--- a/browser/base/content/browser-siteIdentity.js
+++ b/browser/base/content/browser-siteIdentity.js
@@ -342,22 +342,18 @@ var gIdentityHandler = {
*/
updateIdentity(state, uri) {
let shouldHidePopup = this._uri && (this._uri.spec != uri.spec);
this._state = state;
// Firstly, populate the state properties required to display the UI. See
// the documentation of the individual properties for details.
this.setURI(uri);
- this._sslStatus = gBrowser.securityUI
- .QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
- if (this._sslStatus) {
- this._sslStatus.QueryInterface(Ci.nsISSLStatus);
- }
+ this._sslStatus = gBrowser.securityUI.secInfo &&
+ gBrowser.securityUI.secInfo.SSLStatus;
// Then, update the user interface with the available data.
this.refreshIdentityBlock();
// Handle a location change while the Control Center is focused
// by closing the popup (bug 1207542)
if (shouldHidePopup) {
PanelMultiView.hidePopup(this._identityPopup);
}--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -2992,18 +2992,17 @@ var BrowserOnClick = {
switch (elementId) {
case "exceptionDialogButton":
if (isTopFrame) {
secHistogram.add(Ci.nsISecurityUITelemetry.WARNING_BAD_CERT_TOP_CLICK_ADD_EXCEPTION);
}
securityInfo = getSecurityInfo(securityInfoAsString);
- sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ sslStatus = securityInfo.SSLStatus;
let params = { exceptionAdded: false,
sslStatus };
try {
switch (Services.prefs.getIntPref("browser.ssl_override_behavior")) {
case 2 : // Pre-fetch & pre-populate
params.prefetchCert = true;
case 1 : // Pre-populate
@@ -3030,18 +3029,17 @@ var BrowserOnClick = {
break;
case "advancedButton":
if (isTopFrame) {
secHistogram.add(Ci.nsISecurityUITelemetry.WARNING_BAD_CERT_TOP_UNDERSTAND_RISKS);
}
securityInfo = getSecurityInfo(securityInfoAsString);
- sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ sslStatus = securityInfo.SSLStatus;
let errorInfo = getDetailedCertErrorInfo(location,
securityInfo);
let validityInfo = {
notAfter: sslStatus.serverCert.validity.notAfter,
notBefore: sslStatus.serverCert.validity.notBefore,
notAfterLocalTime: sslStatus.serverCert.validity.notAfterLocalTime,
notBeforeLocalTime: sslStatus.serverCert.validity.notBeforeLocalTime,
};--- a/browser/base/content/pageinfo/security.js
+++ b/browser/base/content/pageinfo/security.js
@@ -22,17 +22,16 @@ var security = {
// Display the server certificate (static)
viewCert() {
var cert = security._cert;
viewCertHelper(window, cert);
},
_getSecurityInfo() {
- const nsISSLStatusProvider = Ci.nsISSLStatusProvider;
const nsISSLStatus = Ci.nsISSLStatus;
// We don't have separate info for a frame, return null until further notice
// (see bug 138479)
if (!this.windowInfo.isTopWindow)
return null;
var hostName = this.windowInfo.hostName;
@@ -45,21 +44,19 @@ var security = {
(ui.state & Ci.nsIWebProgressListener.STATE_IS_BROKEN);
var isMixed =
(ui.state & (Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT |
Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT));
var isInsecure =
(ui.state & Ci.nsIWebProgressListener.STATE_IS_INSECURE);
var isEV =
(ui.state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL);
- ui.QueryInterface(nsISSLStatusProvider);
- var status = ui.SSLStatus;
+ var status = ui.secInfo && ui.secInfo.SSLStatus;
if (!isInsecure && status) {
- status.QueryInterface(nsISSLStatus);
var cert = status.serverCert;
var issuerName = cert.issuerOrganization || cert.issuerName;
var retval = {
hostName,
cAName: issuerName,
encryptionAlgorithm: undefined,
encryptionStrength: undefined,--- a/devtools/shared/security/auth.js
+++ b/devtools/shared/security/auth.js
@@ -295,17 +295,17 @@ OOBCert.Client.prototype = {
* Whether the connection is valid.
*/
// eslint-disable-next-line no-shadow
validateConnection({ cert, socket }) {
// Step B.7
// Client verifies that Server's cert matches hash(ServerCert) from the
// advertisement
dumpv("Validate server cert hash");
- const serverCert = socket.securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
+ const serverCert = socket.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
.SSLStatus.serverCert;
const advertisedCert = cert;
if (serverCert.sha256Fingerprint != advertisedCert.sha256) {
dumpn("Server cert hash doesn't match advertisement");
return false;
}
return true;
},--- a/devtools/shared/security/socket.js
+++ b/devtools/shared/security/socket.js
@@ -348,17 +348,17 @@ function _isInputAlive(input) {
/**
* To allow the connection to proceed with self-signed cert, we store a cert
* override. This implies that we take on the burden of authentication for
* these connections.
