Bug 1560354 - Transform some nss types into gecko types. r=keeler
☠☠ backed out by a3480699468f ☠ ☠
authorDragana Damjanovic <dd.mozilla@gmail.com>
Tue, 02 Jul 2019 21:26:36 +0000
changeset 488157 5d42edca79d4b5a1a13647d151dfb989dd9bb507
parent 488156 c928408c3402f71c9a1bf795147bfb4bfa21b580
child 488158 386589f99ae841ba002bc8e67fef45ad6f84fd66
push id36437
push userncsoregi@mozilla.com
push dateThu, 15 Aug 2019 19:33:18 +0000
treeherdermozilla-central@44aac6fc3352 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs1560354
milestone70.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1560354 - Transform some nss types into gecko types. r=keeler Differential Revision: https://phabricator.services.mozilla.com/D35566
security/certverifier/CertVerifier.cpp
security/certverifier/CertVerifier.h
security/manager/ssl/SSLServerCertVerification.cpp
security/manager/ssl/nsNSSCallbacks.cpp
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/nsNSSIOLayer.cpp
security/manager/ssl/nsSiteSecurityService.cpp
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -442,18 +442,18 @@ bool CertVerifier::SHA1ModeMoreRestricti
 static const unsigned int MIN_RSA_BITS = 2048;
 static const unsigned int MIN_RSA_BITS_WEAK = 1024;
 
 Result CertVerifier::VerifyCert(
     CERTCertificate* cert, SECCertificateUsage usage, Time time, void* pinArg,
     const char* hostname,
     /*out*/ UniqueCERTCertList& builtChain,
     /*optional*/ const Flags flags,
-    /*optional*/ const SECItem* stapledOCSPResponseSECItem,
-    /*optional*/ const SECItem* sctsFromTLSSECItem,
+    /*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponseArg,
+    /*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS,
     /*optional*/ const OriginAttributes& originAttributes,
     /*optional out*/ SECOidTag* evOidPolicy,
     /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus,
     /*optional out*/ KeySizeStatus* keySizeStatus,
     /*optional out*/ SHA1ModeResult* sha1ModeResult,
     /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo,
     /*optional out*/ CertificateTransparencyInfo* ctInfo) {
   MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("Top of VerifyCert\n"));
@@ -511,33 +511,33 @@ Result CertVerifier::VerifyCert(
       (mOCSPDownloadConfig == ocspOff) || (mOCSPDownloadConfig == ocspEVOnly) ||
               (flags & FLAG_LOCAL_ONLY)
           ? NSSCertDBTrustDomain::NeverFetchOCSP
           : !mOCSPStrict ? NSSCertDBTrustDomain::FetchOCSPForDVSoftFail
                          : NSSCertDBTrustDomain::FetchOCSPForDVHardFail;
 
   Input stapledOCSPResponseInput;
   const Input* stapledOCSPResponse = nullptr;
-  if (stapledOCSPResponseSECItem) {
-    rv = stapledOCSPResponseInput.Init(stapledOCSPResponseSECItem->data,
-                                       stapledOCSPResponseSECItem->len);
+  if (stapledOCSPResponseArg) {
+    rv = stapledOCSPResponseInput.Init(stapledOCSPResponseArg->Elements(),
+                                       stapledOCSPResponseArg->Length());
     if (rv != Success) {
       // The stapled OCSP response was too big.
       return Result::ERROR_OCSP_MALFORMED_RESPONSE;
     }
     stapledOCSPResponse = &stapledOCSPResponseInput;
   }
 
   Input sctsFromTLSInput;
-  if (sctsFromTLSSECItem) {
-    rv = sctsFromTLSInput.Init(sctsFromTLSSECItem->data,
-                               sctsFromTLSSECItem->len);
-    // Silently discard the error of the extension being too big,
-    // do not fail the verification.
-    MOZ_ASSERT(rv == Success);
+  if (sctsFromTLS) {
+    rv = sctsFromTLSInput.Init(sctsFromTLS->Elements(),
+                               sctsFromTLS->Length());
+    if (rv != Success && sctsFromTLSInput.GetLength() != 0) {
+      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    }
   }
 
   switch (usage) {
     case certificateUsageSSLClient: {
       // XXX: We don't really have a trust bit for SSL client authentication so
       // just use trustEmail as it is the closest alternative.
       NSSCertDBTrustDomain trustDomain(
           trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
@@ -849,18 +849,18 @@ static bool CertIsSelfSigned(const Uniqu
     return false;
   }
 
