Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-11 12:25:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 767241, Part 2: Replace almost all uses of NSSCleanupAutoPtrClass with ScopedNSSTypes, r=honzab

Browse Source 
--HG--
extra : rebase_source : 5fa068e15febb301b0c776f1a565262d698789b2
This commit is contained in:
Brian Smith 2012-11-12 09:42:28 -08:00
parent ddd80afae9
commit 3a071d2b94
19 changed files with 192 additions and 381 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
security/manager/ssl/src/SSLServerCertVerification.cpp
View File

@ -111,6 +111,7 @@
#include "nsServiceManagerUtils.h"
#include "nsIConsoleService.h"
#include "PSMRunnable.h"
#include "ScopedNSSTypes.h"
#include "ssl.h"
#include "secerr.h"
@ -127,7 +128,6 @@ namespace {
NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
// do not use a nsCOMPtr to avoid static initializer/destructor
@ -615,11 +615,9 @@ private:
SSLServerCertVerificationJob(const void * fdForLogging,
TransportSecurityInfo * infoObject,
CERTCertificate * cert);
~SSLServerCertVerificationJob();
const void * const mFdForLogging;
const RefPtr<TransportSecurityInfo> mInfoObject;
CERTCertificate * const mCert;
const ScopedCERTCertificate mCert;
};
SSLServerCertVerificationJob::SSLServerCertVerificationJob(
@ -631,11 +629,6 @@ SSLServerCertVerificationJob::SSLServerCertVerificationJob(
{
}
SSLServerCertVerificationJob::~SSLServerCertVerificationJob()
{
CERT_DestroyCertificate(mCert);
}
SECStatus
PSM_SSL_PKIX_AuthCertificate(CERTCertificate *peerCert, void * pinarg,
const char * hostname)
@ -818,10 +811,9 @@ BlockServerCertChangeForSpdy(nsNSSSocketInfo *infoObject,
" Assuming spdy.\n"));
// Check to see if the cert has actually changed
CERTCertificate * c = cert2->GetCert();
ScopedCERTCertificate c(cert2->GetCert());
NS_ASSERTION(c, "very bad and hopefully impossible state");
bool sameCert = CERT_CompareCerts(c, serverCert);
CERT_DestroyCertificate(c);
if (sameCert)
return SECSuccess;
@ -887,8 +879,8 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert)
nsc = nsNSSCertificate::Create(cert);
}
CERTCertList *certList = nullptr;
certList = CERT_GetCertChainFromCert(cert, PR_Now(), certUsageSSLCA);
ScopedCERTCertList certList(CERT_GetCertChainFromCert(cert, PR_Now(),
certUsageSSLCA));
if (!certList) {
rv = SECFailure;
} else {
@ -943,20 +935,15 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert)
// We have found a signer cert that we want to remember.
char* nickname = nsNSSCertificate::defaultServerNickname(node->cert);
if (nickname && *nickname) {
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
if (slot) {
PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE,
nickname, false);
PK11_FreeSlot(slot);
}
}
PR_FREEIF(nickname);
}
if (certList) {
CERT_DestroyCertList(certList);
}
// The connection may get terminated, for example, if the server requires
// a client cert. Let's provide a minimal SSLStatus
// to the caller that contains at least the cert and its status.
@ -1125,8 +1112,7 @@ AuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
socketInfo->SetFirstServerHelloReceived();
}
CERTCertificate *serverCert = SSL_PeerCertificate(fd);
CERTCertificateCleaner serverCertCleaner(serverCert);
ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
if (!checkSig || isServer || !socketInfo || !serverCert) {
PR_SetError(PR_INVALID_STATE_ERROR, 0);

7
security/manager/ssl/src/TransportSecurityInfo.cpp
View File

@ -15,10 +15,10 @@
#include "nsIObjectInputStream.h"
#include "nsIObjectOutputStream.h"
#include "nsNSSCertHelper.h"
#include "nsNSSCleaner.h"
#include "nsIProgrammingLanguage.h"
#include "nsIArray.h"
#include "PSMRunnable.h"
#include "ScopedNSSTypes.h"
#include "secerr.h"
@ -34,8 +34,6 @@
namespace {
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
} // unnamed namespace
@ -780,8 +778,7 @@ AppendErrorTextMismatch(const nsString &host,
const PRUnichar *params[1];
nsresult rv;
CERTCertificate *nssCert = nullptr;
CERTCertificateCleaner nssCertCleaner(nssCert);
ScopedCERTCertificate nssCert;
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
if (cert2)

16
security/manager/ssl/src/nsCMS.cpp
View File

@ -14,10 +14,10 @@
#include "nsArrayUtils.h"
#include "nsCertVerificationThread.h"
#include "nsCERTValInParamWrapper.h"
#include "ScopedNSSTypes.h"
#include "prlog.h"
#include "nsNSSCleaner.h"
#include "nsNSSComponent.h"
#ifdef PR_LOGGING
@ -28,8 +28,6 @@ using namespace mozilla;
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NS_IMPL_THREADSAFE_ISUPPORTS2(nsCMSMessage, nsICMSMessage,
nsICMSMessage2)
@ -540,8 +538,7 @@ NS_IMETHODIMP nsCMSMessage::CreateEncrypted(nsIArray * aRecipientCerts)
if (!nssRecipientCert)
return NS_ERROR_FAILURE;
CERTCertificate *c = nssRecipientCert->GetCert();
CERTCertificateCleaner rcCleaner(c);
ScopedCERTCertificate c(nssRecipientCert->GetCert());
recipientCerts.set(i, c);
}
@ -579,8 +576,7 @@ NS_IMETHODIMP nsCMSMessage::CreateEncrypted(nsIArray * aRecipientCerts)
// Create and attach recipient information //
for (i=0; i < recipientCertCount; i++) {
CERTCertificate *rc = recipientCerts.get(i);
CERTCertificateCleaner rcCleaner(rc);
ScopedCERTCertificate rc(recipientCerts.get(i));
if ((recipientInfo = NSS_CMSRecipientInfo_Create(m_cmsMsg, rc)) == nullptr) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't create recipient info\n"));
goto loser;
@ -611,7 +607,8 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned(nsIX509Cert* aSigningCert, nsIX509Cert*
NSSCMSContentInfo *cinfo;
NSSCMSSignedData *sigd;
NSSCMSSignerInfo *signerinfo;
CERTCertificate *scert = nullptr, *ecert = nullptr;
ScopedCERTCertificate scert;
ScopedCERTCertificate ecert;
nsCOMPtr<nsIX509Cert2> aSigningCert2 = do_QueryInterface(aSigningCert);
nsresult rv = NS_ERROR_FAILURE;
@ -630,9 +627,6 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned(nsIX509Cert* aSigningCert, nsIX509Cert*
}
}
CERTCertificateCleaner ecertCleaner(ecert);
CERTCertificateCleaner scertCleaner(scert);
/*
* create the message object
*/

