Bug 1118599 - Remove now-unneeded MOZILLA_PKIX_ENUM_CLASS workaround for GCC enum class bugs. r=mmc
authorBrian Smith <brian@briansmith.org>
Tue, 06 Jan 2015 18:28:09 -0800
changeset 248433 2880e05d5e3241105c1874fd364a7f50e0d334c3
parent 248432 9f3ee2b72d354e303500e9773a6b6072c54fd4c9
child 248443 f90dccb788edcd7e311bc52986dbaa70668b776f
child 248554 eff1149c52dc923783a9490315181c4c35a7f632
push id4489
push userraliiev@mozilla.com
push dateMon, 23 Feb 2015 15:17:55 +0000
treeherdermozilla-beta@fd7c3dc24146 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmmc
bugs1118599
milestone37.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1118599 - Remove now-unneeded MOZILLA_PKIX_ENUM_CLASS workaround for GCC enum class bugs. r=mmc
security/pkix/include/pkix/Result.h
security/pkix/include/pkix/enumclass.h
security/pkix/include/pkix/pkixtypes.h
security/pkix/lib/pkixder.h
security/pkix/lib/pkixnames.cpp
security/pkix/lib/pkixocsp.cpp
security/pkix/test/gtest/pkixbuild_tests.cpp
security/pkix/test/gtest/pkixcert_signature_algorithm_tests.cpp
security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
security/pkix/test/lib/pkixtestutil.cpp
security/pkix/test/lib/pkixtestutil.h
--- a/security/pkix/include/pkix/Result.h
+++ b/security/pkix/include/pkix/Result.h
@@ -22,18 +22,16 @@
  * limitations under the License.
  */
 
 #ifndef mozilla_pkix__Result_h
 #define mozilla_pkix__Result_h
 
 #include <cassert>
 
-#include "pkix/enumclass.h"
-
 namespace mozilla { namespace pkix {
 
 static const unsigned int FATAL_ERROR_FLAG = 0x800;
 
 // ----------------------------------------------------------------------------
 // SELECTED ERROR CODE EXPLANATIONS
 //
 // Result::ERROR_UNTRUSTED_CERT
@@ -178,37 +176,31 @@ static const unsigned int FATAL_ERROR_FL
     MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2, \
                      PR_INVALID_STATE_ERROR) \
     MOZILLA_PKIX_MAP(FATAL_ERROR_LIBRARY_FAILURE, FATAL_ERROR_FLAG | 3, \
                      SEC_ERROR_LIBRARY_FAILURE) \
     MOZILLA_PKIX_MAP(FATAL_ERROR_NO_MEMORY, FATAL_ERROR_FLAG | 4, \
                      SEC_ERROR_NO_MEMORY) \
     /* nothing here */
 
-MOZILLA_PKIX_ENUM_CLASS Result
+enum class Result
 {
 #define MOZILLA_PKIX_MAP(name, value, nss_name) name = value,
   MOZILLA_PKIX_MAP_LIST
 #undef MOZILLA_PKIX_MAP
 };
 
 // Returns the stringified name of the given result, e.g. "Result::Success",
 // or nullptr if result is unknown (invalid).
 const char* MapResultToName(Result result);
 
 // We write many comparisons as (x != Success), and this shortened name makes
 // those comparisons clearer, especially because the shortened name often
 // results in less line wrapping.
-//
-// If MOZILLA_PKIX_ENUM_CLASS doesn't expand to "enum class" then
-// Result::Success will already be in scope, and compilation would fail if we
-// were to try to define a variable named "Success" here.
-#ifdef MOZILLA_PKIX_ENUM_CLASS_REALLY_IS_ENUM_CLASS
 static const Result Success = Result::Success;
-#endif
 
 inline bool
 IsFatalError(Result rv)
 {
   return (static_cast<unsigned int>(rv) & FATAL_ERROR_FLAG) != 0;
 }
 
 inline Result
deleted file mode 100644
--- a/security/pkix/include/pkix/enumclass.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This code is made available to you under your choice of the following sets
- * of licensing terms:
- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-/* Copyright 2013 Mozilla Contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef mozilla_pkix__enumclass_h
-#define mozilla_pkix__enumclass_h
-
-#if defined(__GNUC__) && (__GNUC__ * 100 + __GNUC_MINOR__ < 407)
-// GCC before version 4.7 may crash when compiling code that static_casts a
-// value of scoped typed enum type. See
-// https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48106.
-#define MOZILLA_PKIX_ENUM_CLASS enum
-#else
-#define MOZILLA_PKIX_ENUM_CLASS enum class
-#define MOZILLA_PKIX_ENUM_CLASS_REALLY_IS_ENUM_CLASS
-#endif
-
-#endif // mozilla_pkix__enumclass_h
--- a/security/pkix/include/pkix/pkixtypes.h
+++ b/security/pkix/include/pkix/pkixtypes.h
@@ -26,29 +26,29 @@
 #define mozilla_pkix__pkixtypes_h
 