*/
function _storeCertOverride(s, host, port) {
// eslint-disable-next-line no-shadow
- const cert = s.securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
+ const cert = s.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
.SSLStatus.serverCert;
const overrideBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_MISMATCH;
certOverrideService.rememberValidityOverride(host, port, cert, overrideBits,
true /* temporary */);
}
/**--- a/devtools/shared/webconsole/network-helper.js
+++ b/devtools/shared/webconsole/network-helper.js
@@ -595,17 +595,16 @@ var NetworkHelper = {
* - request is mixed content (which makes no sense whatsoever)
* => .securityState has STATE_IS_BROKEN flag
* => .errorCode is NOT an NSS error code
* => .errorMessage is not available
* => state === "weak"
*/
securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
- securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
const wpl = Ci.nsIWebProgressListener;
const NSSErrorsService = Cc["@mozilla.org/nss_errors_service;1"]
.getService(Ci.nsINSSErrorsService);
const SSLStatus = securityInfo.SSLStatus;
if (!NSSErrorsService.isNSSErrorCode(securityInfo.errorCode)) {
const state = securityInfo.securityState;
--- a/devtools/shared/webconsole/test/unit/test_security-info-parser.js
+++ b/devtools/shared/webconsole/test/unit/test_security-info-parser.js
@@ -28,18 +28,17 @@ const MockCertificate = {
sha1Fingerprint: "qwertyuiop",
validity: {
notBeforeLocalDay: "yesterday",
notAfterLocalDay: "tomorrow",
}
};
const MockSecurityInfo = {
- QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo,
- Ci.nsISSLStatusProvider]),
+ QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]),
securityState: wpl.STATE_IS_SECURE,
errorCode: 0,
SSLStatus: {
cipherSuite: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
// TLS_VERSION_1_2
protocolVersion: 3,
serverCert: MockCertificate,
}--- a/devtools/shared/webconsole/test/unit/test_security-info-state.js
+++ b/devtools/shared/webconsole/test/unit/test_security-info-state.js
@@ -14,18 +14,17 @@ Object.defineProperty(this, "NetworkHelp
},
configurable: true,
writeable: false,
enumerable: true
});
const wpl = Ci.nsIWebProgressListener;
const MockSecurityInfo = {
- QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo,
- Ci.nsISSLStatusProvider]),
+ QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]),
securityState: wpl.STATE_IS_BROKEN,
errorCode: 0,
SSLStatus: {
// nsISSLStatus.TLS_VERSION_1_2
protocolVersion: 3,
cipherSuite: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
}
};--- a/devtools/shared/webconsole/test/unit/test_security-info-static-hpkp.js
+++ b/devtools/shared/webconsole/test/unit/test_security-info-static-hpkp.js
@@ -15,18 +15,17 @@ Object.defineProperty(this, "NetworkHelp
configurable: true,
writeable: false,
enumerable: true
});
const wpl = Ci.nsIWebProgressListener;
const MockSecurityInfo = {
- QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo,
- Ci.nsISSLStatusProvider]),
+ QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]),
securityState: wpl.STATE_IS_SECURE,
errorCode: 0,
SSLStatus: {
cipherSuite: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
// TLS_VERSION_1_2
protocolVersion: 3,
serverCert: {
validity: {}--- a/dom/ipc/TabParent.cpp
+++ b/dom/ipc/TabParent.cpp
@@ -54,16 +54,17 @@
#include "nsIContent.h"
#include "nsIDocShell.h"
#include "nsIDocShellTreeOwner.h"
#include "nsIDOMWindow.h"
#include "nsIDOMWindowUtils.h"
#include "nsIInterfaceRequestorUtils.h"
#include "nsILoadInfo.h"
#include "nsIPromptFactory.h"
+#include "nsITransportSecurityInfo.h"
#include "nsIURI.h"
#include "nsIWindowWatcher.h"
#include "nsIWebBrowserChrome.h"
#include "nsIXULBrowserWindow.h"
#include "nsIXULWindow.h"
#include "nsIRemoteBrowser.h"
#include "nsViewManager.h"
#include "nsVariant.h"
@@ -884,16 +885,25 @@ TabParent::GetState(uint32_t *aState)
{
NS_ENSURE_ARG(aState);
NS_WARNING("SecurityState not valid here");
*aState = 0;
return NS_OK;
}
NS_IMETHODIMP
+TabParent::GetSecInfo(nsITransportSecurityInfo** _result)
+{
+ NS_ENSURE_ARG_POINTER(_result);
+ NS_WARNING("TransportSecurityInfo not valid here");
+ *_result = nullptr;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
TabParent::SetDocShell(nsIDocShell *aDocShell)
{
NS_ENSURE_ARG(aDocShell);
NS_WARNING("No mDocShell member in TabParent so there is no docShell to set");
return NS_OK;
}
a11y::PDocAccessibleParent*--- a/mobile/android/chrome/content/browser.js
+++ b/mobile/android/chrome/content/browser.js
@@ -5689,19 +5689,18 @@ var IdentityHandler = {
Telemetry.addData("TRACKING_PROTECTION_SHIELD", value);
},
/**
* Determine the identity of the page being displayed by examining its SSL cert
* (if available). Return the data needed to update the UI.
*/
checkIdentity: function checkIdentity(aState, aBrowser) {
- this._lastStatus = aBrowser.securityUI
- .QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ this._lastStatus = aBrowser.securityUI.secInfo &&
+ aBrowser.securityUI.secInfo.SSLStatus;
// Don't pass in the actual location object, since it can cause us to
// hold on to the window object too long. Just pass in the fields we
// care about. (bug 424829)
let locationObj = {};
try {
let location = aBrowser.contentWindow.location;
locationObj.host = location.host;--- a/mobile/android/chrome/content/content.js
+++ b/mobile/android/chrome/content/content.js
@@ -355,18 +355,17 @@ var AboutCertErrorListener = {
if (aEvent.type != "AboutCertErrorLoad") {
return;
}
let ownerDoc = aEvent.originalTarget.ownerGlobal;
let securityInfo = docShell.failedChannel && docShell.failedChannel.securityInfo;
securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
.QueryInterface(Ci.nsISerializable);
- let sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ let sslStatus = securityInfo.SSLStatus;
this._setTechDetails(sslStatus, securityInfo, ownerDoc.location.href);
},
};
AboutCertErrorListener.init();
// This is copied from desktop's tab-content.js. See bug 1153485 about sharing this code somehow.
var AboutReaderListener = {
--- a/mobile/android/modules/geckoview/GeckoViewProgress.jsm
+++ b/mobile/android/modules/geckoview/GeckoViewProgress.jsm
@@ -154,18 +154,17 @@ var IdentityHandler = {
} catch (e) {}
try {
result.host = IDNService.convertToDisplayIDN(uri.host, {});
} catch (e) {
result.host = uri.host;
}
- let status = aBrowser.securityUI.QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus.QueryInterface(Ci.nsISSLStatus);
+ let status = aBrowser.securityUI.secInfo.SSLStatus;
let cert = status.serverCert;
result.organization = cert.organization;
result.subjectName = cert.subjectName;
result.issuerOrganization = cert.issuerOrganization;
result.issuerCommonName = cert.issuerCommonName;
try {--- a/netwerk/base/nsISecureBrowserUI.idl
+++ b/netwerk/base/nsISecureBrowserUI.idl
@@ -3,21 +3,23 @@
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsISupports.idl"
interface mozIDOMWindowProxy;
interface nsIDocShell;
+interface nsITransportSecurityInfo;
[scriptable, uuid(718c662a-f810-4a80-a6c9-0b1810ecade2)]
interface nsISecureBrowserUI : nsISupports
{
void init(in mozIDOMWindowProxy window);
void setDocShell(in nsIDocShell docShell);
readonly attribute unsigned long state;
+ readonly attribute nsITransportSecurityInfo secInfo;
};
%{C++
#define NS_SECURE_BROWSER_UI_CONTRACTID "@mozilla.org/secure_browser_ui;1"
%}--- a/netwerk/protocol/http/AlternateServices.cpp
+++ b/netwerk/protocol/http/AlternateServices.cpp
@@ -10,18 +10,16 @@
#include "LoadInfo.h"
#include "nsEscape.h"
#include "nsHttpConnectionInfo.h"
#include "nsHttpChannel.h"
#include "nsHttpHandler.h"
#include "nsThreadUtils.h"
#include "nsHttpTransaction.h"
#include "NullHttpTransaction.h"
-#include "nsISSLStatusProvider.h"
-#include "nsISSLStatus.h"
#include "nsISSLSocketControl.h"
#include "nsIWellKnownOpportunisticUtils.h"
/* RFC 7838 Alternative Services
http://httpwg.org/http-extensions/opsec.html
note that connections currently do not do mixed-scheme (the I attribute
in the ConnectionInfo prevents it) but could, do not honor tls-commit and should
not, and always require authentication--- a/netwerk/protocol/http/Http2Session.cpp
+++ b/netwerk/protocol/http/Http2Session.cpp
@@ -22,18 +22,16 @@
#include "mozilla/EndianUtils.h"
#include "mozilla/Telemetry.h"
#include "mozilla/Preferences.h"
#include "nsHttp.h"
#include "nsHttpHandler.h"
#include "nsHttpConnection.h"
#include "nsIRequestContext.h"
#include "nsISSLSocketControl.h"
-#include "nsISSLStatus.h"
-#include "nsISSLStatusProvider.h"
#include "nsISupportsPriority.h"
#include "nsStandardURL.h"
#include "nsURLHelper.h"
#include "prnetdb.h"
#include "sslt.h"
#include "mozilla/Sprintf.h"
#include "nsSocketTransportService2.h"
#include "nsNetUtil.h"
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -64,17 +64,16 @@
#include "nsContentUtils.h"
#include "nsContentSecurityManager.h"
#include "nsIClassOfService.h"
#include "nsIPermissionManager.h"
#include "nsIPrincipal.h"
#include "nsIScriptError.h"
#include "nsIScriptSecurityManager.h"
#include "nsISSLStatus.h"
-#include "nsISSLStatusProvider.h"
#include "nsITransportSecurityInfo.h"
#include "nsIWebProgressListener.h"
#include "LoadContextInfo.h"
#include "netCore.h"
#include "nsHttpTransaction.h"
#include "nsICacheEntryDescriptor.h"
#include "nsICancelable.h"
#include "nsIHttpChannelAuthProvider.h"
@@ -1850,21 +1849,21 @@ nsHttpChannel::ProcessSecurityHeaders()
// mSecurityInfo may not always be present, and if it's not then it is okay
// to just disregard any security headers since we know nothing about the
// security of the connection.
