Bug 1468222 Consolidate nsISSLStatus info nsITransportSecurityInfo r=Gijs,snorp,jcj,mcmanus,sfraser,keeler,baku,ato

Move all fields of nsISSLStatus to nsITransportSecurityProvider
Remove nsISSLStatus interface and definition
Update all code and test references to nsISSLStatus
Maintain ability to read in older version of serialized nsISSLStatus.  This
is verified with psm_DeserializeCert gtest.

Differential Revision: https://phabricator.services.mozilla.com/D3704

--HG--
extra : moz-landing-system : lando

browser/base/content/browser-siteIdentity.js

@@ -35,10 +35,10 @@ var gIdentityHandler = {
   _isSecureInternalUI: false,
 
   /**
-   * nsISSLStatus metadata provided by gBrowser.securityUI the last time the
+   * nsITransportSecurityInfo metadata provided by gBrowser.securityUI the last
-   * identity UI was updated, or null if the connection is not secure.
+   * time the identity UI was updated, or null if the connection is not secure.
    */
-  _sslStatus: null,
+  _secInfo: null,
 
   /**
    * Bitmask provided by nsIWebProgressListener.onSecurityChange.
@@ -297,12 +297,12 @@ var gIdentityHandler = {
   },
 
   /**
-   * Helper to parse out the important parts of _sslStatus (of the SSL cert in
+   * Helper to parse out the important parts of _secInfo (of the SSL cert in
    * particular) for use in constructing identity UI strings
   */
   getIdentityData() {
     var result = {};
-    var cert = this._sslStatus.serverCert;
+    var cert = this._secInfo.serverCert;
 
     // Human readable name of Subject
     result.subjectOrg = cert.organization;
@@ -347,8 +347,7 @@ var gIdentityHandler = {
     // Firstly, populate the state properties required to display the UI. See
     // the documentation of the individual properties for details.
     this.setURI(uri);
-    this._sslStatus = gBrowser.securityUI.secInfo &&
+    this._secInfo = gBrowser.securityUI.secInfo;
-                      gBrowser.securityUI.secInfo.SSLStatus;
 
     // Then, update the user interface with the available data.
     this.refreshIdentityBlock();

browser/base/content/browser.js

@@ -2964,7 +2964,6 @@ var BrowserOnClick = {
   onCertError(browser, elementId, isTopFrame, location, securityInfoAsString, frameId) {
     let secHistogram = Services.telemetry.getHistogramById("SECURITY_UI");
     let securityInfo;
-    let sslStatus;
 
     switch (elementId) {
       case "exceptionDialogButton":
@@ -2973,24 +2972,23 @@ var BrowserOnClick = {
         }
 
         securityInfo = getSecurityInfo(securityInfoAsString);
-        sslStatus = securityInfo.SSLStatus;
         let params = { exceptionAdded: false,
-                       sslStatus };
+                       securityInfo };
         if (Services.prefs.getBoolPref("browser.security.newcerterrorpage.enabled", false)) {
           let overrideService = Cc["@mozilla.org/security/certoverride;1"]
                                   .getService(Ci.nsICertOverrideService);
           let flags = 0;
-          if (sslStatus.isUntrusted) {
+          if (securityInfo.isUntrusted) {
             flags |= overrideService.ERROR_UNTRUSTED;
           }
-          if (sslStatus.isDomainMismatch) {
+          if (securityInfo.isDomainMismatch) {
             flags |= overrideService.ERROR_MISMATCH;
           }
-          if (sslStatus.isNotValidAtThisTime) {
+          if (securityInfo.isNotValidAtThisTime) {
             flags |= overrideService.ERROR_TIME;
           }
           let uri = Services.uriFixup.createFixupURI(location, 0);
-          let cert = sslStatus.serverCert;
+          let cert = securityInfo.serverCert;
           overrideService.rememberValidityOverride(
             uri.asciiHost, uri.port,
             cert,
@@ -3038,25 +3036,24 @@ var BrowserOnClick = {
         }
 
         securityInfo = getSecurityInfo(securityInfoAsString);
-        sslStatus = securityInfo.SSLStatus;
         let errorInfo = getDetailedCertErrorInfo(location,
                                                  securityInfo);
         let validityInfo = {
-          notAfter: sslStatus.serverCert.validity.notAfter,
+          notAfter: securityInfo.serverCert.validity.notAfter,
-          notBefore: sslStatus.serverCert.validity.notBefore,
+          notBefore: securityInfo.serverCert.validity.notBefore,
-          notAfterLocalTime: sslStatus.serverCert.validity.notAfterLocalTime,
+          notAfterLocalTime: securityInfo.serverCert.validity.notAfterLocalTime,
-          notBeforeLocalTime: sslStatus.serverCert.validity.notBeforeLocalTime,
+          notBeforeLocalTime: securityInfo.serverCert.validity.notBeforeLocalTime,
         };
         browser.messageManager.sendAsyncMessage("CertErrorDetails", {
             code: securityInfo.errorCode,
             info: errorInfo,
             codeString: securityInfo.errorCodeString,
-            certIsUntrusted: sslStatus.isUntrusted,
+            certIsUntrusted: securityInfo.isUntrusted,
-            certSubjectAltNames: sslStatus.serverCert.subjectAltNames,
+            certSubjectAltNames: securityInfo.serverCert.subjectAltNames,
             validity: validityInfo,
             url: location,
-            isDomainMismatch: sslStatus.isDomainMismatch,
+            isDomainMismatch: securityInfo.isDomainMismatch,
-            isNotValidAtThisTime: sslStatus.isNotValidAtThisTime,
+            isNotValidAtThisTime: securityInfo.isNotValidAtThisTime,
             frameId,
         });
         break;

browser/base/content/pageinfo/security.js

@@ -27,8 +27,6 @@ var security = {
   },
 
   _getSecurityInfo() {
-    const nsISSLStatus = Ci.nsISSLStatus;
-
     // We don't have separate info for a frame, return null until further notice
     // (see bug 138479)
     if (!this.windowInfo.isTopWindow)
@@ -49,10 +47,10 @@ var security = {
       (ui.state & Ci.nsIWebProgressListener.STATE_IS_INSECURE);
     var isEV =
       (ui.state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL);
-    var status = ui.secInfo && ui.secInfo.SSLStatus;
+    var secInfo = ui.secInfo;
 