 #include "pkix/Input.h"
 #include "pkix/Time.h"
 #include "stdint.h"
 
 namespace mozilla { namespace pkix {
 
-MOZILLA_PKIX_ENUM_CLASS DigestAlgorithm
+enum class DigestAlgorithm
 {
   sha512 = 1,
   sha384 = 2,
   sha256 = 3,
   sha1 = 4,
 };
 
 // Named ECC Curves:
 //   * secp521r1 (OID 1.3.132.0.35, RFC 5480)
 //   * secp384r1 (OID 1.3.132.0.34, RFC 5480)
 //   * secp256r1 (OID 1.2.840.10045.3.17, RFC 5480)
-MOZILLA_PKIX_ENUM_CLASS SignatureAlgorithm
+enum class SignatureAlgorithm
 {
   // ecdsa-with-SHA512 (OID 1.2.840.10045.4.3.4, RFC 5758 Section 3.2)
   ecdsa_with_sha512 = 1,
 
   // ecdsa-with-SHA384 (OID 1.2.840.10045.4.3.3, RFC 5758 Section 3.2)
   ecdsa_with_sha384 = 4,
 
   // ecdsa-with-SHA256 (OID 1.2.840.10045.4.3.2, RFC 5758 Section 3.2)
@@ -79,32 +79,32 @@ public:
   Input data;
   SignatureAlgorithm algorithm;
   Input signature;
 
 private:
   void operator=(const SignedDataWithSignature&) /*= delete*/;
 };
 
-MOZILLA_PKIX_ENUM_CLASS EndEntityOrCA { MustBeEndEntity = 0, MustBeCA = 1 };
+enum class EndEntityOrCA { MustBeEndEntity = 0, MustBeCA = 1 };
 
-MOZILLA_PKIX_ENUM_CLASS KeyUsage : uint8_t {
+enum class KeyUsage : uint8_t {
   digitalSignature = 0,
   nonRepudiation   = 1,
   keyEncipherment  = 2,
   dataEncipherment = 3,
   keyAgreement     = 4,
   keyCertSign      = 5,
   // cRLSign       = 6,
   // encipherOnly  = 7,
   // decipherOnly  = 8,
   noParticularKeyUsageRequired = 0xff,
 };
 
-MOZILLA_PKIX_ENUM_CLASS KeyPurposeId {
+enum class KeyPurposeId {
   anyExtendedKeyUsage = 0,
   id_kp_serverAuth = 1,           // id-kp-serverAuth
   id_kp_clientAuth = 2,           // id-kp-clientAuth
   id_kp_codeSigning = 3,          // id-kp-codeSigning
   id_kp_emailProtection = 4,      // id-kp-emailProtection
   id_kp_OCSPSigning = 9,          // id-kp-OCSPSigning
 };
 
@@ -113,17 +113,17 @@ struct CertPolicyId {
   static const uint16_t MAX_BYTES = 24;
   uint8_t bytes[MAX_BYTES];
 
   bool IsAnyPolicy() const;
 
   static const CertPolicyId anyPolicy;
 };
 
-MOZILLA_PKIX_ENUM_CLASS TrustLevel {
+enum class TrustLevel {
   TrustAnchor = 1,        // certificate is a trusted root CA certificate or
                           // equivalent *for the given policy*.
   ActivelyDistrusted = 2, // certificate is known to be bad
   InheritsTrust = 3       // certificate must chain to a trust anchor
 };
 
 // CertID references the information needed to do revocation checking for the
 // certificate issued by the given issuer with the given serial number.
--- a/security/pkix/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@@ -69,17 +69,17 @@ enum Tag
   SET = UNIVERSAL | CONSTRUCTED | 0x11, // 0x31
   PrintableString = UNIVERSAL | 0x13,
   TeletexString = UNIVERSAL | 0x14,
   IA5String = UNIVERSAL | 0x16,
   UTCTime = UNIVERSAL | 0x17,
   GENERALIZED_TIME = UNIVERSAL | 0x18,
 };
 
-MOZILLA_PKIX_ENUM_CLASS EmptyAllowed { No = 0, Yes = 1 };
+enum class EmptyAllowed { No = 0, Yes = 1 };
 
 Result ReadTagAndGetValue(Reader& input, /*out*/ uint8_t& tag,
                           /*out*/ Input& value);
 Result End(Reader& input);
 
 inline Result
 ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Input& value)
 {
@@ -469,17 +469,17 @@ CertificateSerialNumber(Reader& input, /
     }
   }
 
   return Success;
 }
 
 // x.509 and OCSP both use this same version numbering scheme, though OCSP
 // only supports v1.
-MOZILLA_PKIX_ENUM_CLASS Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3 };
+enum class Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3 };
 
