Bug 767241, Part 2: Replace almost all uses of NSSCleanupAutoPtrClass with ScopedNSSTypes, r=honzab
authorBrian Smith <bsmith@mozilla.com>
Mon, 12 Nov 2012 09:42:28 -0800
changeset 115135 57e047e6401989a7b04528f75ab095bb40b27b9f
parent 115134 9f24c48b21e3a7787a2cd11e760136c37fe1c824
child 115136 a2da6577872b0df1930730c3e2bd6c1791eae8f5
push id23973
push useremorley@mozilla.com
push dateThu, 06 Dec 2012 10:04:18 +0000
treeherdermozilla-central@ddda5400c826 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewershonzab
bugs767241
milestone20.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 767241, Part 2: Replace almost all uses of NSSCleanupAutoPtrClass with ScopedNSSTypes, r=honzab
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/src/TransportSecurityInfo.cpp
security/manager/ssl/src/nsCMS.cpp
security/manager/ssl/src/nsCertOverrideService.cpp
security/manager/ssl/src/nsCertPicker.cpp
security/manager/ssl/src/nsCertTree.cpp
security/manager/ssl/src/nsClientAuthRemember.cpp
security/manager/ssl/src/nsCrypto.cpp
security/manager/ssl/src/nsIdentityChecking.cpp
security/manager/ssl/src/nsKeyModule.cpp
security/manager/ssl/src/nsNSSCallbacks.cpp
security/manager/ssl/src/nsNSSCallbacks.h
security/manager/ssl/src/nsNSSCertificate.cpp
security/manager/ssl/src/nsNSSCertificate.h
security/manager/ssl/src/nsNSSCertificateDB.cpp
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/src/nsPKCS12Blob.cpp
security/manager/ssl/src/nsRecentBadCerts.cpp
security/manager/ssl/src/nsSDR.cpp
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -106,33 +106,33 @@
 
 #include "mozilla/Assertions.h"
 #include "nsIThreadPool.h"
 #include "nsXPCOMCIDInternal.h"
 #include "nsComponentManagerUtils.h"
 #include "nsServiceManagerUtils.h"
 #include "nsIConsoleService.h"
 #include "PSMRunnable.h"
+#include "ScopedNSSTypes.h"
 
 #include "ssl.h"
 #include "secerr.h"
 #include "secport.h"
 #include "sslerr.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 namespace mozilla { namespace psm {
 
 namespace {
 
 NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
 NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
 
 // do not use a nsCOMPtr to avoid static initializer/destructor
 nsIThreadPool * gCertVerificationThreadPool = nullptr;
 } // unnamed namespace
 
 // Called when the socket transport thread starts, to initialize the SSL cert
 // verification thread pool. By tying the thread pool startup/shutdown directly
@@ -610,37 +610,30 @@ public:
                             CERTCertificate * serverCert);
 private:
   NS_DECL_NSIRUNNABLE
 
   // Must be called only on the socket transport thread
   SSLServerCertVerificationJob(const void * fdForLogging,
                                TransportSecurityInfo * infoObject, 
                                CERTCertificate * cert);
-  ~SSLServerCertVerificationJob();
-
   const void * const mFdForLogging;
   const RefPtr<TransportSecurityInfo> mInfoObject;
-  CERTCertificate * const mCert;
+  const ScopedCERTCertificate mCert;
 };
 
 SSLServerCertVerificationJob::SSLServerCertVerificationJob(
     const void * fdForLogging, TransportSecurityInfo * infoObject,
     CERTCertificate * cert)
   : mFdForLogging(fdForLogging)
   , mInfoObject(infoObject)
   , mCert(CERT_DupCertificate(cert))
 {
 }
 
-SSLServerCertVerificationJob::~SSLServerCertVerificationJob()
-{
-  CERT_DestroyCertificate(mCert);
-}
-
 SECStatus
 PSM_SSL_PKIX_AuthCertificate(CERTCertificate *peerCert, void * pinarg,
                              const char * hostname)
 {
     SECStatus          rv;
     
     if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
         rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert, true,
@@ -813,20 +806,19 @@ BlockServerCertChangeForSpdy(nsNSSSocket
 
   // If GetNegotiatedNPN() failed we will assume spdy for safety's safe
   if (NS_FAILED(rv))
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
            ("BlockServerCertChangeForSpdy failed GetNegotiatedNPN() call."
             " Assuming spdy.\n"));
 
   // Check to see if the cert has actually changed
-  CERTCertificate * c = cert2->GetCert();
+  ScopedCERTCertificate c(cert2->GetCert());
   NS_ASSERTION(c, "very bad and hopefully impossible state");
   bool sameCert = CERT_CompareCerts(c, serverCert);
-  CERT_DestroyCertificate(c);
   if (sameCert)
     return SECSuccess;
 
   // Report an error - changed cert is confirmed
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
          ("SPDY Refused to allow new cert during renegotiation\n"));
   PR_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, 0);
   return SECFailure;
@@ -882,18 +874,18 @@ AuthCertificate(TransportSecurityInfo * 
 
   RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
   RefPtr<nsNSSCertificate> nsc;
 
   if (!status || !status->mServerCert) {
     nsc = nsNSSCertificate::Create(cert);
   }
 
-  CERTCertList *certList = nullptr;
-  certList = CERT_GetCertChainFromCert(cert, PR_Now(), certUsageSSLCA);
+  ScopedCERTCertList certList(CERT_GetCertChainFromCert(cert, PR_Now(),
+                                                        certUsageSSLCA));
   if (!certList) {
     rv = SECFailure;
   } else {
     PRErrorCode blacklistErrorCode;
     if (rv == SECSuccess) { // PSM_SSL_PKIX_AuthCertificate said "valid cert"
       blacklistErrorCode = PSM_SSL_BlacklistDigiNotar(cert, certList);
     } else { // PSM_SSL_PKIX_AuthCertificate said "invalid cert"
       PRErrorCode savedErrorCode = PORT_GetError();
@@ -938,30 +930,25 @@ AuthCertificate(TransportSecurityInfo * 
         // We don't want to remember the server cert, 
         // the code that cares for displaying page info does this already.
         continue;
       }
 
       // We have found a signer cert that we want to remember.
       char* nickname = nsNSSCertificate::defaultServerNickname(node->cert);
       if (nickname && *nickname) {
-        PK11SlotInfo *slot = PK11_GetInternalKeySlot();
+        ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
         if (slot) {
           PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE, 
                           nickname, false);
-          PK11_FreeSlot(slot);
         }
       }
       PR_FREEIF(nickname);
     }
 
-    if (certList) {
-      CERT_DestroyCertList(certList);
-    }
-
     // The connection may get terminated, for example, if the server requires
     // a client cert. Let's provide a minimal SSLStatus
     // to the caller that contains at least the cert and its status.
     if (!status) {
       status = new nsSSLStatus();
       infoObject->SetSSLStatus(status);
     }
 
@@ -1120,18 +1107,17 @@ AuthCertificateHook(void *arg, PRFileDes
 
   nsNSSSocketInfo *socketInfo = static_cast<nsNSSSocketInfo*>(arg);
   
   if (socketInfo) {
     // This is the first callback during full handshakes.
     socketInfo->SetFirstServerHelloReceived();
   }
 
-  CERTCertificate *serverCert = SSL_PeerCertificate(fd);
-  CERTCertificateCleaner serverCertCleaner(serverCert);
+  ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
 
   if (!checkSig || isServer || !socketInfo || !serverCert) {
       PR_SetError(PR_INVALID_STATE_ERROR, 0);
       return SECFailure;
   }
       
   if (BlockServerCertChangeForSpdy(socketInfo, serverCert) != SECSuccess)
     return SECFailure;
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -10,37 +10,35 @@
 #include "nsNSSCertificate.h"
 #include "nsIX509CertValidity.h"
 #include "nsIDateTimeFormat.h"
 #include "nsDateTimeFormatCID.h"
 #include "nsICertOverrideService.h"
 #include "nsIObjectInputStream.h"
 #include "nsIObjectOutputStream.h"
 #include "nsNSSCertHelper.h"
-#include "nsNSSCleaner.h"
 #include "nsIProgrammingLanguage.h"
 #include "nsIArray.h"
 #include "PSMRunnable.h"
+#include "ScopedNSSTypes.h"
 
 #include "secerr.h"
 
 //#define DEBUG_SSL_VERBOSE //Enable this define to get minimal 
                             //reports when doing SSL read/write
                             
 //#define DUMP_BUFFER  //Enable this define along with
                        //DEBUG_SSL_VERBOSE to dump SSL
                        //read/write buffer to a log.
                        //Uses PR_LOG except on Mac where
                        //we always write out to our own
                        //file.
 
 namespace {
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
 } // unnamed namespace
 
 namespace mozilla { namespace psm {
 
 TransportSecurityInfo::TransportSecurityInfo()
   : mMutex("TransportSecurityInfo::mMutex"),
@@ -775,18 +773,17 @@ AppendErrorTextMismatch(const nsString &
                         nsIX509Cert* ix509,
                         nsINSSComponent *component,
                         bool wantsHtml,
                         nsString &returnedMessage)
 {
   const PRUnichar *params[1];
   nsresult rv;
 
-  CERTCertificate *nssCert = nullptr;
-  CERTCertificateCleaner nssCertCleaner(nssCert);
+  ScopedCERTCertificate nssCert;
 
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
   if (cert2)
     nssCert = cert2->GetCert();
 
   if (!nssCert) {
     // We are unable to extract the valid names, say "not valid for name".
     params[0] = host.get();
--- a/security/manager/ssl/src/nsCMS.cpp
+++ b/security/manager/ssl/src/nsCMS.cpp
@@ -9,32 +9,30 @@
 #include "nsNSSCertificate.h"
 #include "smime.h"
 #include "cms.h"
 #include "nsICMSMessageErrors.h"
 #include "nsIArray.h"
 #include "nsArrayUtils.h"
 #include "nsCertVerificationThread.h"
 #include "nsCERTValInParamWrapper.h"
+#include "ScopedNSSTypes.h"
 
 #include "prlog.h"
 
-#include "nsNSSCleaner.h"
 #include "nsNSSComponent.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 using namespace mozilla;
 
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-
 NS_IMPL_THREADSAFE_ISUPPORTS2(nsCMSMessage, nsICMSMessage, 
                                             nsICMSMessage2)
 
 nsCMSMessage::nsCMSMessage()
 {
   m_cmsMsg = nullptr;
 }
 nsCMSMessage::nsCMSMessage(NSSCMSMessage *aCMSMsg)
@@ -535,18 +533,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp
   for (i=0; i<recipientCertCount; i++) {
     nsCOMPtr<nsIX509Cert> x509cert = do_QueryElementAt(aRecipientCerts, i);
 
     nssRecipientCert = do_QueryInterface(x509cert);
 
     if (!nssRecipientCert)
       return NS_ERROR_FAILURE;
 
-    CERTCertificate *c = nssRecipientCert->GetCert();
-    CERTCertificateCleaner rcCleaner(c);
+    ScopedCERTCertificate c(nssRecipientCert->GetCert());
     recipientCerts.set(i, c);
   }
   
   // Find a bulk key algorithm //
   if (NSS_SMIMEUtil_FindBulkAlgForRecipients(recipientCerts.getRawArray(), &bulkAlgTag,
                                             &keySize) != SECSuccess) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't find bulk alg for recipients\n"));
     rv = NS_ERROR_CMS_ENCRYPT_NO_BULK_ALG;
@@ -574,18 +571,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp
   cinfo = NSS_CMSEnvelopedData_GetContentInfo(envd);
   if (NSS_CMSContentInfo_SetContent_Data(m_cmsMsg, cinfo, nullptr, false) != SECSuccess) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't set content data\n"));
     goto loser;
   }
 
   // Create and attach recipient information //
   for (i=0; i < recipientCertCount; i++) {
-    CERTCertificate *rc = recipientCerts.get(i);
-    CERTCertificateCleaner rcCleaner(rc);
+    ScopedCERTCertificate rc(recipientCerts.get(i));
     if ((recipientInfo = NSS_CMSRecipientInfo_Create(m_cmsMsg, rc)) == nullptr) {
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't create recipient info\n"));
       goto loser;
     }
     if (NSS_CMSEnvelopedData_AddRecipient(envd, recipientInfo) != SECSuccess) {
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't add recipient info\n"));
       goto loser;
     }
@@ -606,17 +602,18 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateSigned\n"));
   NSSCMSContentInfo *cinfo;
   NSSCMSSignedData *sigd;
   NSSCMSSignerInfo *signerinfo;
-  CERTCertificate *scert = nullptr, *ecert = nullptr;
+  ScopedCERTCertificate scert;
+  ScopedCERTCertificate ecert;
   nsCOMPtr<nsIX509Cert2> aSigningCert2 = do_QueryInterface(aSigningCert);
   nsresult rv = NS_ERROR_FAILURE;
 
   /* Get the certs */
   if (aSigningCert2) {
     scert = aSigningCert2->GetCert();
   }
   if (!scert) {
@@ -625,19 +622,16 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned
 
   if (aEncryptCert) {
     nsCOMPtr<nsIX509Cert2> aEncryptCert2 = do_QueryInterface(aEncryptCert);
     if (aEncryptCert2) {
       ecert = aEncryptCert2->GetCert();
     }
   }
 