   return true;
 }
 
 Result CertVerifier::VerifySSLServerCert(
     const UniqueCERTCertificate& peerCert,
-    /*optional*/ const SECItem* stapledOCSPResponse,
-    /*optional*/ const SECItem* sctsFromTLS, Time time,
+    /*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+    /*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS, Time time,
     /*optional*/ void* pinarg, const nsACString& hostname,
     /*out*/ UniqueCERTCertList& builtChain,
     /*optional*/ bool saveIntermediatesInPermanentDatabase,
     /*optional*/ Flags flags,
     /*optional*/ const OriginAttributes& originAttributes,
     /*optional out*/ SECOidTag* evOidPolicy,
     /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus,
     /*optional out*/ KeySizeStatus* keySizeStatus,
@@ -919,18 +919,18 @@ Result CertVerifier::VerifySSLServerCert
   rv = peerCertInput.Init(peerCert->derCert.data, peerCert->derCert.len);
   if (rv != Success) {
     return rv;
   }
 
   Input stapledOCSPResponseInput;
   Input* responseInputPtr = nullptr;
   if (stapledOCSPResponse) {
-    rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->data,
-                                       stapledOCSPResponse->len);
+    rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->Elements(),
+                                       stapledOCSPResponse->Length());
     if (rv != Success) {
       // The stapled OCSP response was too big.
       return Result::ERROR_OCSP_MALFORMED_RESPONSE;
     }
     responseInputPtr = &stapledOCSPResponseInput;
   }
 
   if (!(flags & FLAG_TLS_IGNORE_STATUS_REQUEST)) {
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -141,31 +141,31 @@ class CertVerifier {
   };
 
   // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
   // Only one usage per verification is supported.
   mozilla::pkix::Result VerifyCert(
       CERTCertificate* cert, SECCertificateUsage usage,
       mozilla::pkix::Time time, void* pinArg, const char* hostname,
       /*out*/ UniqueCERTCertList& builtChain, Flags flags = 0,
-      /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
-      /*optional in*/ const SECItem* sctsFromTLS = nullptr,
+      /*optional in*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponseArg = Maybe<nsTArray<uint8_t>>(),
+      /*optional in*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS = Maybe<nsTArray<uint8_t>>(),
       /*optional in*/ const OriginAttributes& originAttributes =
           OriginAttributes(),
       /*optional out*/ SECOidTag* evOidPolicy = nullptr,
       /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr,
       /*optional out*/ KeySizeStatus* keySizeStatus = nullptr,
       /*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
       /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
       /*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
 
   mozilla::pkix::Result VerifySSLServerCert(
       const UniqueCERTCertificate& peerCert,
-      /*optional*/ const SECItem* stapledOCSPResponse,
-      /*optional*/ const SECItem* sctsFromTLS, mozilla::pkix::Time time,
+      /*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+      /*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS, mozilla::pkix::Time time,
       /*optional*/ void* pinarg, const nsACString& hostname,
       /*out*/ UniqueCERTCertList& builtChain,
       /*optional*/ bool saveIntermediatesInPermanentDatabase = false,
       /*optional*/ Flags flags = 0,
       /*optional*/ const OriginAttributes& originAttributes =
           OriginAttributes(),
       /*optional out*/ SECOidTag* evOidPolicy = nullptr,
       /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr,
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -726,61 +726,63 @@ class CertErrorRunnableRunnable : public
 class SSLServerCertVerificationJob : public Runnable {
  public:
   // Must be called only on the socket transport thread
   static SECStatus Dispatch(const RefPtr<SharedCertVerifier>& certVerifier,
                             const void* fdForLogging,
                             nsNSSSocketInfo* infoObject,
                             const UniqueCERTCertificate& serverCert,
                             const UniqueCERTCertList& peerCertChain,
-                            const SECItem* stapledOCSPResponse,
-                            const SECItem* sctsFromTLSExtension,
+                            Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+                            Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
                             uint32_t providerFlags, Time time, PRTime prtime);
 
  private:
   NS_DECL_NSIRUNNABLE
 
   // Must be called only on the socket transport thread
   SSLServerCertVerificationJob(
       const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
       nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& cert,
-      UniqueCERTCertList peerCertChain, const SECItem* stapledOCSPResponse,
-      const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
-      PRTime prtime);
+      UniqueCERTCertList peerCertChain,
+      Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+      Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
+      uint32_t providerFlags, Time time, PRTime prtime);
   const RefPtr<SharedCertVerifier> mCertVerifier;
   const void* const mFdForLogging;
   const RefPtr<nsNSSSocketInfo> mInfoObject;
   const UniqueCERTCertificate mCert;
   UniqueCERTCertList mPeerCertChain;
   const uint32_t mProviderFlags;
   const Time mTime;
   const PRTime mPRTime;
   const TimeStamp mJobStartTime;
-  const UniqueSECItem mStapledOCSPResponse;
-  const UniqueSECItem mSCTsFromTLSExtension;
+  Maybe<nsTArray<uint8_t>> mStapledOCSPResponse;
+  Maybe<nsTArray<uint8_t>> mSCTsFromTLSExtension;
 };
 