 // X.509 Certificate and OCSP ResponseData both use this
 // "[0] EXPLICIT Version DEFAULT <defaultVersion>" construct, but with
 // different default versions.
 inline Result
 OptionalVersion(Reader& input, /*out*/ Version& version)
 {
   static const uint8_t TAG = CONTEXT_SPECIFIC | CONSTRUCTED | 0;
--- a/security/pkix/lib/pkixnames.cpp
+++ b/security/pkix/lib/pkixnames.cpp
@@ -47,17 +47,17 @@ namespace {
 //      rfc822Name                      [1]     IA5String,
 //      dNSName                         [2]     IA5String,
 //      x400Address                     [3]     ORAddress,
 //      directoryName                   [4]     Name,
 //      ediPartyName                    [5]     EDIPartyName,
 //      uniformResourceIdentifier       [6]     IA5String,
 //      iPAddress                       [7]     OCTET STRING,
 //      registeredID                    [8]     OBJECT IDENTIFIER }
-MOZILLA_PKIX_ENUM_CLASS GeneralNameType : uint8_t
+enum class GeneralNameType : uint8_t
 {
   // Note that these values are NOT contiguous. Some values have the
   // der::CONSTRUCTED bit set while others do not.
   // (The der::CONSTRUCTED bit is for types where the value is a SEQUENCE.)
   otherName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
   rfc822Name = der::CONTEXT_SPECIFIC | 1,
   dNSName = der::CONTEXT_SPECIFIC | 2,
   x400Address = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3,
@@ -110,19 +110,19 @@ ReadGeneralName(Reader& reader,
       generalNameType = GeneralNameType::registeredID;
       break;
     default:
       return Result::ERROR_BAD_DER;
   }
   return Success;
 }
 
-MOZILLA_PKIX_ENUM_CLASS FallBackToSearchWithinSubject { No = 0, Yes = 1 };
+enum class FallBackToSearchWithinSubject { No = 0, Yes = 1 };
 
-MOZILLA_PKIX_ENUM_CLASS MatchResult
+enum class MatchResult
 {
   NoNamesOfGivenType = 0,
   Mismatch = 1,
   Match = 2
 };
 
 Result SearchNames(const Input* subjectAltName, Input subject,
                    GeneralNameType referenceIDType,
@@ -154,46 +154,39 @@ Result MatchPresentedIDWithReferenceID(G
                                        /*in/out*/ MatchResult& matchResult);
 Result CheckPresentedIDConformsToConstraints(GeneralNameType referenceIDType,
                                              Input presentedID,
                                              Input nameConstraints);
 
 uint8_t LocaleInsensitveToLower(uint8_t a);
 bool StartsWithIDNALabel(Input id);
 
-MOZILLA_PKIX_ENUM_CLASS IDRole
+enum class IDRole
 {
   ReferenceID = 0,
   PresentedID = 1,
   NameConstraint = 2,
 };
 
-MOZILLA_PKIX_ENUM_CLASS Wildcards
-{
-  AllowWildcards = 0,
-  DisallowWildcards = 1
-};
+enum class AllowWildcards { No = 0, Yes = 1 };
 
 // DNSName constraints implicitly allow subdomain matching when there is no
 // leading dot ("foo.example.com" matches a constraint of "example.com"), but
 // RFC822Name constraints only allow subdomain matching when there is a leading
 // dot ("foo.example.com" does not match "example.com" but does match
 // ".example.com").
-MOZILLA_PKIX_ENUM_CLASS DotlessSubdomainMatches
-{
-  DisallowDotlessSubdomainMatches = 0,
-  AllowDotlessSubdomainMatches = 1
-};
+enum class AllowDotlessSubdomainMatches { No = 0, Yes = 1 };
 
-bool IsValidDNSID(Input hostname, IDRole idRole, Wildcards allowWildcards);
+bool IsValidDNSID(Input hostname, IDRole idRole,
+                  AllowWildcards allowWildcards);
 
 Result MatchPresentedDNSIDWithReferenceDNSID(
          Input presentedDNSID,
-         Wildcards allowWildcards,
-         DotlessSubdomainMatches allowDotlessSubdomainMatches,
+         AllowWildcards allowWildcards,
+         AllowDotlessSubdomainMatches allowDotlessSubdomainMatches,
          IDRole referenceDNSIDRole,
          Input referenceDNSID,
          /*out*/ bool& matches);
 
 Result MatchPresentedRFC822NameWithReferenceRFC822Name(
          Input presentedRFC822Name, IDRole referenceRFC822NameRole,
          Input referenceRFC822Name, /*out*/ bool& matches);
 
@@ -206,19 +199,18 @@ bool ParseIPv6Address(Input hostname, /*
 
 // This is used by the pkixnames_tests.cpp tests.
 Result
 MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID,
                                       Input referenceDNSID,
                                       /*out*/ bool& matches)
 {
   return MatchPresentedDNSIDWithReferenceDNSID(
-           presentedDNSID, Wildcards::AllowWildcards,
-           DotlessSubdomainMatches::AllowDotlessSubdomainMatches,
-           IDRole::ReferenceID,
+           presentedDNSID, AllowWildcards::Yes,
+           AllowDotlessSubdomainMatches::Yes, IDRole::ReferenceID,
            referenceDNSID, matches);
 }
 
 // Verify that the given end-entity cert, which is assumed to have been already
 // validated with BuildCertChain, is valid for the given hostname. hostname is
 // assumed to be a string representation of an IPv4 address, an IPv6 addresss,
 // or a normalized ASCII (possibly punycode) DNS name.
 Result
@@ -696,19 +688,19 @@ MatchPresentedIDWithReferenceID(GeneralN
   }
 
