Bug 1077859: Make ENCODING_FAILED safe to use in static initializers, r=mmc
☠☠ backed out by 8847ac2e2a53 ☠ ☠
authorBrian Smith <brian@briansmith.org>
Fri, 03 Oct 2014 15:52:38 -0700
changeset 233658 76000f9f12dac768085ef3370c4717bb4178cf11
parent 233626 f65726bd726555bd7cab954c3347931f4c9d4c00
child 233659 16fe1b9eb9e6f66d787cbcc72cdfa5328f08f6fa
push id611
push userraliiev@mozilla.com
push dateMon, 05 Jan 2015 23:23:16 +0000
treeherdermozilla-release@345cd3b9c445 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmmc
bugs1077859
milestone35.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1077859: Make ENCODING_FAILED safe to use in static initializers, r=mmc
security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
security/pkix/test/gtest/pkixbuild_tests.cpp
security/pkix/test/gtest/pkixcert_extension_tests.cpp
security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
security/pkix/test/lib/pkixtestnss.cpp
security/pkix/test/lib/pkixtestutil.cpp
security/pkix/test/lib/pkixtestutil.h
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -194,17 +194,17 @@ GetOCSPResponseForType(OCSPResponseType 
   }
   context.signerKeyPair = CreateTestKeyPairFromCert(*signerCert);
   if (!context.signerKeyPair) {
     PrintPRError("PK11_FindKeyByAnyCert failed");
     return nullptr;
   }
 
   ByteString response(CreateEncodedOCSPResponse(context));
-  if (response == ENCODING_FAILED) {
+  if (ENCODING_FAILED(response)) {
     PrintPRError("CreateEncodedOCSPResponse failed");
     return nullptr;
   }
 
   SECItem item = {
     siBuffer,
     const_cast<uint8_t*>(response.data()),
     static_cast<unsigned int>(response.length())
--- a/security/pkix/test/gtest/pkixbuild_tests.cpp
+++ b/security/pkix/test/gtest/pkixbuild_tests.cpp
@@ -42,39 +42,37 @@ CreateCert(const char* issuerCN,
            EndEntityOrCA endEntityOrCA,
            /*optional*/ TestKeyPair* issuerKey,
            /*out*/ ScopedTestKeyPair& subjectKey,
            /*out*/ ScopedCERTCertificate* subjectCert = nullptr)
 {
   static long serialNumberValue = 0;
   ++serialNumberValue;
   ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
-  EXPECT_NE(ENCODING_FAILED, serialNumber);
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
 
   ByteString issuerDER(CNToDERName(issuerCN));
-  EXPECT_NE(ENCODING_FAILED, issuerDER);
   ByteString subjectDER(CNToDERName(subjectCN));
-  EXPECT_NE(ENCODING_FAILED, subjectDER);
 
   ByteString extensions[2];
   if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
     extensions[0] =
       CreateEncodedBasicConstraints(true, nullptr,
                                     ExtensionCriticality::Critical);
-    EXPECT_NE(ENCODING_FAILED, extensions[0]);
+    EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
   }
 
   ByteString certDER(CreateEncodedCertificate(
                        v3, sha256WithRSAEncryption,
                        serialNumber, issuerDER,
                        oneDayBeforeNow, oneDayAfterNow,
                        subjectDER, extensions, issuerKey,
                        SignatureAlgorithm::rsa_pkcs1_with_sha256,
                        subjectKey));
-  EXPECT_NE(ENCODING_FAILED, certDER);
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
   if (subjectCert) {
     SECItem certDERItem = {
       siBuffer,
       const_cast<uint8_t*>(certDER.data()),
       static_cast<unsigned int>(certDER.length())
     };
     *subjectCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                            &certDERItem, nullptr, false, true);
@@ -240,17 +238,17 @@ TEST_F(pkixbuild, MaxAcceptableCertChain
   }
 
   {
     ScopedTestKeyPair unusedKeyPair;
     ScopedCERTCertificate cert;
     ByteString certDER(CreateCert("CA7", "Direct End-Entity",
                                   EndEntityOrCA::MustBeEndEntity,
                                   trustDomain.leafCAKey.get(), unusedKeyPair));
-    ASSERT_NE(ENCODING_FAILED, certDER);
+    ASSERT_FALSE(ENCODING_FAILED(certDER));
     Input certDERInput;
     ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
     ASSERT_EQ(Success,
               BuildCertChain(trustDomain, certDERInput, Now(),
                              EndEntityOrCA::MustBeEndEntity,
                              KeyUsage::noParticularKeyUsageRequired,
                              KeyPurposeId::id_kp_serverAuth,
                              CertPolicyId::anyPolicy,
@@ -266,34 +264,34 @@ TEST_F(pkixbuild, BeyondMaxAcceptableCer
   // We need a CERTCertificate for caCert so that the trustdomain's FindIssuer
   // method can find it through the NSS cert DB.
   ScopedCERTCertificate caCert;
 
   {
     ByteString certDER(CreateCert("CA7", caCertName, EndEntityOrCA::MustBeCA,
                                   trustDomain.leafCAKey.get(), caKeyPair,
                                   &caCert));
-    ASSERT_NE(ENCODING_FAILED, certDER);
+    ASSERT_FALSE(ENCODING_FAILED(certDER));
     Input certDERInput;
     ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
     ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
               BuildCertChain(trustDomain, certDERInput, Now(),
                              EndEntityOrCA::MustBeCA,
                              KeyUsage::noParticularKeyUsageRequired,
                              KeyPurposeId::id_kp_serverAuth,
                              CertPolicyId::anyPolicy,
                              nullptr/*stapledOCSPResponse*/));
   }
 
   {
     ScopedTestKeyPair unusedKeyPair;
     ByteString certDER(CreateCert(caCertName, "End-Entity Too Far",
                                   EndEntityOrCA::MustBeEndEntity,
                                   caKeyPair.get(), unusedKeyPair));
-    ASSERT_NE(ENCODING_FAILED, certDER);
+    ASSERT_FALSE(ENCODING_FAILED(certDER));
     Input certDERInput;
     ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
     ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
               BuildCertChain(trustDomain, certDERInput, Now(),
                              EndEntityOrCA::MustBeEndEntity,
                              KeyUsage::noParticularKeyUsageRequired,
                              KeyPurposeId::id_kp_serverAuth,
                              CertPolicyId::anyPolicy,
@@ -383,35 +381,33 @@ private:
 };
 