NS_ENSURE_TRUE(mSecurityInfo, NS_OK);
uint32_t flags =
NS_UsePrivateBrowsing(this) ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
- // Get the SSLStatus
- nsCOMPtr<nsISSLStatusProvider> sslprov = do_QueryInterface(mSecurityInfo);
- NS_ENSURE_TRUE(sslprov, NS_ERROR_FAILURE);
+ // Get the TransportSecurityInfo
+ nsCOMPtr<nsITransportSecurityInfo> transSecInfo = do_QueryInterface(mSecurityInfo);
+ NS_ENSURE_TRUE(transSecInfo, NS_ERROR_FAILURE);
nsCOMPtr<nsISSLStatus> sslStatus;
- rv = sslprov->GetSSLStatus(getter_AddRefs(sslStatus));
+ rv = transSecInfo->GetSSLStatus(getter_AddRefs(sslStatus));
NS_ENSURE_SUCCESS(rv, rv);
NS_ENSURE_TRUE(sslStatus, NS_ERROR_FAILURE);
rv = ProcessSingleSecurityHeader(nsISiteSecurityService::HEADER_HSTS,
sslStatus, flags);
NS_ENSURE_SUCCESS(rv, rv);
rv = ProcessSingleSecurityHeader(nsISiteSecurityService::HEADER_HPKP,
@@ -1985,27 +1984,25 @@ nsHttpChannel::ProcessSSLInformation()
// If this is HTTPS, record any use of RSA so that Key Exchange Algorithm
// can be whitelisted for TLS False Start in future sessions. We could
// do the same for DH but its rarity doesn't justify the lookup.
if (mCanceled || NS_FAILED(mStatus) || !mSecurityInfo ||
!IsHTTPS() || mPrivateBrowsing)
return;
- nsCOMPtr<nsISSLStatusProvider> statusProvider =
+ nsCOMPtr<nsITransportSecurityInfo> securityInfo =
do_QueryInterface(mSecurityInfo);
- if (!statusProvider)
+ if (!securityInfo)
return;
nsCOMPtr<nsISSLStatus> sslstat;
- statusProvider->GetSSLStatus(getter_AddRefs(sslstat));
+ securityInfo->GetSSLStatus(getter_AddRefs(sslstat));
if (!sslstat)
return;
- nsCOMPtr<nsITransportSecurityInfo> securityInfo =
- do_QueryInterface(mSecurityInfo);
uint32_t state;
if (securityInfo &&
NS_SUCCEEDED(securityInfo->GetSecurityState(&state)) &&
(state & nsIWebProgressListener::STATE_IS_BROKEN)) {
// Send weak crypto warnings to the web console
if (state & nsIWebProgressListener::STATE_USES_WEAK_CRYPTO) {
nsString consoleErrorTag = NS_LITERAL_STRING("WeakCipherSuiteWarning");
nsString consoleErrorCategory = NS_LITERAL_STRING("SSL");--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@@ -19,17 +19,17 @@
#include "nsIPrefBranch.h"
#include "nsIPrefService.h"
#include "nsIHttpAuthenticableChannel.h"
#include "nsIURI.h"
#ifdef XP_WIN
#include "nsIChannel.h"
#include "nsIX509Cert.h"
#include "nsISSLStatus.h"
-#include "nsISSLStatusProvider.h"
+#include "nsITransportSecurityInfo.h"
#endif
#include "mozilla/Attributes.h"
#include "mozilla/Base64.h"
#include "mozilla/CheckedInt.h"
#include "mozilla/Tokenizer.h"
#include "mozilla/UniquePtr.h"
#include "mozilla/Unused.h"
#include "nsNetUtil.h"
@@ -330,22 +330,22 @@ nsHttpNTLMAuth::GenerateCredentials(nsIH
if (NS_FAILED(rv))
return rv;
nsCOMPtr<nsISupports> security;
rv = channel->GetSecurityInfo(getter_AddRefs(security));
if (NS_FAILED(rv))
return rv;
- nsCOMPtr<nsISSLStatusProvider> statusProvider =
+ nsCOMPtr<nsITransportSecurityInfo> secInfo =
do_QueryInterface(security);
- if (mUseNative && statusProvider) {
+ if (mUseNative && secInfo) {
nsCOMPtr<nsISSLStatus> status;
- rv = statusProvider->GetSSLStatus(getter_AddRefs(status));
+ rv = secInfo->GetSSLStatus(getter_AddRefs(status));
if (NS_FAILED(rv))
return rv;
nsCOMPtr<nsIX509Cert> cert;
rv = status->GetServerCert(getter_AddRefs(cert));
if (NS_FAILED(rv))
return rv;
--- a/netwerk/socket/nsITransportSecurityInfo.idl
+++ b/netwerk/socket/nsITransportSecurityInfo.idl
@@ -1,25 +1,28 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsISupports.idl"
+interface nsISSLStatus;
interface nsIX509CertList;
[builtinclass, scriptable, uuid(216112d3-28bc-4671-b057-f98cc09ba1ea)]
interface nsITransportSecurityInfo : nsISupports {
readonly attribute unsigned long securityState;
[infallible] readonly attribute long errorCode; // PRErrorCode
// errorCode as string (e.g. "SEC_ERROR_UNKNOWN_ISSUER")
readonly attribute AString errorCodeString;
/**
* If certificate verification failed, this will be the peer certificate
* chain provided in the handshake, so it can be used for error reporting.