19
security/manager/ssl/src/nsCertOverrideService.cpp
View File

@ -18,15 +18,14 @@
#include "nsPromiseFlatString.h"
#include "nsThreadUtils.h"
#include "nsStringBuffer.h"
#include "ScopedNSSTypes.h"
#include "nspr.h"
#include "pk11pub.h"
#include "certdb.h"
#include "sechash.h"
#include "ssl.h" // For SSL_ClearSessionCache
#include "nsNSSCleaner.h"
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
using namespace mozilla;
static const char kCertOverrideFileName[] = "cert_override.txt";
@ -414,11 +413,10 @@ GetCertFingerprintByOidTag(nsIX509Cert *aCert,
if (!cert2)
return NS_ERROR_FAILURE;
CERTCertificate* nsscert = cert2->GetCert();
ScopedCERTCertificate nsscert(cert2->GetCert());
if (!nsscert)
return NS_ERROR_FAILURE;
CERTCertificateCleaner nsscertCleaner(nsscert);
return GetCertFingerprintByOidTag(nsscert, aOidTag, fp);
}
@ -453,11 +451,10 @@ GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
if (!cert2)
return NS_ERROR_FAILURE;
CERTCertificate* nsscert = cert2->GetCert();
ScopedCERTCertificate nsscert(cert2->GetCert());
if (!nsscert)
return NS_ERROR_FAILURE;
CERTCertificateCleaner nsscertCleaner(nsscert);
return GetCertFingerprintByDottedOidString(nsscert, dottedOid, fp);
}
@ -477,16 +474,14 @@ nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, in
if (!cert2)
return NS_ERROR_FAILURE;
CERTCertificate* nsscert = cert2->GetCert();
ScopedCERTCertificate nsscert(cert2->GetCert());
if (!nsscert)
return NS_ERROR_FAILURE;
CERTCertificateCleaner nsscertCleaner(nsscert);
char* nickname = nsNSSCertificate::defaultServerNickname(nsscert);
if (!aTemporary && nickname && *nickname)
{
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) {
PR_Free(nickname);
return NS_ERROR_FAILURE;
@ -494,8 +489,6 @@ nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, in
SECStatus srv = PK11_ImportCert(slot, nsscert, CK_INVALID_HANDLE,
nickname, false);
PK11_FreeSlot(slot);
if (srv != SECSuccess) {
PR_Free(nickname);
return NS_ERROR_FAILURE;

22
security/manager/ssl/src/nsCertPicker.cpp
View File

@ -11,16 +11,15 @@
#include "nsNSSComponent.h"
#include "nsNSSCertificate.h"
#include "nsReadableUtils.h"
#include "nsNSSCleaner.h"
#include "nsICertPickDialogs.h"
#include "nsNSSShutDown.h"
#include "nsNSSCertHelper.h"
NSSCleanupAutoPtrClass(CERTCertNicknames, CERT_FreeNicknames)
NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
#include "ScopedNSSTypes.h"
#include "cert.h"
using namespace mozilla;
NS_IMPL_ISUPPORTS1(nsCertPicker, nsIUserCertPicker)
nsCertPicker::nsCertPicker()
@ -49,31 +48,24 @@ NS_IMETHODIMP nsCertPicker::PickByUsage(nsIInterfaceRequestor *ctx,
{
// Iterate over all certs. This assures that user is logged in to all hardware tokens.
CERTCertList *allcerts = nullptr;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
allcerts = PK11_ListCerts(PK11CertListUnique, ctx);
CERT_DestroyCertList(allcerts);
ScopedCERTCertList allcerts(PK11_ListCerts(PK11CertListUnique, ctx));
}
/* find all user certs that are valid and for SSL */
/* note that we are allowing expired certs in this list */
CERTCertList *certList =
ScopedCERTCertList certList(
CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
(SECCertUsage)certUsage,
!allowDuplicateNicknames,
!allowInvalid,
ctx);
CERTCertListCleaner clc(certList);
ctx));
if (!certList) {
return NS_ERROR_NOT_AVAILABLE;
}
CERTCertNicknames *nicknames = getNSSCertNicknamesFromCertList(certList);
CERTCertNicknamesCleaner cnc(nicknames);
ScopedCERTCertNicknames nicknames(getNSSCertNicknamesFromCertList(certList));
if (!nicknames) {
return NS_ERROR_NOT_AVAILABLE;
}

14
security/manager/ssl/src/nsCertTree.cpp
View File

@ -20,9 +20,9 @@
#include "nsXPCOMCID.h"
#include "nsTHashtable.h"
#include "nsHashKeys.h"
#include "ScopedNSSTypes.h"
#include "prlog.h"
#include "nsNSSCleaner.h"
using namespace mozilla;
@ -30,8 +30,6 @@ using namespace mozilla;
extern PRLogModuleInfo* gPIPNSSLog;
#endif
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
static NS_DEFINE_CID(kCertOverrideCID, NS_CERTOVERRIDE_CID);
@ -641,12 +639,9 @@ nsCertTree::GetCertsByType(uint32_t aType,
void *aCertCmpFnArg)
{
nsNSSShutDownPreventionLock locker;
CERTCertList *certList = nullptr;
nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
certList = PK11_ListCerts(PK11CertListUnique, cxt);
ScopedCERTCertList certList(PK11_ListCerts(PK11CertListUnique, cxt));
nsresult rv = GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg);
if (certList)
CERT_DestroyCertList(certList);
return rv;
}
@ -815,8 +810,7 @@ nsCertTree::DeleteEntryObject(uint32_t index)
// although there are still overrides stored,
// so, we keep the cert, but remove the trust
CERTCertificate *nsscert = nullptr;
CERTCertificateCleaner nsscertCleaner(nsscert);
ScopedCERTCertificate nsscert;
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
if (cert2) {

4
security/manager/ssl/src/nsClientAuthRemember.cpp
View File

@ -22,12 +22,8 @@
#include "certdb.h"
#include "sechash.h"
#include "nsNSSCleaner.h"
using namespace mozilla;
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NS_IMPL_THREADSAFE_ISUPPORTS2(nsClientAuthRememberService,
nsIObserver,
nsISupportsWeakReference)