 TEST_F(pkixbuild, NoRevocationCheckingForExpiredCert)
 {
   const char* rootCN = "Root CA";
   ScopedTestKeyPair rootKey;
   ByteString rootDER(CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
                                 nullptr, rootKey, nullptr));
-  EXPECT_NE(ENCODING_FAILED, rootDER);
+  EXPECT_FALSE(ENCODING_FAILED(rootDER));
   ExpiredCertTrustDomain expiredCertTrustDomain(rootDER);
 
   ByteString serialNumber(CreateEncodedSerialNumber(100));
-  EXPECT_NE(ENCODING_FAILED, serialNumber);
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
   ByteString issuerDER(CNToDERName(rootCN));
-  EXPECT_NE(ENCODING_FAILED, issuerDER);
   ByteString subjectDER(CNToDERName("Expired End-Entity Cert"));
-  EXPECT_NE(ENCODING_FAILED, subjectDER);
   ScopedTestKeyPair unusedSubjectKey;
   ByteString certDER(CreateEncodedCertificate(
                        v3, sha256WithRSAEncryption,
                        serialNumber, issuerDER,
                        oneDayBeforeNow - Time::ONE_DAY_IN_SECONDS,
                        oneDayBeforeNow,
                        subjectDER, nullptr, rootKey.get(),
                        SignatureAlgorithm::rsa_pkcs1_with_sha256,
                        unusedSubjectKey));
-  EXPECT_NE(ENCODING_FAILED, certDER);
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
 
   Input cert;
   ASSERT_EQ(Success, cert.Init(certDER.data(), certDER.length()));
   ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE,
             BuildCertChain(expiredCertTrustDomain, cert, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::id_kp_serverAuth,
--- a/security/pkix/test/gtest/pkixcert_extension_tests.cpp
+++ b/security/pkix/test/gtest/pkixcert_extension_tests.cpp
@@ -33,21 +33,21 @@ using namespace mozilla::pkix::test;
 static ByteString
 CreateCert(const char* subjectCN,
            const ByteString* extensions, // empty-string-terminated array
            /*out*/ ScopedTestKeyPair& subjectKey)
 {
   static long serialNumberValue = 0;
   ++serialNumberValue;
   ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
-  EXPECT_NE(ENCODING_FAILED, serialNumber);
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
   ByteString issuerDER(CNToDERName(subjectCN));
-  EXPECT_NE(ENCODING_FAILED, issuerDER);
+  EXPECT_FALSE(ENCODING_FAILED(issuerDER));
   ByteString subjectDER(CNToDERName(subjectCN));
-  EXPECT_NE(ENCODING_FAILED, subjectDER);
+  EXPECT_FALSE(ENCODING_FAILED(subjectDER));
   return CreateEncodedCertificate(v3, sha256WithRSAEncryption,
                                   serialNumber, issuerDER,
                                   oneDayBeforeNow, oneDayAfterNow,
                                   subjectDER, extensions,
                                   nullptr,
                                   SignatureAlgorithm::rsa_pkcs1_with_sha256,
                                   subjectKey);
 }
@@ -133,17 +133,17 @@ TEST_F(pkixcert_extension, UnknownCritic
       0x04, 0x00 // OCTET STRING (length = 0)
   };
   static const ByteString
     unknownCriticalExtension(unknownCriticalExtensionBytes,
                              sizeof(unknownCriticalExtensionBytes));
   const char* certCN = "Cert With Unknown Critical Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, unknownCriticalExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -163,17 +163,17 @@ TEST_F(pkixcert_extension, UnknownNonCri
       0x04, 0x00 // OCTET STRING (length = 0)
   };
   static const ByteString
     unknownNonCriticalExtension(unknownNonCriticalExtensionBytes,
                                 sizeof(unknownNonCriticalExtensionBytes));
   const char* certCN = "Cert With Unknown NonCritical Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, unknownNonCriticalExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Success,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -194,17 +194,17 @@ TEST_F(pkixcert_extension, WrongOIDCriti
       0x04, 0x00 // OCTET STRING (length = 0)
   };
   static const ByteString
     wrongOIDCriticalExtension(wrongOIDCriticalExtensionBytes,
                               sizeof(wrongOIDCriticalExtensionBytes));
   const char* certCN = "Cert With Critical Wrong OID Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, wrongOIDCriticalExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -227,17 +227,17 @@ TEST_F(pkixcert_extension, CriticalAIAEx
         0x30, 0x00, // SEQUENCE (length = 0)
   };
   static const ByteString
     criticalAIAExtension(criticalAIAExtensionBytes,
                          sizeof(criticalAIAExtensionBytes));
   const char* certCN = "Cert With Critical AIA Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, criticalAIAExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Success,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -257,17 +257,17 @@ TEST_F(pkixcert_extension, UnknownCritic
       0x04, 0x00 // OCTET STRING (length = 0)
   };
   static const ByteString
     unknownCriticalCEExtension(unknownCriticalCEExtensionBytes,
                                sizeof(unknownCriticalCEExtensionBytes));
   const char* certCN = "Cert With Unknown Critical id-ce Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, unknownCriticalCEExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -287,17 +287,17 @@ TEST_F(pkixcert_extension, KnownCritical
         0x02, 0x01, 0x00, // INTEGER (length = 1, value = 0)
   };
   static const ByteString
     criticalCEExtension(criticalCEExtensionBytes,
                         sizeof(criticalCEExtensionBytes));
   const char* certCN = "Cert With Known Critical id-ce Extension";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, criticalCEExtension, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Success,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
@@ -316,17 +316,17 @@ TEST_F(pkixcert_extension, DuplicateSubj
           0x82, 11, // [2] (dNSName) (length = 11)
             'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
   };
   static const ByteString DER(DER_BYTES, sizeof(DER_BYTES));
   static const ByteString extensions[] = { DER, DER, ByteString() };
   static const char* certCN = "Cert With Duplicate subjectAltName";
   ScopedTestKeyPair key;
   ByteString cert(CreateCert(certCN, extensions, key));
-  ASSERT_NE(ENCODING_FAILED, cert);
+  ASSERT_FALSE(ENCODING_FAILED(cert));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
   ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
             BuildCertChain(trustDomain, certInput, Now(),
                            EndEntityOrCA::MustBeEndEntity,
                            KeyUsage::noParticularKeyUsageRequired,
                            KeyPurposeId::anyExtendedKeyUsage,
                            CertPolicyId::anyPolicy,
--- a/security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
+++ b/security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
@@ -82,17 +82,17 @@ private:
 class pkixocsp_CreateEncodedOCSPRequest : public ::testing::Test
 {
 protected:
   void MakeIssuerCertIDComponents(const char* issuerASCII,
                                   /*out*/ ByteString& issuerDER,
                                   /*out*/ ByteString& issuerSPKI)
   {
     issuerDER = CNToDERName(issuerASCII);
-    ASSERT_NE(ENCODING_FAILED, issuerDER);
+    ASSERT_FALSE(ENCODING_FAILED(issuerDER));
 