-    if (!isInsecure && status) {
+    if (!isInsecure && secInfo) {
-      var cert = status.serverCert;
+      var cert = secInfo.serverCert;
       var issuerName = cert.issuerOrganization || cert.issuerName;
 
       var retval = {
@@ -70,26 +68,26 @@ var security = {
 
       var version;
       try {
-        retval.encryptionAlgorithm = status.cipherName;
+        retval.encryptionAlgorithm = secInfo.cipherName;
-        retval.encryptionStrength = status.secretKeyLength;
+        retval.encryptionStrength = secInfo.secretKeyLength;
-        version = status.protocolVersion;
+        version = secInfo.protocolVersion;
       } catch (e) {
       }
 
       switch (version) {
-        case nsISSLStatus.SSL_VERSION_3:
+        case Ci.nsITransportSecurityInfo.SSL_VERSION_3:
           retval.version = "SSL 3";
           break;
-        case nsISSLStatus.TLS_VERSION_1:
+        case Ci.nsITransportSecurityInfo.TLS_VERSION_1:
           retval.version = "TLS 1.0";
           break;
-        case nsISSLStatus.TLS_VERSION_1_1:
+        case Ci.nsITransportSecurityInfo.TLS_VERSION_1_1:
           retval.version = "TLS 1.1";
           break;
-        case nsISSLStatus.TLS_VERSION_1_2:
+        case Ci.nsITransportSecurityInfo.TLS_VERSION_1_2:
           retval.version = "TLS 1.2";
           break;
-        case nsISSLStatus.TLS_VERSION_1_3:
+        case Ci.nsITransportSecurityInfo.TLS_VERSION_1_3:
           retval.version = "TLS 1.3";
           break;
       }
@@ -98,13 +96,17 @@ var security = {
       // Since we do not yet enforce the CT Policy on secure connections,
       // we must not complain on policy discompliance (it might be viewed
       // as a security issue by the user).
-      switch (status.certificateTransparencyStatus) {
+      switch (secInfo.certificateTransparencyStatus) {
-        case nsISSLStatus.CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE:
+        case Ci.nsITransportSecurityInfo.
-        case nsISSLStatus.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS:
+                CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE:
-        case nsISSLStatus.CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS:
+        case Ci.nsITransportSecurityInfo.
+                CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS:
+        case Ci.nsITransportSecurityInfo.
+                CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS:
           retval.certificateTransparency = null;
           break;
-        case nsISSLStatus.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT:
+        case Ci.nsITransportSecurityInfo.
+                CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT:
           retval.certificateTransparency = "Compliant";
           break;
       }

devtools/shared/security/auth.js

@@ -300,8 +300,9 @@ OOBCert.Client.prototype = {
     // Client verifies that Server's cert matches hash(ServerCert) from the
     // advertisement
     dumpv("Validate server cert hash");
-    const serverCert = socket.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
+    const serverCert = socket.securityInfo
-                           .SSLStatus.serverCert;
+                             .QueryInterface(Ci.nsITransportSecurityInfo)
+                             .serverCert;
     const advertisedCert = cert;
     if (serverCert.sha256Fingerprint != advertisedCert.sha256) {
       dumpn("Server cert hash doesn't match advertisement");

devtools/shared/security/socket.js

@@ -354,7 +354,7 @@ function _isInputAlive(input) {
 function _storeCertOverride(s, host, port) {
   // eslint-disable-next-line no-shadow
   const cert = s.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
-              .SSLStatus.serverCert;
+                             .serverCert;
   const overrideBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                      Ci.nsICertOverrideService.ERROR_MISMATCH;
   certOverrideService.rememberValidityOverride(host, port, cert, overrideBits,

devtools/shared/webconsole/network-helper.js

@@ -588,7 +588,6 @@ var NetworkHelper = {
     const wpl = Ci.nsIWebProgressListener;
     const NSSErrorsService = Cc["@mozilla.org/nss_errors_service;1"]
                                .getService(Ci.nsINSSErrorsService);
-    const SSLStatus = securityInfo.SSLStatus;
     if (!NSSErrorsService.isNSSErrorCode(securityInfo.errorCode)) {
       const state = securityInfo.securityState;
 
@@ -621,23 +620,23 @@ var NetworkHelper = {
       }
 
       // Cipher suite.
-      info.cipherSuite = SSLStatus.cipherName;
+      info.cipherSuite = securityInfo.cipherName;
 
       // Key exchange group name.
-      info.keaGroupName = SSLStatus.keaGroupName;
+      info.keaGroupName = securityInfo.keaGroupName;
 
       // Certificate signature scheme.
-      info.signatureSchemeName = SSLStatus.signatureSchemeName;
+      info.signatureSchemeName = securityInfo.signatureSchemeName;
 
       // Protocol version.
       info.protocolVersion =
-        this.formatSecurityProtocol(SSLStatus.protocolVersion);
+        this.formatSecurityProtocol(securityInfo.protocolVersion);
 
       // Certificate.
-      info.cert = this.parseCertificateInfo(SSLStatus.serverCert);
+      info.cert = this.parseCertificateInfo(securityInfo.serverCert);
 
       // Certificate transparency status.
-      info.certificateTransparency = SSLStatus.certificateTransparencyStatus;
+      info.certificateTransparency = securityInfo.certificateTransparencyStatus;
 
       // HSTS and HPKP if available.
       if (httpActivity.hostname) {
@@ -720,24 +719,24 @@ var NetworkHelper = {
   },
 