81
security/manager/ssl/src/nsCrypto.cpp
View File

@ -59,6 +59,7 @@
#include "secmod.h"
#include "nsISaveAsCharset.h"
#include "nsNativeCharsetUtils.h"
#include "ScopedNSSTypes.h"
#include "ssl.h" // For SSL_ClearSessionCache
@ -69,12 +70,7 @@
using namespace mozilla;
NSSCleanupAutoPtrClass(SECKEYPrivateKey, SECKEY_DestroyPrivateKey)
NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot)
NSSCleanupAutoPtrClass(CERTCertNicknames, CERT_FreeNicknames)
NSSCleanupAutoPtrClass(PK11SymKey, PK11_FreeSymKey)
NSSCleanupAutoPtrClass_WithParam(PK11Context, PK11_DestroyContext, TrueParam, true)
NSSCleanupAutoPtrClass_WithParam(SECItem, SECITEM_FreeItem, TrueParam, true)
/*
* These are the most common error strings that are returned
@ -698,8 +694,7 @@ cryptojs_generateOneKeyPair(JSContext *cx, nsKeyPairInfo *keyPairInfo,
// user's key3.db file. Which the slot returned by
// PK11_GetInternalKeySlot has access to and PK11_GetInternalSlot
// does not.
PK11SlotInfo *intSlot = nullptr;
PK11SlotInfoCleaner siCleaner(intSlot);
ScopedPK11SlotInfo intSlot;
if (willEscrow && !PK11_IsInternal(slot)) {
intSlot = PK11_GetInternalSlot();
@ -707,7 +702,6 @@ cryptojs_generateOneKeyPair(JSContext *cx, nsKeyPairInfo *keyPairInfo,
if (!PK11_DoesMechanism(intSlot, mechanism)) {
// Set to null, and the subsequent code will not attempt to use it.
PK11_FreeSlot(intSlot);
intSlot = nullptr;
}
}
@ -832,23 +826,17 @@ cryptojs_generateOneKeyPair(JSContext *cx, nsKeyPairInfo *keyPairInfo,
//If we generated the key pair on the internal slot because the
// keys were going to be escrowed, move the keys over right now.
if (mustMoveKey) {
SECKEYPrivateKey *newPrivKey = PK11_LoadPrivKey(slot,
ScopedSECKEYPrivateKey newPrivKey(PK11_LoadPrivKey(slot,
keyPairInfo->privKey,
keyPairInfo->pubKey,
true, true);
SECKEYPrivateKeyCleaner pkCleaner(newPrivKey);
true, true));
if (!newPrivKey)
return NS_ERROR_FAILURE;
// The private key is stored on the selected slot now, and the copy we
// ultimately use for escrowing when the time comes lives
// in the internal slot. We will delete it from that slot
// after the requests are made. This call only gives up
// our reference to the key object and does not actually
// physically remove it from the card itself.
// The actual delete calls are being made in the destructors
// of the cleaner helper instances.
// after the requests are made.
}
return NS_OK;
@ -1013,13 +1001,12 @@ nsSetEscrowAuthority(CRMFCertRequest *certReq, nsKeyPairInfo *keyInfo,
CRMF_CertRequestIsControlPresent(certReq, crmfPKIArchiveOptionsControl)){
return NS_ERROR_FAILURE;
}
CERTCertificate *cert = wrappingCert->GetCert();
ScopedCERTCertificate cert(wrappingCert->GetCert());
if (!cert)
return NS_ERROR_FAILURE;
CRMFEncryptedKey *encrKey =
CRMF_CreateEncryptedKeyWithEncryptedValue(keyInfo->privKey, cert);
CERT_DestroyCertificate(cert);
if (!encrKey)
return NS_ERROR_FAILURE;
@ -1046,14 +1033,13 @@ nsSetDNForRequest(CRMFCertRequest *certReq, char *reqDN)
if (!reqDN || CRMF_CertRequestIsFieldPresent(certReq, crmfSubject)) {
return NS_ERROR_FAILURE;
}
CERTName *subjectName = CERT_AsciiToName(reqDN);
ScopedCERTName subjectName(CERT_AsciiToName(reqDN));
if (!subjectName) {
return NS_ERROR_FAILURE;
}
SECStatus srv = CRMF_CertRequestSetTemplateField(certReq, crmfSubject,
static_cast<void*>
(subjectName));
CERT_DestroyName(subjectName);
return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
}
@ -1488,8 +1474,7 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCertReqMsg *certReqMsg,
// allows multiple requests to be sent in one step.
unsigned long der_request_len = 0;
SECItem *der_request = nullptr;
SECItemCleanerTrueParam der_request_cleaner(der_request);
ScopedSECItem der_request;
if (SECSuccess != CRMF_EncodeCertRequest(certReq,
nsCRMFEncoderItemCount,
@ -1516,17 +1501,10 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCertReqMsg *certReqMsg,
// issuer names in the CA's certificate as follows:
// K = SHA1(DER-encoded-subjectName | Kec | DER-encoded-issuerName)"
PK11SymKey *shared_secret = nullptr;
PK11SymKeyCleaner shared_secret_cleaner(shared_secret);
PK11SymKey *subject_and_secret = nullptr;
PK11SymKeyCleaner subject_and_secret_cleaner(subject_and_secret);
PK11SymKey *subject_and_secret_and_issuer = nullptr;
PK11SymKeyCleaner subject_and_secret_and_issuer_cleaner(subject_and_secret_and_issuer);
PK11SymKey *sha1_of_subject_and_secret_and_issuer = nullptr;
PK11SymKeyCleaner sha1_of_subject_and_secret_and_issuer_cleaner(sha1_of_subject_and_secret_and_issuer);
ScopedPK11SymKey shared_secret;
ScopedPK11SymKey subject_and_secret;
ScopedPK11SymKey subject_and_secret_and_issuer;
ScopedPK11SymKey sha1_of_subject_and_secret_and_issuer;
shared_secret =
PK11_PubDeriveWithKDF(keyInfo->privKey, // SECKEYPrivateKey *privKey
@ -1615,23 +1593,18 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCertReqMsg *certReqMsg,
PK11_DigestOp(context, der_request->data, der_request->len))
return NS_ERROR_FAILURE;
SECItem *result_hmac_sha1_item = nullptr;
SECItemCleanerTrueParam result_hmac_sha1_item_cleaner(result_hmac_sha1_item);
result_hmac_sha1_item = SECITEM_AllocItem(nullptr, nullptr, SHA1_LENGTH);
if (!result_hmac_sha1_item)
return NS_ERROR_FAILURE;
ScopedAutoSECItem result_hmac_sha1_item(SHA1_LENGTH);
if (SECSuccess !=
PK11_DigestFinal(context,
result_hmac_sha1_item->data,
&result_hmac_sha1_item->len,
result_hmac_sha1_item.data,
&result_hmac_sha1_item.len,
SHA1_LENGTH))
return NS_ERROR_FAILURE;
if (SECSuccess !=
CRMF_CertReqMsgSetKeyAgreementPOP(certReqMsg, crmfDHMAC,
crmfNoSubseqMess, result_hmac_sha1_item))
crmfNoSubseqMess, &result_hmac_sha1_item))
return NS_ERROR_FAILURE;
return NS_OK;
@ -1950,14 +1923,13 @@ nsCrypto::GenerateCRMFRequest(nsIDOMCRMFObject** aReturn)
if (srv != SECSuccess) {
return NS_ERROR_FAILURE;
}
CERTCertificate *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
&certDer, nullptr, false,
true);
ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
&certDer, nullptr,
false, true));
if (!cert)
return NS_ERROR_FAILURE;
escrowCert = nsNSSCertificate::Create(cert);
CERT_DestroyCertificate(cert);
nssCert = escrowCert;
if (!nssCert)
return NS_ERROR_OUT_OF_MEMORY;
@ -2217,10 +2189,9 @@ static bool
nsCertAlreadyExists(SECItem *derCert)
{
CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
CERTCertificate *cert;
bool retVal = false;
cert = CERT_FindCertByDERCert(handle, derCert);
ScopedCERTCertificate cert(CERT_FindCertByDERCert(handle, derCert));
if (cert) {
if (cert->isperm && !cert->nickname && !cert->emailAddr) {
//If the cert doesn't have a nickname or email addr, it is
@ -2229,7 +2200,6 @@ nsCertAlreadyExists(SECItem *derCert)
} else if (cert->isperm) {
retVal = true;
}
CERT_DestroyCertificate(cert);
}
return retVal;
}
@ -2270,7 +2240,6 @@ nsCrypto::ImportUserCertificates(const nsAString& aNickname,
nsAutoCString localNick;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
nsresult rv = NS_OK;
CERTCertList *caPubs = nullptr;
nsCOMPtr<nsIPK11Token> token;
nickname = ToNewCString(aNickname);
@ -2382,7 +2351,8 @@ nsCrypto::ImportUserCertificates(const nsAString& aNickname,
//That would be a good thing.
//Import the root chain into the cert db.
caPubs = CMMF_CertRepContentGetCAPubs(certRepContent);
{
ScopedCERTCertList caPubs(CMMF_CertRepContentGetCAPubs(certRepContent));
if (caPubs) {
int32_t numCAs = nsCertListCount(caPubs);
@ -2405,9 +2375,8 @@ nsCrypto::ImportUserCertificates(const nsAString& aNickname,
nsNSSCertificateDB::ImportValidCACerts(numCAs, derCerts, ctx);
nsMemory::Free(derCerts);
}
CERT_DestroyCertList(caPubs);
}
}
if (aDoForcedBackup) {
// I can't pop up a file picker from the depths of JavaScript,
@ -2639,7 +2608,7 @@ nsCrypto::SignText(const nsAString& aStringToSign, const nsAString& aCaOption,
++numberOfCerts;
}
CERTCertNicknames* nicknames = getNSSCertNicknamesFromCertList(certList);
ScopedCERTCertNicknames nicknames(getNSSCertNicknamesFromCertList(certList));
if (!nicknames) {
aResult.Append(internalError);
@ -2647,8 +2616,6 @@ nsCrypto::SignText(const nsAString& aStringToSign, const nsAString& aCaOption,
return NS_OK;
}
CERTCertNicknamesCleaner cnc(nicknames);
NS_ASSERTION(nicknames->numnicknames == numberOfCerts,
"nicknames->numnicknames != numberOfCerts");