     ScopedTestKeyPair keyPair(GenerateKeyPair());
     ASSERT_TRUE(keyPair);
     issuerSPKI = keyPair->subjectPublicKeyInfo;
   }
 
   CreateEncodedOCSPRequestTrustDomain trustDomain;
 };
--- a/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
+++ b/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -105,27 +105,27 @@ public:
     if (!rootKeyPair) {
       abort();
     }
   }
 
   void SetUp()
   {
     rootNameDER = CNToDERName(rootName);
-    if (rootNameDER == ENCODING_FAILED) {
+    if (ENCODING_FAILED(rootNameDER)) {
       abort();
     }
     Input rootNameDERInput;
     if (rootNameDERInput.Init(rootNameDER.data(), rootNameDER.length())
           != Success) {
       abort();
     }
 
     serialNumberDER = CreateEncodedSerialNumber(++rootIssuedCount);
-    if (serialNumberDER == ENCODING_FAILED) {
+    if (ENCODING_FAILED(serialNumberDER)) {
       abort();
     }
     Input serialNumberDERInput;
     if (serialNumberDERInput.Init(serialNumberDER.data(),
                                   serialNumberDER.length()) != Success) {
       abort();
     }
 
@@ -243,17 +243,17 @@ public:
                     const TestKeyPair& signerKeyPair,
                     time_t producedAt, time_t thisUpdate,
                     /*optional*/ const time_t* nextUpdate,
                     /*optional*/ const ByteString* certs = nullptr)
   {
     OCSPResponseContext context(certID, producedAt);
     if (signerName) {
       context.signerNameDER = CNToDERName(signerName);
-      EXPECT_NE(ENCODING_FAILED, context.signerNameDER);
+      EXPECT_FALSE(ENCODING_FAILED(context.signerNameDER));
     }
     context.signerKeyPair = signerKeyPair.Clone();
     EXPECT_TRUE(context.signerKeyPair);
     context.responseStatus = OCSPResponseContext::successful;
     context.producedAt = producedAt;
     context.certs = certs;
 
     context.certStatus = certStatus;
@@ -393,25 +393,25 @@ protected:
       ByteString()
     };
     ScopedTestKeyPair signerKeyPair;
     ByteString signerDER(CreateEncodedCertificate(
                            ++rootIssuedCount, rootName,
                            oneDayBeforeNow, oneDayAfterNow, certSubjectName,
                            signerEKUDER ? extensions : nullptr,
                            rootKeyPair.get(), signerKeyPair));
-    EXPECT_NE(ENCODING_FAILED, signerDER);
+    EXPECT_FALSE(ENCODING_FAILED(signerDER));
     if (signerDEROut) {
       *signerDEROut = signerDER;
     }
 
     ByteString signerNameDER;
     if (signerName) {
       signerNameDER = CNToDERName(signerName);
-      EXPECT_NE(ENCODING_FAILED, signerNameDER);
+      EXPECT_FALSE(ENCODING_FAILED(signerNameDER));
     }
     ByteString certs[] = { signerDER, ByteString() };
     return CreateEncodedOCSPSuccessfulResponse(certStatus, *endEntityCertID,
                                                signerName, *signerKeyPair,
                                                oneDayBeforeNow,
                                                oneDayBeforeNow,
                                                &oneDayAfterNow, certs);
   }
@@ -421,26 +421,26 @@ protected:
                                              time_t notBefore,
                                              time_t notAfter,
                                              const char* subject,
                                 /*optional*/ const ByteString* extensions,
                                 /*optional*/ TestKeyPair* signerKeyPair,
                                      /*out*/ ScopedTestKeyPair& keyPair)
   {
     ByteString serialNumberDER(CreateEncodedSerialNumber(serialNumber));
-    if (serialNumberDER == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(serialNumberDER)) {
+      return ByteString();
     }
     ByteString issuerDER(CNToDERName(issuer));
-    if (issuerDER == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(issuerDER)) {
+      return ByteString();
     }
     ByteString subjectDER(CNToDERName(subject));
-    if (subjectDER == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(subjectDER)) {
+      return ByteString();
     }
     return ::mozilla::pkix::test::CreateEncodedCertificate(
                                     v3,
                                     sha256WithRSAEncryption,
                                     serialNumberDER, issuerDER, notBefore,
                                     notAfter, subjectDER, extensions,
                                     signerKeyPair,
                                     SignatureAlgorithm::rsa_pkcs1_with_sha256,
@@ -542,17 +542,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                           ++rootIssuedCount, rootName,
                           now - (10 * Time::ONE_DAY_IN_SECONDS),
                           now - (2 * Time::ONE_DAY_IN_SECONDS),
                           signerName, extensions, rootKeyPair.get(),
                           signerKeyPair));
-  ASSERT_NE(ENCODING_FAILED, signerDER);
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   ByteString certs[] = { signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
   Input response;
@@ -577,17 +577,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          ++rootIssuedCount, rootName,
                          now + (2 * Time::ONE_DAY_IN_SECONDS),
                          now + (10 * Time::ONE_DAY_IN_SECONDS),
                          signerName, extensions, rootKeyPair.get(),
                          signerKeyPair));
-  ASSERT_NE(ENCODING_FAILED, signerDER);
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   ByteString certs[] = { signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
   Input response;
@@ -677,17 +677,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
                               ExtensionCriticality::NotCritical),
     ByteString()
   };
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          1, subCAName, oneDayBeforeNow, oneDayAfterNow,
                          signerName, extensions, unknownKeyPair.get(),
                          signerKeyPair));
-  ASSERT_NE(ENCODING_FAILED, signerDER);
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   // OCSP response signed by that delegated responder
   ByteString certs[] = { signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
                          oneDayBeforeNow, &oneDayAfterNow, certs));
@@ -717,30 +717,30 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
     ByteString()
   };
   ScopedTestKeyPair subCAKeyPair;
   ByteString subCADER(CreateEncodedCertificate(
                         ++rootIssuedCount, rootName,
                         oneDayBeforeNow, oneDayAfterNow,
                         subCAName, subCAExtensions, rootKeyPair.get(),
                         subCAKeyPair));
-  ASSERT_NE(ENCODING_FAILED, subCADER);
+  ASSERT_FALSE(ENCODING_FAILED(subCADER));
 