 SSLServerCertVerificationJob::SSLServerCertVerificationJob(
     const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
     nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& cert,
-    UniqueCERTCertList peerCertChain, const SECItem* stapledOCSPResponse,
-    const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
-    PRTime prtime)
+    UniqueCERTCertList peerCertChain,
+    Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+    Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
+    Time time, PRTime prtime)
     : Runnable("psm::SSLServerCertVerificationJob"),
       mCertVerifier(certVerifier),
       mFdForLogging(fdForLogging),
       mInfoObject(infoObject),
       mCert(CERT_DupCertificate(cert.get())),
       mPeerCertChain(std::move(peerCertChain)),
       mProviderFlags(providerFlags),
       mTime(time),
       mPRTime(prtime),
       mJobStartTime(TimeStamp::Now()),
-      mStapledOCSPResponse(SECITEM_DupItem(stapledOCSPResponse)),
-      mSCTsFromTLSExtension(SECITEM_DupItem(sctsFromTLSExtension)) {}
+      mStapledOCSPResponse(std::move(stapledOCSPResponse)),
+      mSCTsFromTLSExtension(std::move(sctsFromTLSExtension)) {}
 
 // This function assumes that we will only use the SPDY connection coalescing
 // feature on connections where we have negotiated SPDY using NPN. If we ever
 // talk SPDY without having negotiated it with SPDY, this code will give wrong
 // and perhaps unsafe results.
 //
 // Returns SECSuccess on the initial handshake of all connections, on
 // renegotiations for any connections where we did not negotiate SPDY, or on any
@@ -1270,18 +1272,18 @@ void GatherCertificateTransparencyTeleme
   }
 }
 
 // Note: Takes ownership of |peerCertChain| if SECSuccess is not returned.
 SECStatus AuthCertificate(CertVerifier& certVerifier,
                           nsNSSSocketInfo* infoObject,
                           const UniqueCERTCertificate& cert,
                           UniqueCERTCertList& peerCertChain,
-                          const SECItem* stapledOCSPResponse,
-                          const SECItem* sctsFromTLSExtension,
+                          const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+                          const Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
                           uint32_t providerFlags, Time time) {
   MOZ_ASSERT(infoObject);
   MOZ_ASSERT(cert);
 
   // We want to avoid storing any intermediate cert information when browsing
   // in private, transient contexts.
   bool saveIntermediates =
       !(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE);
@@ -1374,19 +1376,20 @@ SECStatus AuthCertificate(CertVerifier& 
 
   return rv == Success ? SECSuccess : SECFailure;
 }
 
 /*static*/
 SECStatus SSLServerCertVerificationJob::Dispatch(
     const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
     nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& serverCert,
-    const UniqueCERTCertList& peerCertChain, const SECItem* stapledOCSPResponse,
-    const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
-    PRTime prtime) {
+    const UniqueCERTCertList& peerCertChain,
+    Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+    Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
+    Time time, PRTime prtime) {
   // Runs on the socket transport thread
   if (!certVerifier || !infoObject || !serverCert) {
     NS_ERROR("Invalid parameters for SSL server cert validation");
     PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
     return SECFailure;
   }
 
   if (!gCertVerificationThreadPool) {
@@ -1440,17 +1443,17 @@ SSLServerCertVerificationJob::Run() {
   Telemetry::HistogramID failureTelemetry =
       Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
 
   // Reset the error code here so we can detect if AuthCertificate fails to
   // set the error code if/when it fails.
   PR_SetError(0, 0);
   SECStatus rv =
       AuthCertificate(*mCertVerifier, mInfoObject, mCert, mPeerCertChain,
-                      mStapledOCSPResponse.get(), mSCTsFromTLSExtension.get(),
+                      mStapledOCSPResponse, mSCTsFromTLSExtension,
                       mProviderFlags, mTime);
   MOZ_ASSERT((mPeerCertChain && rv == SECSuccess) ||
                  (!mPeerCertChain && rv != SECSuccess),
              "AuthCertificate() should take ownership of chain on failure");
   if (rv == SECSuccess) {
     uint32_t interval =
         (uint32_t)((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
     RefPtr<SSLServerCertVerificationResult> restart(
@@ -1585,28 +1588,31 @@ SECStatus AuthCertificateHook(void* arg,
     return SECFailure;
   }
 