16
security/manager/ssl/src/nsIdentityChecking.cpp
View File

@ -16,7 +16,9 @@
#include "nsNSSComponent.h"
#include "nsSSLStatus.h"
#include "nsNSSCertificate.h"
#include "nsNSSCleaner.h"
#include "ScopedNSSTypes.h"
using namespace mozilla;
#ifdef DEBUG
#ifndef PSM_ENABLE_TEST_EV_ROOTS
@ -28,10 +30,6 @@
extern PRLogModuleInfo* gPIPNSSLog;
#endif
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
NSSCleanupAutoPtrClass_WithParam(SECItem, SECITEM_FreeItem, TrueParam, true)
#define CONST_OID static const unsigned char
#define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
@ -1217,8 +1215,7 @@ nsNSSCertificate::hasValidEVOidTag(SECOidTag &resultOidTag, bool &validEV)
if (oid_tag == SEC_OID_UNKNOWN) // not in our list of OIDs accepted for EV
return NS_OK;
CERTCertList *rootList = getRootsForOid(oid_tag);
CERTCertListCleaner rootListCleaner(rootList);
ScopedCERTCertList rootList(getRootsForOid(oid_tag));
CERTRevocationMethodIndex preferedRevMethods[1] = {
cert_revocation_method_ocsp
@ -1277,14 +1274,13 @@ nsNSSCertificate::hasValidEVOidTag(SECOidTag &resultOidTag, bool &validEV)
cvout[0].value.pointer.cert = nullptr;
cvout[1].type = cert_po_end;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("calling CERT_PKIXVerifyCert nss cert %p\n", mCert));
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("calling CERT_PKIXVerifyCert nss cert %p\n", mCert.get()));
rv = CERT_PKIXVerifyCert(mCert, certificateUsageSSLServer,
cvin, cvout, nullptr);
if (rv != SECSuccess)
return NS_OK;
CERTCertificate *issuerCert = cvout[0].value.pointer.cert;
CERTCertificateCleaner issuerCleaner(issuerCert);
ScopedCERTCertificate issuerCert(cvout[0].value.pointer.cert);
#ifdef PR_LOGGING
if (PR_LOG_TEST(gPIPNSSLog, PR_LOG_DEBUG)) {

11
security/manager/ssl/src/nsKeyModule.cpp
View File

@ -6,6 +6,10 @@
#include "nsCOMPtr.h"
#include "nsKeyModule.h"
#include "nsString.h"
#include "ScopedNSSTypes.h"
using namespace mozilla;
using namespace mozilla::psm;
NS_IMPL_ISUPPORTS1(nsKeyObject, nsIKeyObject)
@ -174,8 +178,7 @@ nsKeyObjectFactory::KeyFromString(int16_t aAlgorithm, const nsACString & aKey,
keyItem.data = (unsigned char*)flatKey.get();
keyItem.len = flatKey.Length();
PK11SlotInfo *slot = nullptr;
slot = PK11_GetBestSlot(cipherMech, nullptr);
ScopedPK11SlotInfo slot(PK11_GetBestSlot(cipherMech, nullptr));
if (!slot) {
NS_ERROR("no slot");
return NS_ERROR_FAILURE;
@ -183,10 +186,6 @@ nsKeyObjectFactory::KeyFromString(int16_t aAlgorithm, const nsACString & aKey,
PK11SymKey* symKey = PK11_ImportSymKey(slot, cipherMech, PK11_OriginUnwrap,
cipherOperation, &keyItem, nullptr);
// cleanup code
if (slot)
PK11_FreeSlot(slot);
if (!symKey) {
return NS_ERROR_FAILURE;
}

14
security/manager/ssl/src/nsNSSCallbacks.cpp
View File

@ -3,12 +3,12 @@
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsNSSComponent.h"
#include "nsNSSCallbacks.h"
#include "mozilla/Telemetry.h"
#include "mozilla/TimeStamp.h"
#include "nsNSSComponent.h"
#include "nsNSSIOLayer.h"
#include "nsIWebProgressListener.h"
#include "nsProtectedAuthThread.h"
@ -19,6 +19,7 @@
#include "nsIPrompt.h"
#include "nsProxyRelease.h"
#include "PSMRunnable.h"
#include "ScopedNSSTypes.h"
#include "nsIConsoleService.h"
#include "nsIHttpChannelInternal.h"
#include "nsCRT.h"
@ -880,10 +881,9 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
}
CERTCertificate *peerCert = SSL_PeerCertificate(fd);
ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
const char* caName = nullptr; // caName is a pointer only, no ownership
char* certOrgName = CERT_GetOrgName(&peerCert->issuer);
CERT_DestroyCertificate(peerCert);
char* certOrgName = CERT_GetOrgName(&serverCert->issuer);
caName = certOrgName ? certOrgName : signer;
const char* verisignName = "Verisign, Inc.";
@ -917,12 +917,8 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
RememberCertErrorsTable::GetInstance().LookupCertErrorBits(infoObject,
status);
CERTCertificate *serverCert = SSL_PeerCertificate(fd);
if (serverCert) {
RefPtr<nsNSSCertificate> nssc(nsNSSCertificate::Create(serverCert));
CERT_DestroyCertificate(serverCert);
serverCert = nullptr;
nsCOMPtr<nsIX509Cert> prevcert;
infoObject->GetPreviousCert(getter_AddRefs(prevcert));

4
security/manager/ssl/src/nsNSSCallbacks.h
View File

@ -7,6 +7,7 @@
#ifndef _NSNSSCALLBACKS_H_
#define _NSNSSCALLBACKS_H_
#include "nsCOMPtr.h"
#include "pk11func.h"
#include "nspr.h"
#include "ocspt.h"
@ -14,6 +15,9 @@
#include "mozilla/CondVar.h"
#include "mozilla/Mutex.h"
#include "mozilla/Attributes.h"
#include "nsString.h"
class nsILoadGroup;
char*
PK11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void* arg);