* If verification succeeded, this will be null.
*/
readonly attribute nsIX509CertList failedCertChain;
+
+ readonly attribute nsISSLStatus SSLStatus;
};
--- a/security/manager/pki/resources/content/exceptionDialog.js
+++ b/security/manager/pki/resources/content/exceptionDialog.js
@@ -21,17 +21,19 @@ function initExceptionDialog() {
gNeedReset = false;
gDialog = document.documentElement;
gBundleBrand = document.getElementById("brand_bundle");
gPKIBundle = document.getElementById("pippki_bundle");
gSecHistogram = Services.telemetry.getHistogramById("SECURITY_UI");
gNsISecTel = Ci.nsISecurityUITelemetry;
var brandName = gBundleBrand.getString("brandShortName");
- setText("warningText", gPKIBundle.getFormattedString("addExceptionBrandedWarning2", [brandName]));
+ setText("warningText",
+ gPKIBundle.getFormattedString("addExceptionBrandedWarning2",
+ [brandName]));
gDialog.getButton("extra1").disabled = true;
var args = window.arguments;
if (args && args[0]) {
if (args[0].location) {
// We were pre-seeded with a location.
document.getElementById("locationTextBox").value = args[0].location;
document.getElementById("checkCertButton").disabled = false;
@@ -70,17 +72,17 @@ function initExceptionDialog() {
* @param {XMLHttpRequest} req
* The XMLHttpRequest created and sent by checkCert.
* @param {Event} evt
* The load or error event.
*/
function grabCert(req, evt) {
if (req.channel && req.channel.securityInfo) {
gSSLStatus = req.channel.securityInfo
- .QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
+ .QueryInterface(Ci.nsITransportSecurityInfo).SSLStatus;
gCert = gSSLStatus ? gSSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert
: null;
}
gBroken = evt.type == "error";
gChecking = false;
updateCertStatus();
}
@@ -154,17 +156,18 @@ function resetDialog() {
window.sizeToContent();
}
/**
* Called by input textboxes to manage UI state
*/
function handleTextChange() {
var checkCertButton = document.getElementById("checkCertButton");
- checkCertButton.disabled = !(document.getElementById("locationTextBox").value);
+ checkCertButton.disabled =
+ !(document.getElementById("locationTextBox").value);
if (gNeedReset) {
gNeedReset = false;
resetDialog();
}
}
function updateCertStatus() {
var shortDesc, longDesc;
@@ -196,17 +199,18 @@ function updateCertStatus() {
longDesc = exl;
} else {
use2 = true;
shortDesc2 = exs;
longDesc2 = exl;
}
}
if (gSSLStatus.isUntrusted) {
- bucketId += gNsISecTel.WARNING_BAD_CERT_TOP_ADD_EXCEPTION_FLAG_UNTRUSTED;
+ bucketId +=
+ gNsISecTel.WARNING_BAD_CERT_TOP_ADD_EXCEPTION_FLAG_UNTRUSTED;
if (!use1) {
use1 = true;
shortDesc = uts;
longDesc = utl;
} else if (!use2) {
use2 = true;
shortDesc2 = uts;
longDesc2 = utl;
@@ -224,17 +228,18 @@ function updateCertStatus() {
// If the Private Browsing service is available and the mode is active,
// don't store permanent exceptions, since they would persist after
// private browsing mode was disabled.
var inPrivateBrowsing = inPrivateBrowsingMode();
var pe = document.getElementById("permanent");
pe.disabled = inPrivateBrowsing;
pe.checked = !inPrivateBrowsing;
- setText("headerDescription", gPKIBundle.getString("addExceptionInvalidHeader"));
+ setText("headerDescription",
+ gPKIBundle.getString("addExceptionInvalidHeader"));
} else {
shortDesc = "addExceptionValidShort";
longDesc = "addExceptionValidLong";
gDialog.getButton("extra1").disabled = true;
document.getElementById("permanent").disabled = true;
}
// We're done checking the certificate, so allow the user to check it again.
@@ -296,32 +301,37 @@ function viewCertButtonClick() {
function addException() {
if (!gCert || !gSSLStatus) {
return;
}
var overrideService = Cc["@mozilla.org/security/certoverride;1"]
.getService(Ci.nsICertOverrideService);
var flags = 0;
- let confirmBucketId = gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_BASE;
+ let confirmBucketId =
+ gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_BASE;
if (gSSLStatus.isUntrusted) {
flags |= overrideService.ERROR_UNTRUSTED;
- confirmBucketId += gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_UNTRUSTED;
+ confirmBucketId +=
+ gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_UNTRUSTED;
}
if (gSSLStatus.isDomainMismatch) {
flags |= overrideService.ERROR_MISMATCH;
- confirmBucketId += gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_DOMAIN;
+ confirmBucketId +=
+ gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_DOMAIN;
}
if (gSSLStatus.isNotValidAtThisTime) {
flags |= overrideService.ERROR_TIME;
- confirmBucketId += gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_TIME;
+ confirmBucketId +=
+ gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_TIME;
}
var permanentCheckbox = document.getElementById("permanent");
- var shouldStorePermanently = permanentCheckbox.checked && !inPrivateBrowsingMode();
+ var shouldStorePermanently = permanentCheckbox.checked &&
+ !inPrivateBrowsingMode();
if (!permanentCheckbox.checked) {
gSecHistogram.add(gNsISecTel.WARNING_BAD_CERT_TOP_DONT_REMEMBER_EXCEPTION);
}