   // Delegated responder cert signed by that sub-CA
   const ByteString extensions[] = {
     CreateEncodedEKUExtension(OCSPSigningEKUDER,
                               ExtensionCriticality::NotCritical),
     ByteString(),
   };
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          1, subCAName, oneDayBeforeNow, oneDayAfterNow,
                          signerName, extensions, subCAKeyPair.get(),
                          signerKeyPair));
-  ASSERT_NE(ENCODING_FAILED, signerDER);
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   // OCSP response signed by the delegated responder issued by the sub-CA
   // that is trying to impersonate the root.
   ByteString certs[] = { subCADER, signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
@@ -771,30 +771,30 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
     ByteString()
   };
   ScopedTestKeyPair subCAKeyPair;
   ByteString subCADER(CreateEncodedCertificate(++rootIssuedCount, rootName,
                                                oneDayBeforeNow, oneDayAfterNow,
                                                subCAName, subCAExtensions,
                                                rootKeyPair.get(),
                                                subCAKeyPair));
-  ASSERT_NE(ENCODING_FAILED, subCADER);
+  ASSERT_FALSE(ENCODING_FAILED(subCADER));
 
   // Delegated responder cert signed by that sub-CA
   const ByteString extensions[] = {
     CreateEncodedEKUExtension(OCSPSigningEKUDER,
                               ExtensionCriticality::NotCritical),
     ByteString()
   };
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          1, subCAName, oneDayBeforeNow, oneDayAfterNow,
                          signerName, extensions, subCAKeyPair.get(),
                          signerKeyPair));
-  ASSERT_NE(ENCODING_FAILED, signerDER);
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   // OCSP response signed by the delegated responder issued by the sub-CA
   // that is trying to impersonate the root.
   ByteString certs[] = { signerDER, subCADER, ByteString() };
   ByteString responseString(
                  CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
@@ -816,17 +816,17 @@ public:
   void SetUp()
   {
     pkixocsp_VerifyEncodedResponse_DelegatedResponder::SetUp();
 
     responseString =
         CreateEncodedIndirectOCSPSuccessfulResponse(
           "OCSPGetCertTrustTest Signer", OCSPResponseContext::good,
           byKey, &OCSPSigningEKUDER, &signerCertDER);
-    if (responseString == ENCODING_FAILED) {
+    if (ENCODING_FAILED(responseString)) {
       abort();
     }
     if (response.Init(responseString.data(), responseString.length())
           != Success) {
       abort();
     }
     if (signerCertDER.length() == 0) {
       abort();
--- a/security/pkix/test/lib/pkixtestnss.cpp
+++ b/security/pkix/test/lib/pkixtestnss.cpp
@@ -186,24 +186,24 @@ GenerateKeyPair()
 
   return nullptr;
 }
 
 ByteString
 SHA1(const ByteString& toHash)
 {
   if (InitNSSIfNeeded() != Success) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
 
   uint8_t digestBuf[SHA1_LENGTH];
   SECStatus srv = PK11_HashBuf(SEC_OID_SHA1, digestBuf, toHash.data(),
                                static_cast<int32_t>(toHash.length()));
   if (srv != SECSuccess) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
   return ByteString(digestBuf, sizeof(digestBuf));
 }
 
 Result
 TestCheckPublicKey(Input subjectPublicKeyInfo)
 {
   Result rv = InitNSSIfNeeded();
--- a/security/pkix/test/lib/pkixtestutil.cpp
+++ b/security/pkix/test/lib/pkixtestutil.cpp
@@ -92,38 +92,36 @@ TamperOnce(/*in/out*/ ByteString& item, 
   }
   if (item.find(from, pos + from.length()) != string::npos) {
     return Result::FATAL_ERROR_INVALID_ARGS; // More than once match.
   }
   item.replace(pos, from.length(), to);
   return Success;
 }
 
-// An empty string returned from an encoding function signifies failure.
-const ByteString ENCODING_FAILED;
-
 // Given a tag and a value, generates a DER-encoded tag-length-value item.
-static ByteString
+ByteString
 TLV(uint8_t tag, const ByteString& value)
 {
   ByteString result;
   result.push_back(tag);
 
   if (value.length() < 128) {
     result.push_back(value.length());
   } else if (value.length() < 256) {
     result.push_back(0x81u);
     result.push_back(value.length());
   } else if (value.length() < 65536) {
     result.push_back(0x82u);
     result.push_back(static_cast<uint8_t>(value.length() / 256));
     result.push_back(static_cast<uint8_t>(value.length() % 256));
   } else {
-    assert(false);
-    return ENCODING_FAILED;
+    // It is MUCH more convenient for TLV to be infallible than for it to have
+    // "proper" error handling.
+    abort();
   }
   result.append(value);
   return result;
 }
 
