| author | Cykesiopka <cykesiopka.bmo@gmail.com> |
| Wed, 20 Apr 2016 01:14:22 -0700 | |
| changeset 294042 | 9c98c0300a89bfe655a1213c91ceb57c517e8bf7 |
| parent 294041 | 22521e3f311e86f38ffa5eace729820413e977dc |
| child 294043 | 4825464462039a9e5202e9e05a1662110b8f05e6 |
| push id | 30196 |
| push user | kwierso@gmail.com |
| push date | Wed, 20 Apr 2016 20:55:01 +0000 |
| treeherder | mozilla-central@93090fa30653 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | keeler |
| bugs | 1260643 |
| milestone | 48.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/apps/AppTrustDomain.cpp +++ b/security/apps/AppTrustDomain.cpp @@ -160,18 +160,18 @@ AppTrustDomain::SetTrustedRoot(AppTruste break; } default: PR_SetError(SEC_ERROR_INVALID_ARGS, 0); return SECFailure; } - mTrustedRoot = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), - &trustedDER, nullptr, false, true); + mTrustedRoot.reset(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), + &trustedDER, nullptr, false, true)); if (!mTrustedRoot) { return SECFailure; } return SECSuccess; } Result @@ -239,17 +239,17 @@ AppTrustDomain::GetCertTrust(EndEntityOr // Handle active distrust of the certificate. // XXX: This would be cleaner and more efficient if we could get the trust // information without constructing a CERTCertificate here, but NSS doesn't // expose it in any other easy-to-use fashion. SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER); - ScopedCERTCertificate candidateCert( + UniqueCERTCertificate candidateCert( CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem, nullptr, false, true)); if (!candidateCert) { return MapPRErrorCodeToResult(PR_GetError()); } CERTCertTrust trust; if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) {
--- a/security/apps/AppTrustDomain.h +++ b/security/apps/AppTrustDomain.h @@ -64,17 +64,17 @@ public: virtual Result DigestBuf(mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg, /*out*/ uint8_t* digestBuf, size_t digestBufLen) override; private: /*out*/ ScopedCERTCertList& mCertChain; void* mPinArg; // non-owning! - ScopedCERTCertificate mTrustedRoot; + UniqueCERTCertificate mTrustedRoot; unsigned int mMinRSABits; static StaticMutex sMutex; static UniquePtr<unsigned char[]> sDevImportedDERData; static unsigned int sDevImportedDERLen; }; } } // namespace mozilla::psm
--- a/security/certverifier/CertVerifier.cpp +++ b/security/certverifier/CertVerifier.cpp @@ -640,17 +640,17 @@ CertVerifier::VerifyCert(CERTCertificate PR_SetError(MapResultToPRErrorCode(rv), 0); return SECFailure; } return SECSuccess; } SECStatus -CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert, +CertVerifier::VerifySSLServerCert(const UniqueCERTCertificate& peerCert, /*optional*/ const SECItem* stapledOCSPResponse, Time time, /*optional*/ void* pinarg, const char* hostname, /*out*/ ScopedCERTCertList& builtChain, /*optional*/ bool saveIntermediatesInPermanentDatabase, /*optional*/ Flags flags, /*optional out*/ SECOidTag* evOidPolicy, @@ -670,19 +670,20 @@ CertVerifier::VerifySSLServerCert(CERTCe if (!hostname || !hostname[0]) { PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0); return SECFailure; } // CreateCertErrorRunnable assumes that CheckCertHostname is only called // if VerifyCert succeeded. - SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg, - hostname, builtChain, flags, stapledOCSPResponse, - evOidPolicy, ocspStaplingStatus, keySizeStatus, + SECStatus rv = VerifyCert(peerCert.get(), certificateUsageSSLServer, time, + pinarg, hostname, builtChain, flags, + stapledOCSPResponse, evOidPolicy, + ocspStaplingStatus, keySizeStatus, sha1ModeResult, pinningTelemetryInfo); if (rv != SECSuccess) { return rv; } Input peerCertInput; Result result = peerCertInput.Init(peerCert->derCert.data, peerCert->derCert.len);
--- a/security/certverifier/CertVerifier.h +++ b/security/certverifier/CertVerifier.h @@ -79,17 +79,17 @@ public: /*optional in*/ const SECItem* stapledOCSPResponse = nullptr, /*optional out*/ SECOidTag* evOidPolicy = nullptr, /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr, /*optional out*/ KeySizeStatus* keySizeStatus = nullptr, /*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr, /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr); SECStatus VerifySSLServerCert( - CERTCertificate* peerCert, + const UniqueCERTCertificate& peerCert, /*optional*/ const SECItem* stapledOCSPResponse, mozilla::pkix::Time time, /*optional*/ void* pinarg, const char* hostname, /*out*/ ScopedCERTCertList& builtChain, /*optional*/ bool saveIntermediatesInPermanentDatabase = false, /*optional*/ Flags flags = 0, /*optional out*/ SECOidTag* evOidPolicy = nullptr,
--- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -174,17 +174,17 @@ NSSCertDBTrustDomain::GetCertTrust(EndEn // XXX: This would be cleaner and more efficient if we could get the trust // information without constructing a CERTCertificate here, but NSS doesn't // expose it in any other easy-to-use fashion. The use of // CERT_NewTempCertificate to get a CERTCertificate shouldn't be a // performance problem because NSS will just find the existing // CERTCertificate in its in-memory cache and return it. SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER); - ScopedCERTCertificate candidateCert( + UniqueCERTCertificate candidateCert( CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem, nullptr, false, true)); if (!candidateCert) { return MapPRErrorCodeToResult(PR_GetError()); } // Check the certificate against the OneCRL cert blocklist if (!mCertBlocklist) {
--- a/security/manager/ssl/SSLServerCertVerification.cpp +++ b/security/manager/ssl/SSLServerCertVerification.cpp @@ -343,17 +343,18 @@ MapCertErrorToProbeValue(PRErrorCode err if (probeValue & FATAL_ERROR_FLAG) { probeValue ^= FATAL_ERROR_FLAG; probeValue += 90; } return probeValue; } SECStatus -DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName, +DetermineCertOverrideErrors(const UniqueCERTCertificate& cert, + const char* hostName, PRTime now, PRErrorCode defaultErrorCodeToReport, /*out*/ uint32_t& collectedErrors, /*out*/ PRErrorCode& errorCodeTrust, /*out*/ PRErrorCode& errorCodeMismatch, /*out*/ PRErrorCode& errorCodeTime) { MOZ_ASSERT(cert); MOZ_ASSERT(hostName); @@ -373,17 +374,18 @@ DetermineCertOverrideErrors(CERTCertific case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE: case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA: case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE: { collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED; errorCodeTrust = defaultErrorCodeToReport; - SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert, now, false); + SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert.get(), now, + false); if (validity == secCertTimeUndetermined) { // This only happens if cert is null. CERT_CheckCertValidTimes will // have set the error code to SEC_ERROR_INVALID_ARGS. We should really // be using mozilla::pkix here anyway. MOZ_ASSERT(PR_GetError() == SEC_ERROR_INVALID_ARGS); return SECFailure; } if (validity == secCertTimeExpired) { @@ -633,17 +635,17 @@ CertErrorRunnable::RunOnTargetThread() } // Returns null with the error code (PR_GetError()) set if it does not create // the CertErrorRunnable. CertErrorRunnable* CreateCertErrorRunnable(CertVerifier& certVerifier, PRErrorCode defaultErrorCodeToReport, nsNSSSocketInfo* infoObject, - CERTCertificate* cert, + const UniqueCERTCertificate& cert, const void* fdForLogging, uint32_t providerFlags, PRTime now) { MOZ_ASSERT(infoObject); MOZ_ASSERT(cert); uint32_t probeValue = MapCertErrorToProbeValue(defaultErrorCodeToReport); @@ -662,17 +664,17 @@ CreateCertErrorRunnable(CertVerifier& ce // return from CreateCertErrorRunnable without calling // infoObject->SetStatusErrorBits, we won't have the required information // to actually add a certificate error override. This results in a broken // UI which is annoying but not a security disaster. MOZ_ASSERT(!ErrorIsOverridable(PR_GetError())); return nullptr; } - RefPtr<nsNSSCertificate> nssCert(nsNSSCertificate::Create(cert)); + RefPtr<nsNSSCertificate> nssCert(nsNSSCertificate::Create(cert.get())); if (!nssCert) { NS_ERROR("nsNSSCertificate::Create failed"); PR_SetError(SEC_ERROR_NO_MEMORY, 0); return nullptr; } if (!collected_errors) { // This will happen when CERT_*Verify* only returned error(s) that are @@ -726,56 +728,56 @@ private: class SSLServerCertVerificationJob : public nsRunnable { public: // Must be called only on the socket transport thread static SECStatus Dispatch(const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging, nsNSSSocketInfo* infoObject, - CERTCertificate* serverCert, + const UniqueCERTCertificate& serverCert, ScopedCERTCertList& peerCertChain, SECItem* stapledOCSPResponse, uint32_t providerFlags, Time time, PRTime prtime); private: NS_DECL_NSIRUNNABLE // Must be called only on the socket transport thread SSLServerCertVerificationJob(const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging, nsNSSSocketInfo* infoObject, - CERTCertificate* cert, + const UniqueCERTCertificate& cert, CERTCertList* peerCertChain, SECItem* stapledOCSPResponse, uint32_t providerFlags, Time time, PRTime prtime); const RefPtr<SharedCertVerifier> mCertVerifier; const void* const mFdForLogging; const RefPtr<nsNSSSocketInfo> mInfoObject; - const ScopedCERTCertificate mCert; + const UniqueCERTCertificate mCert; ScopedCERTCertList mPeerCertChain; const uint32_t mProviderFlags; const Time mTime; const PRTime mPRTime; const TimeStamp mJobStartTime; const ScopedSECItem mStapledOCSPResponse; }; SSLServerCertVerificationJob::SSLServerCertVerificationJob( const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging, - nsNSSSocketInfo* infoObject, CERTCertificate* cert, + nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& cert, CERTCertList* peerCertChain, SECItem* stapledOCSPResponse, uint32_t providerFlags, Time time, PRTime prtime) : mCertVerifier(certVerifier) , mFdForLogging(fdForLogging) , mInfoObject(infoObject) - , mCert(CERT_DupCertificate(cert)) + , mCert(CERT_DupCertificate(cert.get())) , mPeerCertChain(peerCertChain) , mProviderFlags(providerFlags) , mTime(time) , mPRTime(prtime) , mJobStartTime(TimeStamp::Now()) , mStapledOCSPResponse(SECITEM_DupItem(stapledOCSPResponse)) { } @@ -788,17 +790,17 @@ SSLServerCertVerificationJob::SSLServerC // Returns SECSuccess on the initial handshake of all connections, on // renegotiations for any connections where we did not negotiate SPDY, or on any // SPDY connection where the server's certificate did not change. // // Prohibit changing the server cert only if we negotiated SPDY, // in order to support SPDY's cross-origin connection pooling. static SECStatus BlockServerCertChangeForSpdy(nsNSSSocketInfo* infoObject, - CERTCertificate* serverCert) + const UniqueCERTCertificate& serverCert) { // Get the existing cert. If there isn't one, then there is // no cert change to worry about. nsCOMPtr<nsIX509Cert> cert; RefPtr<nsSSLStatus> status(infoObject->SSLStatus()); if (!status) { // If we didn't have a status, then this is the @@ -828,19 +830,19 @@ BlockServerCertChangeForSpdy(nsNSSSocket // If GetNegotiatedNPN() failed we will assume spdy for safety's safe if (NS_FAILED(rv)) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("BlockServerCertChangeForSpdy failed GetNegotiatedNPN() call." " Assuming spdy.\n")); } // Check to see if the cert has actually changed - ScopedCERTCertificate c(cert->GetCert()); + UniqueCERTCertificate c(cert->GetCert()); NS_ASSERTION(c, "very bad and hopefully impossible state"); - bool sameCert = CERT_CompareCerts(c, serverCert); + bool sameCert = CERT_CompareCerts(c.get(), serverCert.get()); if (sameCert) { return SECSuccess; } // Report an error - changed cert is confirmed MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("SPDY Refused to allow new cert during renegotiation\n")); PR_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, 0); @@ -1210,17 +1212,17 @@ GatherSuccessfulValidationTelemetry(cons GatherEKUTelemetry(certList); GatherRootCATelemetry(certList); GatherEndEntityTelemetry(certList); } SECStatus AuthCertificate(CertVerifier& certVerifier, nsNSSSocketInfo* infoObject, - CERTCertificate* cert, + const UniqueCERTCertificate& cert, ScopedCERTCertList& peerCertChain, SECItem* stapledOCSPResponse, uint32_t providerFlags, Time time) { MOZ_ASSERT(infoObject); MOZ_ASSERT(cert); @@ -1288,20 +1290,20 @@ AuthCertificate(CertVerifier& certVerifi // complete chain at any time it might need it. // But we keep only those CA certs in the temp db, that we didn't already know. RefPtr<nsSSLStatus> status(infoObject->SSLStatus()); RefPtr<nsNSSCertificate> nsc; if (!status || !status->HasServerCert()) { if( rv == SECSuccess ){ - nsc = nsNSSCertificate::Create(cert, &evOidPolicy); + nsc = nsNSSCertificate::Create(cert.get(), &evOidPolicy); } else { - nsc = nsNSSCertificate::Create(cert); + nsc = nsNSSCertificate::Create(cert.get()); } } if (rv == SECSuccess) { GatherSuccessfulValidationTelemetry(certList); // The connection may get terminated, for example, if the server requires // a client cert. Let's provide a minimal SSLStatus @@ -1348,17 +1350,17 @@ AuthCertificate(CertVerifier& certVerifi return rv; } /*static*/ SECStatus SSLServerCertVerificationJob::Dispatch( const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging, nsNSSSocketInfo* infoObject, - CERTCertificate* serverCert, + const UniqueCERTCertificate& serverCert, ScopedCERTCertList& peerCertChain, SECItem* stapledOCSPResponse, uint32_t providerFlags, Time time, PRTime prtime) { // Runs on the socket transport thread if (!certVerifier || !infoObject || !serverCert) { @@ -1422,17 +1424,17 @@ SSLServerCertVerificationJob::Run() Telemetry::ID successTelemetry = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX; Telemetry::ID failureTelemetry = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX; // Reset the error code here so we can detect if AuthCertificate fails to // set the error code if/when it fails. PR_SetError(0, 0); - SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert.get(), + SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert, mPeerCertChain, mStapledOCSPResponse, mProviderFlags, mTime); if (rv == SECSuccess) { uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds()); RefPtr<SSLServerCertVerificationResult> restart( new SSLServerCertVerificationResult(mInfoObject, 0, successTelemetry, interval)); restart->Dispatch(); @@ -1445,19 +1447,18 @@ SSLServerCertVerificationJob::Run() error = PR_GetError(); { TimeStamp now = TimeStamp::Now(); MutexAutoLock telemetryMutex(*gSSLVerificationTelemetryMutex); Telemetry::AccumulateTimeDelta(failureTelemetry, mJobStartTime, now); } if (error != 0) { RefPtr<CertErrorRunnable> runnable( - CreateCertErrorRunnable(*mCertVerifier, error, mInfoObject, - mCert.get(), mFdForLogging, mProviderFlags, - mPRTime)); + CreateCertErrorRunnable(*mCertVerifier, error, mInfoObject, mCert, + mFdForLogging, mProviderFlags, mPRTime)); if (!runnable) { // CreateCertErrorRunnable set a new error code error = PR_GetError(); } else { // We must block the the socket transport service thread while the // main thread executes the CertErrorRunnable. The CertErrorRunnable // will dispatch the result asynchronously, so we don't have to block // this thread waiting for it. @@ -1518,17 +1519,17 @@ AuthCertificateHook(void* arg, PRFileDes NS_ASSERTION(checkSig, "AuthCertificateHook: checkSig unexpectedly false"); // PSM never causes libssl to call this function with PR_TRUE for isServer, // and many things in PSM assume that we are a client. NS_ASSERTION(!isServer, "AuthCertificateHook: isServer unexpectedly true"); nsNSSSocketInfo* socketInfo = static_cast<nsNSSSocketInfo*>(arg); - ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd)); + UniqueCERTCertificate serverCert(SSL_PeerCertificate(fd)); if (!checkSig || isServer || !socketInfo || !serverCert) { PR_SetError(PR_INVALID_STATE_ERROR, 0); return SECFailure; } // Get the peer certificate chain for error reporting ScopedCERTCertList peerCertChain(SSL_PeerCertificateChain(fd));
--- a/security/manager/ssl/TransportSecurityInfo.cpp +++ b/security/manager/ssl/TransportSecurityInfo.cpp @@ -714,17 +714,17 @@ AppendErrorTextMismatch(const nsString& params[0] = host.get(); nsresult rv = component->PIPBundleFormatStringFromName( "certErrorMismatch", params, 1, notValidForHostnameString); if (NS_FAILED(rv)) { return rv; } notValidForHostnameString.Append('\n'); - ScopedCERTCertificate nssCert(ix509->GetCert()); + UniqueCERTCertificate nssCert(ix509->GetCert()); if (!nssCert) { returnedMessage.Append(notValidForHostnameString); return NS_OK; } nsAutoString allNames; uint32_t nameCount = GetSubjectAltNames(nssCert.get(), allNames); if (nameCount == 0) {
--- a/security/manager/ssl/nsCertOverrideService.cpp +++ b/security/manager/ssl/nsCertOverrideService.cpp @@ -343,18 +343,17 @@ nsCertOverrideService::Write() return NS_OK; } static nsresult GetCertFingerprintByOidTag(nsIX509Cert *aCert, SECOidTag aOidTag, nsCString &fp) { - - ScopedCERTCertificate nsscert(aCert->GetCert()); + UniqueCERTCertificate nsscert(aCert->GetCert()); if (!nsscert) { return NS_ERROR_FAILURE; } return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp); } NS_IMETHODIMP nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName, @@ -364,17 +363,17 @@ nsCertOverrideService::RememberValidityO bool aTemporary) { NS_ENSURE_ARG_POINTER(aCert); if (aHostName.IsEmpty()) return NS_ERROR_INVALID_ARG; if (aPort < -1) return NS_ERROR_INVALID_ARG; - ScopedCERTCertificate nsscert(aCert->GetCert()); + UniqueCERTCertificate nsscert(aCert->GetCert()); if (!nsscert) { return NS_ERROR_FAILURE; } char* nickname = DefaultServerNicknameForCert(nsscert.get()); if (!aTemporary && nickname && *nickname) { ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
--- a/security/manager/ssl/nsCertTree.cpp +++ b/security/manager/ssl/nsCertTree.cpp @@ -1,14 +1,15 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsCertTree.h" +#include "ScopedNSSTypes.h" #include "mozilla/Logging.h" #include "nsArray.h" #include "nsArrayUtils.h" #include "nsHashKeys.h" #include "nsISupportsPrimitives.h" #include "nsITreeColumns.h" #include "nsIX509CertDB.h" #include "nsIX509Cert.h" @@ -786,22 +787,22 @@ nsCertTree::DeleteEntryObject(uint32_t i } } else { if (addonInfo && addonInfo->mUsageCount > 1) { // user is trying to delete a perm trusted cert, // although there are still overrides stored, // so, we keep the cert, but remove the trust - ScopedCERTCertificate nsscert(cert->GetCert()); + UniqueCERTCertificate nsscert(cert->GetCert()); if (nsscert) { CERTCertTrust trust; memset((void*)&trust, 0, sizeof(trust)); - + SECStatus srv = CERT_DecodeTrustString(&trust, ""); // no override if (srv == SECSuccess) { CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert.get(), &trust); } } } else {
--- a/security/manager/ssl/nsNSSCallbacks.cpp +++ b/security/manager/ssl/nsNSSCallbacks.cpp @@ -18,16 +18,17 @@ #include "nsIWebProgressListener.h" #include "nsNetUtil.h" #include "nsNSSComponent.h" #include "nsNSSIOLayer.h" #include "nsProtectedAuthThread.h" #include "nsProxyRelease.h" #include "pkix/pkixtypes.h" #include "PSMRunnable.h" +#include "ScopedNSSTypes.h" #include "SharedSSLState.h" #include "ssl.h" #include "sslproto.h" using namespace mozilla; using namespace mozilla::psm; extern LazyLogModule gPIPNSSLog; @@ -1224,17 +1225,17 @@ void HandshakeCallback(PRFileDesc* fd, v infoObject->GetPort()); } } if (status->HasServerCert()) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("HandshakeCallback KEEPING existing cert\n")); } else { - ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd)); + UniqueCERTCertificate serverCert(SSL_PeerCertificate(fd)); RefPtr<nsNSSCertificate> nssc(nsNSSCertificate::Create(serverCert.get())); MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("HandshakeCallback using NEW cert %p\n", nssc.get())); status->SetServerCert(nssc, nsNSSCertificate::ev_status_unknown); } nsCOMPtr<nsICertOverrideService> overrideService = do_GetService(NS_CERTOVERRIDE_CONTRACTID);
--- a/security/manager/ssl/nsNSSCertificate.cpp +++ b/security/manager/ssl/nsNSSCertificate.cpp @@ -113,17 +113,17 @@ nsNSSCertificate::InitFromDER(char* cert if (!aCert) return false; if (!aCert->dbhandle) { aCert->dbhandle = CERT_GetDefaultCertDB(); } - mCert = aCert; + mCert.reset(aCert); return true; } nsNSSCertificate::nsNSSCertificate(CERTCertificate* cert, SECOidTag* evOidPolicy) : mCert(nullptr) , mPermDelete(false) , mCertType(CERT_TYPE_NOT_YET_INITIALIZED) @@ -134,17 +134,17 @@ nsNSSCertificate::nsNSSCertificate(CERTC NS_ERROR("Trying to initialize nsNSSCertificate in a non-chrome process!"); #endif nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return; if (cert) { - mCert = CERT_DupCertificate(cert); + mCert.reset(CERT_DupCertificate(cert)); if (evOidPolicy) { if (*evOidPolicy == SEC_OID_UNKNOWN) { mCachedEVStatus = ev_status_invalid; } else { mCachedEVStatus = ev_status_valid; } mCachedEVOidTag = *evOidPolicy; @@ -222,17 +222,17 @@ NS_IMETHODIMP nsNSSCertificate::GetIsBuiltInRoot(bool* aIsBuiltInRoot) { NS_ENSURE_ARG(aIsBuiltInRoot); nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } - pkix::Result rv = IsCertBuiltInRoot(mCert, *aIsBuiltInRoot); + pkix::Result