   Result rv;
   bool foundMatch;
 
   switch (referenceIDType) {
     case GeneralNameType::dNSName:
       rv = MatchPresentedDNSIDWithReferenceDNSID(
-             presentedID, Wildcards::AllowWildcards,
-             DotlessSubdomainMatches::AllowDotlessSubdomainMatches,
-             IDRole::ReferenceID, referenceID, foundMatch);
+             presentedID, AllowWildcards::Yes,
+             AllowDotlessSubdomainMatches::Yes, IDRole::ReferenceID,
+             referenceID, foundMatch);
       break;
 
     case GeneralNameType::iPAddress:
       foundMatch = InputsAreEqual(presentedID, referenceID);
       rv = Success;
       break;
 
     case GeneralNameType::rfc822Name:
@@ -736,17 +728,17 @@ MatchPresentedIDWithReferenceID(GeneralN
 
   if (rv != Success) {
     return rv;
   }
   matchResult = foundMatch ? MatchResult::Match : MatchResult::Mismatch;
   return Success;
 }
 
-MOZILLA_PKIX_ENUM_CLASS NameConstraintsSubtrees : uint8_t
+enum class NameConstraintsSubtrees : uint8_t
 {
   permittedSubtrees = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0,
   excludedSubtrees  = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1
 };
 
 Result CheckPresentedIDConformsToNameConstraintsSubtrees(
          GeneralNameType presentedIDType,
          Input presentedID,
@@ -853,19 +845,19 @@ CheckPresentedIDConformsToNameConstraint
     }
 
     if (presentedIDType == nameConstraintType) {
       bool matches;
 
       switch (presentedIDType) {
         case GeneralNameType::dNSName:
           rv = MatchPresentedDNSIDWithReferenceDNSID(
-                 presentedID, Wildcards::AllowWildcards,
-                 DotlessSubdomainMatches::AllowDotlessSubdomainMatches,
-                 IDRole::NameConstraint, base, matches);
+                 presentedID, AllowWildcards::Yes,
+                 AllowDotlessSubdomainMatches::Yes, IDRole::NameConstraint,
+                 base, matches);
           if (rv != Success) {
             return rv;
           }
           break;
 
         case GeneralNameType::iPAddress:
           rv = MatchPresentedIPAddressWithConstraint(presentedID, base,
                                                      matches);
@@ -1062,28 +1054,27 @@ CheckPresentedIDConformsToNameConstraint
 //     http://www.mail-archive.com/openssl-dev%40openssl.org/msg36204.html
 //     https://rt.openssl.org/Ticket/Display.html?id=3562
 // [4] Feedback on the lack of clarify in the definition that never got
 //     incorporated into the spec:
 //     https://www.ietf.org/mail-archive/web/pkix/current/msg21192.html
 Result
 MatchPresentedDNSIDWithReferenceDNSID(
   Input presentedDNSID,
-  Wildcards allowWildcards,
-  DotlessSubdomainMatches allowDotlessSubdomainMatches,
+  AllowWildcards allowWildcards,
+  AllowDotlessSubdomainMatches allowDotlessSubdomainMatches,
   IDRole referenceDNSIDRole,
   Input referenceDNSID,
   /*out*/ bool& matches)
 {
   if (!IsValidDNSID(presentedDNSID, IDRole::PresentedID, allowWildcards)) {
     return Result::ERROR_BAD_DER;
   }
 
-  if (!IsValidDNSID(referenceDNSID, referenceDNSIDRole,
-                    Wildcards::DisallowWildcards)) {
+  if (!IsValidDNSID(referenceDNSID, referenceDNSIDRole, AllowWildcards::No)) {
     return Result::ERROR_BAD_DER;
   }
 
   Reader presented(presentedDNSID);
   Reader reference(referenceDNSID);
 
   switch (referenceDNSIDRole)
   {
@@ -1124,17 +1115,17 @@ MatchPresentedDNSIDWithReferenceDNSID(
         if (reference.Peek('.')) {
           if (presented.Skip(static_cast<Input::size_type>(
                                presentedDNSID.GetLength() -
                                  referenceDNSID.GetLength())) != Success) {
             return NotReached("skipping subdomain failed",
                               Result::FATAL_ERROR_LIBRARY_FAILURE);
           }
         } else if (allowDotlessSubdomainMatches ==
-                   DotlessSubdomainMatches::AllowDotlessSubdomainMatches) {
+                   AllowDotlessSubdomainMatches::Yes) {
           if (presented.Skip(static_cast<Input::size_type>(
                                presentedDNSID.GetLength() -
                                  referenceDNSID.GetLength() - 1)) != Success) {
             return NotReached("skipping subdomains failed",
                               Result::FATAL_ERROR_LIBRARY_FAILURE);
           }
           uint8_t b;
           if (presented.Read(b) != Success) {
@@ -1448,18 +1439,17 @@ IsValidRFC822Name(Input input)
 
       case '@':
       {
         if (startOfAtom) {
           return false;
         }
         Input domain;
         reader.SkipToEnd(domain);
-        return IsValidDNSID(domain, IDRole::PresentedID,
-                            Wildcards::DisallowWildcards);
+        return IsValidDNSID(domain, IDRole::PresentedID, AllowWildcards::No);
       }
 
       default:
         return false;
     }
   }
 }
 
@@ -1501,19 +1491,19 @@ MatchPresentedRFC822NameWithReferenceRFC
           break;
         }
       }
 