 OCSPResponseContext::OCSPResponseContext(const CertID& certID, time_t time)
   : certID(certID)
   , responseStatus(successful)
@@ -150,18 +148,18 @@ static ByteString KeyHash(const ByteStri
 static ByteString SingleResponse(OCSPResponseContext& context);
 static ByteString CertID(OCSPResponseContext& context);
 static ByteString CertStatus(OCSPResponseContext& context);
 
 static ByteString
 HashedOctetString(const ByteString& bytes)
 {
   ByteString digest(SHA1(bytes));
-  if (digest == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(digest)) {
+    return ByteString();
   }
   return TLV(der::OCTET_STRING, digest);
 }
 
 static ByteString
 BitString(const ByteString& rawBytes, bool corrupt)
 {
   ByteString prefixed;
@@ -185,17 +183,19 @@ Boolean(bool value)
   return TLV(der::BOOLEAN, encodedValue);
 }
 
 static ByteString
 Integer(long value)
 {
   if (value < 0 || value > 127) {
     // TODO: add encoding of larger values
-    return ENCODING_FAILED;
+    // It is MUCH more convenient for Integer to be infallible than for it to
+    // have "proper" error handling.
+    abort();
   }
 
   ByteString encodedValue;
   encodedValue.push_back(static_cast<uint8_t>(value));
   return TLV(der::INTEGER, encodedValue);
 }
 
 enum TimeEncoding { UTCTime = 0, GeneralizedTime = 1 };
@@ -220,29 +220,29 @@ gmtime_r(const time_t* t, /*out*/ tm* ex
 // the number of seconds since the Unix epoch.
 static ByteString
 TimeToEncodedTime(time_t time, TimeEncoding encoding)
 {
   assert(encoding == UTCTime || encoding == GeneralizedTime);
 
   tm exploded;
   if (!gmtime_r(&time, &exploded)) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
 
   if (exploded.tm_sec >= 60) {
     // round down for leap seconds
     exploded.tm_sec = 59;
   }
 
   // exploded.tm_year is the year offset by 1900.
   int year = exploded.tm_year + 1900;
 
   if (encoding == UTCTime && (year < 1950 || year >= 2050)) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
 
   ByteString value;
 
   if (encoding == GeneralizedTime) {
     value.push_back('0' + (year / 1000));
     value.push_back('0' + ((year % 1000) / 100));
   }
@@ -276,17 +276,17 @@ TimeToGeneralizedTime(time_t time)
 // as UTCTime; certificate validity dates in 2050 or later MUST be encoded as
 // GeneralizedTime." (This is a special case of the rule that we must always
 // use the shortest possible encoding.)
 static ByteString
 TimeToTimeChoice(time_t time)
 {
   tm exploded;
   if (!gmtime_r(&time, &exploded)) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
   TimeEncoding encoding = (exploded.tm_year + 1900 >= 1950 &&
                            exploded.tm_year + 1900 < 2050)
                         ? UTCTime
                         : GeneralizedTime;
 
   return TimeToEncodedTime(time, encoding);
 }
@@ -336,58 +336,55 @@ YMDHMS(int16_t year, int16_t month, int1
   totalSeconds += hour * 60 * 60;
   totalSeconds += minutes * 60;
   totalSeconds += seconds;
   return TimeFromElapsedSecondsAD(totalSeconds);
 }
 
 static ByteString
 SignedData(const ByteString& tbsData,
-           TestKeyPair& keyPair,
+           /*optional*/ TestKeyPair* keyPair,
            SignatureAlgorithm signatureAlgorithm,
            bool corrupt, /*optional*/ const ByteString* certs)
 {
   ByteString signature;
-  if (keyPair.SignData(tbsData, signatureAlgorithm, signature) != Success) {
-     return ENCODING_FAILED;
-   }
+  if (keyPair) {
+    if (keyPair->SignData(tbsData, signatureAlgorithm, signature)
+          != Success) {
+       return ByteString();
+     }
+  }
 
   ByteString signatureAlgorithmDER;
   switch (signatureAlgorithm) {
     case SignatureAlgorithm::rsa_pkcs1_with_sha256:
       signatureAlgorithmDER.assign(alg_sha256WithRSAEncryption,
                                    sizeof(alg_sha256WithRSAEncryption));
       break;
     default:
-      return ENCODING_FAILED;
+      return ByteString();
   }
 
   // TODO: add ability to have signatures of bit length not divisible by 8,
   // resulting in unused bits in the bitstring encoding
   ByteString signatureNested(BitString(signature, corrupt));
-  if (signatureNested == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(signatureNested)) {
+    return ByteString();
   }
 
   ByteString certsNested;
   if (certs) {
     ByteString certsSequenceValue;
     while (!(*certs).empty()) {
       certsSequenceValue.append(*certs);
       ++certs;
     }
     ByteString certsSequence(TLV(der::SEQUENCE, certsSequenceValue));
-    if (certsSequence == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     certsNested = TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
                       certsSequence);
-    if (certsNested == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
   }
 
   ByteString value;
   value.append(tbsData);
   value.append(signatureAlgorithmDER);
   value.append(signatureNested);
   value.append(certsNested);
   return TLV(der::SEQUENCE, value);
@@ -406,30 +403,21 @@ Extension(Input extnID, ExtensionCritica
           const ByteString& extnValueBytes)
 {
   ByteString encoded;
 
   encoded.append(ByteString(extnID.UnsafeGetData(), extnID.GetLength()));
 
   if (criticality == ExtensionCriticality::Critical) {
     ByteString critical(Boolean(true));
-    if (critical == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     encoded.append(critical);
   }
 