   // SSL_PeerStapledOCSPResponses will never return a non-empty response if
   // OCSP stapling wasn't enabled because libssl wouldn't have let the server
   // return a stapled OCSP response.
   // We don't own these pointers.
   const SECItemArray* csa = SSL_PeerStapledOCSPResponses(fd);
-  SECItem* stapledOCSPResponse = nullptr;
+  Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
   // we currently only support single stapled responses
   if (csa && csa->len == 1) {
-    stapledOCSPResponse = &csa->items[0];
+    stapledOCSPResponse.emplace();
+    stapledOCSPResponse->SetCapacity(csa->items[0].len);
+    stapledOCSPResponse->AppendElements(csa->items[0].data, csa->items[0].len);
   }
 
-  const SECItem* sctsFromTLSExtension = SSL_PeerSignedCertTimestamps(fd);
-  if (sctsFromTLSExtension && sctsFromTLSExtension->len == 0) {
-    // SSL_PeerSignedCertTimestamps returns null on error and empty item
-    // when no extension was returned by the server. We always use null when
-    // no extension was received (for whatever reason), ignoring errors.
-    sctsFromTLSExtension = nullptr;
+  Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
+  const SECItem* sctsFromTLSExtensionSECItem = SSL_PeerSignedCertTimestamps(fd);
+  if (sctsFromTLSExtensionSECItem) {
+    stapledOCSPResponse.emplace();
+    sctsFromTLSExtension->SetCapacity(sctsFromTLSExtensionSECItem->len);
+    sctsFromTLSExtension->AppendElements(sctsFromTLSExtensionSECItem->data,
+        sctsFromTLSExtensionSECItem->len);
   }
 
   uint32_t providerFlags = 0;
   socketInfo->GetProviderFlags(&providerFlags);
 
   if (onSTSThread) {
     // We *must* do certificate verification on a background thread because
     // we need the socket transport thread to be free for our OCSP requests,
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -1039,43 +1039,48 @@ static void RebuildVerifiedCertificateIn
   MOZ_ASSERT(certVerifier,
              "Certificate verifier uninitialized in TLS handshake callback?");
   if (!certVerifier) {
     return;
   }
 
   // We don't own these pointers.
   const SECItemArray* stapledOCSPResponses = SSL_PeerStapledOCSPResponses(fd);
-  const SECItem* stapledOCSPResponse = nullptr;
+  Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
   // we currently only support single stapled responses
   if (stapledOCSPResponses && stapledOCSPResponses->len == 1) {
-    stapledOCSPResponse = &stapledOCSPResponses->items[0];
+    stapledOCSPResponse.emplace();
+    stapledOCSPResponse->SetCapacity(stapledOCSPResponses->items[0].len);
+    stapledOCSPResponse->AppendElements(stapledOCSPResponses->items[0].data,
+        stapledOCSPResponses->items[0].len);
   }
-  const SECItem* sctsFromTLSExtension = SSL_PeerSignedCertTimestamps(fd);
-  if (sctsFromTLSExtension && sctsFromTLSExtension->len == 0) {
-    // SSL_PeerSignedCertTimestamps returns null on error and empty item
-    // when no extension was returned by the server. We always use null when
-    // no extension was received (for whatever reason), ignoring errors.
-    sctsFromTLSExtension = nullptr;
+
+  Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
+  const SECItem* sctsFromTLSExtensionSECItem = SSL_PeerSignedCertTimestamps(fd);
+  if (sctsFromTLSExtensionSECItem) {
+    sctsFromTLSExtension.emplace();
+    sctsFromTLSExtension->SetCapacity(sctsFromTLSExtensionSECItem->len);
+    sctsFromTLSExtension->AppendElements(sctsFromTLSExtensionSECItem->data,
+        sctsFromTLSExtensionSECItem->len);
   }
 
   int flags = mozilla::psm::CertVerifier::FLAG_LOCAL_ONLY;
   if (!infoObject->SharedState().IsOCSPStaplingEnabled() ||
       !infoObject->SharedState().IsOCSPMustStapleEnabled()) {
     flags |= CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
   }
 
