Bug 1751078 - avoid passing an extra copy of the server certificate's bytes during verification r=jschanck

Differential Revision: https://phabricator.services.mozilla.com/D136680
2022-01-26 21:23:50 +00:00 · 2022-01-26 21:23:50 +00:00 · 161c96d597
--- a/ipc/glue/BackgroundParentImpl.cpp
+++ b/ipc/glue/BackgroundParentImpl.cpp
@ -793,9 +793,8 @@ bool BackgroundParentImpl::DeallocPUDPSocketParent(PUDPSocketParent* actor) {

 already_AddRefed<mozilla::psm::PVerifySSLServerCertParent>
 BackgroundParentImpl::AllocPVerifySSLServerCertParent(
-    const ByteArray& aServerCert, const nsTArray<ByteArray>& aPeerCertChain,
-    const nsCString& aHostName, const int32_t& aPort,
-    const OriginAttributes& aOriginAttributes,
+    const nsTArray<ByteArray>& aPeerCertChain, const nsCString& aHostName,
+    const int32_t& aPort, const OriginAttributes& aOriginAttributes,
    const Maybe<ByteArray>& aStapledOCSPResponse,
    const Maybe<ByteArray>& aSctsFromTLSExtension,
    const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
@ -807,17 +806,17 @@ BackgroundParentImpl::AllocPVerifySSLServerCertParent(

 mozilla::ipc::IPCResult
 BackgroundParentImpl::RecvPVerifySSLServerCertConstructor(
-    PVerifySSLServerCertParent* aActor, const ByteArray& aServerCert,
-    nsTArray<ByteArray>&& aPeerCertChain, const nsCString& aHostName,
-    const int32_t& aPort, const OriginAttributes& aOriginAttributes,
+    PVerifySSLServerCertParent* aActor, nsTArray<ByteArray>&& aPeerCertChain,
+    const nsCString& aHostName, const int32_t& aPort,
+    const OriginAttributes& aOriginAttributes,
    const Maybe<ByteArray>& aStapledOCSPResponse,
    const Maybe<ByteArray>& aSctsFromTLSExtension,
    const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
    const uint32_t& aProviderFlags, const uint32_t& aCertVerifierFlags) {
  mozilla::psm::VerifySSLServerCertParent* authCert =
      static_cast<mozilla::psm::VerifySSLServerCertParent*>(aActor);
-  if (!authCert->Dispatch(aServerCert, std::move(aPeerCertChain), aHostName,
-                          aPort, aOriginAttributes, aStapledOCSPResponse,
+  if (!authCert->Dispatch(std::move(aPeerCertChain), aHostName, aPort,
+                          aOriginAttributes, aStapledOCSPResponse,
                          aSctsFromTLSExtension, aDcInfo, aProviderFlags,
                          aCertVerifierFlags)) {
    return IPC_FAIL_NO_REASON(this);
--- a/ipc/glue/BackgroundParentImpl.h
+++ b/ipc/glue/BackgroundParentImpl.h
@ -214,9 +214,8 @@ class BackgroundParentImpl : public PBackgroundParent,

  already_AddRefed<mozilla::psm::PVerifySSLServerCertParent>
  AllocPVerifySSLServerCertParent(
-      const ByteArray& aServerCert, const nsTArray<ByteArray>& aPeerCertChain,
-      const nsCString& aHostName, const int32_t& aPort,
-      const OriginAttributes& aOriginAttributes,
+      const nsTArray<ByteArray>& aPeerCertChain, const nsCString& aHostName,
+      const int32_t& aPort, const OriginAttributes& aOriginAttributes,
      const Maybe<ByteArray>& aStapledOCSPResponse,
      const Maybe<ByteArray>& aSctsFromTLSExtension,
      const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
@ -224,9 +223,9 @@ class BackgroundParentImpl : public PBackgroundParent,
      const uint32_t& aCertVerifierFlags) override;

