Commit 3d651bb9 authored by Sean Feng's avatar Sean Feng
Browse files

Bug 1578534 - Change nsIX509CertDB.constructX509 to take Array<uint8_t> r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D44730

--HG--
extra : moz-landing-system : lando
parent a2de02dc
......@@ -251,9 +251,13 @@ var Policies = {
return;
}
let certFile = reader.result;
let certFileArray = [];
for (let i = 0; i < certFile.length; i++) {
certFileArray.push(certFile.charCodeAt(i));
}
let cert;
try {
cert = gCertDB.constructX509(certFile);
cert = gCertDB.constructX509(certFileArray);
} catch (e) {
try {
// It might be PEM instead of DER.
......
......@@ -833,11 +833,12 @@ nsresult BackgroundFileSaver::ExtractSignatureInfo(const nsAString& filePath) {
continue;
}
nsCOMPtr<nsIX509Cert> nssCert = nullptr;
nsDependentCSubstring certDER(
reinterpret_cast<char*>(
certChainElement->pCertContext->pbCertEncoded),
nsTArray<uint8_t> certByte;
certByte.AppendElements(
certChainElement->pCertContext->pbCertEncoded,
certChainElement->pCertContext->cbCertEncoded);
rv = certDB->ConstructX509(certDER, getter_AddRefs(nssCert));
rv = certDB->ConstructX509(certByte, getter_AddRefs(nssCert));
if (!nssCert) {
extractionSuccess = false;
LOG(("Couldn't create NSS cert [this = %p]", this));
......
......@@ -394,10 +394,10 @@ nsresult TLSServerConnectionInfo::HandshakeCallback(PRFileDesc* aFD) {
}
nsCOMPtr<nsIX509Cert> clientCertPSM;
nsDependentCSubstring certDER(
reinterpret_cast<char*>(clientCert->derCert.data),
clientCert->derCert.len);
rv = certDB->ConstructX509(certDER, getter_AddRefs(clientCertPSM));
nsTArray<uint8_t> clientCertBytes;
clientCertBytes.AppendElements(clientCert->derCert.data,
clientCert->derCert.len);
rv = certDB->ConstructX509(clientCertBytes, getter_AddRefs(clientCertPSM));
if (NS_FAILED(rv)) {
return rv;
}
......
......@@ -223,7 +223,7 @@ interface nsIX509CertDB : nsISupports {
* @return The new certificate object.
*/
[must_use]
nsIX509Cert constructX509(in ACString certDER);
nsIX509Cert constructX509(in Array<uint8_t> certDER);
/**
* Verifies the signature on the given JAR file to verify that it has a
......
......@@ -842,21 +842,31 @@ nsNSSCertificateDB::ConstructX509FromBase64(const nsACString& base64,
return rv;
}
return ConstructX509(certDER, _retval);
return ConstructX509FromSpan(AsBytes(MakeSpan(certDER)), _retval);
}
NS_IMETHODIMP
nsNSSCertificateDB::ConstructX509(const nsACString& certDER,
nsNSSCertificateDB::ConstructX509(const nsTArray<uint8_t>& certDER,
nsIX509Cert** _retval) {
return ConstructX509FromSpan(MakeSpan(certDER.Elements(), certDER.Length()),
_retval);
}
nsresult nsNSSCertificateDB::ConstructX509FromSpan(
Span<const uint8_t> aInputSpan, nsIX509Cert** _retval) {
if (NS_WARN_IF(!_retval)) {
return NS_ERROR_INVALID_POINTER;
}
if (aInputSpan.Length() > std::numeric_limits<unsigned int>::max()) {
return NS_ERROR_ILLEGAL_VALUE;
}
SECItem certData;
certData.type = siDERCertBuffer;
certData.data =
BitwiseCast<unsigned char*, const char*>(certDER.BeginReading());
certData.len = certDER.Length();
certData.data = const_cast<unsigned char*>(
reinterpret_cast<const unsigned char*>(aInputSpan.Elements()));
certData.len = aInputSpan.Length();
UniqueCERTCertificate cert(CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &certData, nullptr, false, true));
......@@ -1002,7 +1012,8 @@ nsNSSCertificateDB::AddCert(const nsACString& aCertDER,
}
nsCOMPtr<nsIX509Cert> newCert;
nsresult rv = ConstructX509(aCertDER, getter_AddRefs(newCert));
nsresult rv = ConstructX509FromSpan(AsBytes(MakeSpan(aCertDER)),
getter_AddRefs(newCert));
if (NS_FAILED(rv)) {
return rv;
}
......