   /**
-   * Takes protocolVersion of SSLStatus object and returns human readable
+   * Takes protocolVersion of TransportSecurityInfo object and returns
-   * description.
+   * human readable description.
    *
    * @param Number version
-   *        One of nsISSLStatus version constants.
+   *        One of nsITransportSecurityInfo version constants.
    * @return string
    *         One of TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 if @param version
    *         is valid, Unknown otherwise.
    */
   formatSecurityProtocol: function(version) {
     switch (version) {
-      case Ci.nsISSLStatus.TLS_VERSION_1:
+      case Ci.nsITransportSecurityInfo.TLS_VERSION_1:
         return "TLSv1";
-      case Ci.nsISSLStatus.TLS_VERSION_1_1:
+      case Ci.nsITransportSecurityInfo.TLS_VERSION_1_1:
         return "TLSv1.1";
-      case Ci.nsISSLStatus.TLS_VERSION_1_2:
+      case Ci.nsITransportSecurityInfo.TLS_VERSION_1_2:
         return "TLSv1.2";
-      case Ci.nsISSLStatus.TLS_VERSION_1_3:
+      case Ci.nsITransportSecurityInfo.TLS_VERSION_1_3:
         return "TLSv1.3";
       default:
         DevToolsUtils.reportException("NetworkHelper.formatSecurityProtocol",

devtools/shared/webconsole/test/unit/test_security-info-parser.js

@@ -36,12 +36,10 @@ const MockSecurityInfo = {
   QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]),
   securityState: wpl.STATE_IS_SECURE,
   errorCode: 0,
-  SSLStatus: {
+  cipherName: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
-    cipherSuite: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+  // TLS_VERSION_1_2
-    // TLS_VERSION_1_2
+  protocolVersion: 3,
-    protocolVersion: 3,
+  serverCert: MockCertificate,
-    serverCert: MockCertificate,
-  }
 };
 
 function run_test() {
@@ -49,7 +47,7 @@ function run_test() {
 
   equal(result.state, "secure", "State is correct.");
 
-  equal(result.cipherSuite, MockSecurityInfo.cipherSuite,
+  equal(result.cipherSuite, MockSecurityInfo.cipherName,
     "Cipher suite is correct.");
 
   equal(result.protocolVersion, "TLSv1.2", "Protocol version is correct.");

devtools/shared/webconsole/test/unit/test_security-info-state.js

@@ -22,11 +22,9 @@ const MockSecurityInfo = {
   QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]),
   securityState: wpl.STATE_IS_BROKEN,
   errorCode: 0,
-  SSLStatus: {
+  // nsISSLStatus.TLS_VERSION_1_2
-    // nsISSLStatus.TLS_VERSION_1_2
+  protocolVersion: 3,
-    protocolVersion: 3,
+  cipherName: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
-    cipherSuite: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
-  }
 };
 
 function run_test() {

devtools/shared/webconsole/test/unit/test_security-info-static-hpkp.js

@@ -23,13 +23,11 @@ const MockSecurityInfo = {
   QueryInterface: ChromeUtils.generateQI([Ci.nsITransportSecurityInfo]),
   securityState: wpl.STATE_IS_SECURE,
   errorCode: 0,
-  SSLStatus: {
+  cipherName: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
-    cipherSuite: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+  // TLS_VERSION_1_2
-    // TLS_VERSION_1_2
+  protocolVersion: 3,
-    protocolVersion: 3,
+  serverCert: {
-    serverCert: {
+    validity: {}
-      validity: {}
-    },
   }
 };
 

dom/push/test/xpcshell/head-http2.js

@@ -33,8 +33,8 @@ CertOverrideListener.prototype = {
     throw Cr.NS_ERROR_NO_INTERFACE;
   },
 
-  notifyCertProblem: function(socketInfo, sslStatus, targetHost) {
+  notifyCertProblem: function(socketInfo, secInfo, targetHost) {
-    var cert = sslStatus.QueryInterface(Ci.nsISSLStatus).serverCert;
+    var cert = secInfo.serverCert;
     var cos = Cc["@mozilla.org/security/certoverride;1"].
               getService(Ci.nsICertOverrideService);
     cos.rememberValidityOverride(this.host, this.port, cert, this.bits, false);

mobile/android/chrome/content/browser.js

@@ -5568,18 +5568,18 @@ var IdentityHandler = {
   // Loaded active tracking content. Yellow triangle icon is shown.
   TRACKING_MODE_CONTENT_LOADED: "tracking_content_loaded",
 
-  // Cache the most recent SSLStatus and Location seen in getIdentityStrings
+  // Cache the most recent TransportSecurityInfo and Location seen in
-  _lastStatus : null,
+  // getIdentityStrings
+  _lastSecInfo : null,
   _lastLocation : null,
 
   /**
-   * Helper to parse out the important parts of _lastStatus (of the SSL cert in
+   * Helper to parse out the important parts of _lastSecInfo (of the SSL cert in
    * particular) for use in constructing identity UI strings
   */
   getIdentityData : function() {
     let result = {};
-    let status = this._lastStatus.QueryInterface(Ci.nsISSLStatus);
+    let cert = this._lastSecInfo.serverCert;
-    let cert = status.serverCert;
 
     // Human readable name of Subject
     result.subjectOrg = cert.organization;
@@ -5683,8 +5683,7 @@ var IdentityHandler = {
    * (if available). Return the data needed to update the UI.
    */
   checkIdentity: function checkIdentity(aState, aBrowser) {
-    this._lastStatus = aBrowser.securityUI.secInfo &&
+    this._lastSecInfo = aBrowser.securityUI.secInfo;
-                       aBrowser.securityUI.secInfo.SSLStatus;
 
     // Don't pass in the actual location object, since it can cause us to
     // hold on to the window object too long.  Just pass in the fields we

mobile/android/chrome/content/content.js

@@ -181,12 +181,12 @@ var AboutCertErrorListener = {
     return content.document.documentURI.startsWith("about:certerror");
   },
 
-  _setTechDetailsMsgPart1(hostString, sslStatus, securityInfo, technicalInfo, doc) {
+  _setTechDetailsMsgPart1(hostString, securityInfo, technicalInfo, doc) {
     let msg = gPipNSSBundle.formatStringFromName("certErrorIntro",
                                                  [hostString], 1);
     msg += "\n\n";
 