-  CERTCertificateCleaner ecertCleaner(ecert);
-  CERTCertificateCleaner scertCleaner(scert);
-
   /*
    * create the message object
    */
   m_cmsMsg = NSS_CMSMessage_Create(nullptr); /* create a message on its own pool */
   if (!m_cmsMsg) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateSigned - can't create new message\n"));
     rv = NS_ERROR_OUT_OF_MEMORY;
     goto loser;
--- a/security/manager/ssl/src/nsCertOverrideService.cpp
+++ b/security/manager/ssl/src/nsCertOverrideService.cpp
@@ -13,25 +13,24 @@
 #include "nsNetUtil.h"
 #include "nsILineInputStream.h"
 #include "nsIObserver.h"
 #include "nsIObserverService.h"
 #include "nsISupportsPrimitives.h"
 #include "nsPromiseFlatString.h"
 #include "nsThreadUtils.h"
 #include "nsStringBuffer.h"
+#include "ScopedNSSTypes.h"
+
 #include "nspr.h"
 #include "pk11pub.h"
 #include "certdb.h"
 #include "sechash.h"
 #include "ssl.h" // For SSL_ClearSessionCache
 
-#include "nsNSSCleaner.h"
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-
 using namespace mozilla;
 
 static const char kCertOverrideFileName[] = "cert_override.txt";
 
 void
 nsCertOverride::convertBitsToString(OverrideBits ob, nsACString &str)
 {
   str.Truncate();
@@ -409,21 +408,20 @@ static nsresult
 GetCertFingerprintByOidTag(nsIX509Cert *aCert,
                            SECOidTag aOidTag, 
                            nsCString &fp)
 {
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
   if (!cert2)
     return NS_ERROR_FAILURE;
 
-  CERTCertificate* nsscert = cert2->GetCert();
+  ScopedCERTCertificate nsscert(cert2->GetCert());
   if (!nsscert)
     return NS_ERROR_FAILURE;
 
-  CERTCertificateCleaner nsscertCleaner(nsscert);
   return GetCertFingerprintByOidTag(nsscert, aOidTag, fp);
 }
 
 static nsresult
 GetCertFingerprintByDottedOidString(CERTCertificate* nsscert,
                                     const nsCString &dottedOid, 
                                     nsCString &fp)
 {
@@ -448,21 +446,20 @@ static nsresult
 GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
                                     const nsCString &dottedOid, 
                                     nsCString &fp)
 {
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
   if (!cert2)
     return NS_ERROR_FAILURE;
 
-  CERTCertificate* nsscert = cert2->GetCert();
+  ScopedCERTCertificate nsscert(cert2->GetCert());
   if (!nsscert)
     return NS_ERROR_FAILURE;
 
-  CERTCertificateCleaner nsscertCleaner(nsscert);
   return GetCertFingerprintByDottedOidString(nsscert, dottedOid, fp);
 }
 
 NS_IMETHODIMP
 nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, int32_t aPort, 
                                                 nsIX509Cert *aCert,
                                                 uint32_t aOverrideBits, 
                                                 bool aTemporary)
@@ -472,35 +469,31 @@ nsCertOverrideService::RememberValidityO
     return NS_ERROR_INVALID_ARG;
   if (aPort < -1)
     return NS_ERROR_INVALID_ARG;
 
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
   if (!cert2)
     return NS_ERROR_FAILURE;
 
-  CERTCertificate* nsscert = cert2->GetCert();
+  ScopedCERTCertificate nsscert(cert2->GetCert());
   if (!nsscert)
     return NS_ERROR_FAILURE;
 
-  CERTCertificateCleaner nsscertCleaner(nsscert);
-
   char* nickname = nsNSSCertificate::defaultServerNickname(nsscert);
   if (!aTemporary && nickname && *nickname)
   {
-    PK11SlotInfo *slot = PK11_GetInternalKeySlot();
+    ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
     if (!slot) {
       PR_Free(nickname);
       return NS_ERROR_FAILURE;
     }
   
     SECStatus srv = PK11_ImportCert(slot, nsscert, CK_INVALID_HANDLE, 
                                     nickname, false);
-    PK11_FreeSlot(slot);
-  
     if (srv != SECSuccess) {
       PR_Free(nickname);
       return NS_ERROR_FAILURE;
     }
   }
   PR_FREEIF(nickname);
 
   nsAutoCString fpStr;
--- a/security/manager/ssl/src/nsCertPicker.cpp
+++ b/security/manager/ssl/src/nsCertPicker.cpp
@@ -6,26 +6,25 @@
 #include "nsCertPicker.h"
 #include "nsMemory.h"
 #include "nsCOMPtr.h"
 #include "nsXPIDLString.h"
 #include "nsIServiceManager.h"
 #include "nsNSSComponent.h"
 #include "nsNSSCertificate.h"
 #include "nsReadableUtils.h"
-#include "nsNSSCleaner.h"
 #include "nsICertPickDialogs.h"
 #include "nsNSSShutDown.h"
 #include "nsNSSCertHelper.h"
-
-NSSCleanupAutoPtrClass(CERTCertNicknames, CERT_FreeNicknames)
-NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
+#include "ScopedNSSTypes.h"
 
 #include "cert.h"
 
+using namespace mozilla;
+
 NS_IMPL_ISUPPORTS1(nsCertPicker, nsIUserCertPicker)
 
 nsCertPicker::nsCertPicker()
 {
 }
 
 nsCertPicker::~nsCertPicker()
 {
@@ -44,41 +43,34 @@ NS_IMETHODIMP nsCertPicker::PickByUsage(
   bool selectionFound = false;
   PRUnichar **certNicknameList = nullptr;
   PRUnichar **certDetailsList = nullptr;
   CERTCertListNode* node = nullptr;
   nsresult rv = NS_OK;
 
   {
     // Iterate over all certs. This assures that user is logged in to all hardware tokens.
-    CERTCertList *allcerts = nullptr;
     nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
-    allcerts = PK11_ListCerts(PK11CertListUnique, ctx);
-    CERT_DestroyCertList(allcerts);
+    ScopedCERTCertList allcerts(PK11_ListCerts(PK11CertListUnique, ctx));
   }
 
   /* find all user certs that are valid and for SSL */
   /* note that we are allowing expired certs in this list */
 
-  CERTCertList *certList = 
+  ScopedCERTCertList certList( 
     CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), 
                               (SECCertUsage)certUsage,
                               !allowDuplicateNicknames,
                               !allowInvalid,
-                              ctx);
-  CERTCertListCleaner clc(certList);
-
+                              ctx));
   if (!certList) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
-  CERTCertNicknames *nicknames = getNSSCertNicknamesFromCertList(certList);
-
-  CERTCertNicknamesCleaner cnc(nicknames);
-
+  ScopedCERTCertNicknames nicknames(getNSSCertNicknamesFromCertList(certList));
   if (!nicknames) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   certNicknameList = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nicknames->numnicknames);
   certDetailsList = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nicknames->numnicknames);
 
   if (!certNicknameList || !certDetailsList) {
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -15,28 +15,26 @@
 #include "nsNSSCertHelper.h"
 #include "nsINSSCertCache.h"
 #include "nsIMutableArray.h"
 #include "nsArrayUtils.h"
 #include "nsISupportsPrimitives.h"
 #include "nsXPCOMCID.h"
 #include "nsTHashtable.h"
 #include "nsHashKeys.h"
-
+#include "ScopedNSSTypes.h"
+ 
 #include "prlog.h"
-#include "nsNSSCleaner.h"
 
 using namespace mozilla;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 static NS_DEFINE_CID(kCertOverrideCID, NS_CERTOVERRIDE_CID);
 
 // treeArrayElStr
 //
 // structure used to hold map of tree.  Each thread (an organization
 // field from a cert) has an element in the array.  The numChildren field
 // stores the number of certs corresponding to that thread.
@@ -636,22 +634,19 @@ nsCertTree::GetCertsByTypeFromCertList(C
 }
 
 nsresult 
 nsCertTree::GetCertsByType(uint32_t           aType,
                            nsCertCompareFunc  aCertCmpFn,
                            void              *aCertCmpFnArg)
 {
   nsNSSShutDownPreventionLock locker;
-  CERTCertList *certList = nullptr;
   nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
-  certList = PK11_ListCerts(PK11CertListUnique, cxt);
+  ScopedCERTCertList certList(PK11_ListCerts(PK11CertListUnique, cxt));
   nsresult rv = GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg);
-  if (certList)
-    CERT_DestroyCertList(certList);
   return rv;
 }
 
 nsresult 
 nsCertTree::GetCertsByTypeFromCache(nsINSSCertCache   *aCache,
                                     uint32_t           aType,
                                     nsCertCompareFunc  aCertCmpFn,
                                     void              *aCertCmpFnArg)
@@ -810,18 +805,17 @@ nsCertTree::DeleteEntryObject(uint32_t i
           } 
         }
         else {
           if (addonInfo && addonInfo->mUsageCount > 1) {
             // user is trying to delete a perm trusted cert,
             // although there are still overrides stored,
             // so, we keep the cert, but remove the trust
 
-            CERTCertificate *nsscert = nullptr;
-            CERTCertificateCleaner nsscertCleaner(nsscert);
+            ScopedCERTCertificate nsscert;
 
             nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
             if (cert2) {
               nsscert = cert2->GetCert();
             }
 
             if (nsscert) {
               CERTCertTrust trust;
--- a/security/manager/ssl/src/nsClientAuthRemember.cpp
+++ b/security/manager/ssl/src/nsClientAuthRemember.cpp
@@ -17,22 +17,18 @@
 #include "nsThreadUtils.h"
 #include "nsStringBuffer.h"
 #include "cert.h"
 #include "nspr.h"
 #include "pk11pub.h"
 #include "certdb.h"
 #include "sechash.h"
 
-#include "nsNSSCleaner.h"
-
 using namespace mozilla;
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-
 NS_IMPL_THREADSAFE_ISUPPORTS2(nsClientAuthRememberService, 
                               nsIObserver,
                               nsISupportsWeakReference)
 
 nsClientAuthRememberService::nsClientAuthRememberService()
   : monitor("nsClientAuthRememberService.monitor")
 {
 }
--- a/security/manager/ssl/src/nsCrypto.cpp
+++ b/security/manager/ssl/src/nsCrypto.cpp
@@ -54,32 +54,28 @@
 #include "cmmf.h"
 #include "nssb64.h"
 #include "base64.h"
 #include "cert.h"
 #include "certdb.h"
 #include "secmod.h"
 #include "nsISaveAsCharset.h"
 #include "nsNativeCharsetUtils.h"
+#include "ScopedNSSTypes.h"
 
 #include "ssl.h" // For SSL_ClearSessionCache
 
 #include "nsNSSCleaner.h"
 
 #include "nsNSSShutDown.h"
 #include "nsNSSCertHelper.h"
 
 using namespace mozilla;
 
-NSSCleanupAutoPtrClass(SECKEYPrivateKey, SECKEY_DestroyPrivateKey)
-NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot)
-NSSCleanupAutoPtrClass(CERTCertNicknames, CERT_FreeNicknames)
-NSSCleanupAutoPtrClass(PK11SymKey, PK11_FreeSymKey)
 NSSCleanupAutoPtrClass_WithParam(PK11Context, PK11_DestroyContext, TrueParam, true)
-NSSCleanupAutoPtrClass_WithParam(SECItem, SECITEM_FreeItem, TrueParam, true)
 
 /*
  * These are the most common error strings that are returned
  * by the JavaScript methods in case of error.
  */
 
 #define JS_ERROR       "error:"
 #define JS_ERROR_INTERNAL  JS_ERROR"internalError"
@@ -693,26 +689,24 @@ cryptojs_generateOneKeyPair(JSContext *c
   // the destination token, with the EXTRACTABLE flag set.
   // If it works, we'll extract, escrow, done.
   // If it failed, then we're unable to escrow and return failure.
   // NOTE: We call PK11_GetInternalSlot instead of PK11_GetInternalKeySlot
   //       so that the key has zero chance of being store in the
   //       user's key3.db file.  Which the slot returned by
   //       PK11_GetInternalKeySlot has access to and PK11_GetInternalSlot
   //       does not.
-  PK11SlotInfo *intSlot = nullptr;
-  PK11SlotInfoCleaner siCleaner(intSlot);
+  ScopedPK11SlotInfo intSlot;
   
   if (willEscrow && !PK11_IsInternal(slot)) {
     intSlot = PK11_GetInternalSlot();
     NS_ASSERTION(intSlot,"Couldn't get the internal slot");
     
     if (!PK11_DoesMechanism(intSlot, mechanism)) {
       // Set to null, and the subsequent code will not attempt to use it.
-      PK11_FreeSlot(intSlot);
       intSlot = nullptr;
     }
   }
 
   rv = getNSSDialogs((void**)&dialogs,
                      NS_GET_IID(nsIGeneratingKeypairInfoDialogs),
                      NS_GENERATINGKEYPAIRINFODIALOGS_CONTRACTID);
 