......@@ -53,6 +53,8 @@ class nsNSSCertificateDB final : public nsIX509CertDB
uint8_t* data, uint32_t length);
nsresult handleCACertDownload(mozilla::NotNull<nsIArray*> x509Certs,
nsIInterfaceRequestor* ctx);
nsresult ConstructX509FromSpan(const mozilla::Span<const uint8_t> aInputSpan,
nsIX509Cert** _retval);
};
#define NS_X509CERTDB_CID \
......
......@@ -206,7 +206,7 @@ function constructCertFromFile(filename) {
Ci.nsIX509CertDB
);
try {
return certdb.constructX509(certBytes);
return certdb.constructX509(stringToArray(certBytes));
} catch (e) {}
// It might be PEM instead of DER.
return certdb.constructX509FromBase64(pemToBase64(certBytes));
......
......@@ -118,7 +118,7 @@ function testUTF8InField(field, replacementPrefix, certificateBytesToAlter) {
"should have enough ASCII replacements to make a unique issuer DN"
);
gUniqueIssuerCounter++;
let cert = gCertDB.constructX509(bytes);
let cert = gCertDB.constructX509(stringToArray(bytes));
notEqual(cert[field], null, `accessing nsIX509Cert.${field} shouldn't fail`);
notEqual(
cert.ASN1Structure,
......
......@@ -38,14 +38,6 @@ async function check_no_enterprise_roots_imported(
}
}
function der_array_to_string(derArray) {
let derString = "";
for (let b of derArray) {
derString += String.fromCharCode(b);
}
return derString;
}
async function check_some_enterprise_roots_imported(nssComponent, certDB) {
let enterpriseRoots = nssComponent.getEnterpriseRoots();
notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
......@@ -57,7 +49,7 @@ async function check_some_enterprise_roots_imported(nssComponent, certDB) {
let foundNonBuiltIn = false;
let savedDBKey = null;
for (let certDer of enterpriseRoots) {
let cert = certDB.constructX509(der_array_to_string(certDer));
let cert = certDB.constructX509(certDer);
notEqual(cert, null, "should be able to decode cert from DER");
if (!cert.isBuiltInRoot && !savedDBKey) {
foundNonBuiltIn = true;
......
......@@ -1191,19 +1191,19 @@ nsresult PendingLookup::GenerateWhitelistStringsForChain(
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIX509Cert> signer;
nsDependentCSubstring signerDER(
const_cast<char*>(aChain.element(0).certificate().data()),
aChain.element(0).certificate().size());
rv = certDB->ConstructX509(signerDER, getter_AddRefs(signer));
nsTArray<uint8_t> signerBytes;
signerBytes.AppendElements(aChain.element(0).certificate().data(),
aChain.element(0).certificate().size());
rv = certDB->ConstructX509(signerBytes, getter_AddRefs(signer));
NS_ENSURE_SUCCESS(rv, rv);
for (int i = 1; i < aChain.element_size(); ++i) {
// Get the issuer.
nsCOMPtr<nsIX509Cert> issuer;
nsDependentCSubstring issuerDER(
const_cast<char*>(aChain.element(i).certificate().data()),
aChain.element(i).certificate().size());
rv = certDB->ConstructX509(issuerDER, getter_AddRefs(issuer));
nsTArray<uint8_t> issuerBytes;
issuerBytes.AppendElements(aChain.element(i).certificate().data(),
aChain.element(i).certificate().size());
rv = certDB->ConstructX509(issuerBytes, getter_AddRefs(issuer));
NS_ENSURE_SUCCESS(rv, rv);
rv = GenerateWhitelistStringsForPair(signer, issuer);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment