Bug 1319252 - Remove nsIX509Cert.getAllTokenNames(). r?keeler,mossop
nsIX509Cert.getAllTokenNames() is only used (improperly) to determine if a
certificate is a built-in. nsIX509Cert.isBuiltInRoot should be used instead.
MozReview-Commit-ID: LBwI8nTc05C
--- a/security/manager/ssl/nsIX509Cert.idl
+++ b/security/manager/ssl/nsIX509Cert.idl
@@ -231,26 +231,13 @@ interface nsIX509Cert : nsISupports {
[retval, array, size_is(length)] out octet data);
/**
* Retrieves the NSS certificate object wrapped by this interface
*/
[notxpcom, noscript] CERTCertificatePtr getCert();
/**
- * Human readable names identifying all hardware or
- * software tokens the certificate is stored on.
- *
- * @param length On success, the number of entries in the returned array.
- * @return On success, an array containing the names of all tokens
- * the certificate is stored on (may be empty).
- * On failure the function throws/returns an error.
- */
- void getAllTokenNames(out unsigned long length,
- [retval, array, size_is(length)] out wstring
- tokenNames);
-
- /**
* Either delete the certificate from all cert databases,
* or mark it as untrusted.
*/
void markForPermDeletion();
};
--- a/security/manager/ssl/nsNSSCertificate.cpp
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@@ -720,65 +720,16 @@ nsNSSCertificate::GetChain(nsIArray** _r
array->AppendElement(cert, false);
}
*_rvChain = array;
NS_IF_ADDREF(*_rvChain);
return NS_OK;
}
NS_IMETHODIMP
-nsNSSCertificate::GetAllTokenNames(uint32_t* aLength, char16_t*** aTokenNames)
-{
- nsNSSShutDownPreventionLock locker;
- if (isAlreadyShutDown())
- return NS_ERROR_NOT_AVAILABLE;
-
- NS_ENSURE_ARG(aLength);
- NS_ENSURE_ARG(aTokenNames);
- *aLength = 0;
- *aTokenNames = nullptr;
-
- // Get the slots from NSS
- UniquePK11SlotList slots(PK11_GetAllSlotsForCert(mCert.get(), nullptr));
- if (!slots) {
- if (PORT_GetError() == SEC_ERROR_NO_TOKEN) {
- return NS_OK; // List of slots is empty, return empty array
- }
- return NS_ERROR_FAILURE;
- }
-
- // read the token names from slots
- PK11SlotListElement* le;
-
- for (le = slots->head; le; le = le->next) {
- ++(*aLength);
- }
-
- *aTokenNames = (char16_t**) moz_xmalloc(sizeof(char16_t*) * (*aLength));
- if (!*aTokenNames) {
- *aLength = 0;
- return NS_ERROR_OUT_OF_MEMORY;
- }
-
- uint32_t iToken;
- for (le = slots->head, iToken = 0; le; le = le->next, ++iToken) {
- char* token = PK11_GetTokenName(le->slot);
- (*aTokenNames)[iToken] = ToNewUnicode(NS_ConvertUTF8toUTF16(token));
- if (!(*aTokenNames)[iToken]) {
- NS_FREE_XPCOM_ALLOCATED_POINTER_ARRAY(iToken, *aTokenNames);
- *aLength = 0;
- *aTokenNames = nullptr;
- return NS_ERROR_OUT_OF_MEMORY;
- }
- }
-
- return NS_OK;
-}
-
-NS_IMETHODIMP
nsNSSCertificate::GetSubjectName(nsAString& _subjectName)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
_subjectName.Truncate();
if (mCert->subjectName) {
--- a/security/manager/tools/genHPKPStaticPins.js
+++ b/security/manager/tools/genHPKPStaticPins.js
@@ -95,31 +95,16 @@ function stripComments(buf) {
let match = entryRegex.exec(lines[i]);
if (!match) {
data = data + lines[i];
}
}
return data;
}
-function isBuiltinToken(tokenName) {
- return tokenName == "Builtin Object Token";
-}
-
-function isCertBuiltIn(cert) {
- let tokenNames = cert.getAllTokenNames({});
- if (!tokenNames) {
- return false;
- }
- if (tokenNames.some(isBuiltinToken)) {
- return true;
- }
- return false;
-}
-
function download(filename) {
let req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
.createInstance(Ci.nsIXMLHttpRequest);
req.open("GET", filename, false); // doing the request synchronously
try {
req.send();
} catch (e) {
throw new Error(`ERROR: problem downloading '${filename}': ${e}`);
@@ -390,17 +375,17 @@ function downloadAndParseChromePins(file
// nicknames and digests of the SPKInfo for the mozilla trust store
function loadNSSCertinfo(extraCertificates) {
let allCerts = gCertDB.getCerts();
let enumerator = allCerts.getEnumerator();
let certNameToSKD = {};
let certSKDToName = {};
while (enumerator.hasMoreElements()) {
let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
- if (!isCertBuiltIn(cert)) {
+ if (!cert.isBuiltInRoot) {
continue;
}
let name = cert.displayName;
let SKD = cert.sha256SubjectPublicKeyInfoDigest;
certNameToSKD[name] = SKD;
certSKDToName[SKD] = name;
}
--- a/toolkit/modules/CertUtils.jsm
+++ b/toolkit/modules/CertUtils.jsm
@@ -160,26 +160,20 @@ this.checkCert =
var issuerCert = cert;
while (issuerCert.issuer && !issuerCert.issuer.equals(issuerCert))
issuerCert = issuerCert.issuer;
const certNotBuiltInErr = "Certificate issuer is not built-in.";
if (!issuerCert)
throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);
- var tokenNames = issuerCert.getAllTokenNames({});
-
- if (!tokenNames || !tokenNames.some(isBuiltinToken))
+ if (!issuerCert.isBuiltInRoot)
throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);
}
-function isBuiltinToken(tokenName) {
- return tokenName == "Builtin Object Token";
-}
-
/**
* This class implements nsIBadCertListener. Its job is to prevent "bad cert"
* security dialogs from being shown to the user. It is better to simply fail
* if the certificate is bad. See bug 304286.
*
* @param aAllowNonBuiltInCerts (optional)
* When true certificates that aren't builtin are allowed. When false
* or not specified the certificate must be a builtin certificate.