-    if (sslStatus.isUntrusted && !sslStatus.serverCert.isSelfSigned) {
+    if (securityInfo.isUntrusted && !securityInfo.serverCert.isSelfSigned) {
       switch (securityInfo.errorCode) {
         case SEC_ERROR_UNKNOWN_ISSUER:
           msg += gPipNSSBundle.GetStringFromName("certErrorTrust_UnknownIssuer") + "\n";
@@ -215,18 +215,18 @@ var AboutCertErrorListener = {
           msg += gPipNSSBundle.GetStringFromName("certErrorTrust_Untrusted") + "\n";
       }
     }
-    if (sslStatus.isUntrusted && sslStatus.serverCert.isSelfSigned) {
+    if (securityInfo.isUntrusted && securityInfo.serverCert.isSelfSigned) {
       msg += gPipNSSBundle.GetStringFromName("certErrorTrust_SelfSigned") + "\n";
     }
 
     technicalInfo.appendChild(doc.createTextNode(msg));
   },
 
-  _setTechDetails(sslStatus, securityInfo, location) {
+  _setTechDetails(securityInfo, location) {
-    if (!securityInfo || !sslStatus || !location) {
+    if (!securityInfo || !location) {
       return;
     }
-    let validity = sslStatus.serverCert.validity;
+    let validity = securityInfo.serverCert.validity;
 
     let doc = content.document;
     // CSS class and error code are set from nsDocShell.
@@ -258,10 +258,10 @@ var AboutCertErrorListener = {
         gPipNSSBundle.GetStringFromName("certErrorSymantecDistrustAdministrator");
     }
 
-    this._setTechDetailsMsgPart1(hostString, sslStatus, securityInfo, technicalInfo, doc);
+    this._setTechDetailsMsgPart1(hostString, securityInfo, technicalInfo, doc);
 
-    if (sslStatus.isDomainMismatch) {
+    if (securityInfo.isDomainMismatch) {
-      let subjectAltNamesList = sslStatus.serverCert.subjectAltNames;
+      let subjectAltNamesList = securityInfo.serverCert.subjectAltNames;
       let subjectAltNames = subjectAltNamesList.split(",");
       let numSubjectAltNames = subjectAltNames.length;
       let msgPrefix = "";
@@ -343,7 +343,7 @@ var AboutCertErrorListener = {
       }
     }
 
-    if (sslStatus.isNotValidAtThisTime) {
+    if (securityInfo.isNotValidAtThisTime) {
       let nowTime = new Date().getTime() * 1000;
       let dateOptions = { year: "numeric", month: "long", day: "numeric", hour: "numeric", minute: "numeric" };
       let now = new Services.intl.DateTimeFormat(undefined, dateOptions).format(new Date());
@@ -384,8 +384,7 @@ var AboutCertErrorListener = {
     let securityInfo = docShell.failedChannel && docShell.failedChannel.securityInfo;
     securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
                 .QueryInterface(Ci.nsISerializable);
-    let sslStatus = securityInfo.SSLStatus;
+    this._setTechDetails(securityInfo, ownerDoc.location.href);
-    this._setTechDetails(sslStatus, securityInfo, ownerDoc.location.href);
   },
 };
 AboutCertErrorListener.init();

mobile/android/modules/SSLExceptions.jsm

@@ -22,7 +22,7 @@ function SSLExceptions() {
 
 SSLExceptions.prototype = {
   _overrideService: null,
-  _sslStatus: null,
+  _secInfo: null,
 
   getInterface: function SSLE_getInterface(aIID) {
     return this.QueryInterface(aIID);
@@ -33,8 +33,10 @@ SSLExceptions.prototype = {
     To collect the SSL status we intercept the certificate error here
     and store the status for later use.
   */
-  notifyCertProblem: function SSLE_notifyCertProblem(socketInfo, sslStatus, targetHost) {
+  notifyCertProblem: function SSLE_notifyCertProblem(socketInfo,
-    this._sslStatus = sslStatus.QueryInterface(Ci.nsISSLStatus);
+                                                     secInfo,
+                                                     targetHost) {
+    this._secInfo = secInfo;
     return true; // suppress error UI
   },
 
@@ -43,7 +45,7 @@ SSLExceptions.prototype = {
     for the certificate and the errors.
    */
   _checkCert: function SSLE_checkCert(aURI) {
-    this._sslStatus = null;
+    this._secInfo = null;
 
     let req = new XMLHttpRequest();
     try {
@@ -61,15 +63,15 @@ SSLExceptions.prototype = {
                      "Logged for information purposes only: " + e);
     }
 
-    return this._sslStatus;
+    return this._secInfo;
   },
 
   /**
     Internal method to create an override.
   */
   _addOverride: function SSLE_addOverride(aURI, aWindow, aTemporary) {
-    let SSLStatus = this._checkCert(aURI);
+    let secInfo = this._checkCert(aURI);
-    let certificate = SSLStatus.serverCert;
+    let certificate = secInfo.serverCert;
 
     let flags = 0;
 
@@ -78,11 +80,11 @@ SSLExceptions.prototype = {
       aTemporary = true;
     }
 
-    if (SSLStatus.isUntrusted)
+    if (secInfo.isUntrusted)
       flags |= this._overrideService.ERROR_UNTRUSTED;
-    if (SSLStatus.isDomainMismatch)
+    if (secInfo.isDomainMismatch)
       flags |= this._overrideService.ERROR_MISMATCH;
-    if (SSLStatus.isNotValidAtThisTime)
+    if (secInfo.isNotValidAtThisTime)
       flags |= this._overrideService.ERROR_TIME;
 
     this._overrideService.rememberValidityOverride(

mobile/android/modules/geckoview/GeckoViewProgress.jsm

@@ -159,8 +159,7 @@ var IdentityHandler = {
       result.host = uri.host;
     }
 
-    let status = aBrowser.securityUI.secInfo.SSLStatus;
+    let cert = aBrowser.securityUI.secInfo.serverCert;
-    let cert = status.serverCert;
 
     result.organization = cert.organization;
     result.subjectName = cert.subjectName;

