Bug 1260643 - Convert most uses of ScopedCERTCertificate in PSM to UniqueCERTCertificate. r=keeler

MozReview-Commit-ID: JnjoUd7d2M0 --HG-- extra : transplant_source : %99x%B6%F5%09%97%E6%60%B6%3C%3C%C2%D5vt%27%0C-%96%1B
2024-11-24 21:31:04 +00:00 · 2016-04-20 01:14:22 -07:00 · 2016-04-20 01:14:22 -07:00 · 372fe1a598
commit 372fe1a598
parent debbccb785
25 changed files with 152 additions and 152 deletions
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@ -165,8 +165,8 @@ AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot)
      return SECFailure;
  }

-  mTrustedRoot = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-                                         &trustedDER, nullptr, false, true);
+  mTrustedRoot.reset(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+                                             &trustedDER, nullptr, false, true));
  if (!mTrustedRoot) {
    return SECFailure;
  }
@ -244,7 +244,7 @@ AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
  // expose it in any other easy-to-use fashion.
  SECItem candidateCertDERSECItem =
    UnsafeMapInputToSECItem(candidateCertDER);
-  ScopedCERTCertificate candidateCert(
+  UniqueCERTCertificate candidateCert(
    CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem,
                            nullptr, false, true));
  if (!candidateCert) {
--- a/security/apps/AppTrustDomain.h
+++ b/security/apps/AppTrustDomain.h
@ -69,7 +69,7 @@ public:
 private:
  /*out*/ ScopedCERTCertList& mCertChain;
  void* mPinArg; // non-owning!
-  ScopedCERTCertificate mTrustedRoot;
+  UniqueCERTCertificate mTrustedRoot;
  unsigned int mMinRSABits;

  static StaticMutex sMutex;
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@ -645,7 +645,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
 }

 SECStatus
-CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
+CertVerifier::VerifySSLServerCert(const UniqueCERTCertificate& peerCert,
                     /*optional*/ const SECItem* stapledOCSPResponse,
                                  Time time,
                     /*optional*/ void* pinarg,
@ -675,9 +675,10 @@ CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,

  // CreateCertErrorRunnable assumes that CheckCertHostname is only called
  // if VerifyCert succeeded.
-  SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg,
-                            hostname, builtChain, flags, stapledOCSPResponse,
-                            evOidPolicy, ocspStaplingStatus, keySizeStatus,
+  SECStatus rv = VerifyCert(peerCert.get(), certificateUsageSSLServer, time,
+                            pinarg, hostname, builtChain, flags,
+                            stapledOCSPResponse, evOidPolicy,
+                            ocspStaplingStatus, keySizeStatus,
                            sha1ModeResult, pinningTelemetryInfo);
  if (rv != SECSuccess) {
    return rv;
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@ -84,7 +84,7 @@ public:
      /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr);

  SECStatus VerifySSLServerCert(
-                    CERTCertificate* peerCert,
+                    const UniqueCERTCertificate& peerCert,
       /*optional*/ const SECItem* stapledOCSPResponse,
                    mozilla::pkix::Time time,
       /*optional*/ void* pinarg,
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@ -179,7 +179,7 @@ NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
  // performance problem because NSS will just find the existing
  // CERTCertificate in its in-memory cache and return it.
  SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER);
-  ScopedCERTCertificate candidateCert(
+  UniqueCERTCertificate candidateCert(
    CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem,
                            nullptr, false, true));
  if (!candidateCert) {
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@ -348,7 +348,8 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
 }

 SECStatus
-DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
+DetermineCertOverrideErrors(const UniqueCERTCertificate& cert,
+                            const char* hostName,
                            PRTime now, PRErrorCode defaultErrorCodeToReport,
                            /*out*/ uint32_t& collectedErrors,
                            /*out*/ PRErrorCode& errorCodeTrust,
@ -378,7 +379,8 @@ DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
      collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
      errorCodeTrust = defaultErrorCodeToReport;

-      SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert, now, false);
+      SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert.get(), now,
+                                                              false);
      if (validity == secCertTimeUndetermined) {
        // This only happens if cert is null. CERT_CheckCertValidTimes will
        // have set the error code to SEC_ERROR_INVALID_ARGS. We should really
@ -638,7 +640,7 @@ CertErrorRunnable*
 CreateCertErrorRunnable(CertVerifier& certVerifier,
                        PRErrorCode defaultErrorCodeToReport,
                        nsNSSSocketInfo* infoObject,
-                        CERTCertificate* cert,
+                        const UniqueCERTCertificate& cert,
                        const void* fdForLogging,
                        uint32_t providerFlags,
                        PRTime now)
@ -667,7 +669,7 @@ CreateCertErrorRunnable(CertVerifier& certVerifier,
    return nullptr;
  }

