
-  if (cert2)
-    nssCert = cert2->GetCert();
+  nsCOMPtr<nsIX509Cert> cert(SSLStatus()->mServerCert);
+  if (cert) {
+    nssCert = cert->GetCert();
+  }
 
-  if (!nssCert)
+  if (!nssCert) {
     return NS_OK;
+  }
 
   if (CERT_VerifyCertName(nssCert, PromiseFlatCString(hostname).get()) !=
-      SECSuccess)
-    return NS_OK;
+      SECSuccess) {
+      return NS_OK;
+  }
 
   // All tests pass - this is joinable
   mJoined = true;
   *_retval = true;
   return NS_OK;
 }
 
 bool
--- a/security/manager/ssl/src/nsVerificationJob.h
+++ b/security/manager/ssl/src/nsVerificationJob.h
@@ -5,17 +5,16 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef _INC_NSVERIFICATIONJOB_H
 #define _INC_NSVERIFICATIONJOB_H
 
 #include "nspr.h"
 
 #include "nsIX509Cert.h"
-#include "nsIX509Cert3.h"
 #include "nsProxyRelease.h"
 
 class nsBaseVerificationJob
 {
 public:
   virtual ~nsBaseVerificationJob() {}
   virtual void Run() = 0;
 };
--- a/security/manager/ssl/tests/unit/test_getchain.js
+++ b/security/manager/ssl/tests/unit/test_getchain.js
@@ -3,19 +3,16 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 "use strict";
 
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb  = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
-const certdb2 = Cc["@mozilla.org/security/x509certdb;1"]
-                  .getService(Ci.nsIX509CertDB2);
-
 // This is the list of certificates needed for the test
 // The certificates prefixed by 'int-' are intermediates
 let certList = [
   'ee',
   'ca-1',
   'ca-2',
 ]
 
@@ -24,17 +21,17 @@ function load_cert(cert_name, trust_stri
   addCertFromFile(certdb, "test_getchain/" + cert_filename, trust_string);
 }
 
 // Since all the ca's are identical expect for the serial number
 // I have to grab them by enumerating all the certs and then finding
 // the ones that I am interested in.
 function get_ca_array() {
   let ret_array = new Array();
-  let allCerts = certdb2.getCerts();
+  let allCerts = certdb.getCerts();
   let enumerator = allCerts.getEnumerator();
   while (enumerator.hasMoreElements()) {
     let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
     if (cert.commonName == 'ca') {
       ret_array[parseInt(cert.serialNumber)] = cert;
     }
   }
   return ret_array;
--- a/security/manager/tools/genHPKPStaticPins.js
+++ b/security/manager/tools/genHPKPStaticPins.js
@@ -20,17 +20,17 @@ if (arguments.length != 3) {
 
 const { 'classes': Cc, 'interfaces': Ci, 'utils': Cu, 'results': Cr } = Components;
 
 let { NetUtil } = Cu.import("resource://gre/modules/NetUtil.jsm", {});
 let { FileUtils } = Cu.import("resource://gre/modules/FileUtils.jsm", {});
 let { Services } = Cu.import("resource://gre/modules/Services.jsm", {});
 
 let gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
-                 .getService(Ci.nsIX509CertDB2);
+                .getService(Ci.nsIX509CertDB);
 gCertDB.QueryInterface(Ci.nsIX509CertDB);
 
 const BUILT_IN_NICK_PREFIX = "Builtin Object Token:";
 const SHA1_PREFIX = "sha1/";
 const SHA256_PREFIX = "sha256/";
 const GOOGLE_PIN_PREFIX = "GOOGLE_PIN_";
 
 // Pins expire in 14 weeks (6 weeks on Beta + 8 weeks on stable)
@@ -103,18 +103,17 @@ function stripComments(buf) {
   return data;
 }
 
 function isBuiltinToken(tokenName) {
   return tokenName == "Builtin Object Token";
 }
 
 function isCertBuiltIn(cert) {
-  let cert3 = cert.QueryInterface(Ci.nsIX509Cert3);
-  let tokenNames = cert3.getAllTokenNames({});
+  let tokenNames = cert.getAllTokenNames({});
   if (!tokenNames) {
     return false;
   }
   if (tokenNames.some(isBuiltinToken)) {
     return true;
   }
   return false;
 }
--- a/toolkit/modules/CertUtils.jsm
+++ b/toolkit/modules/CertUtils.jsm
@@ -162,17 +162,16 @@ this.checkCert =
   var issuerCert = cert;
   while (issuerCert.issuer && !issuerCert.issuer.equals(issuerCert))
     issuerCert = issuerCert.issuer;
 
   const certNotBuiltInErr = "Certificate issuer is not built-in.";
   if (!issuerCert)
     throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);
 
-  issuerCert = issuerCert.QueryInterface(Ci.nsIX509Cert3);
   var tokenNames = issuerCert.getAllTokenNames({});
 
   if (!tokenNames || !tokenNames.some(isBuiltinToken))
     throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);
 }
 
 function isBuiltinToken(tokenName) {
   return tokenName == "Builtin Object Token";