       Input presentedDNSID;
       presented.SkipToEnd(presentedDNSID);
 
       return MatchPresentedDNSIDWithReferenceDNSID(
-               presentedDNSID, Wildcards::DisallowWildcards,
-               DotlessSubdomainMatches::DisallowDotlessSubdomainMatches,
-               IDRole::NameConstraint, referenceRFC822Name, matches);
+               presentedDNSID, AllowWildcards::No,
+               AllowDotlessSubdomainMatches::No, IDRole::NameConstraint,
+               referenceRFC822Name, matches);
     }
 
     default:
       return NotReached("invalid referenceRFC822NameRole",
                         Result::FATAL_ERROR_INVALID_ARGS);
   }
 
   if (!IsValidRFC822Name(referenceRFC822Name)) {
@@ -1812,31 +1802,29 @@ ParseIPv6Address(Input hostname, /*out*/
       }
     }
   }
 }
 
 bool
 IsValidReferenceDNSID(Input hostname)
 {
-  return IsValidDNSID(hostname, IDRole::ReferenceID,
-                      Wildcards::DisallowWildcards);
+  return IsValidDNSID(hostname, IDRole::ReferenceID, AllowWildcards::No);
 }
 
 bool
 IsValidPresentedDNSID(Input hostname)
 {
-  return IsValidDNSID(hostname, IDRole::PresentedID,
-                      Wildcards::AllowWildcards);
+  return IsValidDNSID(hostname, IDRole::PresentedID, AllowWildcards::Yes);
 }
 
 namespace {
 
 bool
-IsValidDNSID(Input hostname, IDRole idRole, Wildcards allowWildcards)
+IsValidDNSID(Input hostname, IDRole idRole, AllowWildcards allowWildcards)
 {
   if (hostname.GetLength() > 253) {
     return false;
   }
 
   Reader input(hostname);
 
   if (idRole == IDRole::NameConstraint && input.AtEnd()) {
@@ -1846,18 +1834,17 @@ IsValidDNSID(Input hostname, IDRole idRo
   size_t dotCount = 0;
   size_t labelLength = 0;
   bool labelIsAllNumeric = false;
   bool labelEndsWithHyphen = false;
 
   // Only presented IDs are allowed to have wildcard labels. And, like
   // Chromium, be stricter than RFC 6125 requires by insisting that a
   // wildcard label consist only of '*'.
-  bool isWildcard = allowWildcards == Wildcards::AllowWildcards &&
-                    input.Peek('*');
+  bool isWildcard = allowWildcards == AllowWildcards::Yes && input.Peek('*');
   bool isFirstByte = !isWildcard;
   if (isWildcard) {
     Result rv = input.Skip(1);
     if (rv != Success) {
       assert(false);
       return false;
     }
 
--- a/security/pkix/lib/pkixocsp.cpp
+++ b/security/pkix/lib/pkixocsp.cpp
@@ -28,17 +28,17 @@
 #include "pkix/pkix.h"
 #include "pkixcheck.h"
 #include "pkixutil.h"
 #include "pkixder.h"
 
 namespace mozilla { namespace pkix {
 
 // These values correspond to the tag values in the ASN.1 CertStatus
-MOZILLA_PKIX_ENUM_CLASS CertStatus : uint8_t {
+enum class CertStatus : uint8_t {
   Good = der::CONTEXT_SPECIFIC | 0,
   Revoked = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
   Unknown = der::CONTEXT_SPECIFIC | 2
 };
 
 class Context
 {
 public:
@@ -135,17 +135,17 @@ CheckOCSPResponseSignerCert(TrustDomain&
 
   // TODO: check for revocation of the OCSP responder certificate unless no-check
   // or the caller forcing no-check. To properly support the no-check policy, we'd
   // need to enforce policy constraints from the issuerChain.
 
   return rv;
 }
 
-MOZILLA_PKIX_ENUM_CLASS ResponderIDType : uint8_t
+enum class ResponderIDType : uint8_t
 {
   byName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
   byKey = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 2
 };
 
 static inline Result OCSPResponse(Reader&, Context&);
 static inline Result ResponseBytes(Reader&, Context&);
 static inline Result BasicResponse(Reader&, Context&);
--- a/security/pkix/test/gtest/pkixbuild_tests.cpp
+++ b/security/pkix/test/gtest/pkixbuild_tests.cpp
@@ -44,18 +44,17 @@ CreateCert(const char* issuerCN, // null
   EXPECT_FALSE(ENCODING_FAILED(serialNumber));
 