-  RefPtr<nsNSSCertificate> nssCert(nsNSSCertificate::Create(cert));
+  RefPtr<nsNSSCertificate> nssCert(nsNSSCertificate::Create(cert.get()));
  if (!nssCert) {
    NS_ERROR("nsNSSCertificate::Create failed");
    PR_SetError(SEC_ERROR_NO_MEMORY, 0);
@ -731,7 +733,7 @@ public:
  static SECStatus Dispatch(const RefPtr<SharedCertVerifier>& certVerifier,
                            const void* fdForLogging,
                            nsNSSSocketInfo* infoObject,
-                            CERTCertificate* serverCert,
+                            const UniqueCERTCertificate& serverCert,
                            ScopedCERTCertList& peerCertChain,
                            SECItem* stapledOCSPResponse,
                            uint32_t providerFlags,
@ -744,7 +746,7 @@ private:
  SSLServerCertVerificationJob(const RefPtr<SharedCertVerifier>& certVerifier,
                               const void* fdForLogging,
                               nsNSSSocketInfo* infoObject,
-                               CERTCertificate* cert,
+                               const UniqueCERTCertificate& cert,
                               CERTCertList* peerCertChain,
                               SECItem* stapledOCSPResponse,
                               uint32_t providerFlags,
@ -753,7 +755,7 @@ private:
  const RefPtr<SharedCertVerifier> mCertVerifier;
  const void* const mFdForLogging;
  const RefPtr<nsNSSSocketInfo> mInfoObject;
-  const ScopedCERTCertificate mCert;
+  const UniqueCERTCertificate mCert;
  ScopedCERTCertList mPeerCertChain;
  const uint32_t mProviderFlags;
  const Time mTime;
@ -764,13 +766,13 @@ private:

 SSLServerCertVerificationJob::SSLServerCertVerificationJob(
    const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
-    nsNSSSocketInfo* infoObject, CERTCertificate* cert,
+    nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& cert,
    CERTCertList* peerCertChain, SECItem* stapledOCSPResponse,
    uint32_t providerFlags, Time time, PRTime prtime)
  : mCertVerifier(certVerifier)
  , mFdForLogging(fdForLogging)
  , mInfoObject(infoObject)
-  , mCert(CERT_DupCertificate(cert))
+  , mCert(CERT_DupCertificate(cert.get()))
  , mPeerCertChain(peerCertChain)
  , mProviderFlags(providerFlags)
  , mTime(time)
@ -793,7 +795,7 @@ SSLServerCertVerificationJob::SSLServerCertVerificationJob(
 // in order to support SPDY's cross-origin connection pooling.
 static SECStatus
 BlockServerCertChangeForSpdy(nsNSSSocketInfo* infoObject,
-                             CERTCertificate* serverCert)
+                             const UniqueCERTCertificate& serverCert)
 {
  // Get the existing cert. If there isn't one, then there is
  // no cert change to worry about.
@ -833,9 +835,9 @@ BlockServerCertChangeForSpdy(nsNSSSocketInfo* infoObject,
  }

  // Check to see if the cert has actually changed
-  ScopedCERTCertificate c(cert->GetCert());
+  UniqueCERTCertificate c(cert->GetCert());
  NS_ASSERTION(c, "very bad and hopefully impossible state");
-  bool sameCert = CERT_CompareCerts(c, serverCert);
+  bool sameCert = CERT_CompareCerts(c.get(), serverCert.get());
  if (sameCert) {
    return SECSuccess;
  }
@ -1215,7 +1217,7 @@ GatherSuccessfulValidationTelemetry(const ScopedCERTCertList& certList)
 SECStatus
 AuthCertificate(CertVerifier& certVerifier,
                nsNSSSocketInfo* infoObject,
-                CERTCertificate* cert,
+                const UniqueCERTCertificate& cert,
                ScopedCERTCertList& peerCertChain,
                SECItem* stapledOCSPResponse,
                uint32_t providerFlags,
@ -1293,10 +1295,10 @@ AuthCertificate(CertVerifier& certVerifier,

  if (!status || !status->HasServerCert()) {
    if( rv == SECSuccess ){
-      nsc = nsNSSCertificate::Create(cert, &evOidPolicy);
+      nsc = nsNSSCertificate::Create(cert.get(), &evOidPolicy);
    }
    else {
-      nsc = nsNSSCertificate::Create(cert);
+      nsc = nsNSSCertificate::Create(cert.get());
    }
  }

@ -1353,7 +1355,7 @@ SSLServerCertVerificationJob::Dispatch(
  const RefPtr<SharedCertVerifier>& certVerifier,
  const void* fdForLogging,
  nsNSSSocketInfo* infoObject,
-  CERTCertificate* serverCert,
+  const UniqueCERTCertificate& serverCert,
  ScopedCERTCertList& peerCertChain,
  SECItem* stapledOCSPResponse,
  uint32_t providerFlags,
@ -1427,7 +1429,7 @@ SSLServerCertVerificationJob::Run()
    // Reset the error code here so we can detect if AuthCertificate fails to
    // set the error code if/when it fails.
    PR_SetError(0, 0);
-    SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert.get(),
+    SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert,
                                   mPeerCertChain, mStapledOCSPResponse,
                                   mProviderFlags, mTime);
    if (rv == SECSuccess) {
@ -1450,9 +1452,8 @@ SSLServerCertVerificationJob::Run()
    }
    if (error != 0) {
      RefPtr<CertErrorRunnable> runnable(
-          CreateCertErrorRunnable(*mCertVerifier, error, mInfoObject,
-                                  mCert.get(), mFdForLogging, mProviderFlags,
-                                  mPRTime));
+          CreateCertErrorRunnable(*mCertVerifier, error, mInfoObject, mCert,
+                                  mFdForLogging, mProviderFlags, mPRTime));
      if (!runnable) {
        // CreateCertErrorRunnable set a new error code
        error = PR_GetError();
@ -1523,7 +1524,7 @@ AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig, PRBool isServer)

  nsNSSSocketInfo* socketInfo = static_cast<nsNSSSocketInfo*>(arg);