62
security/manager/ssl/src/nsNSSCertificate.cpp
View File

@ -34,13 +34,11 @@
#include "nsIObjectOutputStream.h"
#include "nsIObjectInputStream.h"
#include "nsIProgrammingLanguage.h"
#include "nsXULAppAPI.h"
#include "ScopedNSSTypes.h"
#include "nspr.h"
#include "pk11func.h"
#include "certdb.h"
#include "cert.h"
#include "secerr.h"
#include "nssb64.h"
#include "secasn1.h"
@ -48,8 +46,6 @@
#include "ssl.h"
#include "ocsp.h"
#include "plbase64.h"
#include "cms.h"
#include "cert.h"
using namespace mozilla;
@ -59,12 +55,7 @@ extern PRLogModuleInfo* gPIPNSSLog;
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
NSSCleanupAutoPtrClass(CERTCertificateList, CERT_DestroyCertificateList)
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass(NSSCMSMessage, NSS_CMSMessage_Destroy)
NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
NSSCleanupAutoPtrClass(NSSCMSSignedData, NSS_CMSSignedData_Destroy)
NSSCleanupAutoPtrClass(PK11SlotList, PK11_FreeSlotList)
// This is being stored in an uint32_t that can otherwise
// only take values from nsIX509Cert's list of cert types.
@ -198,7 +189,6 @@ void nsNSSCertificate::destructorSafeDestroyNSSReference()
}
if (mCert) {
CERT_DestroyCertificate(mCert);
mCert = nullptr;
}
}
@ -776,7 +766,7 @@ nsNSSCertificate::GetIssuer(nsIX509Cert * *aIssuer)
NS_ENSURE_ARG(aIssuer);
*aIssuer = nullptr;
CERTCertificate *issuer;
ScopedCERTCertificate issuer;
issuer = CERT_FindCertIssuer(mCert, PR_Now(), certUsageSSLClient);
if (issuer) {
nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(issuer);
@ -784,7 +774,6 @@ nsNSSCertificate::GetIssuer(nsIX509Cert * *aIssuer)
*aIssuer = cert;
NS_ADDREF(*aIssuer);
}
CERT_DestroyCertificate(issuer);
}
return NS_OK;
}
@ -822,8 +811,8 @@ nsNSSCertificate::GetChain(nsIArray **_rvChain)
NS_ENSURE_ARG(_rvChain);
nsresult rv;
/* Get the cert chain from NSS */
CERTCertList *nssChain = nullptr;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname));
ScopedCERTCertList nssChain;
nssChain = CERT_GetCertChainFromCert(mCert, PR_Now(), certUsageSSLClient);
if (!nssChain)
return NS_ERROR_FAILURE;
@ -845,8 +834,6 @@ nsNSSCertificate::GetChain(nsIArray **_rvChain)
NS_IF_ADDREF(*_rvChain);
rv = NS_OK;
done:
if (nssChain)
CERT_DestroyCertList(nssChain);
return rv;
}
@ -863,8 +850,7 @@ nsNSSCertificate::GetAllTokenNames(uint32_t *aLength, PRUnichar*** aTokenNames)
*aTokenNames = nullptr;
/* Get the slots from NSS */
PK11SlotList *slots = nullptr;
PK11SlotListCleaner slotCleaner(slots);
ScopedPK11SlotList slots;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting slots for \"%s\"\n", mCert->nickname));
slots = PK11_GetAllSlotsForCert(mCert, nullptr);
if (!slots) {
@ -1082,8 +1068,7 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
return NS_ERROR_OUT_OF_MEMORY;
}
NSSCMSMessage *cmsg = NSS_CMSMessage_Create(nullptr);
NSSCMSMessageCleaner cmsgCleaner(cmsg);
ScopedNSSCMSMessage cmsg(NSS_CMSMessage_Create(nullptr));
if (!cmsg) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
("nsNSSCertificate::ExportAsCMS - can't create CMS message\n"));
@ -1093,8 +1078,8 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
/*
* first, create SignedData with the certificate only (no chain)
*/
NSSCMSSignedData *sigd = NSS_CMSSignedData_CreateCertsOnly(cmsg, mCert, false);
NSSCMSSignedDataCleaner sigdCleaner(sigd);
ScopedNSSCMSSignedData sigd(NSS_CMSSignedData_CreateCertsOnly(cmsg, mCert,
false));
if (!sigd) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
("nsNSSCertificate::ExportAsCMS - can't create SignedData\n"));
@ -1110,8 +1095,8 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
*/
if (chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChain ||
chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot) {
CERTCertificate *issuerCert = CERT_FindCertIssuer(mCert, PR_Now(), certUsageAnyCA);
CERTCertificateCleaner issuerCertCleaner(issuerCert);
ScopedCERTCertificate issuerCert(
CERT_FindCertIssuer(mCert, PR_Now(), certUsageAnyCA));
/*
* the issuerCert of a self signed root is the cert itself,
* so make sure we're not adding duplicates, again
@ -1119,11 +1104,11 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
if (issuerCert && issuerCert != mCert) {
bool includeRoot =
(chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot);
CERTCertificateList *certChain = CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot);
CERTCertificateListCleaner certChainCleaner(certChain);
ScopedCERTCertificateList certChain(
CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot));
if (certChain) {
if (NSS_CMSSignedData_AddCertList(sigd, certChain) == SECSuccess) {
certChainCleaner.detach();
certChain.forget();
}
else {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
@ -1135,7 +1120,7 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
/* try to add the issuerCert, at least */
if (NSS_CMSSignedData_AddCertificate(sigd, issuerCert)
== SECSuccess) {
issuerCertCleaner.detach();
issuerCert.forget();
}
else {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
@ -1149,7 +1134,7 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd)
== SECSuccess) {
sigdCleaner.detach();
sigd.forget();
}
else {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
@ -1507,11 +1492,8 @@ nsNSSCertificate::Equals(nsIX509Cert *other, bool *result)
if (!other2)
return NS_ERROR_FAILURE;
CERTCertificate *cert = other2->GetCert();
ScopedCERTCertificate cert(other2->GetCert());
*result = (mCert == cert);
if (cert) {
CERT_DestroyCertificate(cert);
}
return NS_OK;
}
@ -1600,13 +1582,6 @@ nsNSSCertList::nsNSSCertList(CERTCertList *certList, bool adopt)
}
}
nsNSSCertList::~nsNSSCertList()
{
if (mCertList) {
CERT_DestroyCertList(mCertList);
}
}
/* void addCert (in nsIX509Cert cert); */
NS_IMETHODIMP
nsNSSCertList::AddCert(nsIX509Cert *aCert)
@ -1706,13 +1681,6 @@ nsNSSCertListEnumerator::nsNSSCertListEnumerator(CERTCertList *certList)
mCertList = nsNSSCertList::DupCertList(certList);
}
nsNSSCertListEnumerator::~nsNSSCertListEnumerator()
{
if (mCertList) {
CERT_DestroyCertList(mCertList);
}
}
/* boolean hasMoreElements (); */
NS_IMETHODIMP
nsNSSCertListEnumerator::HasMoreElements(bool *_retval)

19
security/manager/ssl/src/nsNSSCertificate.h
View File

@ -19,6 +19,7 @@
#include "nsISimpleEnumerator.h"
#include "nsISerializable.h"
#include "nsIClassInfo.h"
#include "ScopedNSSTypes.h"
#include "certt.h"
class nsAutoString;
@ -56,7 +57,7 @@ public:
static char* defaultServerNickname(CERTCertificate* cert);
private:
CERTCertificate *mCert;
mozilla::ScopedCERTCertificate mCert;
bool mPermDelete;
uint32_t mCertType;
nsCOMPtr<nsIASN1Object> mASN1Structure;
@ -83,11 +84,15 @@ public:
NS_DECL_NSIX509CERTLIST
nsNSSCertList(CERTCertList *certList = nullptr, bool adopt = false);
virtual ~nsNSSCertList();
static CERTCertList *DupCertList(CERTCertList *aCertList);
private:
CERTCertList *mCertList;
virtual ~nsNSSCertList() { }
mozilla::ScopedCERTCertList mCertList;
nsNSSCertList(const nsNSSCertList &) MOZ_DELETE;
void operator=(const nsNSSCertList &) MOZ_DELETE;
};
class nsNSSCertListEnumerator: public nsISimpleEnumerator
@ -97,9 +102,13 @@ public:
NS_DECL_NSISIMPLEENUMERATOR
nsNSSCertListEnumerator(CERTCertList *certList);
virtual ~nsNSSCertListEnumerator();
private:
CERTCertList *mCertList;
virtual ~nsNSSCertListEnumerator() { }
mozilla::ScopedCERTCertList mCertList;
nsNSSCertListEnumerator(const nsNSSCertListEnumerator &) MOZ_DELETE;
void operator=(const nsNSSCertListEnumerator &) MOZ_DELETE;
};