gSecHistogram.add(confirmBucketId);
var uri = getURI();
overrideService.rememberValidityOverride(
uri.asciiHost, uri.port,--- a/security/manager/ssl/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/TransportSecurityInfo.cpp
@@ -45,17 +45,16 @@ TransportSecurityInfo::TransportSecurity
, mErrorCode(0)
, mPort(0)
{
}
NS_IMPL_ISUPPORTS(TransportSecurityInfo,
nsITransportSecurityInfo,
nsIInterfaceRequestor,
- nsISSLStatusProvider,
nsIAssociatedContentSecurity,
nsISerializable,
nsIClassInfo)
void
TransportSecurityInfo::SetHostName(const char* host)
{
mHostName.Assign(host);
@@ -359,17 +358,17 @@ static NS_DEFINE_CID(kNSSSocketInfoCID,
NS_IMETHODIMP
TransportSecurityInfo::GetClassIDNoAlloc(nsCID *aClassIDNoAlloc)
{
*aClassIDNoAlloc = kNSSSocketInfoCID;
return NS_OK;
}
-nsresult
+NS_IMETHODIMP
TransportSecurityInfo::GetSSLStatus(nsISSLStatus** _result)
{
NS_ENSURE_ARG_POINTER(_result);
*_result = mSSLStatus;
NS_IF_ADDREF(*_result);
return NS_OK;--- a/security/manager/ssl/TransportSecurityInfo.h
+++ b/security/manager/ssl/TransportSecurityInfo.h
@@ -11,40 +11,37 @@
#include "certt.h"
#include "mozilla/Assertions.h"
#include "mozilla/BasePrincipal.h"
#include "mozilla/Mutex.h"
#include "mozilla/RefPtr.h"
#include "nsDataHashtable.h"
#include "nsIAssociatedContentSecurity.h"
#include "nsIInterfaceRequestor.h"
-#include "nsISSLStatusProvider.h"
#include "nsITransportSecurityInfo.h"
#include "nsSSLStatus.h"
#include "nsString.h"
#include "pkix/pkixtypes.h"
namespace mozilla { namespace psm {
class TransportSecurityInfo : public nsITransportSecurityInfo
, public nsIInterfaceRequestor
- , public nsISSLStatusProvider
, public nsIAssociatedContentSecurity
, public nsISerializable
, public nsIClassInfo
{
protected:
virtual ~TransportSecurityInfo() {}
public:
TransportSecurityInfo();
NS_DECL_THREADSAFE_ISUPPORTS
NS_DECL_NSITRANSPORTSECURITYINFO
NS_DECL_NSIINTERFACEREQUESTOR
- NS_DECL_NSISSLSTATUSPROVIDER
NS_DECL_NSIASSOCIATEDCONTENTSECURITY
NS_DECL_NSISERIALIZABLE
NS_DECL_NSICLASSINFO
void SetSecurityState(uint32_t aState);
const nsACString & GetHostName() const { return mHostName; }
--- a/security/manager/ssl/moz.build
+++ b/security/manager/ssl/moz.build
@@ -31,17 +31,16 @@ XPIDL_SOURCES += [
'nsIPKCS11Module.idl',
'nsIPKCS11ModuleDB.idl',
'nsIPKCS11Slot.idl',
'nsIProtectedAuthThread.idl',
'nsISecretDecoderRing.idl',
'nsISecurityUITelemetry.idl',
'nsISiteSecurityService.idl',
'nsISSLStatus.idl',
- 'nsISSLStatusProvider.idl',
'nsITokenDialogs.idl',
'nsITokenPasswordDialogs.idl',
'nsIX509Cert.idl',
'nsIX509CertDB.idl',
'nsIX509CertList.idl',
'nsIX509CertValidity.idl',
]
deleted file mode 100644
--- a/security/manager/ssl/nsISSLStatusProvider.idl
+++ /dev/null
@@ -1,13 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-interface nsISSLStatus;
-
-[scriptable, uuid(179b1ab1-0950-4427-9556-6f496dc4a27f)]
-interface nsISSLStatusProvider : nsISupports {
- readonly attribute nsISSLStatus SSLStatus;
-};--- a/security/manager/ssl/nsSecureBrowserUIImpl.cpp
+++ b/security/manager/ssl/nsSecureBrowserUIImpl.cpp
@@ -84,18 +84,17 @@ nsSecureBrowserUIImpl::nsSecureBrowserUI
MOZ_ASSERT(NS_IsMainThread());
ResetStateTracking();
}
NS_IMPL_ISUPPORTS(nsSecureBrowserUIImpl,
nsISecureBrowserUI,
nsIWebProgressListener,
- nsISupportsWeakReference,
- nsISSLStatusProvider)
+ nsISupportsWeakReference)
NS_IMETHODIMP
nsSecureBrowserUIImpl::Init(mozIDOMWindowProxy* aWindow)
{
MOZ_ASSERT(NS_IsMainThread());
if (MOZ_LOG_TEST(gSecureDocLog, LogLevel::Debug)) {
nsCOMPtr<nsIDOMWindow> window(do_QueryReferent(mWindow));
@@ -369,33 +368,31 @@ nsSecureBrowserUIImpl::EvaluateAndUpdate
mNewToplevelSecurityState =
GetSecurityStateFromSecurityInfoAndRequest(info, aRequest);
MOZ_LOG(gSecureDocLog, LogLevel::Debug,
("SecureUI:%p: OnStateChange: remember mNewToplevelSecurityState => %x\n",
this, mNewToplevelSecurityState));
- nsCOMPtr<nsISSLStatusProvider> sp(do_QueryInterface(info));
- if (sp) {
+ nsCOMPtr<nsITransportSecurityInfo> psmInfo(do_QueryInterface(info));
+ if (psmInfo) {
// Ignore result
updateStatus = true;
- (void) sp->GetSSLStatus(getter_AddRefs(temp_SSLStatus));
+ (void) psmInfo->GetSSLStatus(getter_AddRefs(temp_SSLStatus));
if (temp_SSLStatus) {
bool aTemp;
if (NS_SUCCEEDED(temp_SSLStatus->GetIsExtendedValidation(&aTemp))) {
mNewToplevelIsEV = aTemp;
}
}
+ mSecInfo = psmInfo;
}
mNewToplevelSecurityStateKnown = true;
- if (updateStatus) {
- mSSLStatus = temp_SSLStatus;
- }
MOZ_LOG(gSecureDocLog, LogLevel::Debug,
("SecureUI:%p: remember securityInfo %p\n", this,
info));
nsCOMPtr<nsIAssociatedContentSecurity> associatedContentSecurityFromRequest(
do_QueryInterface(aRequest));
if (associatedContentSecurityFromRequest) {
mCurrentToplevelSecurityInfo = aRequest;
} else {
@@ -1009,17 +1006,17 @@ nsSecureBrowserUIImpl::UpdateSecuritySta
bool flagsChanged = false;
if (mNotifiedSecurityState != newSecurityState) {
// Something changed since the last time.
flagsChanged = true;
mNotifiedSecurityState = newSecurityState;
// If we have no security, we also shouldn't have any SSL status.