   ByteString issuerDER(issuerCN ? CNToDERName(issuerCN) : Name(ByteString()));
   ByteString subjectDER(subjectCN ? CNToDERName(subjectCN) : Name(ByteString()));
 
   ByteString extensions[2];
   if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
     extensions[0] =
-      CreateEncodedBasicConstraints(true, nullptr,
-                                    ExtensionCriticality::Critical);
+      CreateEncodedBasicConstraints(true, nullptr, Critical::Yes);
     EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
   }
 
   ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
   ByteString certDER(CreateEncodedCertificate(
                        v3, sha256WithRSAEncryption, serialNumber, issuerDER,
                        oneDayBeforeNow, oneDayAfterNow, subjectDER,
                        *reusedKey, extensions, *reusedKey,
--- a/security/pkix/test/gtest/pkixcert_signature_algorithm_tests.cpp
+++ b/security/pkix/test/gtest/pkixcert_signature_algorithm_tests.cpp
@@ -25,18 +25,17 @@ CreateCert(const char* issuerCN,
   ByteString issuerDER(CNToDERName(issuerCN));
   EXPECT_FALSE(ENCODING_FAILED(issuerDER));
   subjectDER = CNToDERName(subjectCN);
   EXPECT_FALSE(ENCODING_FAILED(subjectDER));
 
   ByteString extensions[2];
   if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
     extensions[0] =
-      CreateEncodedBasicConstraints(true, nullptr,
-                                    ExtensionCriticality::Critical);
+      CreateEncodedBasicConstraints(true, nullptr, Critical::Yes);
     EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
   }
 
   ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
   ByteString certDER(CreateEncodedCertificate(v3, signatureAlgorithm,
                                               serialNumber, issuerDER,
                                               oneDayBeforeNow, oneDayAfterNow,
                                               subjectDER, *reusedKey,
--- a/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
+++ b/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -472,18 +472,17 @@ protected:
                const ByteString& certSignatureAlgorithm,
                /*optional*/ const Input* signerEKUDER = &OCSPSigningEKUDER,
                /*optional, out*/ ByteString* signerDEROut = nullptr)
   {
     assert(certSubjectName);
 
     const ByteString extensions[] = {
       signerEKUDER
-        ? CreateEncodedEKUExtension(*signerEKUDER,
-                                    ExtensionCriticality::NotCritical)
+        ? CreateEncodedEKUExtension(*signerEKUDER, Critical::No)
         : ByteString(),
       ByteString()
     };
     ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
     ByteString signerDER(CreateEncodedCertificate(
                            ++rootIssuedCount, certSignatureAlgorithm,
                            rootName, oneDayBeforeNow, oneDayAfterNow,
                            certSubjectName, *signerKeyPair,
@@ -623,18 +622,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
   ASSERT_FALSE(expired);
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_expired)
 {
   static const char* signerName = "good_indirect_expired";
 
   const ByteString extensions[] = {
-    CreateEncodedEKUExtension(OCSPSigningEKUDER,
-                              ExtensionCriticality::NotCritical),
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
     ByteString()
   };
 
   ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
   ByteString signerDER(CreateEncodedCertificate(
                           ++rootIssuedCount, sha256WithRSAEncryption, rootName,
                           now - (10 * Time::ONE_DAY_IN_SECONDS),
                           now - (2 * Time::ONE_DAY_IN_SECONDS),
@@ -659,18 +657,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
                                       response, expired));
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_future)
 {
   static const char* signerName = "good_indirect_future";
 
   const ByteString extensions[] = {
-    CreateEncodedEKUExtension(OCSPSigningEKUDER,
-                              ExtensionCriticality::NotCritical),
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
     ByteString()
   };
 
   ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
   ByteString signerDER(CreateEncodedCertificate(
                          ++rootIssuedCount, sha256WithRSAEncryption,
                          rootName,
                          now + (2 * Time::ONE_DAY_IN_SECONDS),
@@ -767,18 +764,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
   static const char* signerName = "good_indirect_unknown_issuer OCSP signer";
 
   // unknown issuer
   ScopedTestKeyPair unknownKeyPair(GenerateKeyPair());
   ASSERT_TRUE(unknownKeyPair);
 
   // Delegated responder cert signed by unknown issuer
   const ByteString extensions[] = {
-    CreateEncodedEKUExtension(OCSPSigningEKUDER,
-                              ExtensionCriticality::NotCritical),
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
     ByteString()
   };
   ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
   ByteString signerDER(CreateEncodedCertificate(
                          1, sha256WithRSAEncryption, subCAName,
                          oneDayBeforeNow, oneDayAfterNow, signerName,
                          *signerKeyPair, extensions, *unknownKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(signerDER));
@@ -808,30 +804,29 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
        good_indirect_subca_1_first)
 {
   static const char* subCAName = "good_indirect_subca_1_first sub-CA";
   static const char* signerName = "good_indirect_subca_1_first OCSP signer";
 