  mozilla::ipc::IPCResult RecvPVerifySSLServerCertConstructor(
-      PVerifySSLServerCertParent* aActor, const ByteArray& aServerCert,
-      nsTArray<ByteArray>&& aPeerCertChain, const nsCString& aHostName,
-      const int32_t& aPort, const OriginAttributes& aOriginAttributes,
+      PVerifySSLServerCertParent* aActor, nsTArray<ByteArray>&& aPeerCertChain,
+      const nsCString& aHostName, const int32_t& aPort,
+      const OriginAttributes& aOriginAttributes,
      const Maybe<ByteArray>& aStapledOCSPResponse,
      const Maybe<ByteArray>& aSctsFromTLSExtension,
      const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
--- a/ipc/glue/PBackground.ipdl
+++ b/ipc/glue/PBackground.ipdl
@ -271,8 +271,7 @@ parent:

  async PMediaTransport();

-  async PVerifySSLServerCert(ByteArray aServerCert,
-                             ByteArray[] aPeerCertChain,
+  async PVerifySSLServerCert(ByteArray[] aPeerCertChain,
                             nsCString aHostName,
                             int32_t aPort,
                             OriginAttributes aOriginAttributes,
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@ -688,34 +688,6 @@ static void CollectCertTelemetry(
  }
 }

-static void AuthCertificateSetResults(
-    TransportSecurityInfo* aInfoObject, const nsCOMPtr<nsIX509Cert>& aCert,
-    nsTArray<nsTArray<uint8_t>>&& aBuiltCertChain,
-    nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
-    uint16_t aCertificateTransparencyStatus, EVStatus aEvStatus,
-    bool aSucceeded, bool aIsBuiltCertChainRootBuiltInRoot) {
-  MOZ_ASSERT(aInfoObject);
-  if (aSucceeded) {
-    // Certificate verification succeeded. Delete any potential record of
-    // certificate error bits.
-    RememberCertErrorsTable::GetInstance().RememberCertHasError(aInfoObject,
-                                                                SECSuccess);
-
-    aInfoObject->SetServerCert(aCert, aEvStatus);
-    aInfoObject->SetSucceededCertChain(std::move(aBuiltCertChain));
-    MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("AuthCertificate setting NEW cert"));
-
-    aInfoObject->SetIsBuiltCertChainRootBuiltInRoot(
-        aIsBuiltCertChainRootBuiltInRoot);
-    aInfoObject->SetCertificateTransparencyStatus(
-        aCertificateTransparencyStatus);
-  } else {
-    // Certificate validation failed; store the peer certificate chain on
-    // infoObject so it can be used for error reporting.
-    aInfoObject->SetFailedCertChain(std::move(aPeerCertChain));
-  }
-}
-
 // Note: Takes ownership of |peerCertChain| if SECSuccess is not returned.
 Result AuthCertificate(
    CertVerifier& certVerifier, void* aPinArg,
@ -885,7 +857,6 @@ static nsTArray<nsTArray<uint8_t>> CreateCertBytesArray(
 /*static*/
 SECStatus SSLServerCertVerificationJob::Dispatch(
    uint64_t addrForLogging, void* aPinArg,
-    const UniqueCERTCertificate& serverCert,
    nsTArray<nsTArray<uint8_t>>&& peerCertChain, const nsACString& aHostName,
    int32_t aPort, const OriginAttributes& aOriginAttributes,
    Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
@ -894,9 +865,10 @@ SECStatus SSLServerCertVerificationJob::Dispatch(
    uint32_t certVerifierFlags,
    BaseSSLServerCertVerificationResult* aResultTask) {
  // Runs on the socket transport thread
-  if (!aResultTask || !serverCert) {
-    NS_ERROR("Invalid parameters for SSL server cert validation");
-    PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+  if (!aResultTask || peerCertChain.IsEmpty()) {
+    MOZ_ASSERT_UNREACHABLE(
+        "must have result task and non-empty peer cert chain");
+    PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
    return SECFailure;
  }