if (newSecurityState == lis_no_security) {
- mSSLStatus = nullptr;
+ mSecInfo = nullptr;
}
}
if (mNotifiedToplevelIsEV != mNewToplevelIsEV) {
flagsChanged = true;
mNotifiedToplevelIsEV = mNewToplevelIsEV;
}
@@ -1161,19 +1158,18 @@ nsSecureBrowserUIImpl::OnSecurityChange(
("SecureUI:%p: OnSecurityChange: (%x) %s\n", this,
state, aURI->GetSpecOrDefault().get()));
}
#endif
return NS_OK;
}
-// nsISSLStatusProvider methods
NS_IMETHODIMP
-nsSecureBrowserUIImpl::GetSSLStatus(nsISSLStatus** _result)
+nsSecureBrowserUIImpl::GetSecInfo(nsITransportSecurityInfo** _result)
{
NS_ENSURE_ARG_POINTER(_result);
MOZ_ASSERT(NS_IsMainThread());
switch (mNotifiedSecurityState)
{
case lis_broken_security:
case lis_mixed_security:
@@ -1182,13 +1178,13 @@ nsSecureBrowserUIImpl::GetSSLStatus(nsIS
default:
MOZ_FALLTHROUGH_ASSERT("if this is reached you must add more entries to the switch");
case lis_no_security:
*_result = nullptr;
return NS_OK;
}
- *_result = mSSLStatus;
+ *_result = mSecInfo;
NS_IF_ADDREF(*_result);
return NS_OK;
}--- a/security/manager/ssl/nsSecureBrowserUIImpl.h
+++ b/security/manager/ssl/nsSecureBrowserUIImpl.h
@@ -5,44 +5,41 @@
#ifndef nsSecureBrowserUIImpl_h
#define nsSecureBrowserUIImpl_h
#include "PLDHashTable.h"
#include "mozilla/ReentrancyGuard.h"
#include "nsCOMPtr.h"
#include "nsINetUtil.h"
-#include "nsISSLStatusProvider.h"
#include "nsISecureBrowserUI.h"
#include "nsISecurityEventSink.h"
#include "nsIURI.h"
#include "nsIWebProgressListener.h"
#include "nsWeakReference.h"
-class nsISSLStatus;
+class nsITransportSecurityInfo;
class nsIChannel;
#define NS_SECURE_BROWSER_UI_CID \
{ 0xcc75499a, 0x1dd1, 0x11b2, {0x8a, 0x82, 0xca, 0x41, 0x0a, 0xc9, 0x07, 0xb8}}
class nsSecureBrowserUIImpl : public nsISecureBrowserUI,
public nsIWebProgressListener,
- public nsSupportsWeakReference,
- public nsISSLStatusProvider
+ public nsSupportsWeakReference
{
friend class mozilla::ReentrancyGuard;
public:
nsSecureBrowserUIImpl();
NS_DECL_ISUPPORTS
NS_DECL_NSIWEBPROGRESSLISTENER
NS_DECL_NSISECUREBROWSERUI
- NS_DECL_NSISSLSTATUSPROVIDER
protected:
virtual ~nsSecureBrowserUIImpl() {};
nsWeakPtr mWindow;
nsWeakPtr mDocShell;
nsCOMPtr<nsINetUtil> mIOService;
nsCOMPtr<nsIURI> mCurrentURI;
@@ -82,15 +79,15 @@ protected:
void EvaluateAndUpdateSecurityState(nsIRequest* aRequest, nsISupports *info,
bool withNewLocation, bool withNewSink);
void UpdateSubrequestMembers(nsISupports* securityInfo, nsIRequest* request);
void ObtainEventSink(nsIChannel *channel,
nsCOMPtr<nsISecurityEventSink> &sink);
- nsCOMPtr<nsISSLStatus> mSSLStatus;
+ nsCOMPtr<nsITransportSecurityInfo> mSecInfo;
nsCOMPtr<nsISupports> mCurrentToplevelSecurityInfo;
PLDHashTable mTransferringRequests;
};
#endif // nsSecureBrowserUIImpl_h--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -715,18 +715,17 @@ FakeSSLStatus.prototype = {
QueryInterface: ChromeUtils.generateQI(["nsISSLStatus"]),
};
// Utility functions for adding tests relating to certificate error overrides
// Helper function for add_cert_override_test. Probably doesn't need to be
// called directly.
function add_cert_override(aHost, aExpectedBits, aSecurityInfo) {
- let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ let sslstatus = aSecurityInfo.SSLStatus;
let bits =
(sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
(sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
(sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
Assert.equal(bits, aExpectedBits,
"Actual and expected override bits should match");
let cert = sslstatus.serverCert;
@@ -744,32 +743,30 @@ function add_cert_override_test(aHost, a
aExpectedSSLStatus = undefined) {
add_connection_test(aHost, aExpectedError, null,
add_cert_override.bind(this, aHost, aExpectedBits));
add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
Assert.ok(aSecurityInfo.securityState &
Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
"Cert override flag should be set on the security state");
if (aExpectedSSLStatus) {
- let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ let sslstatus = aSecurityInfo.SSLStatus;
if (aExpectedSSLStatus.failedCertChain) {
ok(aExpectedSSLStatus.failedCertChain.equals(sslstatus.failedCertChain));
}
}
});
}
// Helper function for add_prevented_cert_override_test. This is much like
// add_cert_override except it may not be the case that the connection has an
// SSLStatus set on it. In this case, the error was not overridable anyway, so
// we consider it a success.
function attempt_adding_cert_override(aHost, aExpectedBits, aSecurityInfo) {
- let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ let sslstatus = aSecurityInfo.SSLStatus;
if (sslstatus) {
let bits =
(sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
(sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
(sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
Assert.equal(bits, aExpectedBits,
"Actual and expected override bits should match");
let cert = sslstatus.serverCert;--- a/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
@@ -5,18 +5,17 @@
"use strict";
// Tests that permanent certificate error overrides can be added even if the
// certificate/key databases are in read-only mode.
// Helper function for add_read_only_cert_override_test. Probably doesn't need
// to be called directly.
function add_read_only_cert_override(aHost, aExpectedBits, aSecurityInfo) {
- let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ let sslstatus = aSecurityInfo.SSLStatus;
let bits =
(sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
(sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
(sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
Assert.equal(bits, aExpectedBits,
"Actual and expected override bits should match");
let cert = sslstatus.serverCert;--- a/security/manager/ssl/tests/unit/test_ct.js
+++ b/security/manager/ssl/tests/unit/test_ct.js
@@ -6,18 +6,17 @@
"use strict";
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
function expectCT(value) {
return (securityInfo) => {
- let sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ let sslStatus = securityInfo.SSLStatus;
Assert.equal(sslStatus.certificateTransparencyStatus, value,
"actual and expected CT status should match");
};
}
registerCleanupFunction(() => {
Services.prefs.clearUserPref("security.pki.certificate_transparency.mode");
});--- a/security/manager/ssl/tests/unit/test_session_resumption.js
+++ b/security/manager/ssl/tests/unit/test_session_resumption.js
@@ -36,19 +36,17 @@ function add_resume_non_ev_with_override
// This connects again, using session resumption. Note that we don't clear
// the TLS session cache between these operations (that would defeat the
// purpose).
