bug 1461803 - minor cleanup in PSM: (re)move nsNSSErrors to NSSErrorsService r?jcj draft
authorDavid Keeler <dkeeler@mozilla.com>
Fri, 01 Jun 2018 16:23:17 -0700
changeset 803860 741918e1528ec6bff350149173fcc36c345f2a26
parent 803743 d8f180ab74921fd07a66d6868914a48e5f9ea797
push id112217
push userbmo:dkeeler@mozilla.com
push dateMon, 04 Jun 2018 22:40:56 +0000
reviewersjcj
bugs1461803
milestone62.0a1
bug 1461803 - minor cleanup in PSM: (re)move nsNSSErrors to NSSErrorsService r?jcj Also removes displayUnknownCertErrorAlert, which was declared but never used. Also removes some unnecessary ns(I)CertOverrideService OID stuff. MozReview-Commit-ID: 4o7c1TkKeKJ
security/manager/ssl/NSSErrorsService.cpp
security/manager/ssl/moz.build
security/manager/ssl/nsCertOverrideService.cpp
security/manager/ssl/nsCertOverrideService.h
security/manager/ssl/nsICertOverrideService.idl
security/manager/ssl/nsNSSComponent.h
security/manager/ssl/nsNSSErrors.cpp
security/manager/ssl/nsNSSIOLayer.h
security/manager/ssl/tests/unit/test_js_cert_override_service.js
--- a/security/manager/ssl/NSSErrorsService.cpp
+++ b/security/manager/ssl/NSSErrorsService.cpp
@@ -164,44 +164,61 @@ ErrorIsOverridable(PRErrorCode code)
     case SSL_ERROR_BAD_CERT_DOMAIN:
       return true;
     // Non-overridable errors.
     default:
       return false;
   }
 }
 
+static const char*
+getOverrideErrorStringName(PRErrorCode aErrorCode)
+{
+  switch (aErrorCode) {
+    case SSL_ERROR_SSL_DISABLED:
+      return "PSMERR_SSL_Disabled";
+    case SSL_ERROR_SSL2_DISABLED:
+      return "PSMERR_SSL2_Disabled";
+    case SEC_ERROR_REUSED_ISSUER_AND_SERIAL:
+      return "PSMERR_HostReusedIssuerSerial";
+    case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
+      return "certErrorTrust_MitM";
+    default:
+      return nullptr;
+  }
+}
+
 NS_IMETHODIMP
 NSSErrorsService::GetErrorMessage(nsresult aXPCOMErrorCode, nsAString &aErrorMessage)
 {
   if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY ||
       NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) {
     return NS_ERROR_FAILURE;
   }
 
   int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode);
 
   if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsIStringBundle> theBundle = mPIPNSSBundle;
-  const char *id_str = nsNSSErrors::getOverrideErrorStringName(aNSPRCode);
+  const char* idStr = getOverrideErrorStringName(aNSPRCode);
 
-  if (!id_str) {
-    id_str = nsNSSErrors::getDefaultErrorStringName(aNSPRCode);
+  if (!idStr) {
+    idStr = PR_ErrorToName(aNSPRCode);
     theBundle = mNSSErrorsBundle;
   }
 
-  if (!id_str || !theBundle) {
+  if (!idStr || !theBundle) {
     return NS_ERROR_FAILURE;
   }
 
   nsAutoString msg;
-  nsresult rv = theBundle->GetStringFromName(id_str, msg);
+  nsresult rv = theBundle->GetStringFromName(idStr, msg);
   if (NS_SUCCEEDED(rv)) {
     aErrorMessage = msg;
   }
   return rv;
 }
 