netwerk/protocol/http/nsHttpChannel.cpp

@@ -71,7 +71,6 @@
 #include "nsIPrincipal.h"
 #include "nsIScriptError.h"
 #include "nsIScriptSecurityManager.h"
-#include "nsISSLStatus.h"
 #include "nsITransportSecurityInfo.h"
 #include "nsIWebProgressListener.h"
 #include "LoadContextInfo.h"
@@ -1925,7 +1924,7 @@ GetPKPConsoleErrorTag(uint32_t failureResult, nsAString& consoleErrorTag)
  */
 nsresult
 nsHttpChannel::ProcessSingleSecurityHeader(uint32_t aType,
-                                           nsISSLStatus *aSSLStatus,
+                                           nsITransportSecurityInfo* aSecInfo,
                                            uint32_t aFlags)
 {
     nsHttpAtom atom;
@@ -1952,7 +1951,7 @@ nsHttpChannel::ProcessSingleSecurityHeader(uint32_t aType,
         NS_GetOriginAttributes(this, originAttributes);
         uint32_t failureResult;
         uint32_t headerSource = nsISiteSecurityService::SOURCE_ORGANIC_REQUEST;
-        rv = sss->ProcessHeader(aType, mURI, securityHeader, aSSLStatus,
+        rv = sss->ProcessHeader(aType, mURI, securityHeader, aSecInfo,
                                 aFlags, headerSource, originAttributes,
                                 nullptr, nullptr, &failureResult);
         if (NS_FAILED(rv)) {
@@ -2027,17 +2026,13 @@ nsHttpChannel::ProcessSecurityHeaders()
     // Get the TransportSecurityInfo
     nsCOMPtr<nsITransportSecurityInfo> transSecInfo = do_QueryInterface(mSecurityInfo);
     NS_ENSURE_TRUE(transSecInfo, NS_ERROR_FAILURE);
-    nsCOMPtr<nsISSLStatus> sslStatus;
-    rv = transSecInfo->GetSSLStatus(getter_AddRefs(sslStatus));
-    NS_ENSURE_SUCCESS(rv, rv);
-    NS_ENSURE_TRUE(sslStatus, NS_ERROR_FAILURE);
 
     rv = ProcessSingleSecurityHeader(nsISiteSecurityService::HEADER_HSTS,
-                                     sslStatus, flags);
+                                     transSecInfo, flags);
     NS_ENSURE_SUCCESS(rv, rv);
 
     rv = ProcessSingleSecurityHeader(nsISiteSecurityService::HEADER_HPKP,
-                                     sslStatus, flags);
+                                     transSecInfo, flags);
     NS_ENSURE_SUCCESS(rv, rv);
 
     return NS_OK;
@@ -2163,10 +2158,6 @@ nsHttpChannel::ProcessSSLInformation()
         do_QueryInterface(mSecurityInfo);
     if (!securityInfo)
         return;
-    nsCOMPtr<nsISSLStatus> sslstat;
-    securityInfo->GetSSLStatus(getter_AddRefs(sslstat));
-    if (!sslstat)
-        return;
 
     uint32_t state;
     if (securityInfo &&
@@ -2182,7 +2173,7 @@ nsHttpChannel::ProcessSSLInformation()
 
     // Send (SHA-1) signature algorithm errors to the web console
     nsCOMPtr<nsIX509Cert> cert;
-    sslstat->GetServerCert(getter_AddRefs(cert));
+    securityInfo->GetServerCert(getter_AddRefs(cert));
     if (cert) {
         UniqueCERTCertificate nssCert(cert->GetCert());
         if (nssCert) {

netwerk/protocol/http/nsHttpChannel.h

@@ -38,7 +38,7 @@ class nsDNSPrefetch;
 class nsICancelable;
 class nsIHttpChannelAuthProvider;
 class nsInputStreamPump;
-class nsISSLStatus;
+class nsITransportSecurityInfo;
 
 namespace mozilla { namespace net {
 
@@ -439,8 +439,8 @@ private:
      * from ProcessSecurityHeaders.
      */
     MOZ_MUST_USE nsresult ProcessSingleSecurityHeader(uint32_t aType,
-                                                      nsISSLStatus *aSSLStatus,
+      nsITransportSecurityInfo* aSecInfo,
-                                                      uint32_t aFlags);
+      uint32_t aFlags);
 
     void InvalidateCacheEntryForLocation(const char *location);
     void AssembleCacheKey(const char *spec, uint32_t postID, nsACString &key);

netwerk/protocol/http/nsHttpNTLMAuth.cpp

@@ -23,7 +23,6 @@
 #ifdef XP_WIN
 #include "nsIChannel.h"
 #include "nsIX509Cert.h"
-#include "nsISSLStatus.h"
 #include "nsITransportSecurityInfo.h"
 #endif
 #include "mozilla/Attributes.h"
@@ -339,13 +338,8 @@ nsHttpNTLMAuth::GenerateCredentials(nsIHttpAuthenticableChannel *authChannel,
             do_QueryInterface(security);
 
         if (mUseNative && secInfo) {
-            nsCOMPtr<nsISSLStatus> status;
-            rv = secInfo->GetSSLStatus(getter_AddRefs(status));
-            if (NS_FAILED(rv))
-                return rv;
-
             nsCOMPtr<nsIX509Cert> cert;
-            rv = status->GetServerCert(getter_AddRefs(cert));
+            rv = secInfo->GetServerCert(getter_AddRefs(cert));
             if (NS_FAILED(rv))
                 return rv;
 

netwerk/socket/nsITransportSecurityInfo.idl

@@ -6,16 +6,21 @@
 
 #include "nsISupports.idl"
 
-interface nsISSLStatus;
+interface nsIX509Cert;
 interface nsIX509CertList;
 
-[builtinclass, scriptable, uuid(216112d3-28bc-4671-b057-f98cc09ba1ea)]
+[scriptable, uuid(216112d3-28bc-4671-b057-f98cc09ba1ea)]
 interface nsITransportSecurityInfo : nsISupports {
     readonly attribute unsigned long securityState;
-    [infallible] readonly attribute long errorCode; // PRErrorCode
+    readonly attribute long errorCode; // PRErrorCode
     // errorCode as string (e.g. "SEC_ERROR_UNKNOWN_ISSUER")
     readonly attribute AString errorCodeString;
 
+    /**
+     * The following parameters are only valid after the TLS handshake
+     * has completed.  Check securityState first.
+     */
+
     /**
      * If certificate verification failed, this will be the peer certificate
      * chain provided in the handshake, so it can be used for error reporting.
@@ -23,6 +28,48 @@ interface nsITransportSecurityInfo : nsISupports {
      */
     readonly attribute nsIX509CertList failedCertChain;
 