@@ -827,33 +821,27 @@ cryptojs_generateOneKeyPair(JSContext *c
 
   if (!keyPairInfo->privKey || !keyPairInfo->pubKey) {
     return NS_ERROR_FAILURE;
   }
  
   //If we generated the key pair on the internal slot because the
   // keys were going to be escrowed, move the keys over right now.
   if (mustMoveKey) {
-    SECKEYPrivateKey *newPrivKey = PK11_LoadPrivKey(slot, 
+    ScopedSECKEYPrivateKey newPrivKey(PK11_LoadPrivKey(slot,
                                                     keyPairInfo->privKey,
                                                     keyPairInfo->pubKey,
-                                                    true, true);
-    SECKEYPrivateKeyCleaner pkCleaner(newPrivKey);
-
+                                                    true, true));
     if (!newPrivKey)
       return NS_ERROR_FAILURE;
 
     // The private key is stored on the selected slot now, and the copy we
     // ultimately use for escrowing when the time comes lives 
     // in the internal slot.  We will delete it from that slot
-    // after the requests are made.  This call only gives up
-    // our reference to the key object and does not actually 
-    // physically remove it from the card itself.
-    // The actual delete calls are being made in the destructors
-    // of the cleaner helper instances.
+    // after the requests are made.
   }  
 
   return NS_OK;
 }
 
 /*
  * FUNCTION: cryptojs_ReadArgsAndGenerateKey
  * -------------------------------------
@@ -1008,23 +996,22 @@ nsFreeCertReqMessages(CRMFCertReqMsg **c
 static nsresult
 nsSetEscrowAuthority(CRMFCertRequest *certReq, nsKeyPairInfo *keyInfo,
                      nsNSSCertificate *wrappingCert)
 {
   if (!wrappingCert ||
       CRMF_CertRequestIsControlPresent(certReq, crmfPKIArchiveOptionsControl)){
     return NS_ERROR_FAILURE;
   }
-  CERTCertificate *cert = wrappingCert->GetCert();
+  ScopedCERTCertificate cert(wrappingCert->GetCert());
   if (!cert)
     return NS_ERROR_FAILURE;
 
   CRMFEncryptedKey *encrKey = 
       CRMF_CreateEncryptedKeyWithEncryptedValue(keyInfo->privKey, cert);
-  CERT_DestroyCertificate(cert);
   if (!encrKey)
     return NS_ERROR_FAILURE;
 
   CRMFPKIArchiveOptions *archOpt = 
       CRMF_CreatePKIArchiveOptions(crmfEncryptedPrivateKey, encrKey);
   if (!archOpt) {
     CRMF_DestroyEncryptedKey(encrKey);
     return NS_ERROR_FAILURE;
@@ -1041,24 +1028,23 @@ nsSetEscrowAuthority(CRMFCertRequest *ce
 //Set the Distinguished Name (Subject Name) for the cert
 //being requested.
 static nsresult
 nsSetDNForRequest(CRMFCertRequest *certReq, char *reqDN)
 {
   if (!reqDN || CRMF_CertRequestIsFieldPresent(certReq, crmfSubject)) {
     return NS_ERROR_FAILURE;
   }
-  CERTName *subjectName = CERT_AsciiToName(reqDN);
+  ScopedCERTName subjectName(CERT_AsciiToName(reqDN));
   if (!subjectName) {
     return NS_ERROR_FAILURE;
   }
   SECStatus srv = CRMF_CertRequestSetTemplateField(certReq, crmfSubject,
                                                    static_cast<void*>
                                                               (subjectName));
-  CERT_DestroyName(subjectName);
   return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
 }
 
 //Set Registration Token Control on the request.
 static nsresult
 nsSetRegToken(CRMFCertRequest *certReq, char *regToken)
 {
   // this should never happen, but might as well add this.
@@ -1483,18 +1469,17 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCer
   // the "text" input for HMAC shall be the DER encoded version of
   // of the single cert request.
   // We'll produce that encoding and destroy it afterwards,
   // because when sending the complete package to the CA,
   // we'll use a different encoding, one that includes POP and
   // allows multiple requests to be sent in one step.
 
   unsigned long der_request_len = 0;
-  SECItem *der_request = nullptr;
-  SECItemCleanerTrueParam der_request_cleaner(der_request);
+  ScopedSECItem der_request;
 
   if (SECSuccess != CRMF_EncodeCertRequest(certReq, 
                                            nsCRMFEncoderItemCount, 
                                            &der_request_len))
     return NS_ERROR_FAILURE;
 
   der_request = SECITEM_AllocItem(nullptr, nullptr, der_request_len);
   if (!der_request)
@@ -1511,27 +1496,20 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCer
                                            der_request))
     return NS_ERROR_FAILURE;
 
   // RFC 2511 Appendix A section 2 c):
   // "A key K is derived from the shared secret Kec and the subject and
   //  issuer names in the CA's certificate as follows:
   //  K = SHA1(DER-encoded-subjectName | Kec | DER-encoded-issuerName)"
 
-  PK11SymKey *shared_secret = nullptr;
-  PK11SymKeyCleaner shared_secret_cleaner(shared_secret);
-
-  PK11SymKey *subject_and_secret = nullptr;
-  PK11SymKeyCleaner subject_and_secret_cleaner(subject_and_secret);
-
-  PK11SymKey *subject_and_secret_and_issuer = nullptr;
-  PK11SymKeyCleaner subject_and_secret_and_issuer_cleaner(subject_and_secret_and_issuer);
-
-  PK11SymKey *sha1_of_subject_and_secret_and_issuer = nullptr;
-  PK11SymKeyCleaner sha1_of_subject_and_secret_and_issuer_cleaner(sha1_of_subject_and_secret_and_issuer);
+  ScopedPK11SymKey shared_secret;
+  ScopedPK11SymKey subject_and_secret;
+  ScopedPK11SymKey subject_and_secret_and_issuer;
+  ScopedPK11SymKey sha1_of_subject_and_secret_and_issuer;
 
   shared_secret = 
     PK11_PubDeriveWithKDF(keyInfo->privKey, // SECKEYPrivateKey *privKey
                           keyInfo->ecPopPubKey,  // SECKEYPublicKey *pubKey
                           false, // bool isSender
                           nullptr, // SECItem *randomA
                           nullptr, // SECItem *randomB
                           CKM_ECDH1_DERIVE, // CK_MECHANISM_TYPE derive
@@ -1610,33 +1588,28 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCer
 
   if (SECSuccess != PK11_DigestBegin(context))
     return NS_ERROR_FAILURE;
 
   if (SECSuccess != 
       PK11_DigestOp(context, der_request->data, der_request->len))
     return NS_ERROR_FAILURE;
 
-  SECItem *result_hmac_sha1_item = nullptr;
-  SECItemCleanerTrueParam result_hmac_sha1_item_cleaner(result_hmac_sha1_item);
-
-  result_hmac_sha1_item = SECITEM_AllocItem(nullptr, nullptr, SHA1_LENGTH);
-  if (!result_hmac_sha1_item)
-    return NS_ERROR_FAILURE;
+  ScopedAutoSECItem result_hmac_sha1_item(SHA1_LENGTH);
 
   if (SECSuccess !=
       PK11_DigestFinal(context, 
-                       result_hmac_sha1_item->data, 
-                       &result_hmac_sha1_item->len, 
+                       result_hmac_sha1_item.data, 
+                       &result_hmac_sha1_item.len, 
                        SHA1_LENGTH))
     return NS_ERROR_FAILURE;
 
   if (SECSuccess !=
       CRMF_CertReqMsgSetKeyAgreementPOP(certReqMsg, crmfDHMAC,
-                                        crmfNoSubseqMess, result_hmac_sha1_item))
+                                        crmfNoSubseqMess, &result_hmac_sha1_item))
     return NS_ERROR_FAILURE;
 
   return NS_OK;
 }
 
 static nsresult
 nsSetProofOfPossession(CRMFCertReqMsg *certReqMsg, 
                        nsKeyPairInfo  *keyInfo,
@@ -1945,24 +1918,23 @@ nsCrypto::GenerateCRMFRequest(nsIDOMCRMF
   nsCOMPtr<nsIX509Cert> nssCert;
   bool willEscrow = false;
   if (!!eaCert) {
     SECItem certDer = {siBuffer, nullptr, 0};
     SECStatus srv = ATOB_ConvertAsciiToItem(&certDer, eaCert.ptr());
     if (srv != SECSuccess) {
       return NS_ERROR_FAILURE;
     }
-    CERTCertificate *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-                                                    &certDer, nullptr, false,
-                                                    true);
+    ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+                                                       &certDer, nullptr,
+                                                       false, true));
     if (!cert)
       return NS_ERROR_FAILURE;
 
     escrowCert = nsNSSCertificate::Create(cert);
-    CERT_DestroyCertificate(cert);
     nssCert = escrowCert;
     if (!nssCert)
       return NS_ERROR_OUT_OF_MEMORY;
 
     nsCOMPtr<nsIDOMCryptoDialogs> dialogs;
     nsresult rv = getNSSDialogs(getter_AddRefs(dialogs),
                                 NS_GET_IID(nsIDOMCryptoDialogs),
                                 NS_DOMCRYPTODIALOGS_CONTRACTID);
@@ -2212,29 +2184,27 @@ nsCryptoRunnable::Run()
 }
 
 //Quick helper function to check if a newly issued cert
 //already exists in the user's database.
 static bool
 nsCertAlreadyExists(SECItem *derCert)
 {
   CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
-  CERTCertificate *cert;
   bool retVal = false;
 
-  cert = CERT_FindCertByDERCert(handle, derCert);
+  ScopedCERTCertificate cert(CERT_FindCertByDERCert(handle, derCert));
   if (cert) {
     if (cert->isperm && !cert->nickname && !cert->emailAddr) {
       //If the cert doesn't have a nickname or email addr, it is
       //bogus cruft, so delete it.
       SEC_DeletePermCertificate(cert);
     } else if (cert->isperm) {
       retVal = true;
     }
-    CERT_DestroyCertificate(cert);
   }
   return retVal;
 }
 
 static int32_t
 nsCertListCount(CERTCertList *certList)
 {
   int32_t numCerts = 0;
@@ -2265,17 +2235,16 @@ nsCrypto::ImportUserCertificates(const n
   int i;
   CMMFCertResponse *currResponse;
   CMMFPKIStatus reqStatus;
   CERTCertificate *currCert;
   PK11SlotInfo *slot;
   nsAutoCString localNick;
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   nsresult rv = NS_OK;
-  CERTCertList *caPubs = nullptr;
   nsCOMPtr<nsIPK11Token> token;
 
   nickname = ToNewCString(aNickname);
   cmmfResponse = ToNewCString(aCmmfResponse);
   if (nsCRT::strcmp("null", nickname) == 0) {
     nsMemory::Free(nickname);
     nickname = nullptr;
   }
@@ -2377,17 +2346,18 @@ nsCrypto::ImportUserCertificates(const n
     PK11_FreeSlot(slot);
     CMMF_DestroyCertResponse(currResponse);
   }
   //Let the loser: label take care of freeing up our reference to
   //nickname (This way we don't free it twice and avoid crashing.
   //That would be a good thing.
 