 } // namespace psm
 } // namespace mozilla
--- a/security/manager/ssl/moz.build
+++ b/security/manager/ssl/moz.build
@@ -103,17 +103,16 @@ UNIFIED_SOURCES += [
     'nsNSSASN1Object.cpp',
     'nsNSSCallbacks.cpp',
     'nsNSSCertHelper.cpp',
     'nsNSSCertificate.cpp',
     'nsNSSCertificateDB.cpp',
     'nsNSSCertTrust.cpp',
     'nsNSSCertValidity.cpp',
     'nsNSSComponent.cpp',
-    'nsNSSErrors.cpp',
     'nsNSSIOLayer.cpp',
     'nsNSSModule.cpp',
     'nsNSSVersion.cpp',
     'nsNTLMAuthModule.cpp',
     'nsPK11TokenDB.cpp',
     'nsPKCS11Slot.cpp',
     'nsPKCS12Blob.cpp',
     'nsProtectedAuthThread.cpp',
--- a/security/manager/ssl/nsCertOverrideService.cpp
+++ b/security/manager/ssl/nsCertOverrideService.cpp
@@ -98,22 +98,16 @@ nsCertOverrideService::~nsCertOverrideSe
 nsresult
 nsCertOverrideService::Init()
 {
   if (!NS_IsMainThread()) {
     MOZ_ASSERT_UNREACHABLE("nsCertOverrideService initialized off main thread");
     return NS_ERROR_NOT_SAME_THREAD;
   }
 
-  // Note that the names of these variables would seem to indicate that at one
-  // point another hash algorithm was used and is still supported for backwards
-  // compatibility. This is not the case. It has always been SHA256.
-  mOidTagForStoringNewHashes = SEC_OID_SHA256;
-  mDottedOidForStoringNewHashes.AssignLiteral("OID.2.16.840.1.101.3.4.2.1");
-
   nsCOMPtr<nsIObserverService> observerService =
       mozilla::services::GetObserverService();
 
   // If we cannot add ourselves as a profile change observer, then we will not
   // attempt to read/write any settings file. Otherwise, we would end up
   // reading/writing the wrong settings file after a profile change.
   if (observerService) {
     observerService->AddObserver(this, "profile-before-change", true);
@@ -225,17 +219,17 @@ nsCertOverrideService::Read(const MutexA
     if ((algoIndex         = buffer.FindChar('\t', hostIndex)         + 1) == 0 ||
         (fingerprintIndex  = buffer.FindChar('\t', algoIndex)         + 1) == 0 ||
         (overrideBitsIndex = buffer.FindChar('\t', fingerprintIndex)  + 1) == 0 ||
         (dbKeyIndex        = buffer.FindChar('\t', overrideBitsIndex) + 1) == 0) {
       continue;
     }
 
     const nsACString& tmp = Substring(buffer, hostIndex, algoIndex - hostIndex - 1);
-    const nsACString& algo_string = Substring(buffer, algoIndex, fingerprintIndex - algoIndex - 1);
+    // We just ignore the algorithm string.
     const nsACString& fingerprint = Substring(buffer, fingerprintIndex, overrideBitsIndex - fingerprintIndex - 1);
     const nsACString& bits_string = Substring(buffer, overrideBitsIndex, dbKeyIndex - overrideBitsIndex - 1);
     const nsACString& db_key = Substring(buffer, dbKeyIndex, buffer.Length() - dbKeyIndex);
 
     nsAutoCString host(tmp);
     nsCertOverride::OverrideBits bits;
     nsCertOverride::convertStringToBits(bits_string, bits);
 
@@ -250,22 +244,23 @@ nsCertOverrideService::Read(const MutexA
     if (NS_FAILED(portParseError))
       continue; // Ignore broken entries
 
     host.Truncate(portIndex);
 
     AddEntryToList(host, port,
                    nullptr, // don't have the cert
                    false, // not temporary
-                   algo_string, fingerprint, bits, db_key, aProofOfLock);
+                   fingerprint, bits, db_key, aProofOfLock);
   }
 
   return NS_OK;
 }
 
+static const char sSHA256OIDString[] = "OID.2.16.840.1.101.3.4.2.1";
 nsresult
 nsCertOverrideService::Write(const MutexAutoLock& aProofOfLock)
 {
   // If we don't have any profile, then we won't try to write any file
   if (!mSettingsFile) {
     return NS_OK;
   }
 