   SECOidTag evOidPolicy;
   CertificateTransparencyInfo certificateTransparencyInfo;
   UniqueCERTCertList builtChain;
   const bool saveIntermediates = false;
   mozilla::pkix::Result rv = certVerifier->VerifySSLServerCert(
-      cert, stapledOCSPResponse, sctsFromTLSExtension, mozilla::pkix::Now(),
-      infoObject, infoObject->GetHostName(), builtChain, saveIntermediates,
-      flags, infoObject->GetOriginAttributes(), &evOidPolicy,
+      cert, stapledOCSPResponse, sctsFromTLSExtension,
+      mozilla::pkix::Now(), infoObject, infoObject->GetHostName(), builtChain,
+      saveIntermediates, flags, infoObject->GetOriginAttributes(), &evOidPolicy,
       nullptr,  // OCSP stapling telemetry
       nullptr,  // key size telemetry
       nullptr,  // SHA-1 telemetry
       nullptr,  // pinning telemetry
       &certificateTransparencyInfo);
 
   if (rv != Success) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -1138,31 +1138,31 @@ nsresult VerifyCertAtTime(nsIX509Cert* a
 
   UniqueCERTCertList resultChain;
   SECOidTag evOidPolicy;
   mozilla::pkix::Result result;
 
   if (!aHostname.IsVoid() && aUsage == certificateUsageSSLServer) {
     result = certVerifier->VerifySSLServerCert(
         nssCert,
-        nullptr,  // stapledOCSPResponse
-        nullptr,  // sctsFromTLSExtension
+        Maybe<nsTArray<uint8_t>>(),  // stapledOCSPResponse
+        Maybe<nsTArray<uint8_t>>(),  // sctsFromTLSExtension
         aTime,
         nullptr,  // Assume no context
         aHostname, resultChain,
         false,  // don't save intermediates
         aFlags, OriginAttributes(), &evOidPolicy);
   } else {
     const nsCString& flatHostname = PromiseFlatCString(aHostname);
     result = certVerifier->VerifyCert(
         nssCert.get(), aUsage, aTime,
         nullptr,  // Assume no context
         aHostname.IsVoid() ? nullptr : flatHostname.get(), resultChain, aFlags,
-        nullptr,  // stapledOCSPResponse
-        nullptr,  // sctsFromTLSExtension
+        Maybe<nsTArray<uint8_t>>(),  // stapledOCSPResponse
+        Maybe<nsTArray<uint8_t>>(),  // sctsFromTLSExtension
         OriginAttributes(), &evOidPolicy);
   }
 
   nsCOMPtr<nsIX509CertList> nssCertList;
   // This adopts the list
   nssCertList = new nsNSSCertList(std::move(resultChain));
   NS_ENSURE_TRUE(nssCertList, NS_ERROR_FAILURE);
 
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -467,18 +467,18 @@ nsNSSSocketInfo::IsAcceptableForHost(con
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   if (!certVerifier) {
     return NS_OK;
   }
   CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY;
   UniqueCERTCertList unusedBuiltChain;
   mozilla::pkix::Result result =
       certVerifier->VerifySSLServerCert(nssCert,
-                                        nullptr,  // stapledOCSPResponse
-                                        nullptr,  // sctsFromTLSExtension
+                                        Maybe<nsTArray<uint8_t>>(),  // stapledOCSPResponse
+                                        Maybe<nsTArray<uint8_t>>(),  // sctsFromTLSExtension
                                         mozilla::pkix::Now(),
                                         nullptr,  // pinarg
                                         hostname, unusedBuiltChain,
                                         false,  // save intermediates
                                         flags);
   if (result != mozilla::pkix::Success) {
     return NS_OK;
   }
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -1047,20 +1047,20 @@ nsresult nsSiteSecurityService::ProcessP
   // block execution. Also, since we don't have access to the original stapled
   // OCSP response, we can't enforce this aspect of the TLS Feature extension.
   // This is ok, because it will have been enforced when we originally connected
   // to the site (or it's disabled, in which case we wouldn't want to enforce it
   // anyway).
   CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY |
                               CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
   if (certVerifier->VerifySSLServerCert(nssCert,
-                                        nullptr,       // stapledOCSPResponse
-                                        nullptr,       // sctsFromTLSExtension
-                                        now, nullptr,  // pinarg
-                                        host,          // hostname
+                                        Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
+                                        Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
+                                        now, nullptr,               // pinarg
+                                        host,                       // hostname
                                         certList,
                                         false,  // don't store intermediates
                                         flags, aOriginAttributes) !=
       mozilla::pkix::Success) {
     return NS_ERROR_FAILURE;
   }
 
   // This copy to produce an nsNSSCertList should also be removed in Bug