Backed out changeset 9963c30121ab (bug 1700165) for causing failures on test_certs.js. CLOSED TREE

security/manager/ssl/nsCertOverrideService.cpp

@@ -743,6 +743,48 @@ void nsCertOverrideService::CountPermanentOverrideTelemetry(
                         overrideCount);
 }
 
+static bool matchesDBKey(nsIX509Cert* cert, const nsCString& matchDbKey) {
+  nsAutoCString dbKey;
+  nsresult rv = cert->GetDbKey(dbKey);
+  if (NS_FAILED(rv)) {
+    return false;
+  }
+  return dbKey.Equals(matchDbKey);
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::IsCertUsedForOverrides(nsIX509Cert* aCert,
+                                              bool aCheckTemporaries,
+                                              bool aCheckPermanents,
+                                              uint32_t* aRetval) {
+  NS_ENSURE_ARG(aCert);
+  NS_ENSURE_ARG(aRetval);
+
+  uint32_t counter = 0;
+  {
+    MutexAutoLock lock(mMutex);
+    for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) {
+      RefPtr<nsCertOverride> settings = iter.Get()->mSettings;
+
+      if ((settings->mIsTemporary && !aCheckTemporaries) ||
+          (!settings->mIsTemporary && !aCheckPermanents)) {
+        continue;
+      }
+
+      if (matchesDBKey(aCert, settings->mDBKey)) {
+        nsAutoCString certFingerprint;
+        nsresult rv = GetCertSha256Fingerprint(aCert, certFingerprint);
+        if (NS_SUCCEEDED(rv) &&
+            settings->mFingerprint.Equals(certFingerprint)) {
+          counter++;
+        }
+      }
+    }
+  }
+  *aRetval = counter;
+  return NS_OK;
+}
+
 static bool IsDebugger() {
 #ifdef ENABLE_WEBDRIVER
   nsCOMPtr<nsIMarionette> marionette = do_GetService(NS_MARIONETTE_CONTRACTID);

security/manager/ssl/nsICertOverrideService.idl

@@ -193,6 +193,18 @@ interface nsICertOverrideService : nsISupports {
    */
   void clearAllOverrides();
 
+  /**
+   *  Is the given cert used in rules?
+   *
+   *  @param aCert The cert we're looking for
+   *  @return how many override entries are currently on file
+   *          for the given certificate
+   */
+  [must_use]
+  uint32_t isCertUsedForOverrides(in nsIX509Cert aCert,
+                                  in boolean aCheckTemporaries,
+                                  in boolean aCheckPermanents);
+
   Array<nsICertOverride> getOverrides();
 
   /**

toolkit/components/cleardata/tests/unit/test_certs.js

@@ -27,16 +27,10 @@ add_task(async function() {
 
   ok(cert, "Cert was created");
 
-  Assert.ok(
-    !overrideService.hasMatchingOverride(
-      TEST_URI.asciiHost,
-      TEST_URI.port,
-      {},
-      cert,
-      {},
-      {}
-    ),
-    `Should not have override for ${TEST_URI.asciiHost}:${TEST_URI.port} yet`
+  Assert.equal(
+    overrideService.isCertUsedForOverrides(cert, true, true),
+    0,
+    "Cert should not be used for override yet"
   );
 
   overrideService.rememberValidityOverride(
@@ -48,16 +42,10 @@ add_task(async function() {
     false
   );
 
-  Assert.ok(
-    overrideService.hasMatchingOverride(
-      TEST_URI.asciiHost,
-      TEST_URI.port,
-      {},
-      cert,
-      {},
-      {}
-    ),
-    `Should have override for ${TEST_URI.asciiHost}:${TEST_URI.port} now`
+  Assert.equal(
+    overrideService.isCertUsedForOverrides(cert, true, true),
+    1,
+    "Cert should be used for override now"
   );
 
   await new Promise(aResolve => {
@@ -72,16 +60,10 @@ add_task(async function() {
     );
   });
 
-  Assert.ok(
-    !overrideService.hasMatchingOverride(
-      TEST_URI.asciiHost,
-      TEST_URI.port,
-      {},
-      cert,
-      {},
-      {}
-    ),
-    `Should not have override for ${TEST_URI.asciiHost}:${TEST_URI.port} now`
+  Assert.equal(
+    overrideService.isCertUsedForOverrides(cert, true, true),
+    0,
+    "Cert should not be used for override now"
   );
 
   for (let uri of [TEST_URI, ANOTHER_TEST_URI, YET_ANOTHER_TEST_URI]) {