-    readonly attribute nsISSLStatus SSLStatus;
+    readonly attribute nsIX509Cert serverCert;
+    readonly attribute nsIX509CertList succeededCertChain;
+
+    [must_use]
+    readonly attribute ACString cipherName;
+    [must_use]
+    readonly attribute unsigned long keyLength;
+    [must_use]
+    readonly attribute unsigned long secretKeyLength;
+    [must_use]
+    readonly attribute ACString keaGroupName;
+    [must_use]
+    readonly attribute ACString signatureSchemeName;
+
+    const short SSL_VERSION_3   = 0;
+    const short TLS_VERSION_1   = 1;
+    const short TLS_VERSION_1_1 = 2;
+    const short TLS_VERSION_1_2 = 3;
+    const short TLS_VERSION_1_3 = 4;
+    [must_use]
+    readonly attribute unsigned short protocolVersion;
+
+    const short CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE          = 0;
+    const short CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT        = 5;
+    const short CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS  = 6;
+    const short CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS = 7;
+    [must_use]
+    readonly attribute unsigned short certificateTransparencyStatus;
+
+    [must_use]
+    readonly attribute boolean isDomainMismatch;
+    [must_use]
+    readonly attribute boolean isNotValidAtThisTime;
+
+    [must_use]
+    readonly attribute boolean isUntrusted;
+
+    /**
+     * True only if (and after) serverCert was successfully validated as
+     * Extended Validation (EV).
+     */
+    [must_use]
+    readonly attribute boolean isExtendedValidation;
 };
 

netwerk/test/unit/test_http2.js

@@ -1208,8 +1208,8 @@ CertOverrideListener.prototype = {
     throw Cr.NS_ERROR_NO_INTERFACE;
   },
 
-  notifyCertProblem: function(socketInfo, sslStatus, targetHost) {
+  notifyCertProblem: function(socketInfo, secInfo, targetHost) {
-    var cert = sslStatus.QueryInterface(Ci.nsISSLStatus).serverCert;
+    var cert = secInfo.serverCert;
     var cos = Cc["@mozilla.org/security/certoverride;1"].
               getService(Ci.nsICertOverrideService);
     cos.rememberValidityOverride(this.host, this.port, cert, this.bits, false);

security/manager/pki/resources/content/exceptionDialog.js

@@ -7,7 +7,7 @@
 var gDialog;
 var gBundleBrand;
 var gPKIBundle;
-var gSSLStatus;
+var gSecInfo;
 var gCert;
 var gChecking;
 var gBroken;
@@ -38,9 +38,9 @@ function initExceptionDialog() {
       document.getElementById("locationTextBox").value = args[0].location;
       document.getElementById("checkCertButton").disabled = false;
 
-      if (args[0].sslStatus) {
+      if (args[0].securityInfo) {
-        gSSLStatus = args[0].sslStatus;
+        gSecInfo = args[0].securityInfo;
-        gCert = gSSLStatus.serverCert;
+        gCert = gSecInfo.serverCert;
         gBroken = true;
         updateCertStatus();
       } else if (args[0].prefetchCert) {
@@ -66,7 +66,7 @@ function initExceptionDialog() {
 
 /**
  * Helper function for checkCert. Set as the onerror/onload callbacks for an
- * XMLHttpRequest. Sets gSSLStatus, gCert, gBroken, and gChecking according to
+ * XMLHttpRequest. Sets gSecInfo, gCert, gBroken, and gChecking according to
  * the load information from the request. Probably should not be used directly.
  *
  * @param {XMLHttpRequest} req
@@ -76,10 +76,9 @@ function initExceptionDialog() {
  */
 function grabCert(req, evt) {
   if (req.channel && req.channel.securityInfo) {
-    gSSLStatus = req.channel.securityInfo
+    gSecInfo = req.channel.securityInfo
-                    .QueryInterface(Ci.nsITransportSecurityInfo).SSLStatus;
+                  .QueryInterface(Ci.nsITransportSecurityInfo);
-    gCert = gSSLStatus ? gSSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert
+    gCert = gSecInfo ? gSecInfo.serverCert : null;
-                       : null;
   }
   gBroken = evt.type == "error";
   gChecking = false;
@@ -92,7 +91,7 @@ function grabCert(req, evt) {
  */
 function checkCert() {
   gCert = null;
-  gSSLStatus = null;
+  gSecInfo = null;
   gChecking = true;
   gBroken = false;
   updateCertStatus();
@@ -185,13 +184,13 @@ function updateCertStatus() {
       var uts = "addExceptionUnverifiedOrBadSignatureShort";
       var utl = "addExceptionUnverifiedOrBadSignatureLong2";
       var use1 = false;
-      if (gSSLStatus.isDomainMismatch) {
+      if (gSecInfo.isDomainMismatch) {
         bucketId += gNsISecTel.WARNING_BAD_CERT_TOP_ADD_EXCEPTION_FLAG_DOMAIN;
         use1 = true;
         shortDesc = mms;
         longDesc  = mml;
       }
-      if (gSSLStatus.isNotValidAtThisTime) {
+      if (gSecInfo.isNotValidAtThisTime) {
         bucketId += gNsISecTel.WARNING_BAD_CERT_TOP_ADD_EXCEPTION_FLAG_TIME;
         if (!use1) {
           use1 = true;
@@ -203,7 +202,7 @@ function updateCertStatus() {
           longDesc2  = exl;
         }
       }
-      if (gSSLStatus.isUntrusted) {
+      if (gSecInfo.isUntrusted) {
         bucketId +=
           gNsISecTel.WARNING_BAD_CERT_TOP_ADD_EXCEPTION_FLAG_UNTRUSTED;
         if (!use1) {
@@ -299,7 +298,7 @@ function viewCertButtonClick() {
  * Handle user request to add an exception for the specified cert
  */
 function addException() {
-  if (!gCert || !gSSLStatus) {
+  if (!gCert || !gSecInfo) {
     return;
   }
 
@@ -308,17 +307,17 @@ function addException() {
   var flags = 0;
   let confirmBucketId =
         gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_BASE;
-  if (gSSLStatus.isUntrusted) {
+  if (gSecInfo.isUntrusted) {
     flags |= overrideService.ERROR_UNTRUSTED;
     confirmBucketId +=
         gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_UNTRUSTED;
   }
-  if (gSSLStatus.isDomainMismatch) {
+  if (gSecInfo.isDomainMismatch) {
     flags |= overrideService.ERROR_MISMATCH;
     confirmBucketId +=
            gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_DOMAIN;
   }
-  if (gSSLStatus.isNotValidAtThisTime) {
+  if (gSecInfo.isNotValidAtThisTime) {
     flags |= overrideService.ERROR_TIME;
     confirmBucketId +=
            gNsISecTel.WARNING_BAD_CERT_TOP_CONFIRM_ADD_EXCEPTION_FLAG_TIME;

