Bug 1308143 - Clean up ExtendedValidation.cpp. r=keeler

In general, the changes here attempt to: 1. Fix up the style to match modern PSM style. 2. Shorten unnecessarily long code. 3. Reduce global scope pollution. MozReview-Commit-ID: GFyqFgV0RLD --HG-- extra : source : 8cb5ee464e42ff07324922abeffef00c7cb1fb1b
2017-05-09 00:53:21 +08:00 · 2017-05-09 00:53:21 +08:00 · 7b21c27198
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@ -7,7 +7,6 @@
 #include "ExtendedValidation.h"

 #include "cert.h"
-#include "certdb.h"
 #include "hasht.h"
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/Assertions.h"
@ -18,23 +17,24 @@
 #include "nsString.h"
 #include "pk11pub.h"
 #include "pkix/pkixtypes.h"
-#include "prerror.h"

-struct nsMyTrustedEVInfo
+namespace mozilla { namespace psm {
+
+struct EVInfo
 {
  // See bug 1338873 about making these fields const.
-  const char* dotted_oid;
-  const char* oid_name; // Set this to null to signal an invalid structure,
+  const char* dottedOid;
+  const char* oidName; // Set this to null to signal an invalid structure,
                  // (We can't have an empty list, so we'll use a dummy entry)
-  unsigned char ev_root_sha256_fingerprint[SHA256_LENGTH];
-  const char* issuer_base64;
-  const char* serial_base64;
+  unsigned char sha256Fingerprint[SHA256_LENGTH];
+  const char* issuerBase64;
+  const char* serialBase64;
 };

 // HOWTO enable additional CA root certificates for EV:
 //
 // For each combination of "root certificate" and "policy OID",
-// one entry must be added to the array named myTrustedEVInfos.
+// one entry must be added to the array named kEVInfos.
 //
 // We use the combination of "issuer name" and "serial number" to
 // uniquely identify the certificate. In order to avoid problems
@ -86,9 +86,9 @@ struct nsMyTrustedEVInfo
 static const size_t NUM_TEST_EV_ROOTS = 2;
 #endif

-static const struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
+static const struct EVInfo kEVInfos[] = {
  // IMPORTANT! When extending this list, if you add another entry that uses
-  // the same dotted_oid as an existing entry, use the same oid_name.
+  // the same dottedOid as an existing entry, use the same oidName.
 #ifdef DEBUG
  // Debug EV certificates should all use the following OID:
  // 1.3.6.1.4.1.13769.666.666.666.1.500.9.1.
@ -1132,11 +1132,11 @@ static const struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
  },
 };

-static SECOidTag sEVInfoOIDTags[mozilla::ArrayLength(myTrustedEVInfos)];
+static SECOidTag sEVInfoOIDTags[ArrayLength(kEVInfos)];

 static_assert(SEC_OID_UNKNOWN == 0,
  "We depend on zero-initialized globals being interpreted as SEC_OID_UNKNOWN.");
-static_assert(mozilla::ArrayLength(sEVInfoOIDTags) == mozilla::ArrayLength(myTrustedEVInfos),
+static_assert(ArrayLength(sEVInfoOIDTags) == ArrayLength(kEVInfos),
  "These arrays are used in parallel and must have the same length.");

 static SECOidTag
@ -1170,8 +1170,6 @@ isEVPolicy(SECOidTag policyOIDTag)
  return false;
 }

-namespace mozilla { namespace psm {
-
 bool
 CertIsAuthoritativeForEVPolicy(const UniqueCERTCertificate& cert,
                               const mozilla::pkix::CertPolicyId& policy)
@ -1190,13 +1188,13 @@ CertIsAuthoritativeForEVPolicy(const UniqueCERTCertificate& cert,
  }

  const SECOidData* cabforumOIDData = SECOID_FindOIDByTag(sCABForumEVOIDTag);
-  for (size_t iEV = 0; iEV < mozilla::ArrayLength(myTrustedEVInfos); ++iEV) {
-    const nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
+  for (size_t i = 0; i < ArrayLength(kEVInfos); ++i) {
+    const EVInfo& entry = kEVInfos[i];

    // This check ensures that only the specific roots we approve for EV get
    // that status, and not certs (roots or otherwise) that happen to have an
    // OID that's already been approved for EV.
-    if (!PodEqual(fingerprint, entry.ev_root_sha256_fingerprint)) {
+    if (!PodEqual(fingerprint, entry.sha256Fingerprint)) {
      continue;
    }