add_connection_test("expired.example.com", PRErrorCodeSuccess, null,
(transportSecurityInfo) => {
ok(transportSecurityInfo.securityState &
Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
"expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag");
- let sslStatus = transportSecurityInfo
- .QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ let sslStatus = transportSecurityInfo.SSLStatus;
ok(!sslStatus.succeededCertChain,
"ev-test.example.com should not have succeededCertChain set");
ok(!sslStatus.isDomainMismatch,
"expired.example.com should not have isDomainMismatch set");
ok(sslStatus.isNotValidAtThisTime,
"expired.example.com should have isNotValidAtThisTime set");
ok(!sslStatus.isUntrusted,
"expired.example.com should not have isUntrusted set");
@@ -63,19 +61,17 @@ function add_resume_non_ev_with_override
// build). This assumes that an appropriate OCSP responder is running or that
// good responses are cached.
function add_one_ev_test() {
add_connection_test("ev-test.example.com", PRErrorCodeSuccess, null,
(transportSecurityInfo) => {
ok(!(transportSecurityInfo.securityState &
Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN),
"ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag");
- let sslStatus = transportSecurityInfo
- .QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ let sslStatus = transportSecurityInfo.SSLStatus;
ok(sslStatus.succeededCertChain,
"ev-test.example.com should have succeededCertChain set");
ok(!sslStatus.isDomainMismatch,
"ev-test.example.com should not have isDomainMismatch set");
ok(!sslStatus.isNotValidAtThisTime,
"ev-test.example.com should not have isNotValidAtThisTime set");
ok(!sslStatus.isUntrusted,
"ev-test.example.com should not have isUntrusted set");
@@ -125,19 +121,17 @@ const GOOD_DOMAIN = "good.include-subdom
// succeed (but isn't EV) and verifies that its succeededCertChain gets set
// appropriately.
function add_one_non_ev_test() {
add_connection_test(GOOD_DOMAIN, PRErrorCodeSuccess, null,
(transportSecurityInfo) => {
ok(!(transportSecurityInfo.securityState &
Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN),
`${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag`);
- let sslStatus = transportSecurityInfo
- .QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ let sslStatus = transportSecurityInfo.SSLStatus;
ok(sslStatus.succeededCertChain,
`${GOOD_DOMAIN} should have succeededCertChain set`);
ok(!sslStatus.isDomainMismatch,
`${GOOD_DOMAIN} should not have isDomainMismatch set`);
ok(!sslStatus.isNotValidAtThisTime,
`${GOOD_DOMAIN} should not have isNotValidAtThisTime set`);
ok(!sslStatus.isUntrusted,
`${GOOD_DOMAIN} should not have isUntrusted set`);--- a/security/manager/ssl/tests/unit/test_ssl_status.js
+++ b/security/manager/ssl/tests/unit/test_ssl_status.js
@@ -15,31 +15,31 @@ function run_test() {
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
});
fakeOCSPResponder.start(8888);
// Test successful connection (failedCertChain should be null,
// succeededCertChain should be set as expected)
add_connection_test(
"good.include-subdomains.pinning.example.com", PRErrorCodeSuccess, null,
- function withSecurityInfo(aSSLStatus) {
- let sslstatus = aSSLStatus.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
+ function withSecurityInfo(aSecInfo) {
+ let sslstatus = aSecInfo.SSLStatus;
equal(sslstatus.failedCertChain, null,
"failedCertChain for a successful connection should be null");
ok(sslstatus.succeededCertChain.equals(build_cert_chain(["default-ee", "test-ca"])),
"succeededCertChain for a successful connection should be as expected");
}
);
// Test failed connection (failedCertChain should be set as expected,
// succeededCertChain should be null)
add_connection_test(
"expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE, null,
- function withSecurityInfo(aSSLStatus) {
- let sslstatus = aSSLStatus.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
+ function withSecurityInfo(aSecInfo) {
+ let sslstatus = aSecInfo.SSLStatus;
equal(sslstatus.succeededCertChain, null,
"succeededCertChain for a failed connection should be null");
ok(sslstatus.failedCertChain.equals(build_cert_chain(["expired-ee", "test-ca"])),
"failedCertChain for a failed connection should be as expected");
}
);
// Ensure the correct failed cert chain is set on cert override--- a/security/manager/tools/getHSTSPreloadList.js
+++ b/security/manager/tools/getHSTSPreloadList.js
@@ -106,18 +106,18 @@ function getHosts(rawdata) {
function processStsHeader(host, header, status, securityInfo) {
let maxAge = { value: 0 };
let includeSubdomains = { value: false };
let error = ERROR_NONE;
if (header != null && securityInfo != null) {
try {
let uri = Services.io.newURI("https://" + host.name);
- let sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
- .SSLStatus;
+ let sslStatus = securityInfo.
+ QueryInterface(Ci.nsITransportSecurityInfo).SSLStatus;
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS,
uri, header, sslStatus, 0,
Ci.nsISiteSecurityService.SOURCE_PRELOAD_LIST,
{}, maxAge, includeSubdomains);
} catch (e) {
dump("ERROR: could not process header '" + header + "' from " +
host.name + ": " + e + "\n");
error = e;--- a/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/security.py
+++ b/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/security.py
@@ -37,18 +37,17 @@ class Security(BaseLib):
"""The SSL certificate assiciated with the loaded web page in the given tab.
:param tab_element: The inner tab DOM element.
:returns: Certificate details as JSON object.