   //Import the root chain into the cert db.
-  caPubs = CMMF_CertRepContentGetCAPubs(certRepContent);
+ {
+  ScopedCERTCertList caPubs(CMMF_CertRepContentGetCAPubs(certRepContent));
   if (caPubs) {
     int32_t numCAs = nsCertListCount(caPubs);
     
     NS_ASSERTION(numCAs > 0, "Invalid number of CA's");
     if (numCAs > 0) {
       CERTCertListNode *node;
       SECItem *derCerts;
 
@@ -2400,19 +2370,18 @@ nsCrypto::ImportUserCertificates(const n
       for (node = CERT_LIST_HEAD(caPubs), i=0; 
            !CERT_LIST_END(node, caPubs);
            node = CERT_LIST_NEXT(node), i++) {
         derCerts[i] = node->cert->derCert;
       }
       nsNSSCertificateDB::ImportValidCACerts(numCAs, derCerts, ctx);
       nsMemory::Free(derCerts);
     }
-    
-    CERT_DestroyCertList(caPubs);
   }
+ }
 
   if (aDoForcedBackup) {
     // I can't pop up a file picker from the depths of JavaScript,
     // so I'll just post an event on the UI queue to do the backups
     // later.
     nsCOMPtr<nsIRunnable> p12Runnable = new nsP12Runnable(certArr, numResponses,
                                                           token);
     if (!p12Runnable) {
@@ -2634,26 +2603,24 @@ nsCrypto::SignText(const nsAString& aStr
 
   int32_t numberOfCerts = 0;
   CERTCertListNode* node;
   for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
        node = CERT_LIST_NEXT(node)) {
     ++numberOfCerts;
   }
 
-  CERTCertNicknames* nicknames = getNSSCertNicknamesFromCertList(certList);
+  ScopedCERTCertNicknames nicknames(getNSSCertNicknamesFromCertList(certList));
 
   if (!nicknames) {
     aResult.Append(internalError);
 
     return NS_OK;
   }
 
-  CERTCertNicknamesCleaner cnc(nicknames);
-
   NS_ASSERTION(nicknames->numnicknames == numberOfCerts,
                "nicknames->numnicknames != numberOfCerts");
 
   nsAutoArrayPtr<PRUnichar*> certNicknameList(new PRUnichar*[nicknames->numnicknames * 2]);
   if (!certNicknameList) {
     aResult.Append(internalError);
 
     return NS_OK;
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@@ -11,32 +11,30 @@
 #include "nsPromiseFlatString.h"
 #include "nsTArray.h"
 
 #include "cert.h"
 #include "base64.h"
 #include "nsNSSComponent.h"
 #include "nsSSLStatus.h"
 #include "nsNSSCertificate.h"
-#include "nsNSSCleaner.h"
+#include "ScopedNSSTypes.h"
+
+using namespace mozilla;
 
 #ifdef DEBUG
 #ifndef PSM_ENABLE_TEST_EV_ROOTS
 #define PSM_ENABLE_TEST_EV_ROOTS
 #endif
 #endif
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
-NSSCleanupAutoPtrClass_WithParam(SECItem, SECITEM_FreeItem, TrueParam, true)
-
 #define CONST_OID static const unsigned char
 #define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
 
 struct nsMyTrustedEVInfo
 {
   const char *dotted_oid;
   const char *oid_name; // Set this to null to signal an invalid structure,
                   // (We can't have an empty list, so we'll use a dummy entry)
@@ -1212,18 +1210,17 @@ nsNSSCertificate::hasValidEVOidTag(SECOi
   SECOidTag oid_tag;
   SECStatus rv = getFirstEVPolicy(mCert, oid_tag);
   if (rv != SECSuccess)
     return NS_OK;
 
   if (oid_tag == SEC_OID_UNKNOWN) // not in our list of OIDs accepted for EV
     return NS_OK;
 
-  CERTCertList *rootList = getRootsForOid(oid_tag);
-  CERTCertListCleaner rootListCleaner(rootList);
+  ScopedCERTCertList rootList(getRootsForOid(oid_tag));
 
   CERTRevocationMethodIndex preferedRevMethods[1] = { 
     cert_revocation_method_ocsp
   };
 
   uint64_t revMethodFlags = 
     CERT_REV_M_TEST_USING_THIS_METHOD
     | CERT_REV_M_ALLOW_NETWORK_FETCHING
@@ -1272,24 +1269,23 @@ nsNSSCertificate::hasValidEVOidTag(SECOi
 
   cvin[3].type = cert_pi_end;
 
   CERTValOutParam cvout[2];
   cvout[0].type = cert_po_trustAnchor;
   cvout[0].value.pointer.cert = nullptr;
   cvout[1].type = cert_po_end;
 
-  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("calling CERT_PKIXVerifyCert nss cert %p\n", mCert));
+  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("calling CERT_PKIXVerifyCert nss cert %p\n", mCert.get()));
   rv = CERT_PKIXVerifyCert(mCert, certificateUsageSSLServer,
                            cvin, cvout, nullptr);
   if (rv != SECSuccess)
     return NS_OK;
 
-  CERTCertificate *issuerCert = cvout[0].value.pointer.cert;
-  CERTCertificateCleaner issuerCleaner(issuerCert);
+  ScopedCERTCertificate issuerCert(cvout[0].value.pointer.cert);
 
 #ifdef PR_LOGGING
   if (PR_LOG_TEST(gPIPNSSLog, PR_LOG_DEBUG)) {
     nsNSSCertificate ic(issuerCert);
     nsAutoString fingerprint;
     ic.GetSha1Fingerprint(fingerprint);
     NS_LossyConvertUTF16toASCII fpa(fingerprint);
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("CERT_PKIXVerifyCert returned success, issuer: %s, SHA1: %s\n", 
--- a/security/manager/ssl/src/nsKeyModule.cpp
+++ b/security/manager/ssl/src/nsKeyModule.cpp
@@ -1,16 +1,20 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsComponentManagerUtils.h"
 #include "nsCOMPtr.h"
 #include "nsKeyModule.h"
 #include "nsString.h"
+#include "ScopedNSSTypes.h"
+
+using namespace mozilla;
+using namespace mozilla::psm;
 
 NS_IMPL_ISUPPORTS1(nsKeyObject, nsIKeyObject)
 
 nsKeyObject::nsKeyObject()
   : mKeyType(0), mSymKey(nullptr), mPrivateKey(nullptr),
     mPublicKey(nullptr)
 {
 }
@@ -169,29 +173,24 @@ nsKeyObjectFactory::KeyFromString(int16_
   NS_ENSURE_SUCCESS(rv, rv);
 
   // Convert the raw string into a SECItem
   const nsCString& flatKey = PromiseFlatCString(aKey);
   SECItem keyItem;
   keyItem.data = (unsigned char*)flatKey.get();
   keyItem.len = flatKey.Length();
 
-  PK11SlotInfo *slot = nullptr;
-  slot = PK11_GetBestSlot(cipherMech, nullptr);
+  ScopedPK11SlotInfo slot(PK11_GetBestSlot(cipherMech, nullptr));
   if (!slot) {
     NS_ERROR("no slot");
     return NS_ERROR_FAILURE;
   }
 
   PK11SymKey* symKey = PK11_ImportSymKey(slot, cipherMech, PK11_OriginUnwrap,
                                          cipherOperation, &keyItem, nullptr);
-  // cleanup code
-  if (slot)
-    PK11_FreeSlot(slot);
-
   if (!symKey) {
     return NS_ERROR_FAILURE;
   }
   
   rv = key->InitKey(aAlgorithm, (void*)symKey);
   NS_ENSURE_SUCCESS(rv, rv);
 
   key.swap(*_retval);
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -1,29 +1,30 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "nsNSSComponent.h"
+
 #include "nsNSSCallbacks.h"
 
 #include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
-
+#include "nsNSSComponent.h"
 #include "nsNSSIOLayer.h"
 #include "nsIWebProgressListener.h"
 #include "nsProtectedAuthThread.h"
 #include "nsITokenDialogs.h"
 #include "nsNSSShutDown.h"
 #include "nsIUploadChannel.h"
 #include "nsThreadUtils.h"
 #include "nsIPrompt.h"
 #include "nsProxyRelease.h"
 #include "PSMRunnable.h"
+#include "ScopedNSSTypes.h"
 #include "nsIConsoleService.h"
 #include "nsIHttpChannelInternal.h"
 #include "nsCRT.h"
 
 #include "ssl.h"
 #include "sslproto.h"
 #include "ocsp.h"
 #include "nssb64.h"
@@ -875,20 +876,19 @@ void HandshakeCallback(PRFileDesc* fd, v
       }
     }
     if (nsSSLIOLayerHelpers::treatUnsafeNegotiationAsBroken()) {
       secStatus = nsIWebProgressListener::STATE_IS_BROKEN;
     }
   }
 
 
-  CERTCertificate *peerCert = SSL_PeerCertificate(fd);
+  ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
   const char* caName = nullptr; // caName is a pointer only, no ownership
-  char* certOrgName = CERT_GetOrgName(&peerCert->issuer);
-  CERT_DestroyCertificate(peerCert);
+  char* certOrgName = CERT_GetOrgName(&serverCert->issuer);
   caName = certOrgName ? certOrgName : signer;
 
   const char* verisignName = "Verisign, Inc.";
   // If the CA name is RSA Data Security, then change the name to the real
   // name of the company i.e. VeriSign, Inc.
   if (nsCRT::strcmp((const char*)caName, "RSA Data Security, Inc.") == 0) {
     caName = verisignName;
   }
@@ -912,22 +912,18 @@ void HandshakeCallback(PRFileDesc* fd, v
     if (!status) {
       status = new nsSSLStatus();
       infoObject->SetSSLStatus(status);
     }
 
     RememberCertErrorsTable::GetInstance().LookupCertErrorBits(infoObject,
                                                                status);
 
-    CERTCertificate *serverCert = SSL_PeerCertificate(fd);
     if (serverCert) {
       RefPtr<nsNSSCertificate> nssc(nsNSSCertificate::Create(serverCert));
-      CERT_DestroyCertificate(serverCert);
-      serverCert = nullptr;
-
       nsCOMPtr<nsIX509Cert> prevcert;
       infoObject->GetPreviousCert(getter_AddRefs(prevcert));
 
       bool equals_previous = false;
       if (prevcert && nssc) {
         nsresult rv = nssc->Equals(prevcert, &equals_previous);
         if (NS_FAILED(rv)) {
           equals_previous = false;
--- a/security/manager/ssl/src/nsNSSCallbacks.h
+++ b/security/manager/ssl/src/nsNSSCallbacks.h
@@ -2,23 +2,27 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef _NSNSSCALLBACKS_H_
 #define _NSNSSCALLBACKS_H_
 
+#include "nsCOMPtr.h"
 #include "pk11func.h"
 #include "nspr.h"
 #include "ocspt.h"
 #include "nsIStreamLoader.h"
 #include "mozilla/CondVar.h"
 #include "mozilla/Mutex.h"
 #include "mozilla/Attributes.h"
+#include "nsString.h"
+
+class nsILoadGroup;
 
 char*
 PK11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void* arg);
 
 void HandshakeCallback(PRFileDesc *fd, void *client_data);
 
 SECStatus RegisterMyOCSPAIAInfoCallback();
 SECStatus UnregisterMyOCSPAIAInfoCallback();
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -29,47 +29,38 @@
 #include "nsNSSCertHelper.h"
 #include "nsISupportsPrimitives.h"
 #include "nsUnicharUtils.h"
 #include "nsThreadUtils.h"
 #include "nsCertVerificationThread.h"
 #include "nsIObjectOutputStream.h"
 #include "nsIObjectInputStream.h"
 #include "nsIProgrammingLanguage.h"
-
 #include "nsXULAppAPI.h"
+#include "ScopedNSSTypes.h"
 
 #include "nspr.h"
-#include "pk11func.h"
 #include "certdb.h"
-#include "cert.h"
 #include "secerr.h"
 #include "nssb64.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "ssl.h"
 #include "ocsp.h"
 #include "plbase64.h"
-#include "cms.h"
-#include "cert.h"
 
 using namespace mozilla;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
-NSSCleanupAutoPtrClass(CERTCertificateList, CERT_DestroyCertificateList)
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-NSSCleanupAutoPtrClass(NSSCMSMessage, NSS_CMSMessage_Destroy)
 NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
-NSSCleanupAutoPtrClass(NSSCMSSignedData, NSS_CMSSignedData_Destroy)
-NSSCleanupAutoPtrClass(PK11SlotList, PK11_FreeSlotList)
 
 // This is being stored in an uint32_t that can otherwise
 // only take values from nsIX509Cert's list of cert types.
 // As nsIX509Cert is frozen, we choose a value not contained
 // in the list to mean not yet initialized.
 #define CERT_TYPE_NOT_YET_INITIALIZED (1 << 30)
 
 /* nsNSSCertificate */
@@ -193,17 +184,16 @@ void nsNSSCertificate::destructorSafeDes
       // If the list of built-ins does contain a non-removable
       // copy of this certificate, our call will not remove
       // the certificate permanently, but rather remove all trust.
       SEC_DeletePermCertificate(mCert);
     }
   }
 
   if (mCert) {
-    CERT_DestroyCertificate(mCert);
     mCert = nullptr;
   }
 }
 
 nsresult
 nsNSSCertificate::GetCertType(uint32_t *aCertType)
 {
   if (mCertType == CERT_TYPE_NOT_YET_INITIALIZED) {
@@ -771,25 +761,24 @@ NS_IMETHODIMP
 nsNSSCertificate::GetIssuer(nsIX509Cert * *aIssuer)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(aIssuer);
   *aIssuer = nullptr;
-  CERTCertificate *issuer;
+  ScopedCERTCertificate issuer;
   issuer = CERT_FindCertIssuer(mCert, PR_Now(), certUsageSSLClient);
   if (issuer) {
     nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(issuer);
     if (cert) {
       *aIssuer = cert;
       NS_ADDREF(*aIssuer);
     }
-    CERT_DestroyCertificate(issuer);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetOrganizationalUnit(nsAString &aOrganizationalUnit)
 {
   nsNSSShutDownPreventionLock locker;
@@ -817,18 +806,18 @@ nsNSSCertificate::GetChain(nsIArray **_r
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(_rvChain);
   nsresult rv;
   /* Get the cert chain from NSS */
-  CERTCertList *nssChain = nullptr;
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname));
+  ScopedCERTCertList nssChain;
   nssChain = CERT_GetCertChainFromCert(mCert, PR_Now(), certUsageSSLClient);
   if (!nssChain)
     return NS_ERROR_FAILURE;
   /* enumerate the chain for scripting purposes */
   nsCOMPtr<nsIMutableArray> array =
     do_CreateInstance(NS_ARRAY_CONTRACTID, &rv);
   if (NS_FAILED(rv)) { 
     goto done; 
@@ -840,36 +829,33 @@ nsNSSCertificate::GetChain(nsIArray **_r
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("adding %s to chain\n", node->cert->nickname));
     nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(node->cert);
     array->AppendElement(cert, false);
   }
   *_rvChain = array;
   NS_IF_ADDREF(*_rvChain);
   rv = NS_OK;
 done:
-  if (nssChain)
-    CERT_DestroyCertList(nssChain);
   return rv;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetAllTokenNames(uint32_t *aLength, PRUnichar*** aTokenNames)
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(aLength);
   NS_ENSURE_ARG(aTokenNames);
   *aLength = 0;
   *aTokenNames = nullptr;
 