@ -906,9 +878,9 @@ SECStatus SSLServerCertVerificationJob::Dispatch(
  }

  RefPtr<SSLServerCertVerificationJob> job(new SSLServerCertVerificationJob(
-      addrForLogging, aPinArg, serverCert, std::move(peerCertChain), aHostName,
-      aPort, aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension,
-      dcInfo, providerFlags, time, certVerifierFlags, aResultTask));
+      addrForLogging, aPinArg, std::move(peerCertChain), aHostName, aPort,
+      aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension, dcInfo,
+      providerFlags, time, certVerifierFlags, aResultTask));

  nsresult nrv = gCertVerificationThreadPool->Dispatch(job, NS_DISPATCH_NORMAL);
  if (NS_FAILED(nrv)) {
@ -948,14 +920,13 @@ SSLServerCertVerificationJob::Run() {
  CertificateTransparencyInfo certificateTransparencyInfo;
  bool isCertChainRootBuiltInRoot = false;
  nsTArray<nsTArray<uint8_t>> builtChainBytesArray;
-  nsTArray<uint8_t> certBytes(mCert->derCert.data, mCert->derCert.len);
+  nsTArray<uint8_t> certBytes(mPeerCertChain.ElementAt(0).Clone());
  Result rv = AuthCertificate(
      *certVerifier, mPinArg, certBytes, mPeerCertChain, mHostName,
      mOriginAttributes, mStapledOCSPResponse, mSCTsFromTLSExtension, mDCInfo,
      mProviderFlags, mTime, mCertVerifierFlags, builtChainBytesArray, evStatus,
      certificateTransparencyInfo, isCertChainRootBuiltInRoot);

-  nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(mCert.get()));
  if (rv == Success) {
    Telemetry::AccumulateTimeDelta(
        Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX, jobStartTime,
@ -963,7 +934,7 @@ SSLServerCertVerificationJob::Run() {
    Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, 1);

    mResultTask->Dispatch(
-        cert, std::move(builtChainBytesArray), std::move(mPeerCertChain),
+        std::move(builtChainBytesArray), std::move(mPeerCertChain),
        TransportSecurityInfo::ConvertCertificateTransparencyInfoToStatus(
            certificateTransparencyInfo),
        evStatus, true, 0, 0, isCertChainRootBuiltInRoot, mProviderFlags);
@ -976,13 +947,14 @@ SSLServerCertVerificationJob::Run() {

  PRErrorCode error = MapResultToPRErrorCode(rv);
  uint32_t collectedErrors = 0;
+  nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes)));
  PRErrorCode finalError = AuthCertificateParseResults(
      mAddrForLogging, mHostName, mPort, mOriginAttributes, cert,
      mProviderFlags, mTime, error, collectedErrors);

  // NB: finalError may be 0 here, in which the connection will continue.
  mResultTask->Dispatch(
-      cert, std::move(builtChainBytesArray), std::move(mPeerCertChain),
+      std::move(builtChainBytesArray), std::move(mPeerCertChain),
      nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE,
      EVStatus::NotEV, false, finalError, collectedErrors, false,
      mProviderFlags);
@ -993,8 +965,7 @@ SSLServerCertVerificationJob::Run() {
 //  checks and calls SSLServerCertVerificationJob::Dispatch.
 SECStatus AuthCertificateHookInternal(
    TransportSecurityInfo* infoObject, const void* aPtrForLogging,
-    const UniqueCERTCertificate& serverCert, const nsACString& hostName,
-    nsTArray<nsTArray<uint8_t>>&& peerCertChain,
+    const nsACString& hostName, nsTArray<nsTArray<uint8_t>>&& peerCertChain,
    Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
    Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
    Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags,
@ -1004,7 +975,7 @@ SECStatus AuthCertificateHookInternal(
  MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
          ("[%p] starting AuthCertificateHookInternal\n", aPtrForLogging));