rv = IsCertBuiltInRoot(mCert.get(), *aIsBuiltInRoot); if (rv != pkix::Result::Success) { return NS_ERROR_FAILURE; } return NS_OK; } nsresult nsNSSCertificate::MarkForPermDeletion() @@ -510,17 +510,17 @@ nsNSSCertificate::GetDbKey(nsACString& a nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } return GetDbKey(mCert, aDbKey); } nsresult -nsNSSCertificate::GetDbKey(CERTCertificate* cert, nsACString& aDbKey) +nsNSSCertificate::GetDbKey(const UniqueCERTCertificate& cert, nsACString& aDbKey) { static_assert(sizeof(uint64_t) == 8, "type size sanity check"); static_assert(sizeof(uint32_t) == 4, "type size sanity check"); // The format of the key is the base64 encoding of the following: // 4 bytes: {0, 0, 0, 0} (this was intended to be the module ID, but it was // never implemented) // 4 bytes: {0, 0, 0, 0} (this was intended to be the slot ID, but it was // never implemented) @@ -1171,41 +1171,41 @@ nsNSSCertificate::ExportAsCMS(uint32_t c // Calling NSS_CMSSignedData_CreateCertsOnly() will not allow us // to specify the inclusion of the root, but CERT_CertChainFromCert() does. // Since CERT_CertChainFromCert() also includes the certificate itself, // we have to start at the issuing cert (to avoid duplicate certs // in the SignedData). if (chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChain || chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChainWithRoot) { - ScopedCERTCertificate issuerCert( - CERT_FindCertIssuer(mCert.get(), PR_Now(), certUsageAnyCA)); + UniqueCERTCertificate issuerCert( + CERT_FindCertIssuer(mCert.get(), PR_Now(), certUsageAnyCA)); // the issuerCert of a self signed root is the cert itself, // so make sure we're not adding duplicates, again - if (issuerCert && issuerCert != mCert.get()) { + if (issuerCert && issuerCert != mCert) { bool includeRoot = (chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChainWithRoot); UniqueCERTCertificateList certChain( - CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot)); + CERT_CertChainFromCert(issuerCert.get(), certUsageAnyCA, includeRoot)); if (certChain) { if (NSS_CMSSignedData_AddCertList(sigd.get(), certChain.get()) == SECSuccess) { Unused << certChain.release(); } else { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSCertificate::ExportAsCMS - can't add chain\n")); return NS_ERROR_FAILURE; } } else { // try to add the issuerCert, at least - if (NSS_CMSSignedData_AddCertificate(sigd.get(), issuerCert) - == SECSuccess) { - issuerCert.forget(); + if (NSS_CMSSignedData_AddCertificate(sigd.get(), issuerCert.get()) + == SECSuccess) { + Unused << issuerCert.release(); } else { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSCertificate::ExportAsCMS - can't add issuer cert\n")); return NS_ERROR_FAILURE; } } } @@ -1375,17 +1375,17 @@ nsNSSCertificate::Equals(nsIX509Cert* ot { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(other); NS_ENSURE_ARG(result); - ScopedCERTCertificate cert(other->GetCert()); + UniqueCERTCertificate cert(other->GetCert()); *result = (mCert.get() == cert.get()); return NS_OK; } #ifndef MOZ_NO_EV_CERTS nsresult nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV) @@ -1485,27 +1485,27 @@ ConstructCERTCertListFromReversedDERArra return SECFailure; } CERTCertDBHandle* certDB(CERT_GetDefaultCertDB()); // non-owning size_t numCerts = certArray.GetLength(); for (size_t i = 0; i < numCerts; ++i) { SECItem certDER(UnsafeMapInputToSECItem(*certArray.GetDER(i))); - ScopedCERTCertificate cert(CERT_NewTempCertificate(certDB, &certDER, + UniqueCERTCertificate cert(CERT_NewTempCertificate(certDB, &certDER, nullptr, false, true)); if (!cert) { return SECFailure; } // certArray is ordered with the root first, but we want the resulting // certList to have the root last. - if (CERT_AddCertToListHead(certList, cert) != SECSuccess) { + if (CERT_AddCertToListHead(certList.get(), cert.get()) != SECSuccess) { return SECFailure; } - cert.forget(); // cert is now owned by certList. + Unused << cert.release(); // cert is now owned by certList. } return SECSuccess; } } // namespace mozilla NS_IMPL_CLASSINFO(nsNSSCertList,
--- a/security/manager/ssl/nsNSSCertificate.h +++ b/security/manager/ssl/nsNSSCertificate.h @@ -50,22 +50,23 @@ public: enum EVStatus { ev_status_invalid = 0, ev_status_valid = 1, ev_status_unknown = 2 }; // This is a separate static method so nsNSSComponent can use it during NSS // initialization. Other code should probably not use it. - static nsresult GetDbKey(CERTCertificate* cert, nsACString& aDbKey); + static nsresult GetDbKey(const mozilla::UniqueCERTCertificate& cert, + nsACString& aDbKey); private: virtual ~nsNSSCertificate(); - mozilla::ScopedCERTCertificate mCert; + mozilla::UniqueCERTCertificate mCert; bool mPermDelete; uint32_t mCertType; nsresult CreateASN1Struct(nsIASN1Object** aRetVal); nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence, nsINSSComponent* nssComponent); nsresult GetSortableDate(PRTime aTime, nsAString& _aSortableDate); virtual void virtualDestroyNSSReference() override; void destructorSafeDestroyNSSReference();
--- a/security/manager/ssl/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/nsNSSCertificateDB.cpp @@ -97,24 +97,23 @@ nsNSSCertificateDB::FindCertByNickname(c { NS_ENSURE_ARG_POINTER(_rvCert); *_rvCert = nullptr; nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } - ScopedCERTCertificate cert; char *asciiname = nullptr; NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname); asciiname = const_cast<char*>(aUtf8Nickname.get()); MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting \"%s\"\n", asciiname)); - cert = PK11_FindCertFromNickname(asciiname, nullptr); + UniqueCERTCertificate cert(PK11_FindCertFromNickname(asciiname, nullptr)); if (!cert) { - cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname); + cert.reset(CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname)); } if (cert) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("got it\n")); nsCOMPtr<nsIX509Cert> pCert = nsNSSCertificate::Create(cert.get()); if (pCert) { pCert.forget(_rvCert); return NS_OK; } @@ -339,25 +338,24 @@ nsNSSCertificateDB::handleCACertDownload SECItem der; rv=certToShow->GetRawDER(&der.len, (uint8_t **)&der.data); if (NS_FAILED(rv)) return rv; MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Creating temp cert\n")); CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); - ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der)); + UniqueCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der)); if (!tmpCert) { - tmpCert = CERT_NewTempCertificate(certdb, &der, - nullptr, false, true); + tmpCert.reset(CERT_NewTempCertificate(certdb, &der, nullptr, false, true)); } free(der.data); der.data = nullptr; der.len = 0; - + if (!tmpCert) { NS_ERROR("Couldn't create cert from DER blob"); return NS_ERROR_FAILURE; } if (!CERT_IsCACert(tmpCert.get(), nullptr)) { DisplayCertificateAlert(ctx, "NotACACert", certToShow, proofOfLock); return NS_ERROR_FAILURE; @@ -814,17 +812,17 @@ nsNSSCertificateDB::ImportUserCertificat NS_IMETHODIMP nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert) { NS_ENSURE_ARG_POINTER(aCert); nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } - ScopedCERTCertificate cert(aCert->GetCert()); + UniqueCERTCertificate cert(aCert->GetCert()); if (!cert) { return NS_ERROR_FAILURE; } SECStatus srv = SECSuccess; uint32_t certType; aCert->GetCertType(&certType); if (NS_FAILED(aCert->MarkForPermDeletion())) @@ -855,17 +853,17 @@ nsNSSCertificateDB::SetCertTrust(nsIX509 { NS_ENSURE_ARG_POINTER(cert); nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsNSSCertTrust trust; nsresult rv; - ScopedCERTCertificate nsscert(cert->GetCert()); + UniqueCERTCertificate nsscert(cert->GetCert()); rv = attemptToLogInWithDefaultPassword(); if (NS_WARN_IF(rv != NS_OK)) { return rv; } SECStatus srv; if (type == nsIX509Cert::CA_CERT) { @@ -907,17 +905,17 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50 NS_ENSURE_ARG_POINTER(_isTrusted); *_isTrusted = false; nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } SECStatus srv; - ScopedCERTCertificate nsscert(cert->GetCert()); + UniqueCERTCertificate nsscert(cert->GetCert()); CERTCertTrust nsstrust; srv = CERT_GetCertTrust(nsscert.get(), &nsstrust); if (srv != SECSuccess) return NS_ERROR_FAILURE; nsNSSCertTrust trust(&nsstrust); if (certType == nsIX509Cert::CA_CERT) { if (trustType & nsIX509CertDB::TRUSTED_SSL) { @@ -1074,17 +1072,17 @@ nsNSSCertificateDB::FindEmailEncryptionC } nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); char *asciiname = nullptr; NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname); asciiname = const_cast<char*>(aUtf8Nickname.get()); /* Find a good cert in the user's database */ - ScopedCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), + UniqueCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, certUsageEmailRecipient, true, ctx)); if (!cert) { return NS_OK; } nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get()); @@ -1111,17 +1109,17 @@ nsNSSCertificateDB::FindEmailSigningCert } nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); char *asciiname = nullptr; NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname); asciiname = const_cast<char*>(aUtf8Nickname.get()); /* Find a good cert in the user's database */ - ScopedCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), + UniqueCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, certUsageEmailSigner, true, ctx)); if (!cert) { return NS_OK; } nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get()); @@ -1238,17 +1236,17 @@ nsNSSCertificateDB::ConstructX509(const return NS_ERROR_INVALID_POINTER; } SECItem secitem_cert; secitem_cert.type = siDERCertBuffer; secitem_cert.data = (unsigned char*)certDER; secitem_cert.len = lengthDER; - ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), + UniqueCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert, nullptr, false, true)); if (!cert) return (PORT_GetError() == SEC_ERROR_NO_MEMORY) ? NS_ERROR_OUT_OF_MEMORY : NS_ERROR_FAILURE; nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get()); if (!nssCert) { @@ -1332,28 +1330,27 @@ nsNSSCertificateDB::get_default_nickname if (!tmp) { nickname.Truncate(); return; } nickname = tmp; PR_smprintf_free(tmp); } - ScopedCERTCertificate dummycert; + UniqueCERTCertificate dummycert; if (PK11_IsInternal(slot)) { /* look up the nickname to make sure it isn't in use already */ - dummycert = CERT_FindCertByNickname(defaultcertdb, nickname.get()); - + dummycert.reset(CERT_FindCertByNickname(defaultcertdb, nickname.get())); } else { /* * Check the cert against others that already live on the smart * card. */ - dummycert = PK11_FindCertFromNickname(nickname.get(), ctx); + dummycert.reset(PK11_FindCertFromNickname(nickname.get(), ctx)); if (dummycert) { /* * Make sure the subject names are different. */ if (CERT_CompareName(&cert->subject, &dummycert->subject) == SECEqual) { /* * There is another certificate with the same nickname and @@ -1395,20 +1392,20 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCer NS_ENSURE_SUCCESS(rv, rv); SECItem der; rv = newCert->GetRawDER(&der.len, (uint8_t **)&der.data); NS_ENSURE_SUCCESS(rv, rv); MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Creating temp cert\n")); CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); - ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der)); - if (!tmpCert) - tmpCert = CERT_NewTempCertificate(certdb, &der, - nullptr, false, true); + UniqueCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der)); + if (!tmpCert) { + tmpCert.reset(CERT_NewTempCertificate(certdb, &der, nullptr, false, true)); + } free(der.data); der.data = nullptr; der.len = 0; if (!tmpCert) { NS_ERROR("Couldn't create cert from DER blob"); return MapSECStatus(SECFailure); } @@ -1452,17 +1449,17 @@ nsNSSCertificateDB::SetCertTrustFromStri CERTCertTrust trust; // need to calculate the trust bits from the aTrust string. SECStatus srv = CERT_DecodeTrustString(&trust, const_cast<char *>(trustString)); if (srv != SECSuccess) { return MapSECStatus(SECFailure); } - ScopedCERTCertificate nssCert(cert->GetCert()); + UniqueCERTCertificate nssCert(cert->GetCert()); nsresult rv = attemptToLogInWithDefaultPassword(); if (NS_WARN_IF(rv != NS_OK)) { return rv; } srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nssCert.get(), &trust); return MapSECStatus(srv); @@ -1507,17 +1504,17 @@ VerifyCertAtTime(nsIX509Cert* aCert, *aVerifiedChain = nullptr; *aHasEVPolicy = false; *_retval = PR_UNKNOWN_ERROR; #ifndef MOZ_NO_EV_CERTS EnsureIdentityInfoLoaded(); #endif - ScopedCERTCertificate nssCert(aCert->GetCert()); + UniqueCERTCertificate nssCert(aCert->GetCert()); if (!nssCert) { return NS_ERROR_INVALID_ARG; } RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE); ScopedCERTCertList resultChain; @@ -1530,17 +1527,17 @@ VerifyCertAtTime(nsIX509Cert* aCert, aTime, nullptr, // Assume no context aHostname, resultChain, false, // don't save intermediates aFlags, &evOidPolicy); } else { - srv = certVerifier->VerifyCert(nssCert, aUsage, aTime, + srv = certVerifier->VerifyCert(nssCert.get(), aUsage, aTime, nullptr, // Assume no context aHostname, resultChain, aFlags, nullptr, // stapledOCSPResponse &evOidPolicy); }
--- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -695,17 +695,17 @@ MaybeImportFamilySafetyRoot(PCCERT_CONTE SECStatus srv = __CERT_AddTempCertToPerm( nssCertificate.get(), "Microsoft Family Safety", &trust); if (srv != SECSuccess) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't permanently add certificate")); return NS_ERROR_FAILURE; } nsAutoCString dbKey; - nsresult rv = nsNSSCertificate::GetDbKey(nssCertificate.get(), dbKey); + nsresult rv = nsNSSCertificate::GetDbKey(nssCertificate, dbKey); if (NS_FAILED(rv)) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("GetDbKey failed")); return rv; } Preferences::SetCString(kImportedFamilySafetyRootPref, dbKey); MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("added Family Safety root")); } return NS_OK;
