diff --git a/security/manager/ssl/nsCertOverrideService.cpp b/security/manager/ssl/nsCertOverrideService.cpp
index 7b5be221a9cb..48c45ccf8798 100644
--- a/security/manager/ssl/nsCertOverrideService.cpp
+++ b/security/manager/ssl/nsCertOverrideService.cpp
@@ -424,13 +424,15 @@ nsresult nsCertOverrideService::Write(const MutexAutoLock& aProofOfLock) {
 return NS_OK;
 }
-static nsresult GetCertFingerprintByOidTag(nsIX509Cert* aCert,
- SECOidTag aOidTag, nsCString& fp) {
- UniqueCERTCertificate nsscert(aCert->GetCert());
- if (!nsscert) {
- return NS_ERROR_FAILURE;
+static nsresult GetCertSha256Fingerprint(nsIX509Cert* aCert,
+ nsCString& aResult) {
+ nsAutoString fpStrUTF16;
+ nsresult rv = aCert->GetSha256Fingerprint(fpStrUTF16);
+ if (NS_FAILED(rv)) {
+ return rv;
 }
- return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
+ aResult.Assign(NS_ConvertUTF16toUTF8(fpStrUTF16));
+ return NS_OK;
 }
 NS_IMETHODIMP
@@ -473,8 +475,10 @@ nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
 }
 nsAutoCString fpStr;
- rv = GetCertFingerprintByOidTag(nsscert.get(), SEC_OID_SHA256, fpStr);
- if (NS_FAILED(rv)) return rv;
+ rv = GetCertSha256Fingerprint(aCert, fpStr);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
 nsAutoCString dbkey;
 rv = aCert->GetDbKey(dbkey);
@@ -565,9 +569,7 @@ nsCertOverrideService::HasMatchingOverride(const nsACString& aHostName,
 *aIsTemporary = settings->mIsTemporary;
 nsAutoCString fpStr;
- nsresult rv;
-
- rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, fpStr);
+ nsresult rv = GetCertSha256Fingerprint(aCert, fpStr);
 if (NS_FAILED(rv)) {
 return rv;
 }
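Review bot: Nothing on the new `GetCertSha256Fingerprint` helper in the `@@ -424` hunk records that its output must stay byte-identical to what the removed `CERT_Hexify(&digestItem, 1)` path produced, yet the result is compared with `settings->mFingerprint.Equals(...)` in the `@@ -704` and `@@ -759` hunks. If `GetSha256Fingerprint` ever differs in case or separators, overrides stored earlier (presumably persisted through `Write`) would silently stop matching. I would add a comment above the helper, for example `// Output format must match fingerprints already stored in mFingerprint (separator and case).`, and pin the format with a test against a previously stored entry. The identically named helper added in nsClientAuthRemember.cpp feeds `GetEntryKey` and needs the same guarantee.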
@@ -704,11 +706,10 @@ nsCertOverrideService::IsCertUsedForOverrides(nsIX509Cert* aCert,
 }
 if (matchesDBKey(aCert, settings->mDBKey)) {
- nsAutoCString cert_fingerprint;
- nsresult rv =
- GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, cert_fingerprint);
+ nsAutoCString certFingerprint;
+ nsresult rv = GetCertSha256Fingerprint(aCert, certFingerprint);
 if (NS_SUCCEEDED(rv) &&
- settings->mFingerprint.Equals(cert_fingerprint)) {
+ settings->mFingerprint.Equals(certFingerprint)) {
 counter++;
 }
 }
@@ -759,11 +760,10 @@ nsresult nsCertOverrideService::EnumerateCertOverrides(
 aEnumerator(settings, aUserData);
 } else {
 if (matchesDBKey(aCert, settings->mDBKey)) {
- nsAutoCString cert_fingerprint;
- nsresult rv =
- GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, cert_fingerprint);
+ nsAutoCString certFingerprint;
+ nsresult rv = GetCertSha256Fingerprint(aCert, certFingerprint);
 if (NS_SUCCEEDED(rv) &&
- settings->mFingerprint.Equals(certFingerprint)) {
+ settings->mFingerprint.Equals(certFingerprint)) {
 aEnumerator(settings, aUserData);
 }
 }
diff --git a/security/manager/ssl/nsClientAuthRemember.cpp b/security/manager/ssl/nsClientAuthRemember.cpp
index c22a2ff1832b..a61b98ce8b6d 100644
--- a/security/manager/ssl/nsClientAuthRemember.cpp
+++ b/security/manager/ssl/nsClientAuthRemember.cpp
@@ -146,6 +146,18 @@ nsClientAuthRememberService::DeleteDecisionsByHost(
 return nssComponent->ClearSSLExternalAndInternalSessionCache();
 }
+static nsresult GetCertSha256Fingerprint(CERTCertificate* aNssCert,
+ nsCString& aResult) {
+ nsCOMPtr cert(nsNSSCertificate::Create(aNssCert));
+ nsAutoString fpStrUTF16;
+ nsresult rv = cert->GetSha256Fingerprint(fpStrUTF16);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ aResult.Assign(NS_ConvertUTF16toUTF8(fpStrUTF16));
+ return NS_OK;
+}
+
 NS_IMETHODIMP
 nsClientAuthRememberService::RememberDecision(
 const nsACString& aHostName, const OriginAttributes& aOriginAttributes,
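Review bot: The fingerprint of `aCert` is recomputed inside the `matchesDBKey` branch each time an entry matches, and a failed computation is folded into "no match" by `NS_SUCCEEDED(rv) && ...`, so an error looks the same as a certificate that has no overrides. The same pattern is in the `@@ -759` hunk in `EnumerateCertOverrides`. Since `aCert` does not change between entries, I would compute it once before the iteration (the loop itself is outside both hunks, so this is inferred from `counter++` and `aEnumerator(settings, aUserData)`) with `nsresult rv = GetCertSha256Fingerprint(aCert, certFingerprint);` followed by `if (NS_FAILED(rv)) { return rv; }`. If silently skipping on failure is intended, a short comment saying so would help the next reader.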
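Review bot: In the `@@ -146` hunk `cert` is dereferenced by `cert->GetSha256Fingerprint(fpStrUTF16)` straight after `nsNSSCertificate::Create(aNssCert)` with no null check, so a null `aNssCert` or a `Create` that yields null would crash here instead of returning an error. Whether `Create` can return null is not visible in this hunk, but the guard is cheap: `if (!cert) { return NS_ERROR_FAILURE; }` before the call. A file-local static with the same name but an `nsIX509Cert*` parameter is also added in nsCertOverrideService.cpp. A one-line comment on each saying why there are two would keep them from drifting apart.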
@@ -158,7 +170,7 @@ nsClientAuthRememberService::RememberDecision(
 }
 nsAutoCString fpStr;
- nsresult rv = GetCertFingerprintByOidTag(aServerCert, SEC_OID_SHA256, fpStr);
+ nsresult rv = GetCertSha256Fingerprint(aServerCert, fpStr);
 if (NS_FAILED(rv)) {
 return rv;
 }
@@ -189,10 +201,11 @@ nsClientAuthRememberService::HasRememberedDecision(
 *aRetVal = false;
 aCertDBKey.Truncate();
- nsresult rv;
 nsAutoCString fpStr;
- rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, fpStr);
- if (NS_FAILED(rv)) return rv;
+ nsresult rv = GetCertSha256Fingerprint(aCert, fpStr);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
 nsAutoCString entryKey;
 GetEntryKey(aHostName, aOriginAttributes, fpStr, entryKey);
diff --git a/security/manager/ssl/nsNSSCertHelper.cpp b/security/manager/ssl/nsNSSCertHelper.cpp
index c5d579a7ac8f..faff726b7e70 100644
--- a/security/manager/ssl/nsNSSCertHelper.cpp
+++ b/security/manager/ssl/nsNSSCertHelper.cpp
@@ -98,20 +98,3 @@ void LossyUTF8ToUTF16(const char* str, uint32_t len,
 CopyASCIItoUTF16(span, result);
 }
 }
-
-nsresult GetCertFingerprintByOidTag(CERTCertificate* nsscert, SECOidTag aOidTag,
- nsCString& fp) {
- nsTArray digestArray;
- nsresult rv = Digest::DigestBuf(aOidTag, nsscert->derCert.data,
- nsscert->derCert.len, digestArray);
- NS_ENSURE_SUCCESS(rv, rv);
-
- SECItem digestItem = {siBuffer, digestArray.Elements(),
- static_cast(digestArray.Length())};
-
- UniquePORTString tmpstr(CERT_Hexify(&digestItem, 1));
- NS_ENSURE_TRUE(tmpstr, NS_ERROR_OUT_OF_MEMORY);
-
- fp.Assign(tmpstr.get());
- return NS_OK;
-}
diff --git a/security/manager/ssl/nsNSSCertHelper.h b/security/manager/ssl/nsNSSCertHelper.h
index 50066304805a..453e2e21eb3a 100644
--- a/security/manager/ssl/nsNSSCertHelper.h
+++ b/security/manager/ssl/nsNSSCertHelper.h
@@ -15,8 +15,7 @@ extern const char* kRootModuleName;
 extern const size_t kRootModuleNameLen;
-nsresult GetCertFingerprintByOidTag(CERTCertificate* nsscert, SECOidTag aOidTag,
- nsCString& fp);
+class nsIX509Cert;
 // If input is valid UTF-8, converts from UTF-8 to UTF-16. Otherwise,
 // converts from Latin1 to UTF-16.