   // sub-CA of root (root is the direct issuer of endEntity)
   const ByteString subCAExtensions[] = {
-    CreateEncodedBasicConstraints(true, 0, ExtensionCriticality::NotCritical),
+    CreateEncodedBasicConstraints(true, 0, Critical::No),
     ByteString()
   };
   ScopedTestKeyPair subCAKeyPair(GenerateKeyPair());
   ByteString subCADER(CreateEncodedCertificate(
                         ++rootIssuedCount, sha256WithRSAEncryption, rootName,
                         oneDayBeforeNow, oneDayAfterNow, subCAName,
                         *subCAKeyPair, subCAExtensions, *rootKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(subCADER));
 
   // Delegated responder cert signed by that sub-CA
   const ByteString extensions[] = {
-    CreateEncodedEKUExtension(OCSPSigningEKUDER,
-                              ExtensionCriticality::NotCritical),
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
     ByteString(),
   };
   ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
   ByteString signerDER(CreateEncodedCertificate(
                          1, sha256WithRSAEncryption, subCAName,
                          oneDayBeforeNow, oneDayAfterNow, signerName,
                          *signerKeyPair, extensions, *subCAKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(signerDER));
@@ -862,32 +857,31 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
        good_indirect_subca_1_second)
 {
   static const char* subCAName = "good_indirect_subca_1_second sub-CA";
   static const char* signerName = "good_indirect_subca_1_second OCSP signer";
 
   // sub-CA of root (root is the direct issuer of endEntity)
   const ByteString subCAExtensions[] = {
-    CreateEncodedBasicConstraints(true, 0, ExtensionCriticality::NotCritical),
+    CreateEncodedBasicConstraints(true, 0, Critical::No),
     ByteString()
   };
   ScopedTestKeyPair subCAKeyPair(GenerateKeyPair());
   ByteString subCADER(CreateEncodedCertificate(++rootIssuedCount,
                                                sha256WithRSAEncryption,
                                                rootName,
                                                oneDayBeforeNow, oneDayAfterNow,
                                                subCAName, *subCAKeyPair,
                                                subCAExtensions, *rootKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(subCADER));
 
   // Delegated responder cert signed by that sub-CA
   const ByteString extensions[] = {
-    CreateEncodedEKUExtension(OCSPSigningEKUDER,
-                              ExtensionCriticality::NotCritical),
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
     ByteString()
   };
   ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
   ByteString signerDER(CreateEncodedCertificate(
                          1, sha256WithRSAEncryption, subCAName,
                          oneDayBeforeNow, oneDayAfterNow, signerName,
                          *signerKeyPair, extensions, *subCAKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(signerDER));
--- a/security/pkix/test/lib/pkixtestutil.cpp
+++ b/security/pkix/test/lib/pkixtestutil.cpp
@@ -404,42 +404,39 @@ SignedData(const ByteString& tbsData,
 //      extnID      OBJECT IDENTIFIER,
 //      critical    BOOLEAN DEFAULT FALSE,
 //      extnValue   OCTET STRING
 //                  -- contains the DER encoding of an ASN.1 value
 //                  -- corresponding to the extension type identified
 //                  -- by extnID
 //      }
 static ByteString
-Extension(Input extnID, ExtensionCriticality criticality,
-          const ByteString& extnValueBytes)
+Extension(Input extnID, Critical critical, const ByteString& extnValueBytes)
 {
   ByteString encoded;
 
   encoded.append(ByteString(extnID.UnsafeGetData(), extnID.GetLength()));
 
-  if (criticality == ExtensionCriticality::Critical) {
-    ByteString critical(Boolean(true));
-    encoded.append(critical);
+  if (critical == Critical::Yes) {
+    encoded.append(Boolean(true));
   }
 
   ByteString extnValueSequence(TLV(der::SEQUENCE, extnValueBytes));
   ByteString extnValue(TLV(der::OCTET_STRING, extnValueSequence));
   encoded.append(extnValue);
   return TLV(der::SEQUENCE, encoded);
 }
 
 static ByteString
-EmptyExtension(Input extnID, ExtensionCriticality criticality)
+EmptyExtension(Input extnID, Critical critical)
 {
   ByteString encoded(extnID.UnsafeGetData(), extnID.GetLength());
 
-  if (criticality == ExtensionCriticality::Critical) {
-    ByteString critical(Boolean(true));
-    encoded.append(critical);
+  if (critical == Critical::Yes) {
+    encoded.append(Boolean(true));
   }
 
   ByteString extnValue(TLV(der::OCTET_STRING, ByteString()));
   encoded.append(extnValue);
   return TLV(der::SEQUENCE, encoded);
 }
 
 void
@@ -677,17 +674,17 @@ CreateEncodedSerialNumber(long serialNum
 }
 
 // BasicConstraints ::= SEQUENCE {
 //         cA                      BOOLEAN DEFAULT FALSE,
 //         pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
 ByteString
 CreateEncodedBasicConstraints(bool isCA,
                               /*optional*/ long* pathLenConstraintValue,
-                              ExtensionCriticality criticality)
+                              Critical critical)
 {
   ByteString value;
 
   if (isCA) {
     ByteString cA(Boolean(true));
     value.append(cA);
   }
 
@@ -695,51 +692,49 @@ CreateEncodedBasicConstraints(bool isCA,
     ByteString pathLenConstraint(Integer(*pathLenConstraintValue));
     value.append(pathLenConstraint);
   }
 
