Bug 1680320 - Use nsIX509Cert::GetSha256Fingerprint instead of GetCertFingerprintByOidTag r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D99107

security/manager/ssl/nsCertOverrideService.cpp

@@ -424,13 +424,15 @@ nsresult nsCertOverrideService::Write(const MutexAutoLock& aProofOfLock) {
   return NS_OK;
 }
 
-static nsresult GetCertFingerprintByOidTag(nsIX509Cert* aCert,
-                                           SECOidTag aOidTag, nsCString& fp) {
-  UniqueCERTCertificate nsscert(aCert->GetCert());
-  if (!nsscert) {
-    return NS_ERROR_FAILURE;
+static nsresult GetCertSha256Fingerprint(nsIX509Cert* aCert,
+                                         nsCString& aResult) {
+  nsAutoString fpStrUTF16;
+  nsresult rv = aCert->GetSha256Fingerprint(fpStrUTF16);
+  if (NS_FAILED(rv)) {
+    return rv;
   }
-  return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
+  aResult.Assign(NS_ConvertUTF16toUTF8(fpStrUTF16));
+  return NS_OK;
 }
 
 NS_IMETHODIMP
@@ -473,8 +475,10 @@ nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
   }
 
   nsAutoCString fpStr;
-  rv = GetCertFingerprintByOidTag(nsscert.get(), SEC_OID_SHA256, fpStr);
-  if (NS_FAILED(rv)) return rv;
+  rv = GetCertSha256Fingerprint(aCert, fpStr);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
 
   nsAutoCString dbkey;
   rv = aCert->GetDbKey(dbkey);
@@ -565,9 +569,7 @@ nsCertOverrideService::HasMatchingOverride(const nsACString& aHostName,
   *aIsTemporary = settings->mIsTemporary;
 
   nsAutoCString fpStr;
-  nsresult rv;
-
-  rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, fpStr);
+  nsresult rv = GetCertSha256Fingerprint(aCert, fpStr);
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -704,11 +706,10 @@ nsCertOverrideService::IsCertUsedForOverrides(nsIX509Cert* aCert,
       }
 
       if (matchesDBKey(aCert, settings->mDBKey)) {
-        nsAutoCString cert_fingerprint;
-        nsresult rv =
-            GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, cert_fingerprint);
+        nsAutoCString certFingerprint;
+        nsresult rv = GetCertSha256Fingerprint(aCert, certFingerprint);
         if (NS_SUCCEEDED(rv) &&
-            settings->mFingerprint.Equals(cert_fingerprint)) {
+            settings->mFingerprint.Equals(certFingerprint)) {
           counter++;
         }
       }
@@ -759,11 +760,10 @@ nsresult nsCertOverrideService::EnumerateCertOverrides(
       aEnumerator(settings, aUserData);
     } else {
       if (matchesDBKey(aCert, settings->mDBKey)) {
-        nsAutoCString cert_fingerprint;
-        nsresult rv =
-            GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, cert_fingerprint);
+        nsAutoCString certFingerprint;
+        nsresult rv = GetCertSha256Fingerprint(aCert, certFingerprint);
         if (NS_SUCCEEDED(rv) &&
-            settings->mFingerprint.Equals(cert_fingerprint)) {
+            settings->mFingerprint.Equals(certFingerprint)) {
           aEnumerator(settings, aUserData);
         }
       }

security/manager/ssl/nsClientAuthRemember.cpp

@@ -146,6 +146,18 @@ nsClientAuthRememberService::DeleteDecisionsByHost(
   return nssComponent->ClearSSLExternalAndInternalSessionCache();
 }
 
+static nsresult GetCertSha256Fingerprint(CERTCertificate* aNssCert,
+                                         nsCString& aResult) {
+  nsCOMPtr<nsIX509Cert> cert(nsNSSCertificate::Create(aNssCert));
+  nsAutoString fpStrUTF16;
+  nsresult rv = cert->GetSha256Fingerprint(fpStrUTF16);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  aResult.Assign(NS_ConvertUTF16toUTF8(fpStrUTF16));
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 nsClientAuthRememberService::RememberDecision(
     const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
@@ -158,7 +170,7 @@ nsClientAuthRememberService::RememberDecision(
   }
 
   nsAutoCString fpStr;
-  nsresult rv = GetCertFingerprintByOidTag(aServerCert, SEC_OID_SHA256, fpStr);
+  nsresult rv = GetCertSha256Fingerprint(aServerCert, fpStr);
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -189,10 +201,11 @@ nsClientAuthRememberService::HasRememberedDecision(
   *aRetVal = false;
   aCertDBKey.Truncate();
 
-  nsresult rv;
   nsAutoCString fpStr;
-  rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, fpStr);
-  if (NS_FAILED(rv)) return rv;
+  nsresult rv = GetCertSha256Fingerprint(aCert, fpStr);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
 
   nsAutoCString entryKey;
   GetEntryKey(aHostName, aOriginAttributes, fpStr, entryKey);

security/manager/ssl/nsNSSCertHelper.cpp

@@ -98,20 +98,3 @@ void LossyUTF8ToUTF16(const char* str, uint32_t len,
     CopyASCIItoUTF16(span, result);
   }
 }
-
-nsresult GetCertFingerprintByOidTag(CERTCertificate* nsscert, SECOidTag aOidTag,
-                                    nsCString& fp) {
-  nsTArray<uint8_t> digestArray;
-  nsresult rv = Digest::DigestBuf(aOidTag, nsscert->derCert.data,
-                                  nsscert->derCert.len, digestArray);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  SECItem digestItem = {siBuffer, digestArray.Elements(),
-                        static_cast<unsigned int>(digestArray.Length())};
-
-  UniquePORTString tmpstr(CERT_Hexify(&digestItem, 1));
-  NS_ENSURE_TRUE(tmpstr, NS_ERROR_OUT_OF_MEMORY);
-
-  fp.Assign(tmpstr.get());
-  return NS_OK;
-}

security/manager/ssl/nsNSSCertHelper.h

@@ -15,8 +15,7 @@
 extern const char* kRootModuleName;
 extern const size_t kRootModuleNameLen;
 
-nsresult GetCertFingerprintByOidTag(CERTCertificate* nsscert, SECOidTag aOidTag,
-                                    nsCString& fp);
+class nsIX509Cert;
 
 // If input is valid UTF-8, converts from UTF-8 to UTF-16. Otherwise,
 // converts from Latin1 to UTF-16.