-  if (!infoObject || !serverCert) {
+  if (!infoObject || peerCertChain.IsEmpty()) {
    PR_SetError(PR_INVALID_STATE_ERROR, 0);
    return SECFailure;
  }
@ -1036,7 +1007,7 @@ SECStatus AuthCertificateHookInternal(

  if (XRE_IsSocketProcess()) {
    return RemoteProcessCertVerification(
-        serverCert, std::move(peerCertChain), hostName, infoObject->GetPort(),
+        std::move(peerCertChain), hostName, infoObject->GetPort(),
        infoObject->GetOriginAttributes(), stapledOCSPResponse,
        sctsFromTLSExtension, dcInfo, providerFlags, certVerifierFlags,
        resultTask);
@ -1047,7 +1018,7 @@ SECStatus AuthCertificateHookInternal(
  // and we *want* to do certificate verification on a background thread
  // because of the performance benefits of doing so.
  return SSLServerCertVerificationJob::Dispatch(
-      addr, infoObject, serverCert, std::move(peerCertChain), hostName,
+      addr, infoObject, std::move(peerCertChain), hostName,
      infoObject->GetPort(), infoObject->GetOriginAttributes(),
      stapledOCSPResponse, sctsFromTLSExtension, dcInfo, providerFlags, Now(),
      certVerifierFlags, resultTask);
@ -1151,10 +1122,10 @@ SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
  const nsACString& hostname =
      verifyToEchPublicName ? echPublicName : socketInfo->GetHostName();
  socketInfo->SetCertVerificationWaiting();
-  rv = AuthCertificateHookInternal(
-      socketInfo, static_cast<const void*>(fd), serverCert, hostname,
-      std::move(peerCertsBytes), stapledOCSPResponse, sctsFromTLSExtension,
-      dcInfo, providerFlags, certVerifierFlags);
+  rv = AuthCertificateHookInternal(socketInfo, static_cast<const void*>(fd),
+                                   hostname, std::move(peerCertsBytes),
+                                   stapledOCSPResponse, sctsFromTLSExtension,
+                                   dcInfo, providerFlags, certVerifierFlags);
  return rv;
 }

@ -1171,16 +1142,6 @@ SECStatus AuthCertificateHookWithInfo(
    return SECFailure;
  }

-  SECItem der = {SECItemType::siBuffer, peerCertChain[0].Elements(),
-                 (uint32_t)peerCertChain[0].Length()};
-  UniqueCERTCertificate cert(CERT_NewTempCertificate(
-      CERT_GetDefaultCertDB(), &der, nullptr, false, true));
-  if (!cert) {
-    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
-            ("AuthCertificateHookWithInfo: cert failed"));
-    return SECFailure;
-  }
-
  // we currently only support single stapled responses
  Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
  if (stapledOCSPResponses && (stapledOCSPResponses->Length() == 1)) {
@ -1200,8 +1161,8 @@ SECStatus AuthCertificateHookWithInfo(
  // for Delegated Credentials.
  Maybe<DelegatedCredentialInfo> dcInfo;

-  return AuthCertificateHookInternal(infoObject, aPtrForLogging, cert,
-                                     aHostName, std::move(peerCertChain),
+  return AuthCertificateHookInternal(infoObject, aPtrForLogging, aHostName,
+                                     std::move(peerCertChain),
                                     stapledOCSPResponse, sctsFromTLSExtension,
                                     dcInfo, providerFlags, certVerifierFlags);
 }
@ -1220,12 +1181,11 @@ SSLServerCertVerificationResult::SSLServerCertVerificationResult(
      mProviderFlags(0) {}