@@ -307,18 +302,18 @@ nsCertOverrideService::Write(const Mutex
     }
 
     nsAutoCString bits_string;
     nsCertOverride::convertBitsToString(settings.mOverrideBits, bits_string);
 
     bufferedOutputStream->Write(entry->mHostWithPort.get(),
                                 entry->mHostWithPort.Length(), &unused);
     bufferedOutputStream->Write(kTab, sizeof(kTab) - 1, &unused);
-    bufferedOutputStream->Write(settings.mFingerprintAlgOID.get(),
-                                settings.mFingerprintAlgOID.Length(), &unused);
+    bufferedOutputStream->Write(sSHA256OIDString, sizeof(sSHA256OIDString) - 1,
+                                &unused);
     bufferedOutputStream->Write(kTab, sizeof(kTab) - 1, &unused);
     bufferedOutputStream->Write(settings.mFingerprint.get(),
                                 settings.mFingerprint.Length(), &unused);
     bufferedOutputStream->Write(kTab, sizeof(kTab) - 1, &unused);
     bufferedOutputStream->Write(bits_string.get(),
                                 bits_string.Length(), &unused);
     bufferedOutputStream->Write(kTab, sizeof(kTab) - 1, &unused);
     bufferedOutputStream->Write(settings.mDBKey.get(),
@@ -384,34 +379,33 @@ nsCertOverrideService::RememberValidityO
     // certificate rather than the full certificate. It makes the display a bit
     // less informative (since we won't have a certificate to display), but it's
     // better than failing the entire operation.
     Unused << PK11_ImportCert(slot.get(), nsscert.get(), CK_INVALID_HANDLE,
                               nickname.get(), false);
   }
 
   nsAutoCString fpStr;
-  rv = GetCertFingerprintByOidTag(nsscert.get(), mOidTagForStoringNewHashes,
-                                  fpStr);
+  rv = GetCertFingerprintByOidTag(nsscert.get(), SEC_OID_SHA256, fpStr);
   if (NS_FAILED(rv))
     return rv;
 
   nsAutoCString dbkey;
   rv = aCert->GetDbKey(dbkey);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   {
     MutexAutoLock lock(mMutex);
     AddEntryToList(aHostName, aPort,
                    aTemporary ? aCert : nullptr,
                      // keep a reference to the cert for temporary overrides
                    aTemporary,
-                   mDottedOidForStoringNewHashes, fpStr,
+                   fpStr,
                    (nsCertOverride::OverrideBits)aOverrideBits,
                    dbkey, lock);
     if (!aTemporary) {
       Write(lock);
     }
   }
 
   return NS_OK;
@@ -427,17 +421,16 @@ nsCertOverrideService::RememberTemporary
   if(aCertFingerprint.IsEmpty() || aHostName.IsEmpty() || (aPort < -1)) {
     return NS_ERROR_INVALID_ARG;
   }
 
   MutexAutoLock lock(mMutex);
   AddEntryToList(aHostName, aPort,
                  nullptr, // No cert to keep alive
                  true, // temporary
-                 mDottedOidForStoringNewHashes,
                  aCertFingerprint,
                  (nsCertOverride::OverrideBits)aOverrideBits,
                  EmptyCString(),  // dbkey
                  lock);
 
   return NS_OK;
 }
 
@@ -475,75 +468,29 @@ nsCertOverrideService::HasMatchingOverri
   }
 
   *aOverrideBits = static_cast<uint32_t>(settings.mOverrideBits);
   *aIsTemporary = settings.mIsTemporary;
 
   nsAutoCString fpStr;
   nsresult rv;
 
-  // This code was originally written in a way that suggested that other hash
-  // algorithms are supported for backwards compatibility. However, this was
-  // always unnecessary, because only SHA256 has ever been used here.
-  if (settings.mFingerprintAlgOID.Equals(mDottedOidForStoringNewHashes)) {
-    rv = GetCertFingerprintByOidTag(aCert, mOidTagForStoringNewHashes, fpStr);
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-  } else {
-    return NS_ERROR_UNEXPECTED;
+  rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, fpStr);
+  if (NS_FAILED(rv)) {
+    return rv;
   }
 