   ByteString extnValueSequence(TLV(der::SEQUENCE, extnValueBytes));
-  if (extnValueBytes == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
   ByteString extnValue(TLV(der::OCTET_STRING, extnValueSequence));
-  if (extnValue == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
   encoded.append(extnValue);
   return TLV(der::SEQUENCE, encoded);
 }
 
 void
 MaybeLogOutput(const ByteString& result, const char* suffix)
 {
   assert(suffix);
@@ -482,34 +470,34 @@ CreateEncodedCertificate(long version, I
                          SignatureAlgorithm signatureAlgorithm,
                          /*out*/ ScopedTestKeyPair& keyPairResult)
 {
   // It may be the case that privateKeyResult references the same TestKeyPair
   // as issuerKeyPair. Thus, we can't set keyPairResult until after we're done
   // with issuerKeyPair.
   ScopedTestKeyPair subjectKeyPair(GenerateKeyPair());
   if (!subjectKeyPair) {
-    return ENCODING_FAILED;
+    return ByteString();
   }
 
   ByteString tbsCertificate(TBSCertificate(version, serialNumber,
                                            signature, issuerNameDER, notBefore,
                                            notAfter, subjectNameDER,
                                            subjectKeyPair->subjectPublicKeyInfo,
                                            extensions));
-  if (tbsCertificate == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(tbsCertificate)) {
+    return ByteString();
   }
 
   ByteString result(SignedData(tbsCertificate,
-                               issuerKeyPair ? *issuerKeyPair
-                                             : *subjectKeyPair,
+                               issuerKeyPair ? issuerKeyPair
+                                             : subjectKeyPair.get(),
                                signatureAlgorithm, false, nullptr));
-  if (result == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(result)) {
+    return ByteString();
   }
 
   MaybeLogOutput(result, "cert");
 
   keyPairResult = subjectKeyPair.release();
 
   return result;
 }
@@ -535,72 +523,66 @@ TBSCertificate(long versionValue,
                time_t notAfterTime, const ByteString& subject,
                const ByteString& subjectPublicKeyInfo,
                /*optional*/ const ByteString* extensions)
 {
   ByteString value;
 
   if (versionValue != static_cast<long>(der::Version::v1)) {
     ByteString versionInteger(Integer(versionValue));
-    if (versionInteger == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     ByteString version(TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
                            versionInteger));
-    if (version == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     value.append(version);
   }
 
   value.append(serialNumber);
   value.append(signature.UnsafeGetData(), signature.GetLength());
   value.append(issuer);
 
   // Validity ::= SEQUENCE {
   //       notBefore      Time,
   //       notAfter       Time }
   ByteString validity;
   {
     ByteString notBefore(TimeToTimeChoice(notBeforeTime));
-    if (notBefore == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(notBefore)) {
+      return ByteString();
     }
     ByteString notAfter(TimeToTimeChoice(notAfterTime));
-    if (notAfter == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(notAfter)) {
+      return ByteString();
     }
     ByteString validityValue;
     validityValue.append(notBefore);
     validityValue.append(notAfter);
     validity = TLV(der::SEQUENCE, validityValue);
-    if (validity == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(validity)) {
+      return ByteString();
     }
   }
   value.append(validity);
 
   value.append(subject);
 
   value.append(subjectPublicKeyInfo);
 
   if (extensions) {
     ByteString extensionsValue;
     while (!(*extensions).empty()) {
       extensionsValue.append(*extensions);
       ++extensions;
     }
     ByteString extensionsSequence(TLV(der::SEQUENCE, extensionsValue));
-    if (extensionsSequence == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(extensionsSequence)) {
+      return ByteString();
     }
     ByteString extensionsWrapped(
       TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3, extensionsSequence));
-    if (extensionsWrapped == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(extensionsWrapped)) {
+      return ByteString();
     }
     value.append(extensionsWrapped);
   }
 
   return TLV(der::SEQUENCE, value);
 }
 
 ByteString
@@ -639,25 +621,17 @@ CNToDERName(const char* cn)
 
   ByteString value(reinterpret_cast<const ByteString::value_type*>(cn));
   value = TLV(der::UTF8String, value);
 
   ByteString ava;
   ava.append(tlv_id_at_commonName, sizeof(tlv_id_at_commonName));
   ava.append(value);
   ava = TLV(der::SEQUENCE, ava);
-  if (ava == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
-
   ByteString rdn(TLV(der::SET, ava));
-  if (rdn == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
-
   return TLV(der::SEQUENCE, rdn);
 }
 
 ByteString
 CreateEncodedSerialNumber(long serialNumberValue)
 {
   return Integer(serialNumberValue);
 }
@@ -669,27 +643,21 @@ ByteString
 CreateEncodedBasicConstraints(bool isCA,
                               /*optional*/ long* pathLenConstraintValue,
                               ExtensionCriticality criticality)
 {
   ByteString value;
 
   if (isCA) {
     ByteString cA(Boolean(true));
-    if (cA == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     value.append(cA);
   }
 
   if (pathLenConstraintValue) {
     ByteString pathLenConstraint(Integer(*pathLenConstraintValue));
-    if (pathLenConstraint == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     value.append(pathLenConstraint);
   }
 
   // python DottedOIDToCode.py --tlv id-ce-basicConstraints 2.5.29.19
   static const uint8_t tlv_id_ce_basicConstraints[] = {
     0x06, 0x03, 0x55, 0x1d, 0x13
   };
   return Extension(Input(tlv_id_ce_basicConstraints), criticality, value);
@@ -713,17 +681,17 @@ CreateEncodedEKUExtension(Input ekuOID, 
 ///////////////////////////////////////////////////////////////////////////////
 // OCSP responses
 
 ByteString
 CreateEncodedOCSPResponse(OCSPResponseContext& context)
 {
   if (!context.skipResponseBytes) {
     if (!context.signerKeyPair) {
-      return ENCODING_FAILED;
+      return ByteString();
     }
   }
 
   // OCSPResponse ::= SEQUENCE {
   //    responseStatus          OCSPResponseStatus,
   //    responseBytes       [0] EXPLICIT ResponseBytes OPTIONAL }
 