   /* Get the slots from NSS */
-  PK11SlotList *slots = nullptr;
-  PK11SlotListCleaner slotCleaner(slots);
+  ScopedPK11SlotList slots;
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting slots for \"%s\"\n", mCert->nickname));
   slots = PK11_GetAllSlotsForCert(mCert, nullptr);
   if (!slots) {
     if (PORT_GetError() == SEC_ERROR_NO_TOKEN)
       return NS_OK; // List of slots is empty, return empty array
     else
       return NS_ERROR_FAILURE;
   }
@@ -1077,84 +1063,83 @@ nsNSSCertificate::ExportAsCMS(uint32_t c
   PLArenaPool *arena = PORT_NewArena(1024);
   PLArenaPoolCleanerFalseParam arenaCleaner(arena);
   if (!arena) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
            ("nsNSSCertificate::ExportAsCMS - out of memory\n"));
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
-  NSSCMSMessage *cmsg = NSS_CMSMessage_Create(nullptr);
-  NSSCMSMessageCleaner cmsgCleaner(cmsg);
+  ScopedNSSCMSMessage cmsg(NSS_CMSMessage_Create(nullptr));
   if (!cmsg) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
            ("nsNSSCertificate::ExportAsCMS - can't create CMS message\n"));
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   /*
    * first, create SignedData with the certificate only (no chain)
    */
-  NSSCMSSignedData *sigd = NSS_CMSSignedData_CreateCertsOnly(cmsg, mCert, false);
-  NSSCMSSignedDataCleaner sigdCleaner(sigd);
+  ScopedNSSCMSSignedData sigd(NSS_CMSSignedData_CreateCertsOnly(cmsg, mCert,
+                                                                false));
   if (!sigd) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
            ("nsNSSCertificate::ExportAsCMS - can't create SignedData\n"));
     return NS_ERROR_FAILURE;
   }
 
   /*
    * Calling NSS_CMSSignedData_CreateCertsOnly() will not allow us
    * to specify the inclusion of the root, but CERT_CertChainFromCert() does.
    * Since CERT_CertChainFromCert() also includes the certificate itself,
    * we have to start at the issuing cert (to avoid duplicate certs
    * in the SignedData).
    */
   if (chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChain ||
       chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot) {
-    CERTCertificate *issuerCert = CERT_FindCertIssuer(mCert, PR_Now(), certUsageAnyCA);
-    CERTCertificateCleaner issuerCertCleaner(issuerCert);
+    ScopedCERTCertificate issuerCert(
+        CERT_FindCertIssuer(mCert, PR_Now(), certUsageAnyCA));
     /*
      * the issuerCert of a self signed root is the cert itself,
      * so make sure we're not adding duplicates, again
      */
     if (issuerCert && issuerCert != mCert) {
       bool includeRoot = 
         (chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot);
-      CERTCertificateList *certChain = CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot);
-      CERTCertificateListCleaner certChainCleaner(certChain);
+      ScopedCERTCertificateList certChain(
+          CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot));
       if (certChain) {
         if (NSS_CMSSignedData_AddCertList(sigd, certChain) == SECSuccess) {
-          certChainCleaner.detach();
+          certChain.forget();
         }
         else {
           PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
                  ("nsNSSCertificate::ExportAsCMS - can't add chain\n"));
           return NS_ERROR_FAILURE;
         }
       }
       else { 
         /* try to add the issuerCert, at least */
         if (NSS_CMSSignedData_AddCertificate(sigd, issuerCert)
             == SECSuccess) {
-          issuerCertCleaner.detach();
+          issuerCert.forget();
         }
         else {
           PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
                  ("nsNSSCertificate::ExportAsCMS - can't add issuer cert\n"));
           return NS_ERROR_FAILURE;
         }
       }
     }
   }
 
   NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
   if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd)
        == SECSuccess) {
-    sigdCleaner.detach();
+    sigd.forget();
   }
   else {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
            ("nsNSSCertificate::ExportAsCMS - can't attach SignedData\n"));
     return NS_ERROR_FAILURE;
   }
 
   SECItem certP7 = { siBuffer, nullptr, 0 };
@@ -1502,21 +1487,18 @@ nsNSSCertificate::Equals(nsIX509Cert *ot
 
   NS_ENSURE_ARG(other);
   NS_ENSURE_ARG(result);
 
   nsCOMPtr<nsIX509Cert2> other2 = do_QueryInterface(other);
   if (!other2)
     return NS_ERROR_FAILURE;
  
-  CERTCertificate *cert = other2->GetCert();
+  ScopedCERTCertificate cert(other2->GetCert());
   *result = (mCert == cert);
-  if (cert) {
-    CERT_DestroyCertificate(cert);
-  }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::SaveSMimeProfile()
 {
   nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
@@ -1595,23 +1577,16 @@ nsNSSCertList::nsNSSCertList(CERTCertLis
     } else {
       mCertList = DupCertList(certList);
     }
   } else {
     mCertList = CERT_NewCertList();
   }
 }
 
-nsNSSCertList::~nsNSSCertList()
-{
-  if (mCertList) {
-    CERT_DestroyCertList(mCertList);
-  }
-}
-
 /* void addCert (in nsIX509Cert cert); */
 NS_IMETHODIMP
 nsNSSCertList::AddCert(nsIX509Cert *aCert) 
 {
   /* This should be a query interface, but currently this his how the
    * rest of PSM is working */
   nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
   CERTCertificate *cert;
@@ -1701,23 +1676,16 @@ nsNSSCertList::GetEnumerator(nsISimpleEn
 NS_IMPL_THREADSAFE_ISUPPORTS1(nsNSSCertListEnumerator, 
                               nsISimpleEnumerator)
 
 nsNSSCertListEnumerator::nsNSSCertListEnumerator(CERTCertList *certList)
 {
   mCertList = nsNSSCertList::DupCertList(certList);
 }
 
-nsNSSCertListEnumerator::~nsNSSCertListEnumerator()
-{
-  if (mCertList) {
-    CERT_DestroyCertList(mCertList);
-  }
-}
-
 /* boolean hasMoreElements (); */
 NS_IMETHODIMP
 nsNSSCertListEnumerator::HasMoreElements(bool *_retval)
 { 
   NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE);
 
   *_retval = !CERT_LIST_EMPTY(mCertList);
   return NS_OK;
--- a/security/manager/ssl/src/nsNSSCertificate.h
+++ b/security/manager/ssl/src/nsNSSCertificate.h
@@ -14,16 +14,17 @@
 #include "nsIASN1Object.h"
 #include "nsISMimeCert.h"
 #include "nsIIdentityInfo.h"
 #include "nsCOMPtr.h"
 #include "nsNSSShutDown.h"
 #include "nsISimpleEnumerator.h"
 #include "nsISerializable.h"
 #include "nsIClassInfo.h"
+#include "ScopedNSSTypes.h"
 #include "certt.h"
 
 class nsAutoString;
 class nsINSSComponent;
 class nsIASN1Sequence;
 
 /* Certificate */
 class nsNSSCertificate : public nsIX509Cert3,
@@ -51,17 +52,17 @@ public:
   static nsNSSCertificate* Create(CERTCertificate *cert = nullptr);
   static nsNSSCertificate* ConstructFromDER(char *certDER, int derLen);
 
   // It is the responsibility of the caller of this method to free the returned
   // string using PR_Free.
   static char* defaultServerNickname(CERTCertificate* cert);
 
 private:
-  CERTCertificate *mCert;
+  mozilla::ScopedCERTCertificate mCert;
   bool             mPermDelete;
   uint32_t         mCertType;
   nsCOMPtr<nsIASN1Object> mASN1Structure;
   nsresult CreateASN1Struct();
   nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence **retSequence,
                                           nsINSSComponent *nssComponent);
   nsresult GetSortableDate(PRTime aTime, nsAString &_aSortableDate);
   virtual void virtualDestroyNSSReference();
@@ -78,33 +79,41 @@ private:
 
 class nsNSSCertList: public nsIX509CertList
 {
 public:
   NS_DECL_ISUPPORTS
   NS_DECL_NSIX509CERTLIST
 
   nsNSSCertList(CERTCertList *certList = nullptr, bool adopt = false);
-  virtual ~nsNSSCertList();
 
   static CERTCertList *DupCertList(CERTCertList *aCertList);
 private:
-  CERTCertList *mCertList;
+   virtual ~nsNSSCertList() { }
+
+   mozilla::ScopedCERTCertList mCertList;
+
+   nsNSSCertList(const nsNSSCertList &) MOZ_DELETE;
+   void operator=(const nsNSSCertList &) MOZ_DELETE;
 };
 
 class nsNSSCertListEnumerator: public nsISimpleEnumerator
 {
 public:
    NS_DECL_ISUPPORTS
    NS_DECL_NSISIMPLEENUMERATOR
 
    nsNSSCertListEnumerator(CERTCertList *certList);
-   virtual ~nsNSSCertListEnumerator();
 private:
-   CERTCertList *mCertList;
+   virtual ~nsNSSCertListEnumerator() { }
+
+   mozilla::ScopedCERTCertList mCertList;
+
+   nsNSSCertListEnumerator(const nsNSSCertListEnumerator &) MOZ_DELETE;
+   void operator=(const nsNSSCertListEnumerator &) MOZ_DELETE;
 };
 
 
 #define NS_NSS_LONG 4
 #define NS_NSS_GET_LONG(x) ((((unsigned long)((x)[0])) << 24) | \
                             (((unsigned long)((x)[1])) << 16) | \
                             (((unsigned long)((x)[2])) <<  8) | \
                              ((unsigned long)((x)[3])) )
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -24,42 +24,34 @@
 #include "nsIMutableArray.h"
 #include "nsArrayUtils.h"
 #include "nsNSSShutDown.h"
 #include "nsIPrefService.h"
 #include "nsIPrefBranch.h"
 #include "nsComponentManagerUtils.h"
 #include "nsIPrompt.h"
 #include "nsThreadUtils.h"
+#include "ScopedNSSTypes.h"
 
 #include "nspr.h"
-#include "pk11func.h"
 #include "certdb.h"
-#include "cert.h"
 #include "secerr.h"
 #include "nssb64.h"
 #include "secasn1.h"
 #include "secder.h"
 #include "ssl.h"
 #include "ocsp.h"
 #include "plbase64.h"
 
-#include "nsNSSCleaner.h"
-
 using namespace mozilla;
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
-NSSCleanupAutoPtrClass(CERTCertificateList, CERT_DestroyCertificateList)
-NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot)
-
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
 
 NS_IMPL_THREADSAFE_ISUPPORTS2(nsNSSCertificateDB, nsIX509CertDB, nsIX509CertDB2)
 
 nsNSSCertificateDB::nsNSSCertificateDB()
 {
 }
@@ -68,18 +60,21 @@ nsNSSCertificateDB::~nsNSSCertificateDB(
 {
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::FindCertByNickname(nsISupports *aToken,
                                       const nsAString &nickname,
                                       nsIX509Cert **_rvCert)
 {
+  NS_ENSURE_ARG_POINTER(_rvCert);
+  *_rvCert = nullptr;
+
   nsNSSShutDownPreventionLock locker;
-  CERTCertificate *cert = nullptr;
+  ScopedCERTCertificate cert;
   char *asciiname = nullptr;
   NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname);
   asciiname = const_cast<char*>(aUtf8Nickname.get());
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting \"%s\"\n", asciiname));
 #if 0
   // what it should be, but for now...
   if (aToken) {
     cert = PK11_FindCertFromNickname(asciiname, nullptr);
@@ -89,48 +84,48 @@ nsNSSCertificateDB::FindCertByNickname(n
 #endif
   cert = PK11_FindCertFromNickname(asciiname, nullptr);
   if (!cert) {
     cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname);
   }
   if (cert) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("got it\n"));
     nsCOMPtr<nsIX509Cert> pCert = nsNSSCertificate::Create(cert);
-    CERT_DestroyCertificate(cert);
     if (pCert) {
-      *_rvCert = pCert;
-      NS_ADDREF(*_rvCert);
+      pCert.forget(_rvCert);
       return NS_OK;
     }
   }
-  *_rvCert = nullptr;
   return NS_ERROR_FAILURE;
 }
 