--- a/security/manager/ssl/nsNSSIOLayer.cpp +++ b/security/manager/ssl/nsNSSIOLayer.cpp @@ -13,16 +13,17 @@ #include "PSMRunnable.h" #include "SSLServerCertVerification.h" #include "ScopedNSSTypes.h" #include "SharedSSLState.h" #include "keyhi.h" #include "mozilla/Casting.h" #include "mozilla/DebugOnly.h" #include "mozilla/Logging.h" +#include "mozilla/Move.h" #include "mozilla/Preferences.h" #include "mozilla/Telemetry.h" #include "nsCharSeparatedTokenizer.h" #include "nsClientAuthRemember.h" #include "nsContentUtils.h" #include "nsIClientAuthDialogs.h" #include "nsIConsoleService.h" #include "nsIPrefService.h" @@ -331,24 +332,24 @@ nsNSSSocketInfo::IsAcceptableForHost(con // because the user decides on whether to send client certs to hosts on a // per-domain basis. if (mSentClientCert) return NS_OK; // Ensure that the server certificate covers the hostname that would // like to join this connection - ScopedCERTCertificate nssCert; + UniqueCERTCertificate nssCert; nsCOMPtr<nsIX509Cert> cert; if (NS_FAILED(SSLStatus()->GetServerCert(getter_AddRefs(cert)))) { return NS_OK; } if (cert) { - nssCert = cert->GetCert(); + nssCert.reset(cert->GetCert()); } if (!nssCert) { return NS_OK; } // Attempt to verify the joinee's certificate using the joining hostname. // This ensures that any hostname-specific verification logic (e.g. key @@ -1985,24 +1986,24 @@ hasExplicitKeyUsageNonRepudiation(CERTCe class ClientAuthDataRunnable : public SyncRunnableBase { public: ClientAuthDataRunnable(CERTDistNames* caNames, CERTCertificate** pRetCert, SECKEYPrivateKey** pRetKey, nsNSSSocketInfo* info, - CERTCertificate* serverCert) + const UniqueCERTCertificate& serverCert) : mRV(SECFailure) , mErrorCodeToReport(SEC_ERROR_NO_MEMORY) , mPRetCert(pRetCert) , mPRetKey(pRetKey) , mCANames(caNames) , mSocketInfo(info) - , mServerCert(serverCert) + , mServerCert(serverCert.get()) { } SECStatus mRV; // out PRErrorCode mErrorCodeToReport; // out CERTCertificate** const mPRetCert; // in/out SECKEYPrivateKey** const mPRetKey; // in/out protected: @@ -2033,17 +2034,17 @@ nsNSS_SSLGetClientAuthData(void* arg, PR if (!socket || !caNames || !pRetCert || !pRetKey) { PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0); return SECFailure; } RefPtr<nsNSSSocketInfo> info( reinterpret_cast<nsNSSSocketInfo*>(socket->higher->secret)); - ScopedCERTCertificate serverCert(SSL_PeerCertificate(socket)); + UniqueCERTCertificate serverCert(SSL_PeerCertificate(socket)); if (!serverCert) { NS_NOTREACHED("Missing server certificate should have been detected during " "server cert authentication."); PR_SetError(SSL_ERROR_NO_CERTIFICATE, 0); return SECFailure; } if (info->GetJoined()) { @@ -2081,44 +2082,44 @@ void ClientAuthDataRunnable::RunOnTargetThread() { // We check the value of a pref in this runnable, so this runnable should only // be run on the main thread. MOZ_ASSERT(NS_IsMainThread()); UniquePLArenaPool arena; char** caNameStrings; - ScopedCERTCertificate cert; + UniqueCERTCertificate cert; UniqueSECKEYPrivateKey privKey; ScopedCERTCertList certList; CERTCertListNode* node; UniqueCERTCertNicknames nicknames; int keyError = 0; // used for private key retrieval error int32_t NumberOfCerts = 0; void* wincx = mSocketInfo; nsresult rv; nsCOMPtr<nsIX509Cert> socketClientCert; mSocketInfo->GetClientCert(getter_AddRefs(socketClientCert)); // If a client cert preference was set on the socket info, use that and skip // the client cert UI and/or search of the user's past cert decisions. if (socketClientCert) { - cert = socketClientCert->GetCert(); + cert.reset(socketClientCert->GetCert()); if (!cert) { goto loser; } // Get the private key privKey.reset(PK11_FindKeyByAnyCert(cert.get(), wincx)); if (!privKey) { goto loser; } - *mPRetCert = cert.forget(); + *mPRetCert = cert.release(); *mPRetKey = privKey.release(); mRV = SECSuccess; return; } // create caNameStrings arena.reset(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena) { @@ -2156,47 +2157,47 @@ ClientAuthDataRunnable::RunOnTargetThrea } // make sure the list is not empty node = CERT_LIST_HEAD(certList); if (CERT_LIST_END(node, certList)) { goto noCert; } - ScopedCERTCertificate low_prio_nonrep_cert; + UniqueCERTCertificate lowPrioNonrepCert; // loop through the list until we find a cert with a key while (!CERT_LIST_END(node, certList)) { // if the certificate has restriction and we do not satisfy it we do not // use it privKey.reset(PK11_FindKeyByAnyCert(node->cert, wincx)); if (privKey) { if (hasExplicitKeyUsageNonRepudiation(node->cert)) { privKey = nullptr; - // Not a prefered cert - if (!low_prio_nonrep_cert) { // did not yet find a low prio cert - low_prio_nonrep_cert = CERT_DupCertificate(node->cert); + // Not a preferred cert + if (!lowPrioNonrepCert) { // did not yet find a low prio cert + lowPrioNonrepCert.reset(CERT_DupCertificate(node->cert)); } } else { // this is a good cert to present - cert = CERT_DupCertificate(node->cert); + cert.reset(CERT_DupCertificate(node->cert)); break; } } keyError = PR_GetError(); if (keyError == SEC_ERROR_BAD_PASSWORD) { // problem with password: bail goto loser; } node = CERT_LIST_NEXT(node); } - if (!cert && low_prio_nonrep_cert) { - cert = low_prio_nonrep_cert.forget(); + if (!cert && lowPrioNonrepCert) { + cert = Move(lowPrioNonrepCert); privKey.reset(PK11_FindKeyByAnyCert(cert.get(), wincx)); } if (!cert) { goto noCert; } } else { // Not Auto => ask // Get the SSL Certificate @@ -2230,17 +2231,17 @@ ClientAuthDataRunnable::RunOnTargetThrea nsCOMPtr<nsIX509Cert> found_cert; nsresult find_rv = certdb->FindCertByDBKey(rememberedDBKey.get(), getter_AddRefs(found_cert)); if (NS_SUCCEEDED(find_rv) && found_cert) { nsNSSCertificate* obj_cert = reinterpret_cast<nsNSSCertificate*>(found_cert.get()); if (obj_cert) { - cert = obj_cert->GetCert(); + cert.reset(obj_cert->GetCert()); } } if (!cert) { hasRemembered = false; } } } @@ -2390,17 +2391,17 @@ ClientAuthDataRunnable::RunOnTargetThrea int i; if (!canceled) for (i = 0, node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); ++i, node = CERT_LIST_NEXT(node)) { if (i == selectedIndex) { - cert = CERT_DupCertificate(node->cert); + cert.reset(CERT_DupCertificate(node->cert)); break; } } if (cars && wantRemember) { cars->RememberDecision(hostname, mServerCert, canceled ? nullptr : cert.get()); } @@ -2429,17 +2430,17 @@ ClientAuthDataRunnable::RunOnTargetThrea noCert: loser: if (mRV == SECSuccess) { mRV = SECFailure; } done: int error = PR_GetError(); - *mPRetCert = cert.forget(); + *mPRetCert = cert.release(); *mPRetKey = privKey.release(); if (mRV == SECFailure) { mErrorCodeToReport = error; } } static PRFileDesc*