   // OCSPResponseStatus ::= ENUMERATED {
@@ -733,41 +701,32 @@ CreateEncodedOCSPResponse(OCSPResponseCo
   //    tryLater            (3),  -- Try again later
   //                              -- (4) is not used
   //    sigRequired         (5),  -- Must sign the request
   //    unauthorized        (6)   -- Request unauthorized
   // }
   ByteString reponseStatusValue;
   reponseStatusValue.push_back(context.responseStatus);
   ByteString responseStatus(TLV(der::ENUMERATED, reponseStatusValue));
-  if (responseStatus == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
 
   ByteString responseBytesNested;
   if (!context.skipResponseBytes) {
     ByteString responseBytes(ResponseBytes(context));
-    if (responseBytes == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(responseBytes)) {
+      return ByteString();
     }
 
     responseBytesNested = TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC,
                               responseBytes);
-    if (responseBytesNested == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
   }
 
   ByteString value;
   value.append(responseStatus);
   value.append(responseBytesNested);
   ByteString result(TLV(der::SEQUENCE, value));
-  if (result == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
 
   MaybeLogOutput(result, "ocsp");
 
   return result;
 }
 
 // ResponseBytes ::= SEQUENCE {
 //    responseType            OBJECT IDENTIFIER,
@@ -775,23 +734,20 @@ CreateEncodedOCSPResponse(OCSPResponseCo
 ByteString
 ResponseBytes(OCSPResponseContext& context)
 {
   // Includes tag and length
   static const uint8_t id_pkix_ocsp_basic_encoded[] = {
     0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
   };
   ByteString response(BasicOCSPResponse(context));
-  if (response == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(response)) {
+    return ByteString();
   }
   ByteString responseNested = TLV(der::OCTET_STRING, response);
-  if (responseNested == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
 
   ByteString value;
   value.append(id_pkix_ocsp_basic_encoded,
                sizeof(id_pkix_ocsp_basic_encoded));
   value.append(responseNested);
   return TLV(der::SEQUENCE, value);
 }
 
@@ -799,98 +755,86 @@ ResponseBytes(OCSPResponseContext& conte
 //   tbsResponseData          ResponseData,
 //   signatureAlgorithm       AlgorithmIdentifier,
 //   signature                BIT STRING,
 //   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 ByteString
 BasicOCSPResponse(OCSPResponseContext& context)
 {
   ByteString tbsResponseData(ResponseData(context));
-  if (tbsResponseData == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(tbsResponseData)) {
+    return ByteString();
   }
 
   // TODO(bug 980538): certs
-  return SignedData(tbsResponseData, *context.signerKeyPair,
+  return SignedData(tbsResponseData, context.signerKeyPair.get(),
                     SignatureAlgorithm::rsa_pkcs1_with_sha256,
                     context.badSignature, context.certs);
 }
 
 // Extension ::= SEQUENCE {
 //   id               OBJECT IDENTIFIER,
 //   critical         BOOLEAN DEFAULT FALSE
 //   value            OCTET STRING
 // }
 static ByteString
 OCSPExtension(OCSPResponseContext& context, OCSPResponseExtension& extension)
 {
   ByteString encoded;
   encoded.append(extension.id);
   if (extension.critical) {
     ByteString critical(Boolean(true));
-    if (critical == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
     encoded.append(critical);
   }
   ByteString value(TLV(der::OCTET_STRING, extension.value));
-  if (value == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
   encoded.append(value);
   return TLV(der::SEQUENCE, encoded);
 }
 
 // Extensions ::= [1] {
 //   SEQUENCE OF Extension
 // }
 static ByteString
 Extensions(OCSPResponseContext& context)
 {
   ByteString value;
   for (OCSPResponseExtension* extension = context.extensions;
        extension; extension = extension->next) {
     ByteString extensionEncoded(OCSPExtension(context, *extension));
-    if (extensionEncoded == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(extensionEncoded)) {
+      return ByteString();
     }
     value.append(extensionEncoded);
   }
   ByteString sequence(TLV(der::SEQUENCE, value));
-  if (sequence == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
   return TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1, sequence);
 }
 
 // ResponseData ::= SEQUENCE {
 //    version             [0] EXPLICIT Version DEFAULT v1,
 //    responderID             ResponderID,
 //    producedAt              GeneralizedTime,
 //    responses               SEQUENCE OF SingleResponse,
 //    responseExtensions  [1] EXPLICIT Extensions OPTIONAL }
 ByteString
 ResponseData(OCSPResponseContext& context)
 {
   ByteString responderID(ResponderID(context));
-  if (responderID == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(responderID)) {
+    return ByteString();
   }
   ByteString producedAtEncoded(TimeToGeneralizedTime(context.producedAt));
-  if (producedAtEncoded == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(producedAtEncoded)) {
+    return ByteString();
   }
   ByteString response(SingleResponse(context));
-  if (response == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(response)) {
+    return ByteString();
   }
   ByteString responses(TLV(der::SEQUENCE, response));
-  if (responses == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
   ByteString responseExtensions;
   if (context.extensions || context.includeEmptyExtensions) {
     responseExtensions = Extensions(context);
   }
 
   ByteString value;
   value.append(responderID);
   value.append(producedAtEncoded);
@@ -908,18 +852,18 @@ ResponderID(OCSPResponseContext& context
 {
   ByteString contents;
   uint8_t responderIDType;
   if (!context.signerNameDER.empty()) {
     contents = context.signerNameDER;
     responderIDType = 1; // byName
   } else {
     contents = KeyHash(context.signerKeyPair->subjectPublicKey);
-    if (contents == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(contents)) {
+      return ByteString();
     }
     responderIDType = 2; // byKey
   }
 
   return TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | responderIDType,
              contents);
 }
 