184
security/manager/ssl/src/nsNSSCertificateDB.cpp
View File

@ -29,11 +29,10 @@
#include "nsComponentManagerUtils.h"
#include "nsIPrompt.h"
#include "nsThreadUtils.h"
#include "ScopedNSSTypes.h"
#include "nspr.h"
#include "pk11func.h"
#include "certdb.h"
#include "cert.h"
#include "secerr.h"
#include "nssb64.h"
#include "secasn1.h"
@ -42,19 +41,12 @@
#include "ocsp.h"
#include "plbase64.h"
#include "nsNSSCleaner.h"
using namespace mozilla;
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
#endif
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
NSSCleanupAutoPtrClass(CERTCertificateList, CERT_DestroyCertificateList)
NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot)
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
@ -73,8 +65,11 @@ nsNSSCertificateDB::FindCertByNickname(nsISupports *aToken,
const nsAString &nickname,
nsIX509Cert **_rvCert)
{
NS_ENSURE_ARG_POINTER(_rvCert);
*_rvCert = nullptr;
nsNSSShutDownPreventionLock locker;
CERTCertificate *cert = nullptr;
ScopedCERTCertificate cert;
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
@ -94,14 +89,11 @@ nsNSSCertificateDB::FindCertByNickname(nsISupports *aToken,
if (cert) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("got it\n"));
nsCOMPtr<nsIX509Cert> pCert = nsNSSCertificate::Create(cert);
CERT_DestroyCertificate(cert);
if (pCert) {
*_rvCert = pCert;
NS_ADDREF(*_rvCert);
pCert.forget(_rvCert);
return NS_OK;
}
}
*_rvCert = nullptr;
return NS_ERROR_FAILURE;
}
@ -109,14 +101,17 @@ NS_IMETHODIMP
nsNSSCertificateDB::FindCertByDBKey(const char *aDBkey, nsISupports *aToken,
nsIX509Cert **_cert)
{
NS_ENSURE_ARG_POINTER(aDBkey);
NS_ENSURE_ARG(aDBkey[0]);
NS_ENSURE_ARG_POINTER(aToken);
NS_ENSURE_ARG_POINTER(_cert);
*_cert = nullptr;
nsNSSShutDownPreventionLock locker;
SECItem keyItem = {siBuffer, nullptr, 0};
SECItem *dummy;
CERTIssuerAndSN issuerSN;
//unsigned long moduleID,slotID;
*_cert = nullptr;
if (!aDBkey || !*aDBkey)
return NS_ERROR_INVALID_ARG;
dummy = NSSBase64_DecodeBuffer(nullptr, &keyItem, aDBkey,
(uint32_t)PL_strlen(aDBkey));
@ -125,7 +120,7 @@ nsNSSCertificateDB::FindCertByDBKey(const char *aDBkey, nsISupports *aToken,
return NS_ERROR_INVALID_ARG;
}
CERTCertificate *cert;
ScopedCERTCertificate cert;
// someday maybe we can speed up the search using the moduleID and slotID
// moduleID = NS_NSS_GET_LONG(keyItem.data);
// slotID = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG]);
@ -146,12 +141,10 @@ nsNSSCertificateDB::FindCertByDBKey(const char *aDBkey, nsISupports *aToken,
cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), &issuerSN);
PR_FREEIF(keyItem.data);
if (cert) {
nsNSSCertificate *nssCert = nsNSSCertificate::Create(cert);
CERT_DestroyCertificate(cert);
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
if (!nssCert)
return NS_ERROR_OUT_OF_MEMORY;
NS_ADDREF(nssCert);
*_cert = static_cast<nsIX509Cert*>(nssCert);
nssCert.forget(_cert);
}
return NS_OK;
}
@ -167,7 +160,7 @@ nsNSSCertificateDB::FindCertNicknames(nsISupports *aToken,
/*
* obtain the cert list from NSS
*/
CERTCertList *certList = nullptr;
ScopedCERTCertList certList;
PK11CertListType pk11type;
#if 0
// this would seem right, but it didn't work...
@ -190,8 +183,6 @@ nsNSSCertificateDB::FindCertNicknames(nsISupports *aToken,
* finish up
*/
cleanup:
if (certList)
CERT_DestroyCertList(certList);
return rv;
}
@ -334,7 +325,7 @@ nsNSSCertificateDB::handleCACertDownload(nsIArray *x509Certs,
return rv;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
CERTCertificate *tmpCert;
ScopedCERTCertificate tmpCert;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
tmpCert = CERT_FindCertByDERCert(certdb, &der);
if (!tmpCert) {
@ -350,8 +341,6 @@ nsNSSCertificateDB::handleCACertDownload(nsIArray *x509Certs,
return NS_ERROR_FAILURE;
}
CERTCertificateCleaner tmpCertCleaner(tmpCert);
if (!CERT_IsCACert(tmpCert, nullptr)) {
DisplayCertificateAlert(ctx, "NotACACert", certToShow);
return NS_ERROR_FAILURE;
@ -393,13 +382,11 @@ nsNSSCertificateDB::handleCACertDownload(nsIArray *x509Certs,
// Import additional delivered certificates that can be verified.
// build a CertList for filtering
CERTCertList *certList = CERT_NewCertList();
ScopedCERTCertList certList(CERT_NewCertList());
if (!certList) {
return NS_ERROR_FAILURE;
}
CERTCertListCleaner listCleaner(certList);
// get all remaining certs into temp store
for (uint32_t i=0; i<numCerts; i++) {
@ -499,7 +486,7 @@ nsNSSCertificateDB::ImportEmailCertificate(uint8_t * data, uint32_t length,
nsresult nsrv = NS_OK;
CERTCertDBHandle *certdb;
CERTCertificate **certArray = nullptr;
CERTCertList *certList = nullptr;
ScopedCERTCertList certList;
CERTCertListNode *node;
PRTime now;
SECCertUsage certusage;
@ -599,8 +586,7 @@ nsNSSCertificateDB::ImportEmailCertificate(uint8_t * data, uint32_t length,
}
}
CERTCertificateList *certChain = nullptr;
CERTCertificateListCleaner chainCleaner(certChain);
ScopedCERTCertificateList certChain;
if (!alert_and_skip) {
certChain = CERT_CertChainFromCert(node->cert, certusage, false);
@ -639,9 +625,6 @@ loser:
if (certArray) {
CERT_DestroyCertArray(certArray, numcerts);
}
if (certList) {
CERT_DestroyCertList(certList);
}
if (arena)
PORT_FreeArena(arena, true);
return nsrv;
@ -655,7 +638,7 @@ nsNSSCertificateDB::ImportServerCertificate(uint8_t * data, uint32_t length,
nsNSSShutDownPreventionLock locker;
SECStatus srv = SECFailure;
nsresult nsrv = NS_OK;
CERTCertificate * cert;
ScopedCERTCertificate cert;
SECItem **rawCerts = nullptr;
int numcerts;
int i;
@ -706,8 +689,6 @@ nsNSSCertificateDB::ImportServerCertificate(uint8_t * data, uint32_t length,
}
loser:
PORT_Free(rawCerts);
if (cert)
CERT_DestroyCertificate(cert);
if (arena)
PORT_FreeArena(arena, true);
return nsrv;
@ -716,7 +697,7 @@ loser:
nsresult
nsNSSCertificateDB::ImportValidCACerts(int numCACerts, SECItem *CACerts, nsIInterfaceRequestor *ctx)
{
CERTCertList *certList = nullptr;
ScopedCERTCertList certList;
SECItem **rawArray;
// build a CertList for filtering
@ -725,8 +706,6 @@ nsNSSCertificateDB::ImportValidCACerts(int numCACerts, SECItem *CACerts, nsIInte
return NS_ERROR_FAILURE;
}
CERTCertListCleaner listCleaner(certList);
// get all certs into temp store
SECStatus srv = SECFailure;
CERTCertificate **certArray = nullptr;
@ -810,8 +789,7 @@ nsNSSCertificateDB::ImportValidCACertsInList(CERTCertList *certList, nsIInterfac
}
}
CERTCertificateList *certChain = nullptr;
CERTCertificateListCleaner chainCleaner(certChain);
ScopedCERTCertificateList certChain;
if (!alert_and_skip) {
certChain = CERT_CertChainFromCert(node->cert, certUsageAnyCA, false);
@ -891,14 +869,14 @@ nsNSSCertificateDB::ImportUserCertificate(uint8_t *data, uint32_t length, nsIInt
}
nsNSSShutDownPreventionLock locker;
PK11SlotInfo *slot;
ScopedPK11SlotInfo slot;
nsAutoCString nickname;
nsresult rv = NS_ERROR_FAILURE;
int numCACerts;
SECItem *CACerts;
CERTDERCerts * collectArgs;
PLArenaPool *arena;
CERTCertificate * cert = nullptr;
ScopedCERTCertificate cert;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
@ -922,7 +900,7 @@ nsNSSCertificateDB::ImportUserCertificate(uint8_t *data, uint32_t length, nsIInt
DisplayCertificateAlert(ctx, "UserCertIgnoredNoPrivateKey", certToShow);
goto loser;
}
PK11_FreeSlot(slot);
slot = nullptr;
/* pick a nickname for the cert */
if (cert->nickname) {
@ -943,7 +921,7 @@ nsNSSCertificateDB::ImportUserCertificate(uint8_t *data, uint32_t length, nsIInt