security/manager/ssl/SSLServerCertVerification.cpp

@@ -126,7 +126,6 @@
 #include "nsNSSCertificate.h"
 #include "nsNSSComponent.h"
 #include "nsNSSIOLayer.h"
-#include "nsSSLStatus.h"
 #include "nsServiceManagerUtils.h"
 #include "nsString.h"
 #include "nsURLHelper.h"
@@ -618,7 +617,7 @@ CertErrorRunnable::CheckCertOverrides()
         nsIInterfaceRequestor* csi
           = static_cast<nsIInterfaceRequestor*>(mInfoObject);
         bool suppressMessage = false; // obsolete, ignored
-        Unused << bcl->NotifyCertProblem(csi, mInfoObject->SSLStatus(),
+        Unused << bcl->NotifyCertProblem(csi, mInfoObject,
                                          hostWithPortString, &suppressMessage);
       }
     }
@@ -828,17 +827,16 @@ BlockServerCertChangeForSpdy(nsNSSSocketInfo* infoObject,
   // no cert change to worry about.
   nsCOMPtr<nsIX509Cert> cert;
 
-  RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
+  if (!infoObject->IsHandshakeCompleted()) {
-  if (!status) {
-    // If we didn't have a status, then this is the
     // first handshake on this connection, not a
     // renegotiation.
     return SECSuccess;
   }
 
-  status->GetServerCert(getter_AddRefs(cert));
+  infoObject->GetServerCert(getter_AddRefs(cert));
   if (!cert) {
-    MOZ_ASSERT_UNREACHABLE("nsSSLStatus must have a cert implementing nsIX509Cert");
+    MOZ_ASSERT_UNREACHABLE(
+             "TransportSecurityInfo must have a cert implementing nsIX509Cert");
     PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
     return SECFailure;
   }
@@ -1441,22 +1439,12 @@ AuthCertificate(CertVerifier& certVerifier,
     // Certificate verification succeeded. Delete any potential record of
     // certificate error bits.
     RememberCertErrorsTable::GetInstance().RememberCertHasError(infoObject,
-                                                                nullptr,
                                                                 SECSuccess);
     GatherSuccessfulValidationTelemetry(builtCertChain);
     GatherCertificateTransparencyTelemetry(builtCertChain,
                                   /*isEV*/ evOidPolicy != SEC_OID_UNKNOWN,
                                            certificateTransparencyInfo);
 
-    // The connection may get terminated, for example, if the server requires
-    // a client cert. Let's provide a minimal SSLStatus
-    // to the caller that contains at least the cert and its status.
-    RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
-    if (!status) {
-      status = new nsSSLStatus();
-      infoObject->SetSSLStatus(status);
-    }
-
     EVStatus evStatus;
     if (evOidPolicy == SEC_OID_UNKNOWN) {
       evStatus = EVStatus::NotEV;
@@ -1465,13 +1453,13 @@ AuthCertificate(CertVerifier& certVerifier,
     }
 
     RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(cert.get());
-    status->SetServerCert(nsc, evStatus);
+    infoObject->SetServerCert(nsc, evStatus);
 
-    status->SetSucceededCertChain(std::move(builtCertChain));
+    infoObject->SetSucceededCertChain(std::move(builtCertChain));
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
             ("AuthCertificate setting NEW cert %p", nsc.get()));
 
-    status->SetCertificateTransparencyInfo(certificateTransparencyInfo);
+    infoObject->SetCertificateTransparencyInfo(certificateTransparencyInfo);
   }
 
   if (rv != Success) {

security/manager/ssl/TransportSecurityInfo.cpp

@@ -39,7 +39,20 @@
 namespace mozilla { namespace psm {
 
 TransportSecurityInfo::TransportSecurityInfo()
-  : mMutex("TransportSecurityInfo::mMutex")
+  : mCipherSuite(0)
+  , mProtocolVersion(0)
+  , mCertificateTransparencyStatus(nsITransportSecurityInfo::
+      CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE)
+  , mKeaGroup()
+  , mSignatureSchemeName()
+  , mIsDomainMismatch(false)
+  , mIsNotValidAtThisTime(false)
+  , mIsUntrusted(false)
+  , mIsEV(false)
+  , mHasIsEVStatus(false)
+  , mHaveCipherSuiteAndProtocol(false)
+  , mHaveCertErrorBits(false)
+  , mMutex("TransportSecurityInfo::mMutex")
   , mSecurityState(nsIWebProgressListener::STATE_IS_INSECURE)
   , mSubRequestsBrokenSecurity(0)
   , mSubRequestsNoSecurity(0)
@@ -183,50 +196,87 @@ TransportSecurityInfo::GetInterface(const nsIID & uuid, void * *result)
 static NS_DEFINE_CID(kTransportSecurityInfoMagic, TRANSPORTSECURITYINFOMAGIC);
 
 NS_IMETHODIMP
-TransportSecurityInfo::Write(nsIObjectOutputStream* stream)
+TransportSecurityInfo::Write(nsIObjectOutputStream* aStream)
 {
-  nsresult rv = stream->WriteID(kTransportSecurityInfoMagic);
+  nsresult rv = aStream->WriteID(kTransportSecurityInfoMagic);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   MutexAutoLock lock(mMutex);
 
-  rv = stream->Write32(mSecurityState);
+  rv = aStream->Write32(mSecurityState);
   if (NS_FAILED(rv)) {
     return rv;
   }
-  rv = stream->Write32(mSubRequestsBrokenSecurity);
+  rv = aStream->Write32(mSubRequestsBrokenSecurity);
   if (NS_FAILED(rv)) {
     return rv;
   }
-  rv = stream->Write32(mSubRequestsNoSecurity);
+  rv = aStream->Write32(mSubRequestsNoSecurity);
   if (NS_FAILED(rv)) {
     return rv;
   }
-  rv = stream->Write32(static_cast<uint32_t>(mErrorCode));
+  rv = aStream->Write32(static_cast<uint32_t>(mErrorCode));
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-  // Write empty string where mErrorMessageCached lived before.
-  rv = stream->WriteWStringZ(NS_ConvertUTF8toUTF16("").get());
   if (NS_FAILED(rv)) {
     return rv;
   }
 