 void SSLServerCertVerificationResult::Dispatch(
-    nsCOMPtr<nsIX509Cert> aCert, nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
+    nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
    nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
    uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
    bool aSucceeded, PRErrorCode aFinalError, uint32_t aCollectedErrors,
    bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags) {
-  mCert = aCert;
  mBuiltChain = std::move(aBuiltChain);
  mPeerCertChain = std::move(aPeerCertChain);
  mCertificateTransparencyStatus = aCertificateTransparencyStatus;
@ -1236,6 +1196,18 @@ void SSLServerCertVerificationResult::Dispatch(
  mIsBuiltCertChainRootBuiltInRoot = aIsBuiltCertChainRootBuiltInRoot;
  mProviderFlags = aProviderFlags;

+  if (mSucceeded && mBuiltChain.IsEmpty()) {
+    MOZ_ASSERT_UNREACHABLE(
+        "if the handshake succeeded, the built chain shouldn't be empty");
+    mSucceeded = false;
+    mFinalError = SEC_ERROR_LIBRARY_FAILURE;
+  }
+  if (!mSucceeded && mPeerCertChain.IsEmpty()) {
+    MOZ_ASSERT_UNREACHABLE(
+        "if the handshake failed, the peer chain shouldn't be empty");
+    mFinalError = SEC_ERROR_LIBRARY_FAILURE;
+  }
+
  nsresult rv;
  nsCOMPtr<nsIEventTarget> stsTarget =
      do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv);
@ -1265,14 +1237,34 @@ SSLServerCertVerificationResult::Run() {
    SaveIntermediateCerts(mBuiltChain);
  }

-  AuthCertificateSetResults(mInfoObject, mCert, std::move(mBuiltChain),
-                            std::move(mPeerCertChain),
-                            mCertificateTransparencyStatus, mEVStatus,
-                            mSucceeded, mIsBuiltCertChainRootBuiltInRoot);
+  if (mSucceeded) {
+    // Certificate verification succeeded. Delete any potential record of
+    // certificate error bits.
+    RememberCertErrorsTable::GetInstance().RememberCertHasError(mInfoObject,
+                                                                SECSuccess);

-  if (!mSucceeded && mCollectedErrors != 0) {
-    mInfoObject->SetStatusErrorBits(mCert, mCollectedErrors);
+    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+            ("SSLServerCertVerificationResult::Run setting NEW cert"));
+    nsTArray<uint8_t> certBytes(mBuiltChain.ElementAt(0).Clone());
+    nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes)));
+    mInfoObject->SetServerCert(cert, mEVStatus);
+    mInfoObject->SetSucceededCertChain(std::move(mBuiltChain));
+
+    mInfoObject->SetIsBuiltCertChainRootBuiltInRoot(
+        mIsBuiltCertChainRootBuiltInRoot);
+    mInfoObject->SetCertificateTransparencyStatus(
+        mCertificateTransparencyStatus);
+  } else {
+    nsTArray<uint8_t> certBytes(mPeerCertChain.ElementAt(0).Clone());
+    nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes)));
+    // Certificate validation failed; store the peer certificate chain on
+    // infoObject so it can be used for error reporting.
+    mInfoObject->SetFailedCertChain(std::move(mPeerCertChain));
+    if (mCollectedErrors != 0) {
+      mInfoObject->SetStatusErrorBits(cert, mCollectedErrors);
+    }
  }
+
  mInfoObject->SetCertVerificationResult(mFinalError);
  return NS_OK;
 }
--- a/security/manager/ssl/SSLServerCertVerification.h
+++ b/security/manager/ssl/SSLServerCertVerification.h
@ -43,8 +43,7 @@ class BaseSSLServerCertVerificationResult {
 public:
  NS_INLINE_DECL_PURE_VIRTUAL_REFCOUNTING