-  ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
+  UniqueCERTCertificate serverCert(SSL_PeerCertificate(fd));

  if (!checkSig || isServer || !socketInfo || !serverCert) {
      PR_SetError(PR_INVALID_STATE_ERROR, 0);
--- a/security/manager/ssl/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/TransportSecurityInfo.cpp
@ -719,7 +719,7 @@ AppendErrorTextMismatch(const nsString& host, nsIX509Cert* ix509,
  }
  notValidForHostnameString.Append('\n');

-  ScopedCERTCertificate nssCert(ix509->GetCert());
+  UniqueCERTCertificate nssCert(ix509->GetCert());
  if (!nssCert) {
    returnedMessage.Append(notValidForHostnameString);
    return NS_OK;
--- a/security/manager/ssl/nsCertOverrideService.cpp
+++ b/security/manager/ssl/nsCertOverrideService.cpp
@ -348,8 +348,7 @@ GetCertFingerprintByOidTag(nsIX509Cert *aCert,
                           SECOidTag aOidTag, 
                           nsCString &fp)
 {
-
-  ScopedCERTCertificate nsscert(aCert->GetCert());
+  UniqueCERTCertificate nsscert(aCert->GetCert());
  if (!nsscert) {
    return NS_ERROR_FAILURE;
  }
@ -369,7 +368,7 @@ nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
  if (aPort < -1)
    return NS_ERROR_INVALID_ARG;

-  ScopedCERTCertificate nsscert(aCert->GetCert());
+  UniqueCERTCertificate nsscert(aCert->GetCert());
  if (!nsscert) {
    return NS_ERROR_FAILURE;
  }
--- a/security/manager/ssl/nsCertTree.cpp
+++ b/security/manager/ssl/nsCertTree.cpp
@ -4,6 +4,7 @@

 #include "nsCertTree.h"

+#include "ScopedNSSTypes.h"
 #include "mozilla/Logging.h"
 #include "nsArray.h"
 #include "nsArrayUtils.h"
@ -791,12 +792,12 @@ nsCertTree::DeleteEntryObject(uint32_t index)
            // although there are still overrides stored,
            // so, we keep the cert, but remove the trust

-            ScopedCERTCertificate nsscert(cert->GetCert());
+            UniqueCERTCertificate nsscert(cert->GetCert());

            if (nsscert) {
              CERTCertTrust trust;
              memset((void*)&trust, 0, sizeof(trust));
-            
+
              SECStatus srv = CERT_DecodeTrustString(&trust, ""); // no override 
              if (srv == SECSuccess) {
                CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert.get(),
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@ -23,6 +23,7 @@
 #include "nsProxyRelease.h"
 #include "pkix/pkixtypes.h"
 #include "PSMRunnable.h"
+#include "ScopedNSSTypes.h"
 #include "SharedSSLState.h"
 #include "ssl.h"
 #include "sslproto.h"
@ -1229,7 +1230,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
           ("HandshakeCallback KEEPING existing cert\n"));
  } else {
-    ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
+    UniqueCERTCertificate serverCert(SSL_PeerCertificate(fd));
    RefPtr<nsNSSCertificate> nssc(nsNSSCertificate::Create(serverCert.get()));
    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
           ("HandshakeCallback using NEW cert %p\n", nssc.get()));
--- a/security/manager/ssl/nsNSSCertificate.cpp
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@ -118,7 +118,7 @@ nsNSSCertificate::InitFromDER(char* certDER, int derLen)
    aCert->dbhandle = CERT_GetDefaultCertDB();
  }

-  mCert = aCert;
+  mCert.reset(aCert);
  return true;
 }

@ -139,7 +139,7 @@ nsNSSCertificate::nsNSSCertificate(CERTCertificate* cert,
    return;

  if (cert) {
-    mCert = CERT_DupCertificate(cert);
+    mCert.reset(CERT_DupCertificate(cert));
    if (evOidPolicy) {
      if (*evOidPolicy == SEC_OID_UNKNOWN) {
        mCachedEVStatus =  ev_status_invalid;
@ -227,7 +227,7 @@ nsNSSCertificate::GetIsBuiltInRoot(bool* aIsBuiltInRoot)
  if (isAlreadyShutDown()) {
    return NS_ERROR_NOT_AVAILABLE;
  }
-  pkix::Result rv = IsCertBuiltInRoot(mCert, *aIsBuiltInRoot);
+  pkix::Result rv = IsCertBuiltInRoot(mCert.get(), *aIsBuiltInRoot);
  if (rv != pkix::Result::Success) {
    return NS_ERROR_FAILURE;
  }
@ -515,7 +515,7 @@ nsNSSCertificate::GetDbKey(nsACString& aDbKey)
 }

 nsresult
-nsNSSCertificate::GetDbKey(CERTCertificate* cert, nsACString& aDbKey)
+nsNSSCertificate::GetDbKey(const UniqueCERTCertificate& cert, nsACString& aDbKey)
 {
  static_assert(sizeof(uint64_t) == 8, "type size sanity check");
  static_assert(sizeof(uint32_t) == 4, "type size sanity check");
@ -1176,15 +1176,15 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
  // in the SignedData).
  if (chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChain ||
      chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChainWithRoot) {
-    ScopedCERTCertificate issuerCert(
-        CERT_FindCertIssuer(mCert.get(), PR_Now(), certUsageAnyCA));
+    UniqueCERTCertificate issuerCert(
+      CERT_FindCertIssuer(mCert.get(), PR_Now(), certUsageAnyCA));
    // the issuerCert of a self signed root is the cert itself,
    // so make sure we're not adding duplicates, again
-    if (issuerCert && issuerCert != mCert.get()) {
+    if (issuerCert && issuerCert != mCert) {
      bool includeRoot =
        (chainMode == nsIX509Cert::CMS_CHAIN_MODE_CertChainWithRoot);
      UniqueCERTCertificateList certChain(
-          CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot));
+        CERT_CertChainFromCert(issuerCert.get(), certUsageAnyCA, includeRoot));
      if (certChain) {
        if (NSS_CMSSignedData_AddCertList(sigd.get(), certChain.get())
              == SECSuccess) {
@ -1198,9 +1198,9 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
      }
      else {
        // try to add the issuerCert, at least
-        if (NSS_CMSSignedData_AddCertificate(sigd.get(), issuerCert)
-            == SECSuccess) {
-          issuerCert.forget();
+        if (NSS_CMSSignedData_AddCertificate(sigd.get(), issuerCert.get())
+              == SECSuccess) {
+          Unused << issuerCert.release();
        }
        else {
          MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
@ -1380,7 +1380,7 @@ nsNSSCertificate::Equals(nsIX509Cert* other, bool* result)
  NS_ENSURE_ARG(other);
  NS_ENSURE_ARG(result);