   // python DottedOIDToCode.py --tlv id-ce-basicConstraints 2.5.29.19
   static const uint8_t tlv_id_ce_basicConstraints[] = {
     0x06, 0x03, 0x55, 0x1d, 0x13
   };
-  return Extension(Input(tlv_id_ce_basicConstraints), criticality, value);
+  return Extension(Input(tlv_id_ce_basicConstraints), critical, value);
 }
 
 // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
 // KeyPurposeId ::= OBJECT IDENTIFIER
 ByteString
-CreateEncodedEKUExtension(Input ekuOID, ExtensionCriticality criticality)
+CreateEncodedEKUExtension(Input ekuOID, Critical critical)
 {
   ByteString value(ekuOID.UnsafeGetData(), ekuOID.GetLength());
 
   // python DottedOIDToCode.py --tlv id-ce-extKeyUsage 2.5.29.37
   static const uint8_t tlv_id_ce_extKeyUsage[] = {
     0x06, 0x03, 0x55, 0x1d, 0x25
   };
 
-  return Extension(Input(tlv_id_ce_extKeyUsage), criticality, value);
+  return Extension(Input(tlv_id_ce_extKeyUsage), critical, value);
 }
 
 // python DottedOIDToCode.py --tlv id-ce-subjectAltName 2.5.29.17
 static const uint8_t tlv_id_ce_subjectAltName[] = {
   0x06, 0x03, 0x55, 0x1d, 0x11
 };
 
 ByteString
 CreateEncodedSubjectAltName(const ByteString& names)
 {
-  return Extension(Input(tlv_id_ce_subjectAltName),
-                   ExtensionCriticality::NotCritical, names);
+  return Extension(Input(tlv_id_ce_subjectAltName), Critical::No, names);
 }
 
 ByteString
 CreateEncodedEmptySubjectAltName()
 {
-  return EmptyExtension(Input(tlv_id_ce_subjectAltName),
-                        ExtensionCriticality::NotCritical);
+  return EmptyExtension(Input(tlv_id_ce_subjectAltName), Critical::No);
 }
 
 ///////////////////////////////////////////////////////////////////////////////
 // OCSP responses
 
 ByteString
 CreateEncodedOCSPResponse(OCSPResponseContext& context)
 {
@@ -834,18 +829,17 @@ BasicOCSPResponse(OCSPResponseContext& c
 //   value            OCTET STRING
 // }
 static ByteString
 OCSPExtension(OCSPResponseContext& context, OCSPResponseExtension& extension)
 {
   ByteString encoded;
   encoded.append(extension.id);
   if (extension.critical) {
-    ByteString critical(Boolean(true));
-    encoded.append(critical);
+    encoded.append(Boolean(true));
   }
   ByteString value(TLV(der::OCTET_STRING, extension.value));
   encoded.append(value);
   return TLV(der::SEQUENCE, encoded);
 }
 
 // Extensions ::= [1] {
 //   SEQUENCE OF Extension
--- a/security/pkix/test/lib/pkixtestutil.h
+++ b/security/pkix/test/lib/pkixtestutil.h
@@ -24,17 +24,16 @@
 
 #ifndef mozilla_pkix_test__pkixtestutils_h
 #define mozilla_pkix_test__pkixtestutils_h
 
 #include <ctime>
 #include <stdint.h> // Some Mozilla-supported compilers lack <cstdint>
 #include <string>
 
-#include "pkix/enumclass.h"
 #include "pkix/pkixtypes.h"
 #include "pkix/ScopedPtr.h"
 
 static const unsigned int MINIMUM_TEST_KEY_BITS = 1024;
 
 namespace mozilla { namespace pkix { namespace test {
 
 typedef std::basic_string<uint8_t> ByteString;
@@ -298,25 +297,24 @@ ByteString CreateEncodedCertificate(long
                                     const ByteString& subjectNameDER,
                                     const TestKeyPair& subjectKeyPair,
                                     /*optional*/ const ByteString* extensions,
                                     const TestKeyPair& issuerKeyPair,
                                     const ByteString& signatureAlgorithm);
 
 ByteString CreateEncodedSerialNumber(long value);
 
-MOZILLA_PKIX_ENUM_CLASS ExtensionCriticality { NotCritical = 0, Critical = 1 };
+enum class Critical { No = 0, Yes = 1 };
 
 ByteString CreateEncodedBasicConstraints(bool isCA,
                                          /*optional*/ long* pathLenConstraint,
-                                         ExtensionCriticality criticality);
+                                         Critical critical);
 
 // Creates a DER-encoded extKeyUsage extension with one EKU OID.
-ByteString CreateEncodedEKUExtension(Input eku,
-                                     ExtensionCriticality criticality);
+ByteString CreateEncodedEKUExtension(Input eku, Critical critical);
 
 ///////////////////////////////////////////////////////////////////////////////
 // Encode OCSP responses
 
 class OCSPResponseExtension
 {
 public:
   ByteString id;