   *_retval = settings.mFingerprint.Equals(fpStr);
   return NS_OK;
 }
 
-NS_IMETHODIMP
-nsCertOverrideService::GetValidityOverride(const nsACString & aHostName, int32_t aPort,
-                                           nsACString & aHashAlg,
-                                           nsACString & aFingerprint,
-                                           uint32_t *aOverrideBits,
-                                           bool *aIsTemporary,
-                                           bool *_found)
-{
-  NS_ENSURE_ARG_POINTER(_found);
-  NS_ENSURE_ARG_POINTER(aIsTemporary);
-  NS_ENSURE_ARG_POINTER(aOverrideBits);
-  *_found = false;
-  *aOverrideBits = static_cast<uint32_t>(nsCertOverride::OverrideBits::None);
-
-  nsAutoCString hostPort;
-  GetHostWithPort(aHostName, aPort, hostPort);
-  nsCertOverride settings;
-
-  {
-    MutexAutoLock lock(mMutex);
-    nsCertOverrideEntry *entry = mSettingsTable.GetEntry(hostPort.get());
-
-    if (entry) {
-      *_found = true;
-      settings = entry->mSettings; // copy
-    }
-  }
-
-  if (*_found) {
-    *aOverrideBits = static_cast<uint32_t>(settings.mOverrideBits);
-    *aIsTemporary = settings.mIsTemporary;
-    aFingerprint = settings.mFingerprint;
-    aHashAlg = settings.mFingerprintAlgOID;
-  }
-
-  return NS_OK;
-}
-
 nsresult
 nsCertOverrideService::AddEntryToList(const nsACString &aHostName, int32_t aPort,
                                       nsIX509Cert *aCert,
                                       const bool aIsTemporary,
-                                      const nsACString &fingerprintAlgOID,
                                       const nsACString &fingerprint,
                                       nsCertOverride::OverrideBits ob,
                                       const nsACString &dbKey,
                                       const MutexAutoLock& aProofOfLock)
 {
   nsAutoCString hostPort;
   GetHostWithPort(aHostName, aPort, hostPort);
 
@@ -555,17 +502,16 @@ nsCertOverrideService::AddEntryToList(co
   }
 
   entry->mHostWithPort = hostPort;
 
   nsCertOverride &settings = entry->mSettings;
   settings.mAsciiHost = aHostName;
   settings.mPort = aPort;
   settings.mIsTemporary = aIsTemporary;
-  settings.mFingerprintAlgOID = fingerprintAlgOID;
   settings.mFingerprint = fingerprint;
   settings.mOverrideBits = ob;
   settings.mDBKey = dbKey;
   // remove whitespace from stored dbKey for backwards compatibility
   settings.mDBKey.StripWhitespace();
   settings.mCert = aCert;
 
   return NS_OK;
@@ -641,21 +587,18 @@ nsCertOverrideService::IsCertUsedForOver
 
       if (( settings.mIsTemporary && !aCheckTemporaries) ||
           (!settings.mIsTemporary && !aCheckPermanents)) {
         continue;
       }
 
       if (matchesDBKey(aCert, settings.mDBKey)) {
         nsAutoCString cert_fingerprint;
-        nsresult rv = NS_ERROR_UNEXPECTED;
-        if (settings.mFingerprintAlgOID.Equals(mDottedOidForStoringNewHashes)) {
-          rv = GetCertFingerprintByOidTag(aCert,
-                 mOidTagForStoringNewHashes, cert_fingerprint);
-        }
+        nsresult rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256,
+                                                 cert_fingerprint);
         if (NS_SUCCEEDED(rv) &&
             settings.mFingerprint.Equals(cert_fingerprint)) {
           counter++;
         }
       }
     }
   }
   *_retval = counter;
@@ -671,21 +614,18 @@ nsCertOverrideService::EnumerateCertOver
   for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) {
     const nsCertOverride &settings = iter.Get()->mSettings;
 