"""
cert = self.marionette.execute_script("""
var securityUI = arguments[0].linkedBrowser.securityUI;
- var status = securityUI.QueryInterface(Components.interfaces.nsISSLStatusProvider)
- .SSLStatus;
+ var status = securityUI.secInfo && securityUI.secInfo.SSLStatus;
return status ? status.serverCert : null;
""", script_args=[tab_element])
uri = self.marionette.execute_script("""
return arguments[0].linkedBrowser.currentURI.spec;
""", script_args=[tab_element])
--- a/toolkit/content/browser-child.js
+++ b/toolkit/content/browser-child.js
@@ -209,17 +209,17 @@ var WebProgressListener = {
this._send("Content:StatusChange", json, objects);
},
onSecurityChange: function onSecurityChange(aWebProgress, aRequest, aState) {
let json = this._setupJSON(aWebProgress, aRequest);
let objects = this._setupObjects(aWebProgress, aRequest);
json.state = aState;
- json.status = SecurityUI.getSSLStatusAsString();
+ json.secInfo = SecurityUI.getSecInfoAsString();
json.matchedList = null;
if (aRequest && aRequest instanceof Ci.nsIClassifiedChannel) {
json.matchedList = aRequest.matchedList;
}
this._send("Content:SecurityChange", json, objects);
},
@@ -367,25 +367,27 @@ var WebNavigation = {
stop(flags) {
this.webNavigation.stop(flags);
}
};
WebNavigation.init();
var SecurityUI = {
- getSSLStatusAsString() {
- let status = docShell.securityUI.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
+ getSecInfoAsString() {
+ let secInfo = docShell.securityUI.secInfo;
- if (status) {
- let helper = Cc["@mozilla.org/network/serialization-helper;1"]
- .getService(Ci.nsISerializationHelper);
+ if (secInfo) {
+ if (secInfo) {
+ let helper = Cc["@mozilla.org/network/serialization-helper;1"]
+ .getService(Ci.nsISerializationHelper);
- status.QueryInterface(Ci.nsISerializable);
- return helper.serializeToString(status);
+ secInfo.QueryInterface(Ci.nsISerializable);
+ return helper.serializeToString(secInfo);
+ }
}
return null;
}
};
var ControllerCommands = {
init() {--- a/toolkit/modules/CertUtils.jsm
+++ b/toolkit/modules/CertUtils.jsm
@@ -138,17 +138,17 @@ function checkCert(aChannel, aAllowNonBu
// Require https if there are certificate values to verify
if (aCerts) {
throw new Ce("SSL is required and URI scheme is not https.",
Cr.NS_ERROR_UNEXPECTED);
}
return;
}
- let sslStatus = aChannel.securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
+ let sslStatus = aChannel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
.SSLStatus;
let cert = sslStatus.serverCert;
validateCert(cert, aCerts);
if (aAllowNonBuiltInCerts === true) {
return;
}--- a/toolkit/modules/RemoteSecurityUI.jsm
+++ b/toolkit/modules/RemoteSecurityUI.jsm
@@ -3,27 +3,25 @@
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
var EXPORTED_SYMBOLS = ["RemoteSecurityUI"];
ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm");
function RemoteSecurityUI() {
- this._SSLStatus = null;
+ this._secInfo = null;
this._state = 0;
}
RemoteSecurityUI.prototype = {
- QueryInterface: ChromeUtils.generateQI([Ci.nsISSLStatusProvider, Ci.nsISecureBrowserUI]),
-
- // nsISSLStatusProvider
- get SSLStatus() { return this._SSLStatus; },
+ QueryInterface: ChromeUtils.generateQI([Ci.nsISecureBrowserUI]),
// nsISecureBrowserUI
get state() { return this._state; },
get tooltipText() { return ""; },
+ get secInfo() { return this._secInfo; },
- _update(aStatus, aState) {
- this._SSLStatus = aStatus;
+ _update(aSecInfo, aState) {
+ this._secInfo = aSecInfo;
this._state = aState;
}
};--- a/toolkit/modules/RemoteWebProgress.jsm
+++ b/toolkit/modules/RemoteWebProgress.jsm
@@ -105,24 +105,24 @@ RemoteWebProgressManager.prototype = {
});
},
removeProgressListener(aListener) {
this._progressListeners =
this._progressListeners.filter(l => l.listener != aListener);
},
- _fixSSLStatusAndState(aStatus, aState) {
+ _fixSecInfoAndState(aSecInfo, aState) {
let deserialized = null;
- if (aStatus) {
+ if (aSecInfo) {
let helper = Cc["@mozilla.org/network/serialization-helper;1"]
.getService(Ci.nsISerializationHelper);
- deserialized = helper.deserializeObject(aStatus);
- deserialized.QueryInterface(Ci.nsISSLStatus);
+ deserialized = helper.deserializeObject(aSecInfo);
+ deserialized.QueryInterface(Ci.nsITransportSecurityInfo);
}
return [deserialized, aState];
},
setCurrentURI(aURI) {
// This function is simpler than nsDocShell::SetCurrentURI since
// it doesn't have to deal with child docshells.
@@ -236,24 +236,24 @@ RemoteWebProgressManager.prototype = {
this._callProgressListeners(
Ci.nsIWebProgress.NOTIFY_LOCATION, "onLocationChange", webProgress,
request, location, flags
);
break;
case "Content:SecurityChange":
- let [status, state] = this._fixSSLStatusAndState(json.status, json.state);
+ let [secInfo, state] = this._fixSecInfoAndState(json.secInfo, json.state);
if (isTopLevel) {
// Invoking this getter triggers the generation of the underlying object,
// which we need to access with ._securityUI, because .securityUI returns
// a wrapper that makes _update inaccessible.
void this._browser.securityUI;
- this._browser._securityUI._update(status, state);
+ this._browser._securityUI._update(secInfo, state);
}
this._callProgressListeners(
Ci.nsIWebProgress.NOTIFY_SECURITY, "onSecurityChange", webProgress,
request, state
);
break;
--- a/toolkit/modules/addons/SecurityInfo.jsm
+++ b/toolkit/modules/addons/SecurityInfo.jsm
@@ -89,17 +89,16 @@ const SecurityInfo = {
*/
let securityInfo = channel.securityInfo;
if (!securityInfo) {
return info;
}
securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
- securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
const SSLStatus = securityInfo.SSLStatus;
if (NSSErrorsService.isNSSErrorCode(securityInfo.errorCode)) {
// The connection failed.
info.state = "broken";
info.errorMessage = securityInfo.errorMessage;
if (options.certificateChain && SSLStatus.failedCertChain) {
info.certificates = this.getCertificateChain(SSLStatus.failedCertChain, options);--- a/toolkit/modules/tests/chrome/test_bug544442_checkCert.xul
+++ b/toolkit/modules/tests/chrome/test_bug544442_checkCert.xul
@@ -82,17 +82,17 @@ function testXHRLoad(aEvent) {
"attribute that does not exist on the certificate");
certs = [ { issuerName: "Incorrect issuerName" } ];
is(getCheckCertResult(channel, false, certs), Cr.NS_ERROR_ILLEGAL_VALUE,
"checkCert should throw NS_ERROR_ILLEGAL_VALUE when the certificate " +
"attributes array passed to checkCert has an element that has an " +
"issuerName that is not the same as the certificate's");
- var cert = channel.securityInfo.QueryInterface(Ci.nsISSLStatusProvider).
+ var cert = channel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo).
SSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert;
certs = [ { issuerName: cert.issuerName,
commonName: cert.commonName } ];
is(getCheckCertResult(channel, false, certs), Cr.NS_ERROR_ABORT,
"checkCert should throw NS_ERROR_ABORT when the certificate attributes " +
"array passed to checkCert has a single element that has the same " +
"issuerName and commonName as the certificate's and the certificate is " +--- a/toolkit/mozapps/update/nsUpdateService.js
+++ b/toolkit/mozapps/update/nsUpdateService.js
@@ -3110,17 +3110,17 @@ Checker.prototype = {
onError: function UC_onError(event) {
var request = event.target;
var status = this._getChannelStatus(request);
LOG("Checker:onError - request.status: " + status);
// Set MitM pref.
try {
var sslStatus = request.channel.QueryInterface(Ci.nsIRequest)
- .securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
+ .securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
.SSLStatus.QueryInterface(Ci.nsISSLStatus);
if (sslStatus && sslStatus.serverCert && sslStatus.serverCert.issuerName) {
Services.prefs.setStringPref("security.pki.mitm_canary_issuer",
sslStatus.serverCert.issuerName);
}
} catch (e) {
LOG("Checker:onError - Getting sslStatus failed.");
}