 NS_IMETHODIMP 
 nsNSSCertificateDB::FindCertByDBKey(const char *aDBkey, nsISupports *aToken,
                                    nsIX509Cert **_cert)
 {
+  NS_ENSURE_ARG_POINTER(aDBkey);
+  NS_ENSURE_ARG(aDBkey[0]);
+  NS_ENSURE_ARG_POINTER(aToken);
+  NS_ENSURE_ARG_POINTER(_cert);
+  *_cert = nullptr;
+
   nsNSSShutDownPreventionLock locker;
   SECItem keyItem = {siBuffer, nullptr, 0};
   SECItem *dummy;
   CERTIssuerAndSN issuerSN;
   //unsigned long moduleID,slotID;
-  *_cert = nullptr; 
-  if (!aDBkey || !*aDBkey)
-    return NS_ERROR_INVALID_ARG;
 
   dummy = NSSBase64_DecodeBuffer(nullptr, &keyItem, aDBkey,
                                  (uint32_t)PL_strlen(aDBkey)); 
   if (!dummy || keyItem.len < NS_NSS_LONG*4) {
     PR_FREEIF(keyItem.data);
     return NS_ERROR_INVALID_ARG;
   }
 
-  CERTCertificate *cert;
+  ScopedCERTCertificate cert;
   // someday maybe we can speed up the search using the moduleID and slotID
   // moduleID = NS_NSS_GET_LONG(keyItem.data);
   // slotID = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG]);
 
   // build the issuer/SN structure
   issuerSN.serialNumber.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*2]);
   issuerSN.derIssuer.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*3]);
   if (issuerSN.serialNumber.len == 0 || issuerSN.derIssuer.len == 0
@@ -141,38 +136,36 @@ nsNSSCertificateDB::FindCertByDBKey(cons
   }
   issuerSN.serialNumber.data= &keyItem.data[NS_NSS_LONG*4];
   issuerSN.derIssuer.data= &keyItem.data[NS_NSS_LONG*4+
                                               issuerSN.serialNumber.len];
 
   cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), &issuerSN);
   PR_FREEIF(keyItem.data);
   if (cert) {
-    nsNSSCertificate *nssCert = nsNSSCertificate::Create(cert);
-    CERT_DestroyCertificate(cert);
+    nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
     if (!nssCert)
       return NS_ERROR_OUT_OF_MEMORY;
-    NS_ADDREF(nssCert);
-    *_cert = static_cast<nsIX509Cert*>(nssCert);
+    nssCert.forget(_cert);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP 
 nsNSSCertificateDB::FindCertNicknames(nsISupports *aToken, 
                                      uint32_t      aType,
                                      uint32_t     *_count,
                                      PRUnichar  ***_certNames)
 {
   nsNSSShutDownPreventionLock locker;
   nsresult rv = NS_ERROR_FAILURE;
   /*
    * obtain the cert list from NSS
    */
-  CERTCertList *certList = nullptr;
+  ScopedCERTCertList certList;
   PK11CertListType pk11type;
 #if 0
   // this would seem right, but it didn't work...
   // oh, I know why - bonks out on internal slot certs
   if (aType == nsIX509Cert::USER_CERT)
     pk11type = PK11CertListUser;
   else 
 #endif
@@ -185,18 +178,16 @@ nsNSSCertificateDB::FindCertNicknames(ns
    * XXX also cull the list (NSS only distinguishes based on user/non-user
    */
   getCertNames(certList, aType, _count, _certNames);
   rv = NS_OK;
   /*
    * finish up
    */
 cleanup:
-  if (certList)
-    CERT_DestroyCertList(certList);
   return rv;
 }
 
 SECStatus
 collect_certs(void *arg, SECItem **certs, int numcerts)
 {
   CERTDERCerts *collectArgs;
   SECItem *cert;
@@ -329,34 +320,32 @@ nsNSSCertificateDB::handleCACertDownload
  
   SECItem der;
   rv=certToShow->GetRawDER(&der.len, (uint8_t **)&der.data);
 
   if (NS_FAILED(rv))
     return rv;
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
-  CERTCertificate *tmpCert;
+  ScopedCERTCertificate tmpCert;
   CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
   tmpCert = CERT_FindCertByDERCert(certdb, &der);
   if (!tmpCert) {
     tmpCert = CERT_NewTempCertificate(certdb, &der,
                                       nullptr, false, true);
   }
   nsMemory::Free(der.data);
   der.data = nullptr;
   der.len = 0;
   
   if (!tmpCert) {
     NS_ERROR("Couldn't create cert from DER blob");
     return NS_ERROR_FAILURE;
   }
 
-  CERTCertificateCleaner tmpCertCleaner(tmpCert);
-
   if (!CERT_IsCACert(tmpCert, nullptr)) {
     DisplayCertificateAlert(ctx, "NotACACert", certToShow);
     return NS_ERROR_FAILURE;
   }
 
   if (tmpCert->isperm) {
     DisplayCertificateAlert(ctx, "CaCertExists", certToShow);
     return NS_ERROR_FAILURE;
@@ -388,23 +377,21 @@ nsNSSCertificateDB::handleCACertDownload
                                            trust.GetTrust());
 
   if (srv != SECSuccess)
     return NS_ERROR_FAILURE;
 
   // Import additional delivered certificates that can be verified.
 
   // build a CertList for filtering
-  CERTCertList *certList = CERT_NewCertList();
+  ScopedCERTCertList certList(CERT_NewCertList());
   if (!certList) {
     return NS_ERROR_FAILURE;
   }
 
-  CERTCertListCleaner listCleaner(certList);
-
   // get all remaining certs into temp store
 
   for (uint32_t i=0; i<numCerts; i++) {
     if (i == selCertIndex) {
       // we already processed that one
       continue;
     }
 
@@ -494,17 +481,17 @@ nsNSSCertificateDB::ImportEmailCertifica
                                        nsIInterfaceRequestor *ctx)
 
 {
   nsNSSShutDownPreventionLock locker;
   SECStatus srv = SECFailure;
   nsresult nsrv = NS_OK;
   CERTCertDBHandle *certdb;
   CERTCertificate **certArray = nullptr;
-  CERTCertList *certList = nullptr;
+  ScopedCERTCertList certList;
   CERTCertListNode *node;
   PRTime now;
   SECCertUsage certusage;
   SECCertificateUsage certificateusage;
   SECItem **rawArray;
   int numcerts;
   int i;
   CERTValOutParam cvout[1];
@@ -594,18 +581,17 @@ nsNSSCertificateDB::ImportEmailCertifica
       if (CERT_PKIXVerifyCert(node->cert, certificateusage,
                               survivingParams->GetRawPointerForNSS(),
                               cvout, ctx)
           != SECSuccess) {
         alert_and_skip = true;
       }
     }
 
-    CERTCertificateList *certChain = nullptr;
-    CERTCertificateListCleaner chainCleaner(certChain);
+    ScopedCERTCertificateList certChain;
 
     if (!alert_and_skip) {
       certChain = CERT_CertChainFromCert(node->cert, certusage, false);
       if (!certChain) {
         alert_and_skip = true;
       }
     }
 
@@ -634,33 +620,30 @@ nsNSSCertificateDB::ImportEmailCertifica
 
     PORT_Free(rawArray);
   }
 
 loser:
   if (certArray) {
     CERT_DestroyCertArray(certArray, numcerts);
   }
-  if (certList) {
-    CERT_DestroyCertList(certList);
-  }
   if (arena) 
     PORT_FreeArena(arena, true);
   return nsrv;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportServerCertificate(uint8_t * data, uint32_t length, 
                                             nsIInterfaceRequestor *ctx)
 
 {
   nsNSSShutDownPreventionLock locker;
   SECStatus srv = SECFailure;
   nsresult nsrv = NS_OK;
-  CERTCertificate * cert;
+  ScopedCERTCertificate cert;
   SECItem **rawCerts = nullptr;
   int numcerts;
   int i;
   nsNSSCertTrust trust;
   char *serverNickname = nullptr;
  
   PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   if (!arena)
@@ -701,37 +684,33 @@ nsNSSCertificateDB::ImportServerCertific
   trust.SetValidServerPeer();
   srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert, trust.GetTrust());
   if ( srv != SECSuccess ) {
     nsrv = NS_ERROR_FAILURE;
     goto loser;
   }
 loser:
   PORT_Free(rawCerts);
-  if (cert)
-    CERT_DestroyCertificate(cert);
   if (arena) 
     PORT_FreeArena(arena, true);
   return nsrv;
 }
 
 nsresult
 nsNSSCertificateDB::ImportValidCACerts(int numCACerts, SECItem *CACerts, nsIInterfaceRequestor *ctx)
 {
-  CERTCertList *certList = nullptr;
+  ScopedCERTCertList certList;
   SECItem **rawArray;
 
   // build a CertList for filtering
   certList = CERT_NewCertList();
   if (!certList) {
     return NS_ERROR_FAILURE;
   }
 
-  CERTCertListCleaner listCleaner(certList);
-
   // get all certs into temp store
   SECStatus srv = SECFailure;
   CERTCertificate **certArray = nullptr;
 
   rawArray = (SECItem **) PORT_Alloc(sizeof(SECItem *) * numCACerts);
   if ( !rawArray ) {
     return NS_ERROR_FAILURE;
   }
@@ -805,18 +784,17 @@ nsNSSCertificateDB::ImportValidCACertsIn
       if (CERT_PKIXVerifyCert(node->cert, certificateUsageVerifyCA,
                               survivingParams->GetRawPointerForNSS(),
                               cvout, ctx)
           != SECSuccess) {
         alert_and_skip = true;
       }
     }
 
-    CERTCertificateList *certChain = nullptr;
-    CERTCertificateListCleaner chainCleaner(certChain);
+    ScopedCERTCertificateList certChain;
 
     if (!alert_and_skip) {    
       certChain = CERT_CertChainFromCert(node->cert, certUsageAnyCA, false);
       if (!certChain) {
         alert_and_skip = true;
       }
     }
 
@@ -886,24 +864,24 @@ NS_IMETHODIMP
 nsNSSCertificateDB::ImportUserCertificate(uint8_t *data, uint32_t length, nsIInterfaceRequestor *ctx)
 {
   if (!NS_IsMainThread()) {
     NS_ERROR("nsNSSCertificateDB::ImportUserCertificate called off the main thread");
     return NS_ERROR_NOT_SAME_THREAD;
   }
   
   nsNSSShutDownPreventionLock locker;
-  PK11SlotInfo *slot;
+  ScopedPK11SlotInfo slot;
   nsAutoCString nickname;
   nsresult rv = NS_ERROR_FAILURE;
   int numCACerts;
   SECItem *CACerts;
   CERTDERCerts * collectArgs;
   PLArenaPool *arena;
-  CERTCertificate * cert = nullptr;
+  ScopedCERTCertificate cert;
 
   arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   if (!arena) {
     goto loser;
   }
 
   collectArgs = getCertsFromPackage(arena, data, length);
   if (!collectArgs) {
@@ -917,17 +895,17 @@ nsNSSCertificateDB::ImportUserCertificat
   }
 
   slot = PK11_KeyForCertExists(cert, nullptr, ctx);
   if (!slot) {
     nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert);
     DisplayCertificateAlert(ctx, "UserCertIgnoredNoPrivateKey", certToShow);
     goto loser;
   }
-  PK11_FreeSlot(slot);
+  slot = nullptr;
 
   /* pick a nickname for the cert */
   if (cert->nickname) {
 	/* sigh, we need a call to look up other certs with this subject and
 	 * identify nicknames from them. We can no longer walk down internal
 	 * database structures  rjr */
   	nickname = cert->nickname;
   }
@@ -938,17 +916,17 @@ nsNSSCertificateDB::ImportUserCertificat
   /* user wants to import the cert */
   {
     char *cast_const_away = const_cast<char*>(nickname.get());
     slot = PK11_ImportCertForKey(cert, cast_const_away, ctx);
   }
   if (!slot) {
     goto loser;
   }
-  PK11_FreeSlot(slot);
+  slot = nullptr;
 
   {
     nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert);
     DisplayCertificateAlert(ctx, "UserCertImported", certToShow);
   }
   rv = NS_OK;
 
   numCACerts = collectArgs->numcerts - 1;
@@ -956,33 +934,29 @@ nsNSSCertificateDB::ImportUserCertificat
     CACerts = collectArgs->rawCerts+1;
     rv = ImportValidCACerts(numCACerts, CACerts, ctx);
   }
   
 loser:
   if (arena) {
     PORT_FreeArena(arena, false);
   }
-  if ( cert ) {
-    CERT_DestroyCertificate(cert);
-  }
   return rv;
 }
 