     if (!aCert) {
       aEnumerator(settings, aUserData);
     } else {
       if (matchesDBKey(aCert, settings.mDBKey)) {
         nsAutoCString cert_fingerprint;
-        nsresult rv = NS_ERROR_UNEXPECTED;
-        if (settings.mFingerprintAlgOID.Equals(mDottedOidForStoringNewHashes)) {
-          rv = GetCertFingerprintByOidTag(aCert,
-                 mOidTagForStoringNewHashes, cert_fingerprint);
-        }
+        nsresult rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256,
+                                                 cert_fingerprint);
         if (NS_SUCCEEDED(rv) &&
             settings.mFingerprint.Equals(cert_fingerprint)) {
           aEnumerator(settings, aUserData);
         }
       }
     }
   }
   return NS_OK;
--- a/security/manager/ssl/nsCertOverrideService.h
+++ b/security/manager/ssl/nsCertOverrideService.h
@@ -41,29 +41,27 @@ public:
     this->operator=(other);
   }
 
   nsCertOverride &operator=(const nsCertOverride &other)
   {
     mAsciiHost = other.mAsciiHost;
     mPort = other.mPort;
     mIsTemporary = other.mIsTemporary;
-    mFingerprintAlgOID = other.mFingerprintAlgOID;
     mFingerprint = other.mFingerprint;
     mOverrideBits = other.mOverrideBits;
     mDBKey = other.mDBKey;
     mCert = other.mCert;
     return *this;
   }
 
   nsCString mAsciiHost;
   int32_t mPort;
   bool mIsTemporary; // true: session only, false: stored on disk
   nsCString mFingerprint;
-  nsCString mFingerprintAlgOID;
   OverrideBits mOverrideBits;
   nsCString mDBKey;
   nsCOMPtr <nsIX509Cert> mCert;
 
   static void convertBitsToString(OverrideBits ob, nsACString &str);
   static void convertStringToBits(const nsACString &str, OverrideBits &ob);
 };
 
@@ -162,28 +160,24 @@ public:
 
 protected:
     ~nsCertOverrideService();
 
     mozilla::Mutex mMutex;
     nsCOMPtr<nsIFile> mSettingsFile;
     nsTHashtable<nsCertOverrideEntry> mSettingsTable;
 
-    SECOidTag mOidTagForStoringNewHashes;
-    nsCString mDottedOidForStoringNewHashes;
-
     void CountPermanentOverrideTelemetry(const mozilla::MutexAutoLock& aProofOfLock);
 
     void RemoveAllFromMemory();
     nsresult Read(const mozilla::MutexAutoLock& aProofOfLock);
     nsresult Write(const mozilla::MutexAutoLock& aProofOfLock);
     nsresult AddEntryToList(const nsACString &host, int32_t port,
                             nsIX509Cert *aCert,
                             const bool aIsTemporary,
-                            const nsACString &algo_oid,
                             const nsACString &fingerprint,
                             nsCertOverride::OverrideBits ob,
                             const nsACString &dbKey,
                             const mozilla::MutexAutoLock& aProofOfLock);
 };
 
 #define NS_CERTOVERRIDE_CID { /* 67ba681d-5485-4fff-952c-2ee337ffdcd6 */ \
     0x67ba681d,                                                        \
--- a/security/manager/ssl/nsICertOverrideService.idl
+++ b/security/manager/ssl/nsICertOverrideService.idl
@@ -98,37 +98,16 @@ interface nsICertOverrideService : nsISu
   [must_use]
   boolean hasMatchingOverride(in ACString aHostName,
                               in int32_t aPort,
                               in nsIX509Cert aCert,
                               out uint32_t aOverrideBits,
                               out boolean aIsTemporary);
 