--- a/security/manager/ssl/nsPKCS12Blob.cpp +++ b/security/manager/ssl/nsPKCS12Blob.cpp @@ -1,40 +1,35 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -/* $Id: nsPKCS12Blob.cpp,v 1.49 2007/09/05 07:13:46 jwalden%mit.edu Exp $ */ #include "nsPKCS12Blob.h" -#include "pkix/pkixtypes.h" - -#include "prmem.h" -#include "prprf.h" - +#include "ScopedNSSTypes.h" +#include "nsCRT.h" +#include "nsDirectoryServiceDefs.h" +#include "nsICertificateDialogs.h" +#include "nsIDirectoryService.h" #include "nsIFile.h" -#include "nsNetUtil.h" #include "nsIInputStream.h" -#include "nsIDirectoryService.h" -#include "nsThreadUtils.h" - +#include "nsKeygenHandler.h" // For GetSlotWithMechanism +#include "nsNSSCertificate.h" #include "nsNSSComponent.h" #include "nsNSSHelper.h" -#include "nsString.h" +#include "nsNSSHelper.h" +#include "nsNSSShutDown.h" +#include "nsNetUtil.h" +#include "nsPK11TokenDB.h" #include "nsReadableUtils.h" -#include "nsXPIDLString.h" -#include "nsDirectoryServiceDefs.h" -#include "nsNSSHelper.h" -#include "nsNSSCertificate.h" -#include "nsKeygenHandler.h" //For GetSlotWithMechanism -#include "nsPK11TokenDB.h" -#include "nsICertificateDialogs.h" -#include "nsNSSShutDown.h" -#include "nsCRT.h" - +#include "nsString.h" +#include "nsThreadUtils.h" +#include "pkix/pkixtypes.h" +#include "prmem.h" +#include "prprf.h" #include "secerr.h" using namespace mozilla; extern LazyLogModule gPIPNSSLog; #define PIP_PKCS12_TMPFILENAME NS_LITERAL_CSTRING(".pip_p12tmp") #define PIP_PKCS12_BUFFER_SIZE 2048 #define PIP_PKCS12_RESTORE_OK 1 @@ -310,17 +305,17 @@ nsPKCS12Blob::ExportToFile(nsIFile *file goto finish; } // add password integrity srv = SEC_PKCS12AddPasswordIntegrity(ecx, &unicodePw, SEC_OID_SHA1); if (srv) goto finish; for (i=0; i<numCerts; i++) { nsNSSCertificate *cert = (nsNSSCertificate *)certs[i]; // get it as a CERTCertificate XXX - ScopedCERTCertificate nssCert(cert->GetCert()); + UniqueCERTCertificate nssCert(cert->GetCert()); if (!nssCert) { rv = NS_ERROR_FAILURE; goto finish; } // We can only successfully export certs that are on // internal token. Most, if not all, smart card vendors // won't let you extract the private key (in any way // shape or form) from the card. So let's punt if
--- a/security/manager/ssl/nsSiteSecurityService.cpp +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -690,17 +690,17 @@ nsSiteSecurityService::ProcessPKPHeader( // 2. use this chain to check if things would have broken! nsAutoCString host; nsresult rv = GetHost(aSourceURI, host); NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr<nsIX509Cert> cert; rv = aSSLStatus->GetServerCert(getter_AddRefs(cert)); NS_ENSURE_SUCCESS(rv, rv); NS_ENSURE_TRUE(cert, NS_ERROR_FAILURE); - ScopedCERTCertificate nssCert(cert->GetCert()); + UniqueCERTCertificate nssCert(cert->GetCert()); NS_ENSURE_TRUE(nssCert, NS_ERROR_FAILURE); mozilla::pkix::Time now(mozilla::pkix::Now()); ScopedCERTCertList certList; RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED); if (certVerifier->VerifySSLServerCert(nssCert, nullptr, // stapled ocsp now, nullptr, // pinarg
--- a/security/manager/ssl/tests/compiled/TestIsCertBuiltInRoot.cpp +++ b/security/manager/ssl/tests/compiled/TestIsCertBuiltInRoot.cpp @@ -123,29 +123,29 @@ AddCertificate(char* pem, char* nickname return false; } if (!sCertDER) { fail("sCertDER didn't get set as expected"); return false; } - mozilla::ScopedCERTCertificate cert( + mozilla::UniqueCERTCertificate cert( CERT_NewTempCertificate(CERT_GetDefaultCertDB(), sCertDER, nickname, false, true)); if (!cert) { fail("CERT_NewTempCertificate failed"); return false; } CERTCertTrust trust; trust.sslFlags = 0; trust.emailFlags = 0; trust.objectSigningFlags = 0; - if (CERT_AddTempCertToPerm(cert, nickname, &trust) != SECSuccess) { + if (CERT_AddTempCertToPerm(cert.get(), nickname, &trust) != SECSuccess) { fail("CERT_AddTempCertToPerm failed"); return false; } passed("AddCertificate succeeded"); return true; } bool
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp @@ -112,17 +112,17 @@ DoSNISocketConfig(PRFileDesc* aFd, const // a certificate with a matching subject CN. return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize); } if (gDebugLevel >= DEBUG_VERBOSE) { fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); } - ScopedCERTCertificate cert; + UniqueCERTCertificate cert; SSLKEAType certKEA; if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert, &certKEA)) { return SSL_SNI_SEND_ALERT; } return 0; }
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp @@ -140,17 +140,17 @@ main(int argc, char* argv[]) OCSPResponseType ORT; if (!StringToOCSPResponseType(ocspTypeText, &ORT)) { PR_fprintf(PR_STDERR, "Cannot generate OCSP response of type %s\n", ocspTypeText); exit(EXIT_FAILURE); } - ScopedCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr)); + UniqueCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr)); if (!cert) { PrintPRError("PK11_FindCertFromNickname failed"); PR_fprintf(PR_STDERR, "Failed to find certificate with nick '%s'\n", certNick); exit(EXIT_FAILURE); } SECItemArray* response = GetOCSPResponseForType(ORT, cert, arena,
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp @@ -77,17 +77,17 @@ DoSNISocketConfig(PRFileDesc *aFd, const if (gDebugLevel >= DEBUG_VERBOSE) { fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); } const char *certNickname = host->mServerCertName ? host->mServerCertName : DEFAULT_CERT_NICKNAME; - ScopedCERTCertificate cert; + UniqueCERTCertificate cert; SSLKEAType certKEA; if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, certNickname, &cert, &certKEA)) { return SSL_SNI_SEND_ALERT; } // If the OCSP response type is "none", don't staple a response. if (host->mORT == ORTNone) {
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp +++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp @@ -22,35 +22,35 @@ TestKeyPair* CreateTestKeyPair(const Tes } } } // namespace mozilla::pkix::test using namespace mozilla; using namespace mozilla::pkix; using namespace mozilla::pkix::test; using namespace mozilla::test; static TestKeyPair* -CreateTestKeyPairFromCert(CERTCertificate& cert) +CreateTestKeyPairFromCert(const UniqueCERTCertificate& cert) { - UniqueSECKEYPrivateKey privateKey(PK11_FindKeyByAnyCert(&cert, nullptr)); + UniqueSECKEYPrivateKey privateKey(PK11_FindKeyByAnyCert(cert.get(), nullptr)); if (!privateKey) { return nullptr; } - ScopedSECKEYPublicKey publicKey(CERT_ExtractPublicKey(&cert)); + ScopedSECKEYPublicKey publicKey(CERT_ExtractPublicKey(cert.get())); if (!publicKey) { return nullptr; } return CreateTestKeyPair(RSA_PKCS1(), *publicKey, privateKey.release()); } SECItemArray* -GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate* aCert, +GetOCSPResponseForType(OCSPResponseType aORT, const UniqueCERTCertificate& aCert, const UniquePLArenaPool& aArena, const char* aAdditionalCertName) { - MOZ_ASSERT(aArena.get()); + MOZ_ASSERT(aArena); MOZ_ASSERT(aCert); // Note: |aAdditionalCertName| may or may not need to be non-null depending // on the |aORT| value given. if (aORT == ORTNone) { if (gDebugLevel >= DEBUG_WARNINGS) { fprintf(stderr, "GetOCSPResponseForType called with type ORTNone, " "which makes no sense.