if (!slot) {
goto loser;
}
PK11_FreeSlot(slot);
slot = nullptr;
{
nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert);
@ -961,9 +939,6 @@ loser:
if (arena) {
PORT_FreeArena(arena, false);
}
if ( cert ) {
CERT_DestroyCertificate(cert);
}
return rv;
}
@ -975,9 +950,8 @@ nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
{
nsNSSShutDownPreventionLock locker;
nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
CERTCertificate *cert = nssCert->GetCert();
ScopedCERTCertificate cert(nssCert->GetCert());
if (!cert) return NS_ERROR_FAILURE;
CERTCertificateCleaner certCleaner(cert);
SECStatus srv = SECSuccess;
uint32_t certType;
@ -1019,8 +993,8 @@ nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
if (!pipCert)
return NS_ERROR_FAILURE;
CERTCertificate *nsscert = pipCert->GetCert();
CERTCertificateCleaner certCleaner(nsscert);
ScopedCERTCertificate nsscert(pipCert->GetCert());
if (type == nsIX509Cert::CA_CERT) {
// always start with untrusted and move up
trust.SetValidCA();
@ -1063,14 +1037,13 @@ nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
nsNSSShutDownPreventionLock locker;
SECStatus srv;
nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
CERTCertificate *nsscert = pipCert->GetCert();
ScopedCERTCertificate nsscert(pipCert->GetCert());
CERTCertTrust nsstrust;
srv = CERT_GetCertTrust(nsscert, &nsstrust);
if (srv != SECSuccess)
return NS_ERROR_FAILURE;
nsNSSCertTrust trust(&nsstrust);
CERT_DestroyCertificate(nsscert);
if (certType == nsIX509Cert::CA_CERT) {
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
*_isTrusted = trust.HasTrustedCA(true, false, false);
@ -1197,10 +1170,9 @@ nsNSSCertificateDB::ExportPKCS12File(nsISupports *aToken,
if (count == 0) return NS_OK;
nsCOMPtr<nsIPK11Token> localRef;
if (!aToken) {
PK11SlotInfo *keySlot = PK11_GetInternalKeySlot();
ScopedPK11SlotInfo keySlot(PK11_GetInternalKeySlot());
NS_ASSERTION(keySlot,"Failed to get the internal key slot");
localRef = new nsPK11Token(keySlot);
PK11_FreeSlot(keySlot);
}
else {
localRef = do_QueryInterface(aToken);
@ -1295,59 +1267,47 @@ nsNSSCertificateDB::GetIsOcspOn(bool *aOcspOn)
NS_IMETHODIMP
nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString &aNickname, nsIX509Cert **_retval)
{
if (!_retval)
return NS_ERROR_FAILURE;
*_retval = 0;
NS_ENSURE_ARG_POINTER(_retval);
*_retval = nullptr;
if (aNickname.IsEmpty())
return NS_OK;
nsNSSShutDownPreventionLock locker;
nsresult rv = NS_OK;
CERTCertificate *cert = 0;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
nsNSSCertificate *nssCert = nullptr;
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
/* Find a good cert in the user's database */
ScopedCERTCertificate cert;
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname,
certUsageEmailRecipient, true, ctx);
if (!cert) { goto loser; }
nssCert = nsNSSCertificate::Create(cert);
if (!nssCert) {
rv = NS_ERROR_OUT_OF_MEMORY;
if (!cert) {
return NS_OK;
}
NS_ADDREF(nssCert);
*_retval = static_cast<nsIX509Cert*>(nssCert);
loser:
if (cert) CERT_DestroyCertificate(cert);
return rv;
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
if (!nssCert) {
return NS_ERROR_OUT_OF_MEMORY;
}
nssCert.forget(_retval);
return NS_OK;
}
/* nsIX509Cert getDefaultEmailSigningCert (); */
NS_IMETHODIMP
nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert **_retval)
{
if (!_retval)
return NS_ERROR_FAILURE;
*_retval = 0;
NS_ENSURE_ARG_POINTER(_retval);
*_retval = nullptr;
if (aNickname.IsEmpty())
return NS_OK;
nsNSSShutDownPreventionLock locker;
nsresult rv = NS_OK;
CERTCertificate *cert = 0;
ScopedCERTCertificate cert;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
nsNSSCertificate *nssCert = nullptr;
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
@ -1355,20 +1315,16 @@ nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert
/* Find a good cert in the user's database */
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname,
certUsageEmailSigner, true, ctx);
if (!cert) { goto loser; }
nssCert = nsNSSCertificate::Create(cert);
if (!nssCert) {
rv = NS_ERROR_OUT_OF_MEMORY;
if (!cert) {
return NS_OK;
}
NS_ADDREF(nssCert);
*_retval = static_cast<nsIX509Cert*>(nssCert);
loser:
if (cert) CERT_DestroyCertificate(cert);
return rv;
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
if (!nssCert) {
return NS_ERROR_OUT_OF_MEMORY;
}
nssCert.forget(_retval);
return NS_OK;
}
NS_IMETHODIMP
@ -1389,15 +1345,14 @@ nsNSSCertificateDB::FindCertByEmailAddress(nsISupports *aToken, const char *aEma
return nsrv;
}
CERTCertList *certlist = PK11_FindCertsFromEmailAddress(aEmailAddress, nullptr);
ScopedCERTCertList certlist(
PK11_FindCertsFromEmailAddress(aEmailAddress, nullptr));
if (!certlist)
return NS_ERROR_FAILURE;
// certlist now contains certificates with the right email address,
// but they might not have the correct usage or might even be invalid
CERTCertListCleaner listCleaner(certlist);
if (CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist))
return NS_ERROR_FAILURE; // no certs found
@ -1476,7 +1431,8 @@ nsNSSCertificateDB::ConstructX509FromBase64(const char *base64,
secitem_cert.data = (unsigned char*)certDER;
secitem_cert.len = lengthDER;
CERTCertificate *cert =
ScopedCERTCertificate cert;
cert =
CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert,
nullptr, false, true);
PL_strfree(certDER);
@ -1485,13 +1441,12 @@ nsNSSCertificateDB::ConstructX509FromBase64(const char *base64,
return (PORT_GetError() == SEC_ERROR_NO_MEMORY)
? NS_ERROR_OUT_OF_MEMORY : NS_ERROR_FAILURE;
nsNSSCertificate *nsNSS = nsNSSCertificate::Create(cert);
CERT_DestroyCertificate(cert);
if (!nsNSS)
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
if (!nssCert) {
return NS_ERROR_OUT_OF_MEMORY;
return CallQueryInterface(nsNSS, _retval);
}
nssCert.forget(_retval);
return NS_OK;
}
void
@ -1547,8 +1502,7 @@ nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert,
* then we need to check for nicknames that already exist on the smart
* card.
*/
PK11SlotInfo *slot = PK11_KeyForCertExists(cert, &keyHandle, ctx);
PK11SlotInfoCleaner slotCleaner(slot);
ScopedPK11SlotInfo slot(PK11_KeyForCertExists(cert, &keyHandle, ctx));
if (!slot)
return;
@ -1576,8 +1530,7 @@ nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert,
PR_smprintf_free(tmp);
}
CERTCertificate *dummycert = nullptr;
CERTCertificateCleaner dummycertCleaner(dummycert);
ScopedCERTCertificate dummycert;
if (PK11_IsInternal(slot)) {
/* look up the nickname to make sure it isn't in use already */
@ -1600,7 +1553,6 @@ nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert,
* the same subject name on the smart card, so let's use this
* nickname.
*/
CERT_DestroyCertificate(dummycert);
dummycert = nullptr;
}
}
@ -1633,9 +1585,8 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const c
NS_ENSURE_SUCCESS(rv, rv);
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
CERTCertificate *tmpCert;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
tmpCert = CERT_FindCertByDERCert(certdb, &der);
ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
if (!tmpCert)
tmpCert = CERT_NewTempCertificate(certdb, &der,
nullptr, false, true);
@ -1649,12 +1600,9 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const c
}
if (tmpCert->isperm) {
CERT_DestroyCertificate(tmpCert);
return NS_OK;
}
CERTCertificateCleaner tmpCertCleaner(tmpCert);
nsXPIDLCString nickname;
nickname.Adopt(CERT_MakeCANickname(tmpCert));