   /**
-   *  Retrieve the stored override for the given hostname:port.
-   *
-   *  @param aHostName The host (punycode) whose entry should be tested
-   *  @param aPort The port whose entry should be tested, if it is -1 then it
-   *          is internaly treated as 443
-   *  @param aHashAlg On return value True, the fingerprint hash algorithm
-   *                  as an OID value in dotted notation.
-   *  @param aFingerprint On return value True, the stored fingerprint
-   *  @param aOverrideBits The errors that are currently overriden
-   *  @return whether a matching override entry for aHostNameWithPort
-   *          and aFingerprint is currently on file
-   */
-  [must_use]
-  boolean getValidityOverride(in ACString aHostName,
-                              in int32_t aPort,
-                              out ACString aHashAlg,
-                              out ACString aFingerprint,
-                              out uint32_t aOverrideBits,
-                              out boolean aIsTemporary);
-
-  /**
    *  Remove a override for the given hostname:port.
    *
    *  @param aHostName The host (punycode) whose entry should be cleared.
    *  @param aPort The port whose entry should be cleared.
    *               If it is -1, then it is internaly treated as 443.
    *               If it is 0 and aHostName is "all:temporary-certificates",
    *               then all temporary certificates should be cleared.
    */
--- a/security/manager/ssl/nsNSSComponent.h
+++ b/security/manager/ssl/nsNSSComponent.h
@@ -208,16 +208,9 @@ CheckForSmartCardChanges()
     return NS_ERROR_FAILURE;
   }
   return component->CheckForSmartCardChanges();
 #else
   return NS_OK;
 #endif
 }
 
-class nsNSSErrors
-{
-public:
-  static const char* getDefaultErrorStringName(PRErrorCode err);
-  static const char* getOverrideErrorStringName(PRErrorCode aErrorCode);
-};
-
 #endif // _nsNSSComponent_h_
deleted file mode 100644
--- a/security/manager/ssl/nsNSSErrors.cpp
+++ /dev/null
@@ -1,42 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsNSSComponent.h"
-#include "pkix/pkixnss.h"
-#include "secerr.h"
-#include "sslerr.h"
-
-const char *
-nsNSSErrors::getDefaultErrorStringName(PRErrorCode err)
-{
-  return PR_ErrorToName(err);
-}
-
-const char *
-nsNSSErrors::getOverrideErrorStringName(PRErrorCode aErrorCode)
-{
-  const char *id_str = nullptr;
-
-  switch (aErrorCode) {
-    case SSL_ERROR_SSL_DISABLED:
-      id_str = "PSMERR_SSL_Disabled";
-      break;
-
-    case SSL_ERROR_SSL2_DISABLED:
-      id_str = "PSMERR_SSL2_Disabled";
-      break;
-
-    case SEC_ERROR_REUSED_ISSUER_AND_SERIAL:
-      id_str = "PSMERR_HostReusedIssuerSerial";
-      break;
-
-    case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
-      id_str = "certErrorTrust_MitM";
-      break;
-  }
-
-  return id_str;
-}
--- a/security/manager/ssl/nsNSSIOLayer.h
+++ b/security/manager/ssl/nsNSSIOLayer.h
@@ -317,11 +317,10 @@ nsresult nsSSLIOLayerAddToSocket(int32_t
                                  const OriginAttributes& originAttributes,
                                  PRFileDesc* fd,
                                  nsISupports** securityInfo,
                                  bool forSTARTTLS,
                                  uint32_t flags,
                                  uint32_t tlsFlags);
 
 nsresult nsSSLIOLayerFreeTLSIntolerantSites();
-nsresult displayUnknownCertErrorAlert(nsNSSSocketInfo* infoObject, int error);
 
 #endif // nsNSSIOLayer_h
--- a/security/manager/ssl/tests/unit/test_js_cert_override_service.js
+++ b/security/manager/ssl/tests/unit/test_js_cert_override_service.js
@@ -22,20 +22,16 @@ const gCertOverrideService = {
   hasMatchingOverride(hostname, port, cert, overrideBits, isTemporary) {
     Assert.equal(hostname, "expired.example.com",
                  "hasMatchingOverride: hostname should be expired.example.com");
     overrideBits.value = Ci.nsICertOverrideService.ERROR_TIME;
     isTemporary.value = false;
     return true;
   },
 
-  getValidityOverride() {
-    throw Cr.NS_ERROR_NOT_IMPLEMENTED;
-  },
-
   clearValidityOverride() {
     throw Cr.NS_ERROR_NOT_IMPLEMENTED;
   },
 
   isCertUsedForOverrides() {
     throw Cr.NS_ERROR_NOT_IMPLEMENTED;
   },