-  ScopedCERTCertificate cert(other->GetCert());
+  UniqueCERTCertificate cert(other->GetCert());
  *result = (mCert.get() == cert.get());
  return NS_OK;
 }
@ -1490,17 +1490,17 @@ ConstructCERTCertListFromReversedDERArray(
  size_t numCerts = certArray.GetLength();
  for (size_t i = 0; i < numCerts; ++i) {
    SECItem certDER(UnsafeMapInputToSECItem(*certArray.GetDER(i)));
-    ScopedCERTCertificate cert(CERT_NewTempCertificate(certDB, &certDER,
+    UniqueCERTCertificate cert(CERT_NewTempCertificate(certDB, &certDER,
                                                       nullptr, false, true));
    if (!cert) {
      return SECFailure;
    }
    // certArray is ordered with the root first, but we want the resulting
    // certList to have the root last.
-    if (CERT_AddCertToListHead(certList, cert) != SECSuccess) {
+    if (CERT_AddCertToListHead(certList.get(), cert.get()) != SECSuccess) {
      return SECFailure;
    }
-    cert.forget(); // cert is now owned by certList.
+    Unused << cert.release(); // cert is now owned by certList.
  }

  return SECSuccess;
--- a/security/manager/ssl/nsNSSCertificate.h
+++ b/security/manager/ssl/nsNSSCertificate.h
@ -55,12 +55,13 @@ public:

  // This is a separate static method so nsNSSComponent can use it during NSS
  // initialization. Other code should probably not use it.
-  static nsresult GetDbKey(CERTCertificate* cert, nsACString& aDbKey);
+  static nsresult GetDbKey(const mozilla::UniqueCERTCertificate& cert,
+                           nsACString& aDbKey);

 private:
  virtual ~nsNSSCertificate();

-  mozilla::ScopedCERTCertificate mCert;
+  mozilla::UniqueCERTCertificate mCert;
  bool             mPermDelete;
  uint32_t         mCertType;
  nsresult CreateASN1Struct(nsIASN1Object** aRetVal);
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@ -102,14 +102,13 @@ nsNSSCertificateDB::FindCertByNickname(const nsAString& nickname,
  if (isAlreadyShutDown()) {
    return NS_ERROR_NOT_AVAILABLE;
  }
-  ScopedCERTCertificate cert;
  char *asciiname = nullptr;
  NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname);
  asciiname = const_cast<char*>(aUtf8Nickname.get());
  MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting \"%s\"\n", asciiname));
-  cert = PK11_FindCertFromNickname(asciiname, nullptr);
+  UniqueCERTCertificate cert(PK11_FindCertFromNickname(asciiname, nullptr));
  if (!cert) {
-    cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname);
+    cert.reset(CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname));
  }
  if (cert) {
    MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("got it\n"));
@ -344,15 +343,14 @@ nsNSSCertificateDB::handleCACertDownload(nsIArray *x509Certs,

  MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Creating temp cert\n"));
  CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-  ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
+  UniqueCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
  if (!tmpCert) {
-    tmpCert = CERT_NewTempCertificate(certdb, &der,
-                                      nullptr, false, true);
+    tmpCert.reset(CERT_NewTempCertificate(certdb, &der, nullptr, false, true));
  }
  free(der.data);
  der.data = nullptr;
  der.len = 0;
-  
+
  if (!tmpCert) {
    NS_ERROR("Couldn't create cert from DER blob");
    return NS_ERROR_FAILURE;
@ -819,7 +817,7 @@ nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
  if (isAlreadyShutDown()) {
    return NS_ERROR_NOT_AVAILABLE;
  }
-  ScopedCERTCertificate cert(aCert->GetCert());
+  UniqueCERTCertificate cert(aCert->GetCert());
  if (!cert) {
    return NS_ERROR_FAILURE;
  }
@ -860,7 +858,7 @@ nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
  }
  nsNSSCertTrust trust;
  nsresult rv;
-  ScopedCERTCertificate nsscert(cert->GetCert());
+  UniqueCERTCertificate nsscert(cert->GetCert());

  rv = attemptToLogInWithDefaultPassword();
  if (NS_WARN_IF(rv != NS_OK)) {
@ -912,7 +910,7 @@ nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
    return NS_ERROR_NOT_AVAILABLE;
  }
  SECStatus srv;
-  ScopedCERTCertificate nsscert(cert->GetCert());
+  UniqueCERTCertificate nsscert(cert->GetCert());
  CERTCertTrust nsstrust;
  srv = CERT_GetCertTrust(nsscert.get(), &nsstrust);
  if (srv != SECSuccess)
@ -1079,7 +1077,7 @@ nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString& aNickname,
  asciiname = const_cast<char*>(aUtf8Nickname.get());