37
security/manager/ssl/src/nsNSSIOLayer.cpp
View File

@ -27,6 +27,7 @@
#include "nsCharSeparatedTokenizer.h"
#include "nsIConsoleService.h"
#include "PSMRunnable.h"
#include "ScopedNSSTypes.h"
#include "ssl.h"
#include "secerr.h"
@ -49,7 +50,6 @@ using namespace mozilla::psm;
namespace {
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass(void, PR_FREEIF)
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
@ -259,8 +259,7 @@ nsNSSSocketInfo::JoinConnection(const nsACString & npnProtocol,
// Ensure that the server certificate covers the hostname that would
// like to join this connection
CERTCertificate *nssCert = nullptr;
CERTCertificateCleaner nsscertCleaner(nssCert);
ScopedCERTCertificate nssCert;
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(SSLStatus()->mServerCert);
if (cert2)
@ -1914,11 +1913,11 @@ void ClientAuthDataRunnable::RunOnTargetThread()
{
PLArenaPool* arena = nullptr;
char** caNameStrings;
CERTCertificate* cert = nullptr;
SECKEYPrivateKey* privKey = nullptr;
CERTCertList* certList = nullptr;
ScopedCERTCertificate cert;
ScopedSECKEYPrivateKey privKey;
ScopedCERTCertList certList;
CERTCertListNode* node;
CERTCertNicknames* nicknames = nullptr;
ScopedCERTCertNicknames nicknames;
char* extracted = nullptr;
int keyError = 0; /* used for private key retrieval error */
SSM_UserCertChoice certChoice;
@ -1972,8 +1971,7 @@ void ClientAuthDataRunnable::RunOnTargetThread()
goto noCert;
}
CERTCertificate* low_prio_nonrep_cert = nullptr;
CERTCertificateCleaner low_prio_cleaner(low_prio_nonrep_cert);
ScopedCERTCertificate low_prio_nonrep_cert;
/* loop through the list until we find a cert with a key */
while (!CERT_LIST_END(node, certList)) {
@ -1991,7 +1989,6 @@ void ClientAuthDataRunnable::RunOnTargetThread()
privKey = PK11_FindKeyByAnyCert(node->cert, wincx);
if (privKey) {
if (hasExplicitKeyUsageNonRepudiation(node->cert)) {
SECKEY_DestroyPrivateKey(privKey);
privKey = nullptr;
// Not a prefered cert
if (!low_prio_nonrep_cert) // did not yet find a low prio cert
@ -2013,8 +2010,7 @@ void ClientAuthDataRunnable::RunOnTargetThread()
}
if (!cert && low_prio_nonrep_cert) {
cert = low_prio_nonrep_cert;
low_prio_nonrep_cert = nullptr; // take it away from the cleaner
cert = low_prio_nonrep_cert.forget();
privKey = PK11_FindKeyByAnyCert(cert, wincx);
}
@ -2270,7 +2266,8 @@ if (!hasRemembered)
}
if (cars && wantRemember) {
cars->RememberDecision(hostname, mServerCert, canceled ? 0 : cert);
cars->RememberDecision(hostname, mServerCert,
canceled ? nullptr : cert.get());
}
}
@ -2300,28 +2297,18 @@ loser:
if (mRV == SECSuccess) {
mRV = SECFailure;
}
if (cert) {
CERT_DestroyCertificate(cert);
cert = nullptr;
}
done:
int error = PR_GetError();
if (extracted) {
PR_Free(extracted);
}
if (nicknames) {
CERT_FreeNicknames(nicknames);
}
if (certList) {
CERT_DestroyCertList(certList);
}
if (arena) {
PORT_FreeArena(arena, false);
}
*mPRetCert = cert;
*mPRetKey = privKey;
*mPRetCert = cert.forget();
*mPRetKey = privKey.forget();
if (mRV == SECFailure) {
mErrorCodeToReport = error;

10
security/manager/ssl/src/nsPKCS12Blob.cpp
View File

@ -26,15 +26,15 @@
#include "nsICertificateDialogs.h"
#include "nsNSSShutDown.h"
#include "nsCRT.h"
#include "pk11func.h"
#include "ScopedNSSTypes.h"
#include "secerr.h"
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
#endif
#include "nsNSSCleaner.h"
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
using namespace mozilla;
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
@ -360,9 +360,7 @@ nsPKCS12Blob::ExportToFile(nsIFile *file,
// nsNSSCertificate *cert = reinterpret_cast<nsNSSCertificate *>(certs[i]);
nsNSSCertificate *cert = (nsNSSCertificate *)certs[i];
// get it as a CERTCertificate XXX
CERTCertificate *nssCert = NULL;
CERTCertificateCleaner nssCertCleaner(nssCert);
nssCert = cert->GetCert();
ScopedCERTCertificate nssCert(cert->GetCert());
if (!nssCert) {
rv = NS_ERROR_FAILURE;
goto finish;

9
security/manager/ssl/src/nsRecentBadCerts.cpp
View File

@ -18,12 +18,8 @@
#include "certdb.h"
#include "sechash.h"
#include "nsNSSCleaner.h"
using namespace mozilla;
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NS_IMPL_THREADSAFE_ISUPPORTS1(nsRecentBadCertsService,
nsIRecentBadCertsService)
@ -78,9 +74,8 @@ nsRecentBadCertsService::GetRecentBadCert(const nsAString & aHostNameWithPort,
}
if (foundDER.len) {
CERTCertificate *nssCert;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
nssCert = CERT_FindCertByDERCert(certdb, &foundDER);
ScopedCERTCertificate nssCert(CERT_FindCertByDERCert(certdb, &foundDER));
if (!nssCert)
nssCert = CERT_NewTempCertificate(certdb, &foundDER,
nullptr, // no nickname
@ -93,8 +88,6 @@ nsRecentBadCertsService::GetRecentBadCert(const nsAString & aHostNameWithPort,
return NS_ERROR_FAILURE;
status->mServerCert = nsNSSCertificate::Create(nssCert);
CERT_DestroyCertificate(nssCert);
status->mHaveCertErrorBits = true;
status->mIsDomainMismatch = isDomainMismatch;
status->mIsNotValidAtThisTime = isNotValidAtThisTime;

16
security/manager/ssl/src/nsSDR.cpp
View File

@ -21,14 +21,14 @@
#include "nsSDR.h"
#include "nsNSSComponent.h"
#include "nsNSSShutDown.h"
#include "ScopedNSSTypes.h"
#include "pk11func.h"
#include "pk11sdr.h" // For PK11SDR_Encrypt, PK11SDR_Decrypt
#include "ssl.h" // For SSL_ClearSessionCache
#include "nsNSSCleaner.h"
NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot)
using namespace mozilla;
// Standard ISupports implementation
// NOTE: Should these be the thread-safe versions?
@ -51,8 +51,7 @@ Encrypt(unsigned char * data, int32_t dataLen, unsigned char * *result, int32_t
{
nsNSSShutDownPreventionLock locker;
nsresult rv = NS_OK;
PK11SlotInfo *slot = 0;
PK11SlotInfoCleaner tmpSlotCleaner(slot);
ScopedPK11SlotInfo slot;
SECItem keyid;
SECItem request;
SECItem reply;
@ -94,8 +93,7 @@ Decrypt(unsigned char * data, int32_t dataLen, unsigned char * *result, int32_t
{
nsNSSShutDownPreventionLock locker;
nsresult rv = NS_OK;
PK11SlotInfo *slot = 0;
PK11SlotInfoCleaner tmpSlotCleaner(slot);
ScopedPK11SlotInfo slot;
SECStatus s;
SECItem request;
SECItem reply;
@ -200,16 +198,12 @@ ChangePassword()
{
nsNSSShutDownPreventionLock locker;
nsresult rv;
PK11SlotInfo *slot;
slot = PK11_GetInternalKeySlot();
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) return NS_ERROR_NOT_AVAILABLE;
/* Convert UTF8 token name to UCS2 */
NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(slot));
PK11_FreeSlot(slot);
/* Get the set password dialog handler imlementation */
nsCOMPtr<nsITokenPasswordDialogs> dialogs;