@ -1204,7 +1202,7 @@ CertIsAuthoritativeForEVPolicy(const UniqueCERTCertificate& cert,
        PodEqual(cabforumOIDData->oid.data, policy.bytes, policy.numBytes)) {
      return true;
    }
-    const SECOidData* oidData = SECOID_FindOIDByTag(sEVInfoOIDTags[iEV]);
+    const SECOidData* oidData = SECOID_FindOIDByTag(sEVInfoOIDTags[i]);
    if (oidData && oidData->oid.len == policy.numBytes &&
        PodEqual(oidData->oid.data, policy.bytes, policy.numBytes)) {
      return true;
@ -1220,7 +1218,7 @@ LoadExtendedValidationInfo()
  static const char* sCABForumOIDString = "2.23.140.1.1";
  static const char* sCABForumOIDDescription = "CA/Browser Forum EV OID";

-  mozilla::ScopedAutoSECItem cabforumOIDItem;
+  ScopedAutoSECItem cabforumOIDItem;
  if (SEC_StringToOID(nullptr, &cabforumOIDItem, sCABForumOIDString, 0)
        != SECSuccess) {
    return NS_ERROR_FAILURE;
@ -1230,8 +1228,8 @@ LoadExtendedValidationInfo()
    return NS_ERROR_FAILURE;
  }

-  for (size_t iEV = 0; iEV < mozilla::ArrayLength(myTrustedEVInfos); ++iEV) {
-    const nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
+  for (size_t i = 0; i < ArrayLength(kEVInfos); ++i) {
+    const EVInfo& entry = kEVInfos[i];

    SECStatus srv;
 #ifdef DEBUG
@ -1241,7 +1239,7 @@ LoadExtendedValidationInfo()
    // unnecessary to check this in non-debug builds since we will safely fall
    // back to DV if the EV information is incorrect.
    nsAutoCString derIssuer;
-    nsresult rv = Base64Decode(nsDependentCString(entry.issuer_base64),
+    nsresult rv = Base64Decode(nsDependentCString(entry.issuerBase64),
                               derIssuer);
    MOZ_ASSERT(NS_SUCCEEDED(rv), "Could not base64-decode built-in EV issuer");
    if (NS_FAILED(rv)) {
@ -1249,7 +1247,7 @@ LoadExtendedValidationInfo()
    }

    nsAutoCString serialNumber;
-    rv = Base64Decode(nsDependentCString(entry.serial_base64), serialNumber);
+    rv = Base64Decode(nsDependentCString(entry.serialBase64), serialNumber);
    MOZ_ASSERT(NS_SUCCEEDED(rv), "Could not base64-decode built-in EV serial");
    if (NS_FAILED(rv)) {
      return rv;
@ -1273,7 +1271,7 @@ LoadExtendedValidationInfo()
      // The entries for the debug EV roots are at indices 0 through
      // NUM_TEST_EV_ROOTS - 1. Since they're not built-in, they probably
      // haven't been loaded yet.
-      MOZ_ASSERT(iEV < NUM_TEST_EV_ROOTS, "Could not find built-in EV root");
+      MOZ_ASSERT(i < NUM_TEST_EV_ROOTS, "Could not find built-in EV root");
    } else {
      unsigned char certFingerprint[SHA256_LENGTH];
      srv = PK11_HashBuf(SEC_OID_SHA256, certFingerprint, cert->derCert.data,
@ -1282,7 +1280,7 @@ LoadExtendedValidationInfo()
      if (srv != SECSuccess) {
        return NS_ERROR_FAILURE;
      }
-      bool same = PodEqual(certFingerprint, entry.ev_root_sha256_fingerprint);
+      bool same = PodEqual(certFingerprint, entry.sha256Fingerprint);
      MOZ_ASSERT(same, "EV root fingerprint mismatch");
      if (!same) {
        return NS_ERROR_FAILURE;
@ -1290,14 +1288,14 @@ LoadExtendedValidationInfo()
    }
 #endif
    // This is the code that actually enables these roots for EV.
-    mozilla::ScopedAutoSECItem evOIDItem;
-    srv = SEC_StringToOID(nullptr, &evOIDItem, entry.dotted_oid, 0);
+    ScopedAutoSECItem evOIDItem;
+    srv = SEC_StringToOID(nullptr, &evOIDItem, entry.dottedOid, 0);
    MOZ_ASSERT(srv == SECSuccess, "SEC_StringToOID failed");
    if (srv != SECSuccess) {
      return NS_ERROR_FAILURE;
    }
-    sEVInfoOIDTags[iEV] = RegisterOID(evOIDItem, entry.oid_name);
-    if (sEVInfoOIDTags[iEV] == SEC_OID_UNKNOWN) {
+    sEVInfoOIDTags[i] = RegisterOID(evOIDItem, entry.oidName);
+    if (sEVInfoOIDTags[i] == SEC_OID_UNKNOWN) {
      return NS_ERROR_FAILURE;
    }
  }