  /* Find a good cert in the user's database */
-  ScopedCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
+  UniqueCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
                                                      asciiname,
                                                      certUsageEmailRecipient,
                                                      true, ctx));
@ -1116,7 +1114,7 @@ nsNSSCertificateDB::FindEmailSigningCert(const nsAString& aNickname,
  asciiname = const_cast<char*>(aUtf8Nickname.get());

  /* Find a good cert in the user's database */
-  ScopedCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
+  UniqueCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
                                                      asciiname,
                                                      certUsageEmailSigner,
                                                      true, ctx));
@ -1243,7 +1241,7 @@ nsNSSCertificateDB::ConstructX509(const char* certDER,
  secitem_cert.data = (unsigned char*)certDER;
  secitem_cert.len = lengthDER;

-  ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+  UniqueCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                                     &secitem_cert, nullptr,
                                                     false, true));
  if (!cert)
@ -1337,18 +1335,17 @@ nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert,
      PR_smprintf_free(tmp);
    }

-    ScopedCERTCertificate dummycert;
+    UniqueCERTCertificate dummycert;

    if (PK11_IsInternal(slot)) {
      /* look up the nickname to make sure it isn't in use already */
-      dummycert = CERT_FindCertByNickname(defaultcertdb, nickname.get());
-
+      dummycert.reset(CERT_FindCertByNickname(defaultcertdb, nickname.get()));
    } else {
      /*
       * Check the cert against others that already live on the smart 
       * card.
       */
-      dummycert = PK11_FindCertFromNickname(nickname.get(), ctx);
+      dummycert.reset(PK11_FindCertFromNickname(nickname.get(), ctx));
      if (dummycert) {
 	/*
 	 * Make sure the subject names are different.
@ -1400,10 +1397,10 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char* aBase64,

  MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Creating temp cert\n"));
  CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-  ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
-  if (!tmpCert)
-    tmpCert = CERT_NewTempCertificate(certdb, &der,
-                                      nullptr, false, true);
+  UniqueCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
+  if (!tmpCert) {
+    tmpCert.reset(CERT_NewTempCertificate(certdb, &der, nullptr, false, true));
+  }
  free(der.data);
  der.data = nullptr;
  der.len = 0;
@ -1457,7 +1454,7 @@ nsNSSCertificateDB::SetCertTrustFromString(nsIX509Cert* cert,
  if (srv != SECSuccess) {
    return MapSECStatus(SECFailure);
  }
-  ScopedCERTCertificate nssCert(cert->GetCert());
+  UniqueCERTCertificate nssCert(cert->GetCert());

  nsresult rv = attemptToLogInWithDefaultPassword();
  if (NS_WARN_IF(rv != NS_OK)) {
@ -1512,7 +1509,7 @@ VerifyCertAtTime(nsIX509Cert* aCert,
  EnsureIdentityInfoLoaded();
 #endif

-  ScopedCERTCertificate nssCert(aCert->GetCert());
+  UniqueCERTCertificate nssCert(aCert->GetCert());
  if (!nssCert) {
    return NS_ERROR_INVALID_ARG;
  }
@ -1535,7 +1532,7 @@ VerifyCertAtTime(nsIX509Cert* aCert,
                                            aFlags,
                                            &evOidPolicy);
  } else {
-    srv = certVerifier->VerifyCert(nssCert, aUsage, aTime,
+    srv = certVerifier->VerifyCert(nssCert.get(), aUsage, aTime,
                                   nullptr, // Assume no context
                                   aHostname,
                                   resultChain,
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@ -700,7 +700,7 @@ MaybeImportFamilySafetyRoot(PCCERT_CONTEXT certificate,
      return NS_ERROR_FAILURE;
    }
    nsAutoCString dbKey;
-    nsresult rv = nsNSSCertificate::GetDbKey(nssCertificate.get(), dbKey);
+    nsresult rv = nsNSSCertificate::GetDbKey(nssCertificate, dbKey);
    if (NS_FAILED(rv)) {
      MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("GetDbKey failed"));
      return rv;
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@ -18,6 +18,7 @@
 #include "mozilla/Casting.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/Logging.h"
+#include "mozilla/Move.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/Telemetry.h"
 #include "nsCharSeparatedTokenizer.h"
@ -336,14 +337,14 @@ nsNSSSocketInfo::IsAcceptableForHost(const nsACString& hostname, bool* _retval)
  // Ensure that the server certificate covers the hostname that would
  // like to join this connection

-  ScopedCERTCertificate nssCert;
+  UniqueCERTCertificate nssCert;

  nsCOMPtr<nsIX509Cert> cert;
  if (NS_FAILED(SSLStatus()->GetServerCert(getter_AddRefs(cert)))) {
    return NS_OK;
  }
  if (cert) {
-    nssCert = cert->GetCert();
+    nssCert.reset(cert->GetCert());
  }

  if (!nssCert) {
@ -1990,14 +1991,14 @@ public:
                         CERTCertificate** pRetCert,
                         SECKEYPrivateKey** pRetKey,
                         nsNSSSocketInfo* info,
-                         CERTCertificate* serverCert)
+                         const UniqueCERTCertificate& serverCert)
    : mRV(SECFailure)
    , mErrorCodeToReport(SEC_ERROR_NO_MEMORY)
    , mPRetCert(pRetCert)
    , mPRetKey(pRetKey)
    , mCANames(caNames)
    , mSocketInfo(info)
-    , mServerCert(serverCert)
+    , mServerCert(serverCert.get())
  {
  }