 /*
  * void deleteCertificate(in nsIX509Cert aCert);
  */
 NS_IMETHODIMP 
 nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
 {
   nsNSSShutDownPreventionLock locker;
   nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
-  CERTCertificate *cert = nssCert->GetCert();
+  ScopedCERTCertificate cert(nssCert->GetCert());
   if (!cert) return NS_ERROR_FAILURE;
-  CERTCertificateCleaner certCleaner(cert);
   SECStatus srv = SECSuccess;
 
   uint32_t certType;
   nssCert->GetCertType(&certType);
   if (NS_FAILED(nssCert->MarkForPermDeletion()))
   {
     return NS_ERROR_FAILURE;
   }
@@ -1014,18 +988,18 @@ nsNSSCertificateDB::SetCertTrust(nsIX509
                                  uint32_t trusted)
 {
   nsNSSShutDownPreventionLock locker;
   SECStatus srv;
   nsNSSCertTrust trust;
   nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
   if (!pipCert)
     return NS_ERROR_FAILURE;
-  CERTCertificate *nsscert = pipCert->GetCert();
-  CERTCertificateCleaner certCleaner(nsscert);
+  ScopedCERTCertificate nsscert(pipCert->GetCert());
+
   if (type == nsIX509Cert::CA_CERT) {
     // always start with untrusted and move up
     trust.SetValidCA();
     trust.AddCATrust(!!(trusted & nsIX509CertDB::TRUSTED_SSL),
                      !!(trusted & nsIX509CertDB::TRUSTED_EMAIL),
                      !!(trusted & nsIX509CertDB::TRUSTED_OBJSIGN));
     srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), 
                                nsscert,
@@ -1058,24 +1032,23 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50
                                   bool *_isTrusted)
 {
   NS_ENSURE_ARG_POINTER(_isTrusted);
   *_isTrusted = false;
 
   nsNSSShutDownPreventionLock locker;
   SECStatus srv;
   nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
-  CERTCertificate *nsscert = pipCert->GetCert();
+  ScopedCERTCertificate nsscert(pipCert->GetCert());
   CERTCertTrust nsstrust;
   srv = CERT_GetCertTrust(nsscert, &nsstrust);
   if (srv != SECSuccess)
     return NS_ERROR_FAILURE;
 
   nsNSSCertTrust trust(&nsstrust);
-  CERT_DestroyCertificate(nsscert);
   if (certType == nsIX509Cert::CA_CERT) {
     if (trustType & nsIX509CertDB::TRUSTED_SSL) {
       *_isTrusted = trust.HasTrustedCA(true, false, false);
     } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
       *_isTrusted = trust.HasTrustedCA(false, true, false);
     } else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
       *_isTrusted = trust.HasTrustedCA(false, false, true);
     } else {
@@ -1192,20 +1165,19 @@ nsNSSCertificateDB::ExportPKCS12File(nsI
                                      //const PRUnichar **aCertNames)
 {
   nsNSSShutDownPreventionLock locker;
   NS_ENSURE_ARG(aFile);
   nsPKCS12Blob blob;
   if (count == 0) return NS_OK;
   nsCOMPtr<nsIPK11Token> localRef;
   if (!aToken) {
-    PK11SlotInfo *keySlot = PK11_GetInternalKeySlot();
+    ScopedPK11SlotInfo keySlot(PK11_GetInternalKeySlot());
     NS_ASSERTION(keySlot,"Failed to get the internal key slot");
     localRef = new nsPK11Token(keySlot);
-    PK11_FreeSlot(keySlot);
   }
   else {
     localRef = do_QueryInterface(aToken);
   }
   blob.SetToken(localRef);
   //blob.LoadCerts(aCertNames, count);
   //return blob.ExportToFile(aFile);
   return blob.ExportToFile(aFile, certs, count);
@@ -1290,90 +1262,74 @@ nsNSSCertificateDB::GetIsOcspOn(bool *aO
   *aOcspOn = ( ocspEnabled == 0 ) ? false : true; 
   return NS_OK;
 }
 
 /* nsIX509Cert getDefaultEmailEncryptionCert (); */
 NS_IMETHODIMP
 nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString &aNickname, nsIX509Cert **_retval)
 {
-  if (!_retval)
-    return NS_ERROR_FAILURE;
-
-  *_retval = 0;
+  NS_ENSURE_ARG_POINTER(_retval);
+  *_retval = nullptr;
 
   if (aNickname.IsEmpty())
     return NS_OK;
 
   nsNSSShutDownPreventionLock locker;
-  nsresult rv = NS_OK;
-  CERTCertificate *cert = 0;
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
-  nsNSSCertificate *nssCert = nullptr;
   char *asciiname = nullptr;
   NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
   asciiname = const_cast<char*>(aUtf8Nickname.get());
 
   /* Find a good cert in the user's database */
+  ScopedCERTCertificate cert;
   cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, 
            certUsageEmailRecipient, true, ctx);
-
-  if (!cert) { goto loser; }  
-
-  nssCert = nsNSSCertificate::Create(cert);
-  if (!nssCert) {
-    rv = NS_ERROR_OUT_OF_MEMORY;
+  if (!cert) {
+    return NS_OK;
   }
-  NS_ADDREF(nssCert);
 
-  *_retval = static_cast<nsIX509Cert*>(nssCert);
-
-loser:
-  if (cert) CERT_DestroyCertificate(cert);
-  return rv;
+  nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
+  if (!nssCert) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+  nssCert.forget(_retval);
+  return NS_OK;
 }
 
 /* nsIX509Cert getDefaultEmailSigningCert (); */
 NS_IMETHODIMP
 nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert **_retval)
 {
-  if (!_retval)
-    return NS_ERROR_FAILURE;
-
-  *_retval = 0;
+  NS_ENSURE_ARG_POINTER(_retval);
+  *_retval = nullptr;
 
   if (aNickname.IsEmpty())
     return NS_OK;
 
   nsNSSShutDownPreventionLock locker;
-  nsresult rv = NS_OK;
-  CERTCertificate *cert = 0;
+  ScopedCERTCertificate cert;
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
-  nsNSSCertificate *nssCert = nullptr;
   char *asciiname = nullptr;
   NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
   asciiname = const_cast<char*>(aUtf8Nickname.get());
 
   /* Find a good cert in the user's database */
   cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, 
            certUsageEmailSigner, true, ctx);
-
-  if (!cert) { goto loser; }  
-
-  nssCert = nsNSSCertificate::Create(cert);
-  if (!nssCert) {
-    rv = NS_ERROR_OUT_OF_MEMORY;
+  if (!cert) {
+    return NS_OK;
   }
-  NS_ADDREF(nssCert);
 
-  *_retval = static_cast<nsIX509Cert*>(nssCert);
-
-loser:
-  if (cert) CERT_DestroyCertificate(cert);
-  return rv;
+  nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
+  if (!nssCert) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+  nssCert.forget(_retval);
+  return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::FindCertByEmailAddress(nsISupports *aToken, const char *aEmailAddress, nsIX509Cert **_retval)
 {
   nsNSSShutDownPreventionLock locker;
   
   nsCOMPtr<nsINSSComponent> inss;
@@ -1384,25 +1340,24 @@ nsNSSCertificateDB::FindCertByEmailAddre
     inss = do_GetService(kNSSComponentCID, &nsrv);
     if (!inss)
       return nsrv;
     nsrv = inss->GetDefaultCERTValInParam(survivingParams);
     if (NS_FAILED(nsrv))
       return nsrv;
   }
 
-  CERTCertList *certlist = PK11_FindCertsFromEmailAddress(aEmailAddress, nullptr);
+  ScopedCERTCertList certlist(
+      PK11_FindCertsFromEmailAddress(aEmailAddress, nullptr));
   if (!certlist)
     return NS_ERROR_FAILURE;  
 
   // certlist now contains certificates with the right email address,
   // but they might not have the correct usage or might even be invalid
 
-  CERTCertListCleaner listCleaner(certlist);
-
   if (CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist))
     return NS_ERROR_FAILURE; // no certs found
 
   CERTCertListNode *node;
   // search for a valid certificate
   for (node = CERT_LIST_HEAD(certlist);
        !CERT_LIST_END(node, certlist);
        node = CERT_LIST_NEXT(node)) {
@@ -1471,32 +1426,32 @@ nsNSSCertificateDB::ConstructX509FromBas
   }
 
   nsNSSShutDownPreventionLock locker;
   SECItem secitem_cert;
   secitem_cert.type = siDERCertBuffer;
   secitem_cert.data = (unsigned char*)certDER;
   secitem_cert.len = lengthDER;
 
-  CERTCertificate *cert =
+  ScopedCERTCertificate cert;
+  cert =
     CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert,
                             nullptr, false, true);
   PL_strfree(certDER);
 
   if (!cert)
     return (PORT_GetError() == SEC_ERROR_NO_MEMORY)
       ? NS_ERROR_OUT_OF_MEMORY : NS_ERROR_FAILURE;
 
-  nsNSSCertificate *nsNSS = nsNSSCertificate::Create(cert);
-  CERT_DestroyCertificate(cert);
-
-  if (!nsNSS)
+  nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
+  if (!nssCert) {
     return NS_ERROR_OUT_OF_MEMORY;
-
-  return CallQueryInterface(nsNSS, _retval);
+  }
+  nssCert.forget(_retval);
+  return NS_OK;
 }
 
 void
 nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert, 
                                          nsIInterfaceRequestor* ctx,
                                          nsCString &nickname)
 {
   nickname.Truncate();
@@ -1542,18 +1497,17 @@ nsNSSCertificateDB::get_default_nickname
 
   nickname = baseName;
 
   /*
    * We need to see if the private key exists on a token, if it does
    * then we need to check for nicknames that already exist on the smart
    * card.
    */
-  PK11SlotInfo *slot = PK11_KeyForCertExists(cert, &keyHandle, ctx);
-  PK11SlotInfoCleaner slotCleaner(slot);
+  ScopedPK11SlotInfo slot(PK11_KeyForCertExists(cert, &keyHandle, ctx));
   if (!slot)
     return;
 
   if (!PK11_IsInternal(slot)) {
     char *tmp = PR_smprintf("%s:%s", PK11_GetTokenName(slot), baseName.get());
     if (!tmp) {
       nickname.Truncate();
       return;
@@ -1571,18 +1525,17 @@ nsNSSCertificateDB::get_default_nickname
       if (!tmp) {
         nickname.Truncate();
         return;
       }
       nickname = tmp;
       PR_smprintf_free(tmp);
     }
 
-    CERTCertificate *dummycert = nullptr;
-    CERTCertificateCleaner dummycertCleaner(dummycert);
+    ScopedCERTCertificate dummycert;
 
     if (PK11_IsInternal(slot)) {
       /* look up the nickname to make sure it isn't in use already */
       dummycert = CERT_FindCertByNickname(defaultcertdb, nickname.get());
 
     } else {
       /*
        * Check the cert against others that already live on the smart 
@@ -1595,17 +1548,16 @@ nsNSSCertificateDB::get_default_nickname
 	 */ 
 	if (CERT_CompareName(&cert->subject, &dummycert->subject) == SECEqual)
 	{
 	  /*
 	   * There is another certificate with the same nickname and
 	   * the same subject name on the smart card, so let's use this
 	   * nickname.
 	   */
-	  CERT_DestroyCertificate(dummycert);
 	  dummycert = nullptr;
 	}
       }
     }
     if (!dummycert) 
       break;
     
     count++;
@@ -1628,38 +1580,34 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCer
   nsresult rv = ConstructX509FromBase64(aBase64, getter_AddRefs(newCert));
   NS_ENSURE_SUCCESS(rv, rv);
 
   SECItem der;
   rv = newCert->GetRawDER(&der.len, (uint8_t **)&der.data);
   NS_ENSURE_SUCCESS(rv, rv);
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
-  CERTCertificate *tmpCert;
   CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-  tmpCert = CERT_FindCertByDERCert(certdb, &der);
+  ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
   if (!tmpCert) 
     tmpCert = CERT_NewTempCertificate(certdb, &der,
                                       nullptr, false, true);
   nsMemory::Free(der.data);
   der.data = nullptr;
   der.len = 0;
 
   if (!tmpCert) {
     NS_ERROR("Couldn't create cert from DER blob");
     return NS_ERROR_FAILURE;
   }
 
   if (tmpCert->isperm) {
-    CERT_DestroyCertificate(tmpCert);
     return NS_OK;
   }
 
-  CERTCertificateCleaner tmpCertCleaner(tmpCert);
-
   nsXPIDLCString nickname;
   nickname.Adopt(CERT_MakeCANickname(tmpCert));
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get()));
 
   SECStatus srv = __CERT_AddTempCertToPerm(tmpCert,
                                            const_cast<char*>(nickname.get()),
                                            trust.GetTrust());
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -22,16 +22,17 @@
 #include "nsNSSCleaner.h"
 #include "nsIDocShell.h"
 #include "nsIDocShellTreeItem.h"
 #include "nsISecureBrowserUI.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsCharSeparatedTokenizer.h"
 #include "nsIConsoleService.h"
 #include "PSMRunnable.h"
+#include "ScopedNSSTypes.h"
 
 #include "ssl.h"
 #include "secerr.h"
 #include "sslerr.h"
 #include "secder.h"
 #include "keyhi.h"
 
 using namespace mozilla;
@@ -44,17 +45,16 @@ using namespace mozilla::psm;
                        //DEBUG_SSL_VERBOSE to dump SSL
                        //read/write buffer to a log.
                        //Uses PR_LOG except on Mac where
                        //we always write out to our own
                        //file.
 
 namespace {
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
 NSSCleanupAutoPtrClass(void, PR_FREEIF)
 
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
 /* SSM_UserCertChoice: enum for cert choice info */
 typedef enum {ASK, AUTO} SSM_UserCertChoice;
 