@@ -939,38 +883,35 @@ KeyHash(const ByteString& subjectPublicK
 //    certStatus              CertStatus,
 //    thisUpdate              GeneralizedTime,
 //    nextUpdate          [0] EXPLICIT GeneralizedTime OPTIONAL,
 //    singleExtensions    [1] EXPLICIT Extensions OPTIONAL }
 ByteString
 SingleResponse(OCSPResponseContext& context)
 {
   ByteString certID(CertID(context));
-  if (certID == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(certID)) {
+    return ByteString();
   }
   ByteString certStatus(CertStatus(context));
-  if (certStatus == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(certStatus)) {
+    return ByteString();
   }
   ByteString thisUpdateEncoded(TimeToGeneralizedTime(context.thisUpdate));
-  if (thisUpdateEncoded == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(thisUpdateEncoded)) {
+    return ByteString();
   }
   ByteString nextUpdateEncodedNested;
   if (context.includeNextUpdate) {
     ByteString nextUpdateEncoded(TimeToGeneralizedTime(context.nextUpdate));
-    if (nextUpdateEncoded == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(nextUpdateEncoded)) {
+      return ByteString();
     }
     nextUpdateEncodedNested = TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0,
                                   nextUpdateEncoded);
-    if (nextUpdateEncodedNested == ENCODING_FAILED) {
-      return ENCODING_FAILED;
-    }
   }
 
   ByteString value;
   value.append(certID);
   value.append(certStatus);
   value.append(thisUpdateEncoded);
   value.append(nextUpdateEncodedNested);
   return TLV(der::SEQUENCE, value);
@@ -982,52 +923,49 @@ SingleResponse(OCSPResponseContext& cont
 //        issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
 //        serialNumber        CertificateSerialNumber }
 ByteString
 CertID(OCSPResponseContext& context)
 {
   ByteString issuerName(context.certID.issuer.UnsafeGetData(),
                         context.certID.issuer.GetLength());
   ByteString issuerNameHash(HashedOctetString(issuerName));
-  if (issuerNameHash == ENCODING_FAILED) {
-    return ENCODING_FAILED;
+  if (ENCODING_FAILED(issuerNameHash)) {
+    return ByteString();
   }
 
   ByteString issuerKeyHash;
   {
     // context.certID.issuerSubjectPublicKeyInfo is the entire
     // SubjectPublicKeyInfo structure, but we need just the subjectPublicKey
     // part.
     Reader input(context.certID.issuerSubjectPublicKeyInfo);
     Reader contents;
     if (der::ExpectTagAndGetValue(input, der::SEQUENCE, contents) != Success) {
-      return ENCODING_FAILED;
+      return ByteString();
     }
     // Skip AlgorithmIdentifier
     if (der::ExpectTagAndSkipValue(contents, der::SEQUENCE) != Success) {
-      return ENCODING_FAILED;
+      return ByteString();
     }
     Input subjectPublicKey;
     if (der::BitStringWithNoUnusedBits(contents, subjectPublicKey)
           != Success) {
-      return ENCODING_FAILED;
+      return ByteString();
     }
     issuerKeyHash = KeyHash(ByteString(subjectPublicKey.UnsafeGetData(),
                                        subjectPublicKey.GetLength()));
-    if (issuerKeyHash == ENCODING_FAILED) {
-      return ENCODING_FAILED;
+    if (ENCODING_FAILED(issuerKeyHash)) {
+      return ByteString();
     }
   }
 
   ByteString serialNumberValue(context.certID.serialNumber.UnsafeGetData(),
                                context.certID.serialNumber.GetLength());
   ByteString serialNumber(TLV(der::INTEGER, serialNumberValue));
-  if (serialNumber == ENCODING_FAILED) {
-    return ENCODING_FAILED;
-  }
 
   // python DottedOIDToCode.py --alg id-sha1 1.3.14.3.2.26
   static const uint8_t alg_id_sha1[] = {
     0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a
   };
 
   ByteString value;
   value.append(alg_id_sha1, sizeof(alg_id_sha1));
@@ -1057,22 +995,22 @@ CertStatus(OCSPResponseContext& context)
     case 0:
     case 2:
     {
       return TLV(der::CONTEXT_SPECIFIC | context.certStatus, ByteString());
     }
     case 1:
     {
       ByteString revocationTime(TimeToGeneralizedTime(context.revocationTime));
-      if (revocationTime == ENCODING_FAILED) {
-        return ENCODING_FAILED;
+      if (ENCODING_FAILED(revocationTime)) {
+        return ByteString();
       }
       // TODO(bug 980536): add support for revocationReason
       return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1, revocationTime);
     }
     default:
       assert(false);
       // fall through
   }
-  return ENCODING_FAILED;
+  return ByteString();
 }
 
 } } } // namespace mozilla::pkix::test
--- a/security/pkix/test/lib/pkixtestutil.h
+++ b/security/pkix/test/lib/pkixtestutil.h
@@ -31,17 +31,18 @@
 
 #include "pkix/enumclass.h"
 #include "pkix/pkixtypes.h"
 #include "pkix/ScopedPtr.h"
 
 namespace mozilla { namespace pkix { namespace test {
 
 typedef std::basic_string<uint8_t> ByteString;
-extern const ByteString ENCODING_FAILED;
+
+inline bool ENCODING_FAILED(const ByteString& bs) { return bs.empty(); }
 
 // XXX: Ideally, we should define this instead:
 //
 //   template <typename T, std::size_t N>
 //   constexpr inline std::size_t
 //   ArrayLength(T (&)[N])
 //   {
 //     return N;
@@ -74,17 +75,16 @@ static const uint8_t tlv_id_kp_serverAut
 };
 
 extern const Input sha256WithRSAEncryption;
 
 // e.g. YMDHMS(2016, 12, 31, 1, 23, 45) => 2016-12-31:01:23:45 (GMT)
 mozilla::pkix::Time YMDHMS(int16_t year, int16_t month, int16_t day,
                            int16_t hour, int16_t minutes, int16_t seconds);
 
-
 ByteString CNToDERName(const char* cn);
 
 class TestKeyPair
 {
 public:
   virtual ~TestKeyPair() { }
 
   // The DER encoding of the entire SubjectPublicKeyInfo structure. This is