@ -2038,7 +2039,7 @@ nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
  RefPtr<nsNSSSocketInfo> info(
    reinterpret_cast<nsNSSSocketInfo*>(socket->higher->secret));

-  ScopedCERTCertificate serverCert(SSL_PeerCertificate(socket));
+  UniqueCERTCertificate serverCert(SSL_PeerCertificate(socket));
  if (!serverCert) {
    NS_NOTREACHED("Missing server certificate should have been detected during "
                  "server cert authentication.");
@ -2086,7 +2087,7 @@ ClientAuthDataRunnable::RunOnTargetThread()

  UniquePLArenaPool arena;
  char** caNameStrings;
-  ScopedCERTCertificate cert;
+  UniqueCERTCertificate cert;
  UniqueSECKEYPrivateKey privKey;
  ScopedCERTCertList certList;
  CERTCertListNode* node;
@ -2102,7 +2103,7 @@ ClientAuthDataRunnable::RunOnTargetThread()
  // If a client cert preference was set on the socket info, use that and skip
  // the client cert UI and/or search of the user's past cert decisions.
  if (socketClientCert) {
-    cert = socketClientCert->GetCert();
+    cert.reset(socketClientCert->GetCert());
    if (!cert) {
      goto loser;
    }
@ -2113,7 +2114,7 @@ ClientAuthDataRunnable::RunOnTargetThread()
      goto loser;
    }

-    *mPRetCert = cert.forget();
+    *mPRetCert = cert.release();
    *mPRetKey = privKey.release();
    mRV = SECSuccess;
    return;
@ -2161,7 +2162,7 @@ ClientAuthDataRunnable::RunOnTargetThread()
      goto noCert;
    }

-    ScopedCERTCertificate low_prio_nonrep_cert;
+    UniqueCERTCertificate lowPrioNonrepCert;

    // loop through the list until we find a cert with a key
    while (!CERT_LIST_END(node, certList)) {
@ -2171,13 +2172,13 @@ ClientAuthDataRunnable::RunOnTargetThread()
      if (privKey) {
        if (hasExplicitKeyUsageNonRepudiation(node->cert)) {
          privKey = nullptr;
-          // Not a prefered cert
-          if (!low_prio_nonrep_cert) { // did not yet find a low prio cert
-            low_prio_nonrep_cert = CERT_DupCertificate(node->cert);
+          // Not a preferred cert
+          if (!lowPrioNonrepCert) { // did not yet find a low prio cert
+            lowPrioNonrepCert.reset(CERT_DupCertificate(node->cert));
          }
        } else {
          // this is a good cert to present
-          cert = CERT_DupCertificate(node->cert);
+          cert.reset(CERT_DupCertificate(node->cert));
          break;
        }
      }
@ -2190,8 +2191,8 @@ ClientAuthDataRunnable::RunOnTargetThread()
      node = CERT_LIST_NEXT(node);
    }

-    if (!cert && low_prio_nonrep_cert) {
-      cert = low_prio_nonrep_cert.forget();
+    if (!cert && lowPrioNonrepCert) {
+      cert = Move(lowPrioNonrepCert);
      privKey.reset(PK11_FindKeyByAnyCert(cert.get(), wincx));
    }

@ -2235,7 +2236,7 @@ ClientAuthDataRunnable::RunOnTargetThread()
            nsNSSCertificate* obj_cert =
              reinterpret_cast<nsNSSCertificate*>(found_cert.get());
            if (obj_cert) {
-              cert = obj_cert->GetCert();
+              cert.reset(obj_cert->GetCert());
            }
          }

@ -2395,7 +2396,7 @@ ClientAuthDataRunnable::RunOnTargetThread()
        ++i, node = CERT_LIST_NEXT(node)) {

        if (i == selectedIndex) {
-          cert = CERT_DupCertificate(node->cert);
+          cert.reset(CERT_DupCertificate(node->cert));
          break;
        }
      }
@ -2434,7 +2435,7 @@ loser:
 done:
  int error = PR_GetError();

-  *mPRetCert = cert.forget();
+  *mPRetCert = cert.release();
  *mPRetKey = privKey.release();

  if (mRV == SECFailure) {
--- a/security/manager/ssl/nsPKCS12Blob.cpp
+++ b/security/manager/ssl/nsPKCS12Blob.cpp
@ -1,35 +1,30 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: nsPKCS12Blob.cpp,v 1.49 2007/09/05 07:13:46 jwalden%mit.edu Exp $ */

 #include "nsPKCS12Blob.h"

-#include "pkix/pkixtypes.h"
-
-#include "prmem.h"
-#include "prprf.h"
-
-#include "nsIFile.h"
-#include "nsNetUtil.h"
-#include "nsIInputStream.h"
+#include "ScopedNSSTypes.h"
+#include "nsCRT.h"
+#include "nsDirectoryServiceDefs.h"
+#include "nsICertificateDialogs.h"
 #include "nsIDirectoryService.h"
-#include "nsThreadUtils.h"
-
+#include "nsIFile.h"
+#include "nsIInputStream.h"
+#include "nsKeygenHandler.h" // For GetSlotWithMechanism
+#include "nsNSSCertificate.h"
 #include "nsNSSComponent.h"
 #include "nsNSSHelper.h"
-#include "nsString.h"
-#include "nsReadableUtils.h"
-#include "nsXPIDLString.h"
-#include "nsDirectoryServiceDefs.h"
 #include "nsNSSHelper.h"
-#include "nsNSSCertificate.h"
-#include "nsKeygenHandler.h" //For GetSlotWithMechanism
-#include "nsPK11TokenDB.h"
-#include "nsICertificateDialogs.h"
 #include "nsNSSShutDown.h"
-#include "nsCRT.h"
-
+#include "nsNetUtil.h"
+#include "nsPK11TokenDB.h"
+#include "nsReadableUtils.h"
+#include "nsString.h"
+#include "nsThreadUtils.h"
+#include "pkix/pkixtypes.h"
+#include "prmem.h"
+#include "prprf.h"
 #include "secerr.h"