-  virtual void Dispatch(nsCOMPtr<nsIX509Cert> aCert,
-                        nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
+  virtual void Dispatch(nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
                        nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
                        uint16_t aCertificateTransparencyStatus,
                        EVStatus aEVStatus, bool aSucceeded,
@ -68,8 +67,7 @@ class SSLServerCertVerificationResult final

  explicit SSLServerCertVerificationResult(TransportSecurityInfo* infoObject);

-  void Dispatch(nsCOMPtr<nsIX509Cert> aCert,
-                nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
+  void Dispatch(nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
                nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
                uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
                bool aSucceeded, PRErrorCode aFinalError,
@ -81,7 +79,6 @@ class SSLServerCertVerificationResult final
  ~SSLServerCertVerificationResult() = default;

  const RefPtr<TransportSecurityInfo> mInfoObject;
-  nsCOMPtr<nsIX509Cert> mCert;
  nsTArray<nsTArray<uint8_t>> mBuiltChain;
  nsTArray<nsTArray<uint8_t>> mPeerCertChain;
  uint16_t mCertificateTransparencyStatus;
@ -99,7 +96,6 @@ class SSLServerCertVerificationJob : public Runnable {

  // Must be called only on the socket transport thread
  static SECStatus Dispatch(uint64_t addrForLogging, void* aPinArg,
-                            const UniqueCERTCertificate& serverCert,
                            nsTArray<nsTArray<uint8_t>>&& peerCertChain,
                            const nsACString& aHostName, int32_t aPort,
                            const OriginAttributes& aOriginAttributes,
@ -115,7 +111,6 @@ class SSLServerCertVerificationJob : public Runnable {

  // Must be called only on the socket transport thread
  SSLServerCertVerificationJob(uint64_t addrForLogging, void* aPinArg,
-                               const UniqueCERTCertificate& cert,
                               nsTArray<nsTArray<uint8_t>>&& peerCertChain,
                               const nsACString& aHostName, int32_t aPort,
                               const OriginAttributes& aOriginAttributes,
@ -128,7 +123,6 @@ class SSLServerCertVerificationJob : public Runnable {
      : Runnable("psm::SSLServerCertVerificationJob"),
        mAddrForLogging(addrForLogging),
        mPinArg(aPinArg),
-        mCert(CERT_DupCertificate(cert.get())),
        mPeerCertChain(std::move(peerCertChain)),
        mHostName(aHostName),
        mPort(aPort),
@ -143,7 +137,6 @@ class SSLServerCertVerificationJob : public Runnable {

  uint64_t mAddrForLogging;
  void* mPinArg;
-  const UniqueCERTCertificate mCert;
  nsTArray<nsTArray<uint8_t>> mPeerCertChain;
  nsCString mHostName;
  int32_t mPort;
--- a/security/manager/ssl/VerifySSLServerCertChild.cpp
+++ b/security/manager/ssl/VerifySSLServerCertChild.cpp
@ -19,11 +19,9 @@ namespace mozilla {
 namespace psm {

 VerifySSLServerCertChild::VerifySSLServerCertChild(
-    const UniqueCERTCertificate& aCert,
    SSLServerCertVerificationResult* aResultTask,
    nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags)
-    : mCert(CERT_DupCertificate(aCert.get())),
-      mResultTask(aResultTask),
+    : mResultTask(aResultTask),
      mPeerCertChain(std::move(aPeerCertChain)),
      mProviderFlags(aProviderFlags) {}

@ -35,14 +33,13 @@ ipc::IPCResult VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertSuccess(
          ("[%p] VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertSuccess",
           this));

-  nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(mCert.get()));
  nsTArray<nsTArray<uint8_t>> certBytesArray;
  for (auto& cert : aBuiltCertChain) {
    certBytesArray.AppendElement(std::move(cert.data()));
  }