\n"); @@ -63,28 +63,28 @@ GetOCSPResponseForType(OCSPResponseType arr->items[0].data = nullptr; arr->items[0].len = 0; return arr; } time_t now = time(nullptr); time_t oldNow = now - (8 * Time::ONE_DAY_IN_SECONDS); - mozilla::ScopedCERTCertificate cert(CERT_DupCertificate(aCert)); + mozilla::UniqueCERTCertificate cert(CERT_DupCertificate(aCert.get())); if (aORT == ORTGoodOtherCert) { - cert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr); + cert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr)); if (!cert) { PrintPRError("PK11_FindCertFromNickname failed"); return nullptr; } } // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic - mozilla::ScopedCERTCertificate - issuerCert(CERT_FindCertIssuer(aCert, PR_Now(), certUsageSSLCA)); + mozilla::UniqueCERTCertificate + issuerCert(CERT_FindCertIssuer(aCert.get(), PR_Now(), certUsageSSLCA)); if (!issuerCert) { PrintPRError("CERT_FindCertIssuer failed"); return nullptr; } Input issuer; if (issuer.Init(cert->derIssuer.data, cert->derIssuer.len) != Success) { return nullptr; } @@ -96,21 +96,21 @@ GetOCSPResponseForType(OCSPResponseType Input serialNumber; if (serialNumber.Init(cert->serialNumber.data, cert->serialNumber.len) != Success) { return nullptr; } CertID certID(issuer, issuerPublicKey, serialNumber); OCSPResponseContext context(certID, now); - mozilla::ScopedCERTCertificate signerCert; + mozilla::UniqueCERTCertificate signerCert; if (aORT == ORTGoodOtherCA || aORT == ORTDelegatedIncluded || aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissing || aORT == ORTDelegatedMissingMultiple) { - signerCert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr); + signerCert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr)); if (!signerCert) { PrintPRError("PK11_FindCertFromNickname failed"); return nullptr; } } ByteString certs[5]; @@ -187,19 +187,19 @@ GetOCSPResponseForType(OCSPResponseType extension.next = nullptr; context.extensions = &extension; } if (aORT == ORTEmptyExtensions) { context.includeEmptyExtensions = true; } if (!signerCert) { - signerCert = CERT_DupCertificate(issuerCert.get()); + signerCert.reset(CERT_DupCertificate(issuerCert.get())); } - context.signerKeyPair.reset(CreateTestKeyPairFromCert(*signerCert)); + context.signerKeyPair.reset(CreateTestKeyPairFromCert(signerCert)); if (!context.signerKeyPair) { PrintPRError("PK11_FindKeyByAnyCert failed"); return nullptr; } ByteString response(CreateEncodedOCSPResponse(context)); if (ENCODING_FAILED(response)) { PrintPRError("CreateEncodedOCSPResponse failed");
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h +++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h @@ -48,13 +48,14 @@ struct OCSPHost { const char *mHostName; OCSPResponseType mORT; const char *mAdditionalCertName; // useful for ORTGoodOtherCert, etc. const char *mServerCertName; }; SECItemArray* -GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate* aCert, +GetOCSPResponseForType(OCSPResponseType aORT, + const mozilla::UniqueCERTCertificate& aCert, const mozilla::UniquePLArenaPool& aArena, const char* aAdditionalCertName); #endif // OCSPCommon_h
--- a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp +++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp @@ -5,16 +5,17 @@ #include "TLSServer.h" #include <stdio.h> #include <string> #include <vector> #include "ScopedNSSTypes.h" #include "base64.h" +#include "mozilla/Move.h" #include "mozilla/Snprintf.h" #include "nspr.h" #include "nss.h" #include "plarenas.h" #include "prenv.h" #include "prerror.h" #include "prnetdb.h" #include "prtime.h" @@ -184,32 +185,33 @@ AddCertificateFromFile(const char* baseP return rv; } SECItem certDER; rv = CERT_DecodeCertPackage(buf, strlen(buf), DecodeCertCallback, &certDER); if (rv != SECSuccess) { PrintPRError("CERT_DecodeCertPackage failed"); return rv; } - ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), + UniqueCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDER, nullptr, false, true)); PORT_Free(certDER.data); if (!cert) { PrintPRError("CERT_NewTempCertificate failed"); return SECFailure; } ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { PrintPRError("PK11_GetInternalKeySlot failed"); return SECFailure; } // The nickname is the filename without '.pem'. std::string nickname(filename, strlen(filename) - 4); - rv = PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, nickname.c_str(), false); + rv = PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE, + nickname.c_str(), false); if (rv != SECSuccess) { PrintPRError("PK11_ImportCert failed"); return rv; } return SECSuccess; } SECStatus @@ -405,31 +407,31 @@ DoCallback() fprintf(stderr, "PR_Recv eof 1\n"); return 1; } fprintf(stderr, "%s\n", buf); return 0; } SECStatus -ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName, - /*optional*/ ScopedCERTCertificate *certOut, - /*optional*/ SSLKEAType *keaOut) +ConfigSecureServerWithNamedCert(PRFileDesc* fd, const char* certName, + /*optional*/ UniqueCERTCertificate* certOut, + /*optional*/ SSLKEAType* keaOut) { - ScopedCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr)); + UniqueCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr)); if (!cert) { PrintPRError("PK11_FindCertFromNickname failed"); return SECFailure; } // If an intermediate certificate issued the server certificate (rather than // directly by a trust anchor), we want to send it along in the handshake so // we don't encounter unknown issuer errors when that's not what we're // testing. UniqueCERTCertificateList certList; - ScopedCERTCertificate issuerCert( + UniqueCERTCertificate issuerCert( CERT_FindCertByName(CERT_GetDefaultCertDB(), &cert->derIssuer)); // If we can't find the issuer cert, continue without it. if (issuerCert) { // Sadly, CERTCertificateList does not have a CERT_NewCertificateList // utility function, so we must create it ourselves. This consists // of creating an arena, allocating space for the CERTCertificateList, // and then transferring ownership of the arena to that list. UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); @@ -464,26 +466,26 @@ ConfigSecureServerWithNamedCert(PRFileDe ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); UniqueSECKEYPrivateKey key( PK11_FindKeyByDERCert(slot.get(), cert.get(), nullptr)); if (!key) { PrintPRError("PK11_FindKeyByDERCert failed"); return SECFailure; } - SSLKEAType certKEA = NSS_FindCertKEAType(cert); + SSLKEAType certKEA = NSS_FindCertKEAType(cert.get()); if (SSL_ConfigSecureServerWithCertChain(fd, cert.get(), certList.get(), key.get(), certKEA) != SECSuccess) { PrintPRError("SSL_ConfigSecureServer failed"); return SECFailure; } if (certOut) { - *certOut = cert.forget(); + *certOut = Move(cert); } if (keaOut) { *keaOut = certKEA; } return SECSuccess; }
--- a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h +++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h @@ -39,19 +39,19 @@ extern DebugLevel gDebugLevel; void PrintPRError(const char *aPrefix); // The default certificate is trusted for localhost and *.example.com extern const char DEFAULT_CERT_NICKNAME[]; // Pass DEFAULT_CERT_NICKNAME as certName unless you need a specific // certificate. SECStatus -ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName, - /*optional*/ ScopedCERTCertificate *cert, - /*optional*/ SSLKEAType *kea); +ConfigSecureServerWithNamedCert(PRFileDesc* fd, const char* certName, + /*optional*/ UniqueCERTCertificate* cert, + /*optional*/ SSLKEAType* kea); SECStatus InitializeNSS(const char* nssCertDBDir); int StartServer(const char *nssCertDBDir, SSLSNISocketConfig sniSocketConfig, void *sniSocketConfigArg);