 using namespace mozilla;
@ -315,7 +310,7 @@ nsPKCS12Blob::ExportToFile(nsIFile *file,
  for (i=0; i<numCerts; i++) {
    nsNSSCertificate *cert = (nsNSSCertificate *)certs[i];
    // get it as a CERTCertificate XXX
-    ScopedCERTCertificate nssCert(cert->GetCert());
+    UniqueCERTCertificate nssCert(cert->GetCert());
    if (!nssCert) {
      rv = NS_ERROR_FAILURE;
      goto finish;
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@ -695,7 +695,7 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI,
  rv = aSSLStatus->GetServerCert(getter_AddRefs(cert));
  NS_ENSURE_SUCCESS(rv, rv);
  NS_ENSURE_TRUE(cert, NS_ERROR_FAILURE);
-  ScopedCERTCertificate nssCert(cert->GetCert());
+  UniqueCERTCertificate nssCert(cert->GetCert());
  NS_ENSURE_TRUE(nssCert, NS_ERROR_FAILURE);

  mozilla::pkix::Time now(mozilla::pkix::Now());
--- a/security/manager/ssl/tests/compiled/TestIsCertBuiltInRoot.cpp
+++ b/security/manager/ssl/tests/compiled/TestIsCertBuiltInRoot.cpp
@ -128,7 +128,7 @@ AddCertificate(char* pem, char* nickname)
    return false;
  }

-  mozilla::ScopedCERTCertificate cert(
+  mozilla::UniqueCERTCertificate cert(
    CERT_NewTempCertificate(CERT_GetDefaultCertDB(), sCertDER, nickname, false,
                            true));
  if (!cert) {
@ -140,7 +140,7 @@ AddCertificate(char* pem, char* nickname)
  trust.sslFlags = 0;
  trust.emailFlags = 0;
  trust.objectSigningFlags = 0;
-  if (CERT_AddTempCertToPerm(cert, nickname, &trust) != SECSuccess) {
+  if (CERT_AddTempCertToPerm(cert.get(), nickname, &trust) != SECSuccess) {
    fail("CERT_AddTempCertToPerm failed");
    return false;
  }
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@ -117,7 +117,7 @@ DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
  }

-  ScopedCERTCertificate cert;
+  UniqueCERTCertificate cert;
  SSLKEAType certKEA;
  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName,
                                                    &cert, &certKEA)) {
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp
@ -145,7 +145,7 @@ main(int argc, char* argv[])
      exit(EXIT_FAILURE);
    }

-    ScopedCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr));
+    UniqueCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr));
    if (!cert) {
      PrintPRError("PK11_FindCertFromNickname failed");
      PR_fprintf(PR_STDERR, "Failed to find certificate with nick '%s'\n",
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp
@ -82,7 +82,7 @@ DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
  const char *certNickname = host->mServerCertName ? host->mServerCertName
                                                   : DEFAULT_CERT_NICKNAME;

-  ScopedCERTCertificate cert;
+  UniqueCERTCertificate cert;
  SSLKEAType certKEA;
  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, certNickname,
                                                    &cert, &certKEA)) {
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@ -27,13 +27,13 @@ using namespace mozilla::pkix::test;
 using namespace mozilla::test;

 static TestKeyPair*
-CreateTestKeyPairFromCert(CERTCertificate& cert)
+CreateTestKeyPairFromCert(const UniqueCERTCertificate& cert)
 {
-  UniqueSECKEYPrivateKey privateKey(PK11_FindKeyByAnyCert(&cert, nullptr));
+  UniqueSECKEYPrivateKey privateKey(PK11_FindKeyByAnyCert(cert.get(), nullptr));
  if (!privateKey) {
    return nullptr;
  }
-  ScopedSECKEYPublicKey publicKey(CERT_ExtractPublicKey(&cert));
+  ScopedSECKEYPublicKey publicKey(CERT_ExtractPublicKey(cert.get()));
  if (!publicKey) {
    return nullptr;
  }
@ -41,11 +41,11 @@ CreateTestKeyPairFromCert(CERTCertificate& cert)
 }

 SECItemArray*
-GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate* aCert,
+GetOCSPResponseForType(OCSPResponseType aORT, const UniqueCERTCertificate& aCert,
                       const UniquePLArenaPool& aArena,
                       const char* aAdditionalCertName)
 {
-  MOZ_ASSERT(aArena.get());
+  MOZ_ASSERT(aArena);
  MOZ_ASSERT(aCert);
  // Note: |aAdditionalCertName| may or may not need to be non-null depending
  //       on the |aORT| value given.
@ -68,18 +68,18 @@ GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate* aCert,
  time_t now = time(nullptr);
  time_t oldNow = now - (8 * Time::ONE_DAY_IN_SECONDS);