-  mResultTask->Dispatch(cert, std::move(certBytesArray),
-                        std::move(mPeerCertChain), aCertTransparencyStatus,
+  mResultTask->Dispatch(std::move(certBytesArray), std::move(mPeerCertChain),
+                        aCertTransparencyStatus,
                        static_cast<EVStatus>(aEVStatus), true, 0, 0,
                        aIsBuiltCertChainRootBuiltInRoot, mProviderFlags);
  return IPC_OK();
@ -56,9 +53,8 @@ ipc::IPCResult VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertFailure(
           "aCollectedErrors=%u",
           this, aFinalError, aCollectedErrors));

-  nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(mCert.get()));
  mResultTask->Dispatch(
-      cert, nsTArray<nsTArray<uint8_t>>(), std::move(mPeerCertChain),
+      nsTArray<nsTArray<uint8_t>>(), std::move(mPeerCertChain),
      nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE,
      EVStatus::NotEV, false, aFinalError, aCollectedErrors, false,
      mProviderFlags);
@ -66,7 +62,6 @@ ipc::IPCResult VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertFailure(
 }

 SECStatus RemoteProcessCertVerification(
-    const UniqueCERTCertificate& aCert,
    nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, const nsACString& aHostName,
    int32_t aPort, const OriginAttributes& aOriginAttributes,
    Maybe<nsTArray<uint8_t>>& aStapledOCSPResponse,
@ -78,9 +73,6 @@ SECStatus RemoteProcessCertVerification(
    return SECFailure;
  }

-  const ByteArray serverCertSerialized =
-      CopyableTArray<uint8_t>{aCert->derCert.data, aCert->derCert.len};
-
  nsTArray<ByteArray> peerCertBytes;
  for (auto& certBytes : aPeerCertChain) {
    peerCertBytes.AppendElement(ByteArray(certBytes));
@ -113,12 +105,11 @@ SECStatus RemoteProcessCertVerification(
  }

  RefPtr<VerifySSLServerCertChild> authCert = new VerifySSLServerCertChild(
-      aCert, aResultTask, std::move(aPeerCertChain), aProviderFlags);
+      aResultTask, std::move(aPeerCertChain), aProviderFlags);
  if (!actorChild->SendPVerifySSLServerCertConstructor(
-          authCert, serverCertSerialized, peerCertBytes,
-          PromiseFlatCString(aHostName), aPort, aOriginAttributes,
-          stapledOCSPResponse, sctsFromTLSExtension, dcInfo, aProviderFlags,
-          aCertVerifierFlags)) {
+          authCert, peerCertBytes, PromiseFlatCString(aHostName), aPort,
+          aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension, dcInfo,
+          aProviderFlags, aCertVerifierFlags)) {
    PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
    return SECFailure;
  }
--- a/security/manager/ssl/VerifySSLServerCertChild.h
+++ b/security/manager/ssl/VerifySSLServerCertChild.h
@ -27,7 +27,6 @@ class VerifySSLServerCertChild : public PVerifySSLServerCertChild {
  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VerifySSLServerCertChild, override);

  explicit VerifySSLServerCertChild(
-      const UniqueCERTCertificate& aCert,
      SSLServerCertVerificationResult* aResultTask,
      nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags);

@ -42,14 +41,12 @@ class VerifySSLServerCertChild : public PVerifySSLServerCertChild {
 private:
  ~VerifySSLServerCertChild() = default;

-  UniqueCERTCertificate mCert;
  RefPtr<SSLServerCertVerificationResult> mResultTask;
  nsTArray<nsTArray<uint8_t>> mPeerCertChain;
  uint32_t mProviderFlags;
 };

 SECStatus RemoteProcessCertVerification(
-    const UniqueCERTCertificate& aCert,
    nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, const nsACString& aHostName,
    int32_t aPort, const OriginAttributes& aOriginAttributes,
    Maybe<nsTArray<uint8_t>>& aStapledOCSPResponse,
--- a/security/manager/ssl/VerifySSLServerCertParent.cpp
+++ b/security/manager/ssl/VerifySSLServerCertParent.cpp
@ -61,8 +61,7 @@ class IPCServerCertVerificationResult final
                                  VerifySSLServerCertParent* aParent)
      : mTarget(aTarget), mParent(aParent) {}

-  void Dispatch(nsCOMPtr<nsIX509Cert> aCert,
-                nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
+  void Dispatch(nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
                nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
                uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
                bool aSucceeded, PRErrorCode aFinalError,
@ -78,7 +77,7 @@ class IPCServerCertVerificationResult final
 };

 void IPCServerCertVerificationResult::Dispatch(
-    nsCOMPtr<nsIX509Cert> aCert, nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
+    nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
    nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
    uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
    bool aSucceeded, PRErrorCode aFinalError, uint32_t aCollectedErrors,
@ -120,9 +119,8 @@ void IPCServerCertVerificationResult::Dispatch(
 }  // anonymous namespace

 bool VerifySSLServerCertParent::Dispatch(
-    const ByteArray& aServerCert, nsTArray<ByteArray>&& aPeerCertChain,
-    const nsCString& aHostName, const int32_t& aPort,
-    const OriginAttributes& aOriginAttributes,
+    nsTArray<ByteArray>&& aPeerCertChain, const nsCString& aHostName,
+    const int32_t& aPort, const OriginAttributes& aOriginAttributes,
    const Maybe<ByteArray>& aStapledOCSPResponse,
    const Maybe<ByteArray>& aSctsFromTLSExtension,
    const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
@ -132,19 +130,6 @@ bool VerifySSLServerCertParent::Dispatch(

  mBackgroundThread = NS_GetCurrentThread();

-  SECItem serverCertItem = {
-      siBuffer, const_cast<uint8_t*>(aServerCert.data().Elements()),
-      static_cast<unsigned int>(aServerCert.data().Length())};
-  UniqueCERTCertificate serverCert(CERT_NewTempCertificate(
-      CERT_GetDefaultCertDB(), &serverCertItem, nullptr, false, true));
-  if (!serverCert) {
-    MOZ_LOG(
-        gPIPNSSLog, LogLevel::Debug,
-        ("VerifySSLServerCertParent::Dispatch - CERT_NewTempCertificate cert "
-         "failed."));
-    return false;
-  }
-
  nsTArray<nsTArray<uint8_t>> peerCertBytes;
  for (auto& certBytes : aPeerCertChain) {
    nsTArray<uint8_t> bytes;
@ -171,9 +156,9 @@ bool VerifySSLServerCertParent::Dispatch(
  RefPtr<IPCServerCertVerificationResult> resultTask =
      new IPCServerCertVerificationResult(mBackgroundThread, this);
  SECStatus status = SSLServerCertVerificationJob::Dispatch(
-      0, nullptr, serverCert, std::move(peerCertBytes), aHostName, aPort,
-      aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension, dcInfo,
-      aProviderFlags, Now(), aCertVerifierFlags, resultTask);
+      0, nullptr, std::move(peerCertBytes), aHostName, aPort, aOriginAttributes,
+      stapledOCSPResponse, sctsFromTLSExtension, dcInfo, aProviderFlags, Now(),
+      aCertVerifierFlags, resultTask);

  if (status != SECWouldBlock) {
    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
--- a/security/manager/ssl/VerifySSLServerCertParent.h
+++ b/security/manager/ssl/VerifySSLServerCertParent.h
@ -30,8 +30,7 @@ class VerifySSLServerCertParent : public PVerifySSLServerCertParent {

  VerifySSLServerCertParent();

-  bool Dispatch(const ByteArray& aServerCert,
-                nsTArray<ByteArray>&& aPeerCertChain,
+  bool Dispatch(nsTArray<ByteArray>&& aPeerCertChain,
                const nsCString& aHostName, const int32_t& aPort,
                const OriginAttributes& aOriginAttributes,
                const Maybe<ByteArray>& aStapledOCSPResponse,