 } // unnamed namespace
@@ -254,18 +254,17 @@ nsNSSSocketInfo::JoinConnection(const ns
   // because the user decides on whether to send client certs to hosts on a
   // per-domain basis.
   if (mSentClientCert)
     return NS_OK;
 
   // Ensure that the server certificate covers the hostname that would
   // like to join this connection
 
-  CERTCertificate *nssCert = nullptr;
-  CERTCertificateCleaner nsscertCleaner(nssCert);
+  ScopedCERTCertificate nssCert;
 
   nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(SSLStatus()->mServerCert);
   if (cert2)
     nssCert = cert2->GetCert();
 
   if (!nssCert)
     return NS_OK;
 
@@ -1909,21 +1908,21 @@ SECStatus nsNSS_SSLGetClientAuthData(voi
 
   return runnable->mRV;
 }
 
 void ClientAuthDataRunnable::RunOnTargetThread()
 {
   PLArenaPool* arena = nullptr;
   char** caNameStrings;
-  CERTCertificate* cert = nullptr;
-  SECKEYPrivateKey* privKey = nullptr;
-  CERTCertList* certList = nullptr;
+  ScopedCERTCertificate cert;
+  ScopedSECKEYPrivateKey privKey;
+  ScopedCERTCertList certList;
   CERTCertListNode* node;
-  CERTCertNicknames* nicknames = nullptr;
+  ScopedCERTCertNicknames nicknames;
   char* extracted = nullptr;
   int keyError = 0; /* used for private key retrieval error */
   SSM_UserCertChoice certChoice;
   int32_t NumberOfCerts = 0;
   void * wincx = mSocketInfo;
 
   /* create caNameStrings */
   arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
@@ -1967,18 +1966,17 @@ void ClientAuthDataRunnable::RunOnTarget
     }
 
     /* make sure the list is not empty */
     node = CERT_LIST_HEAD(certList);
     if (CERT_LIST_END(node, certList)) {
       goto noCert;
     }
 
-    CERTCertificate* low_prio_nonrep_cert = nullptr;
-    CERTCertificateCleaner low_prio_cleaner(low_prio_nonrep_cert);
+    ScopedCERTCertificate low_prio_nonrep_cert;
 
     /* loop through the list until we find a cert with a key */
     while (!CERT_LIST_END(node, certList)) {
       /* if the certificate has restriction and we do not satisfy it
        * we do not use it
        */
 #if 0		/* XXX This must be re-enabled */
       if (!CERT_MatchesScopeOfUse(node->cert, mSocketInfo->GetHostName,
@@ -1986,17 +1984,16 @@ void ClientAuthDataRunnable::RunOnTarget
           node = CERT_LIST_NEXT(node);
           continue;
       }
 #endif
 
       privKey = PK11_FindKeyByAnyCert(node->cert, wincx);
       if (privKey) {
         if (hasExplicitKeyUsageNonRepudiation(node->cert)) {
-          SECKEY_DestroyPrivateKey(privKey);
           privKey = nullptr;
           // Not a prefered cert
           if (!low_prio_nonrep_cert) // did not yet find a low prio cert
             low_prio_nonrep_cert = CERT_DupCertificate(node->cert);
         }
         else {
           // this is a good cert to present
           cert = CERT_DupCertificate(node->cert);
@@ -2008,18 +2005,17 @@ void ClientAuthDataRunnable::RunOnTarget
           /* problem with password: bail */
           goto loser;
       }
 
       node = CERT_LIST_NEXT(node);
     }
 
     if (!cert && low_prio_nonrep_cert) {
-      cert = low_prio_nonrep_cert;
-      low_prio_nonrep_cert = nullptr; // take it away from the cleaner
+      cert = low_prio_nonrep_cert.forget();
       privKey = PK11_FindKeyByAnyCert(cert, wincx);
     }
 
     if (!cert) {
         goto noCert;
     }
   }
   else { // Not Auto => ask
@@ -2265,17 +2261,18 @@ if (!hasRemembered)
 
       if (i == selectedIndex) {
         cert = CERT_DupCertificate(node->cert);
         break;
       }
     }
 
     if (cars && wantRemember) {
-      cars->RememberDecision(hostname, mServerCert, canceled ? 0 : cert);
+      cars->RememberDecision(hostname, mServerCert,
+                             canceled ? nullptr : cert.get());
     }
 }
 
     if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
 
     if (!cert) {
       goto loser;
     }
@@ -2295,38 +2292,28 @@ if (!hasRemembered)
   }
   goto done;
 
 noCert:
 loser:
   if (mRV == SECSuccess) {
     mRV = SECFailure;
   }
-  if (cert) {
-    CERT_DestroyCertificate(cert);
-    cert = nullptr;
-  }
 done:
   int error = PR_GetError();
 
   if (extracted) {
     PR_Free(extracted);
   }
-  if (nicknames) {
-    CERT_FreeNicknames(nicknames);
-  }
-  if (certList) {
-    CERT_DestroyCertList(certList);
-  }
   if (arena) {
     PORT_FreeArena(arena, false);
   }
 
-  *mPRetCert = cert;
-  *mPRetKey = privKey;
+  *mPRetCert = cert.forget();
+  *mPRetKey = privKey.forget();
 
   if (mRV == SECFailure) {
     mErrorCodeToReport = error;
   }
 }
 
 static PRFileDesc*
 nsSSLIOLayerImportFD(PRFileDesc *fd,
--- a/security/manager/ssl/src/nsPKCS12Blob.cpp
+++ b/security/manager/ssl/src/nsPKCS12Blob.cpp
@@ -21,25 +21,25 @@
 #include "nsDirectoryServiceDefs.h"
 #include "nsNSSHelper.h"
 #include "nsNSSCertificate.h"
 #include "nsKeygenHandler.h" //For GetSlotWithMechanism
 #include "nsPK11TokenDB.h"
 #include "nsICertificateDialogs.h"
 #include "nsNSSShutDown.h"
 #include "nsCRT.h"
-#include "pk11func.h"
+#include "ScopedNSSTypes.h"
+
 #include "secerr.h"
 
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 
-#include "nsNSSCleaner.h"
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
+using namespace mozilla;
 
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
 #define PIP_PKCS12_TMPFILENAME   NS_LITERAL_CSTRING(".pip_p12tmp")
 #define PIP_PKCS12_BUFFER_SIZE   2048
 #define PIP_PKCS12_RESTORE_OK          1
 #define PIP_PKCS12_BACKUP_OK           2
 #define PIP_PKCS12_USER_CANCELED       3
@@ -355,19 +355,17 @@ nsPKCS12Blob::ExportToFile(nsIFile *file
     nsCOMPtr<nsIX509Cert> cert;
     nrv = mCertArray->GetElementAt(i, getter_AddRefs(cert));
     if (NS_FAILED(nrv)) goto finish;
 #endif
   for (i=0; i<numCerts; i++) {
 //    nsNSSCertificate *cert = reinterpret_cast<nsNSSCertificate *>(certs[i]);
     nsNSSCertificate *cert = (nsNSSCertificate *)certs[i];
     // get it as a CERTCertificate XXX
-    CERTCertificate *nssCert = NULL;
-    CERTCertificateCleaner nssCertCleaner(nssCert);
-    nssCert = cert->GetCert();
+    ScopedCERTCertificate nssCert(cert->GetCert());
     if (!nssCert) {
       rv = NS_ERROR_FAILURE;
       goto finish;
     }
     // We can only successfully export certs that are on 
     // internal token.  Most, if not all, smart card vendors
     // won't let you extract the private key (in any way
     // shape or form) from the card.  So let's punt if 
--- a/security/manager/ssl/src/nsRecentBadCerts.cpp
+++ b/security/manager/ssl/src/nsRecentBadCerts.cpp
@@ -13,22 +13,18 @@
 #include "nsCRT.h"
 #include "nsPromiseFlatString.h"
 #include "nsStringBuffer.h"
 #include "nspr.h"
 #include "pk11pub.h"
 #include "certdb.h"
 #include "sechash.h"
 
-#include "nsNSSCleaner.h"
-
 using namespace mozilla;
 
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-
 NS_IMPL_THREADSAFE_ISUPPORTS1(nsRecentBadCertsService, 
                               nsIRecentBadCertsService)
 
 nsRecentBadCertsService::nsRecentBadCertsService()
 :monitor("nsRecentBadCertsService.monitor")
 ,mNextStorePosition(0)
 {
 }
@@ -73,33 +69,30 @@ nsRecentBadCertsService::GetRecentBadCer
         isDomainMismatch = mCerts[i].isDomainMismatch;
         isNotValidAtThisTime = mCerts[i].isNotValidAtThisTime;
         isUntrusted = mCerts[i].isUntrusted;
       }
     }
   }
 
   if (foundDER.len) {
-    CERTCertificate *nssCert;
     CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-    nssCert = CERT_FindCertByDERCert(certdb, &foundDER);
+    ScopedCERTCertificate nssCert(CERT_FindCertByDERCert(certdb, &foundDER));
     if (!nssCert) 
       nssCert = CERT_NewTempCertificate(certdb, &foundDER,
                                         nullptr, // no nickname
                                         false, // not perm
                                         true); // copy der
 
     SECITEM_FreeItem(&foundDER, false);
 
     if (!nssCert)
       return NS_ERROR_FAILURE;
 
     status->mServerCert = nsNSSCertificate::Create(nssCert);
-    CERT_DestroyCertificate(nssCert);
-
     status->mHaveCertErrorBits = true;
     status->mIsDomainMismatch = isDomainMismatch;
     status->mIsNotValidAtThisTime = isNotValidAtThisTime;
     status->mIsUntrusted = isUntrusted;
 
     *aStatus = status;
     NS_IF_ADDREF(*aStatus);
   }
--- a/security/manager/ssl/src/nsSDR.cpp
+++ b/security/manager/ssl/src/nsSDR.cpp
@@ -16,24 +16,24 @@
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsIServiceManager.h"
 #include "nsITokenPasswordDialogs.h"
 
 #include "nsISecretDecoderRing.h"
 #include "nsSDR.h"
 #include "nsNSSComponent.h"
 #include "nsNSSShutDown.h"
+#include "ScopedNSSTypes.h"
 
 #include "pk11func.h"
 #include "pk11sdr.h" // For PK11SDR_Encrypt, PK11SDR_Decrypt
 
 #include "ssl.h" // For SSL_ClearSessionCache
 
-#include "nsNSSCleaner.h"
-NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot)
+using namespace mozilla;
 
 // Standard ISupports implementation
 // NOTE: Should these be the thread-safe versions?
 NS_IMPL_ISUPPORTS2(nsSecretDecoderRing, nsISecretDecoderRing, nsISecretDecoderRingConfig)
 
 // nsSecretDecoderRing constructor
 nsSecretDecoderRing::nsSecretDecoderRing()
 {
@@ -46,18 +46,17 @@ nsSecretDecoderRing::~nsSecretDecoderRin
 }
 
 /* [noscript] long encrypt (in buffer data, in long dataLen, out buffer result); */
 NS_IMETHODIMP nsSecretDecoderRing::
 Encrypt(unsigned char * data, int32_t dataLen, unsigned char * *result, int32_t *_retval)
 {
   nsNSSShutDownPreventionLock locker;
   nsresult rv = NS_OK;
-  PK11SlotInfo *slot = 0;
-  PK11SlotInfoCleaner tmpSlotCleaner(slot);
+  ScopedPK11SlotInfo slot;
   SECItem keyid;
   SECItem request;
   SECItem reply;
   SECStatus s;
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
 
   slot = PK11_GetInternalKeySlot();
   if (!slot) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
@@ -89,18 +88,17 @@ loser:
 }
 
 /* [noscript] long decrypt (in buffer data, in long dataLen, out buffer result); */
 NS_IMETHODIMP nsSecretDecoderRing::
 Decrypt(unsigned char * data, int32_t dataLen, unsigned char * *result, int32_t *_retval)
 {
   nsNSSShutDownPreventionLock locker;
   nsresult rv = NS_OK;
-  PK11SlotInfo *slot = 0;
-  PK11SlotInfoCleaner tmpSlotCleaner(slot);
+  ScopedPK11SlotInfo slot;
   SECStatus s;
   SECItem request;
   SECItem reply;
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
 
   *result = 0;
   *_retval = 0;
 
@@ -195,26 +193,22 @@ loser:
 }
 
 /* void changePassword(); */
 NS_IMETHODIMP nsSecretDecoderRing::
 ChangePassword()
 {
   nsNSSShutDownPreventionLock locker;
   nsresult rv;
-  PK11SlotInfo *slot;
-
-  slot = PK11_GetInternalKeySlot();
+  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) return NS_ERROR_NOT_AVAILABLE;
 
   /* Convert UTF8 token name to UCS2 */
   NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(slot));
 
-  PK11_FreeSlot(slot);
-
   /* Get the set password dialog handler imlementation */
   nsCOMPtr<nsITokenPasswordDialogs> dialogs;
 
   rv = getNSSDialogs(getter_AddRefs(dialogs),
                      NS_GET_IID(nsITokenPasswordDialogs),
                      NS_TOKENPASSWORDSDIALOG_CONTRACTID);
   if (NS_FAILED(rv)) return rv;