-  mozilla::ScopedCERTCertificate cert(CERT_DupCertificate(aCert));
+  mozilla::UniqueCERTCertificate cert(CERT_DupCertificate(aCert.get()));

  if (aORT == ORTGoodOtherCert) {
-    cert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr);
+    cert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr));
    if (!cert) {
      PrintPRError("PK11_FindCertFromNickname failed");
      return nullptr;
    }
  }
  // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic
-  mozilla::ScopedCERTCertificate
-    issuerCert(CERT_FindCertIssuer(aCert, PR_Now(), certUsageSSLCA));
+  mozilla::UniqueCERTCertificate
+    issuerCert(CERT_FindCertIssuer(aCert.get(), PR_Now(), certUsageSSLCA));
  if (!issuerCert) {
    PrintPRError("CERT_FindCertIssuer failed");
    return nullptr;
@ -101,11 +101,11 @@ GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate* aCert,
  CertID certID(issuer, issuerPublicKey, serialNumber);
  OCSPResponseContext context(certID, now);

-  mozilla::ScopedCERTCertificate signerCert;
+  mozilla::UniqueCERTCertificate signerCert;
  if (aORT == ORTGoodOtherCA || aORT == ORTDelegatedIncluded ||
      aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissing ||
      aORT == ORTDelegatedMissingMultiple) {
-    signerCert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr);
+    signerCert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr));
    if (!signerCert) {
      PrintPRError("PK11_FindCertFromNickname failed");
      return nullptr;
@ -192,9 +192,9 @@ GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate* aCert,
  }

  if (!signerCert) {
-    signerCert = CERT_DupCertificate(issuerCert.get());
+    signerCert.reset(CERT_DupCertificate(issuerCert.get()));
  }
-  context.signerKeyPair.reset(CreateTestKeyPairFromCert(*signerCert));
+  context.signerKeyPair.reset(CreateTestKeyPairFromCert(signerCert));
  if (!context.signerKeyPair) {
    PrintPRError("PK11_FindKeyByAnyCert failed");
    return nullptr;
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h
@ -53,7 +53,8 @@ struct OCSPHost
 };

 SECItemArray*
-GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate* aCert,
+GetOCSPResponseForType(OCSPResponseType aORT,
+                       const mozilla::UniqueCERTCertificate& aCert,
                       const mozilla::UniquePLArenaPool& aArena,
                       const char* aAdditionalCertName);

--- a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
@ -10,6 +10,7 @@

 #include "ScopedNSSTypes.h"
 #include "base64.h"
+#include "mozilla/Move.h"
 #include "mozilla/Snprintf.h"
 #include "nspr.h"
 #include "nss.h"
@ -189,7 +190,7 @@ AddCertificateFromFile(const char* basePath, const char* filename)
    PrintPRError("CERT_DecodeCertPackage failed");
    return rv;
  }
-  ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+  UniqueCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                                     &certDER, nullptr, false,
                                                     true));
  PORT_Free(certDER.data);
@ -204,7 +205,8 @@ AddCertificateFromFile(const char* basePath, const char* filename)
  }
  // The nickname is the filename without '.pem'.
  std::string nickname(filename, strlen(filename) - 4);
-  rv = PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, nickname.c_str(), false);
+  rv = PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE,
+                       nickname.c_str(), false);
  if (rv != SECSuccess) {
    PrintPRError("PK11_ImportCert failed");
    return rv;
@ -410,11 +412,11 @@ DoCallback()
 }

 SECStatus
-ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName,
-                                /*optional*/ ScopedCERTCertificate *certOut,
-                                /*optional*/ SSLKEAType *keaOut)
+ConfigSecureServerWithNamedCert(PRFileDesc* fd, const char* certName,
+                                /*optional*/ UniqueCERTCertificate* certOut,
+                                /*optional*/ SSLKEAType* keaOut)
 {
-  ScopedCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr));
+  UniqueCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr));
  if (!cert) {
    PrintPRError("PK11_FindCertFromNickname failed");
    return SECFailure;
@ -424,7 +426,7 @@ ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName,
  // we don't encounter unknown issuer errors when that's not what we're
  // testing.
  UniqueCERTCertificateList certList;
-  ScopedCERTCertificate issuerCert(
+  UniqueCERTCertificate issuerCert(
    CERT_FindCertByName(CERT_GetDefaultCertDB(), &cert->derIssuer));
  // If we can't find the issuer cert, continue without it.
  if (issuerCert) {
@ -469,7 +471,7 @@ ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName,
    return SECFailure;
  }

-  SSLKEAType certKEA = NSS_FindCertKEAType(cert);
+  SSLKEAType certKEA = NSS_FindCertKEAType(cert.get());

  if (SSL_ConfigSecureServerWithCertChain(fd, cert.get(), certList.get(),
                                          key.get(), certKEA) != SECSuccess) {
@ -478,7 +480,7 @@ ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName,
  }

  if (certOut) {
-    *certOut = cert.forget();
+    *certOut = Move(cert);
  }

  if (keaOut) {
--- a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h
@ -44,9 +44,9 @@ extern const char DEFAULT_CERT_NICKNAME[];
 // Pass DEFAULT_CERT_NICKNAME as certName unless you need a specific
 // certificate.
 SECStatus
-ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName,
-                                /*optional*/ ScopedCERTCertificate *cert,
-                                /*optional*/ SSLKEAType *kea);
+ConfigSecureServerWithNamedCert(PRFileDesc* fd, const char* certName,
+                                /*optional*/ UniqueCERTCertificate* cert,
+                                /*optional*/ SSLKEAType* kea);

 SECStatus
 InitializeNSS(const char* nssCertDBDir);