-  // For successful connections and for connections with overridable errors,
+  // Re-purpose mErrorMessageCached to represent serialization version
-  // mSSLStatus will be non-null. However, for connections with non-overridable
+  // If string doesn't match exact version it will be treated as older
-  // errors, it will be null.
+  // serialization.
-  nsCOMPtr<nsISerializable> serializable(mSSLStatus);
+  rv = aStream->WriteWStringZ(NS_ConvertUTF8toUTF16("1").get());
-  rv = NS_WriteOptionalCompoundObject(stream,
+  if (NS_FAILED(rv)) {
-                                      serializable,
+    return rv;
-                                      NS_GET_IID(nsISSLStatus),
+  }
+
+  // moved from nsISSLStatus
+  rv = NS_WriteOptionalCompoundObject(aStream, mServerCert,
+                                      NS_GET_IID(nsIX509Cert),
                                       true);
-  if (NS_FAILED(rv)) {
+  NS_ENSURE_SUCCESS(rv, rv);
-    return rv;
-  }
 
-  rv = NS_WriteOptionalCompoundObject(stream,
+  rv = aStream->Write16(mCipherSuite);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = aStream->Write16(mProtocolVersion);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = aStream->WriteBoolean(mIsDomainMismatch);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->WriteBoolean(mIsNotValidAtThisTime);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->WriteBoolean(mIsUntrusted);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->WriteBoolean(mIsEV);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = aStream->WriteBoolean(mHasIsEVStatus);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->WriteBoolean(mHaveCipherSuiteAndProtocol);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->WriteBoolean(mHaveCertErrorBits);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = aStream->Write16(mCertificateTransparencyStatus);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = aStream->WriteStringZ(mKeaGroup.get());
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = aStream->WriteStringZ(mSignatureSchemeName.get());
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = NS_WriteOptionalCompoundObject(aStream,
+                                      mSucceededCertChain,
+                                      NS_GET_IID(nsIX509CertList),
+                                       true);
+   if (NS_FAILED(rv)) {
+     return rv;
+   }
+  // END moved from nsISSLStatus
+
+  rv = NS_WriteOptionalCompoundObject(aStream,
                                       mFailedCertChain,
                                       NS_GET_IID(nsIX509CertList),
                                       true);
@@ -237,11 +287,117 @@ TransportSecurityInfo::Write(nsIObjectOutputStream* stream)
   return NS_OK;
 }
 
+// This is for backward compatability to be able to read nsISSLStatus
+// serialized object.
+nsresult TransportSecurityInfo::ReadSSLStatus(nsIObjectInputStream* aStream)
+{
+  bool nsISSLStatusPresent;
+  nsresult rv = aStream->ReadBoolean(&nsISSLStatusPresent);
+  NS_ENSURE_SUCCESS(rv, rv);
+  if (!nsISSLStatusPresent) {
+    return NS_OK;
+  }
+  // nsISSLStatus present.  Prepare to read elements.
+  // Throw away cid, validate iid
+  nsCID cid;
+  nsIID iid;
+  rv = aStream->ReadID(&cid);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->ReadID(&iid);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  static const nsIID nsSSLStatusIID = {
+    0xfa9ba95b, 0xca3b, 0x498a,
+    { 0xb8, 0x89, 0x7c, 0x79, 0xcf, 0x28, 0xfe, 0xe8 }
+  };
+  if (!iid.Equals(nsSSLStatusIID)) {
+    return NS_ERROR_UNEXPECTED;
+  }
+
+  nsCOMPtr<nsISupports> cert;
+  rv = aStream->ReadObject(true, getter_AddRefs(cert));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  if (cert) {
+    mServerCert = do_QueryInterface(cert);
+    if (!mServerCert) {
+      return NS_NOINTERFACE;
+    }
+  }
+
+  rv = aStream->Read16(&mCipherSuite);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // The code below is a workaround to allow serializing new fields
+  // while preserving binary compatibility with older streams. For more details
+  // on the binary compatibility requirement, refer to bug 1248628.
+  // Here, we take advantage of the fact that mProtocolVersion was originally
+  // stored as a 16 bits integer, but the highest 8 bits were never used.
+  // These bits are now used for stream versioning.
+  uint16_t protocolVersionAndStreamFormatVersion;
+  rv = aStream->Read16(&protocolVersionAndStreamFormatVersion);
+  NS_ENSURE_SUCCESS(rv, rv);
+  mProtocolVersion = protocolVersionAndStreamFormatVersion & 0xFF;
+  const uint8_t streamFormatVersion =
+  (protocolVersionAndStreamFormatVersion >> 8) & 0xFF;
+
+  rv = aStream->ReadBoolean(&mIsDomainMismatch);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->ReadBoolean(&mIsNotValidAtThisTime);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->ReadBoolean(&mIsUntrusted);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->ReadBoolean(&mIsEV);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = aStream->ReadBoolean(&mHasIsEVStatus);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->ReadBoolean(&mHaveCipherSuiteAndProtocol);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = aStream->ReadBoolean(&mHaveCertErrorBits);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // Added in version 1 (see bug 1305289).
+  if (streamFormatVersion >= 1) {
+    rv = aStream->Read16(&mCertificateTransparencyStatus);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
+  // Added in version 2 (see bug 1304923).
+  if (streamFormatVersion >= 2) {
+    rv = aStream->ReadCString(mKeaGroup);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = aStream->ReadCString(mSignatureSchemeName);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
+  // Added in version 3 (see bug 1406856).
+  if (streamFormatVersion >= 3) {
+    nsCOMPtr<nsISupports> succeededCertChainSupports;
+    rv = NS_ReadOptionalObject(aStream, true,
+                               getter_AddRefs(succeededCertChainSupports));
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+    mSucceededCertChain = do_QueryInterface(succeededCertChainSupports);
+
+    // Read only to consume bytes from the stream.
+    nsCOMPtr<nsISupports> failedCertChainSupports;
+    rv = NS_ReadOptionalObject(aStream, true,
+                               getter_AddRefs(failedCertChainSupports));
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+  }
+  return rv;
+}
+
 NS_IMETHODIMP
-TransportSecurityInfo::Read(nsIObjectInputStream* stream)
+TransportSecurityInfo::Read(nsIObjectInputStream* aStream)
 {
   nsID id;
-  nsresult rv = stream->ReadID(&id);
+  nsresult rv = aStream->ReadID(&id);
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -251,12 +407,12 @@ TransportSecurityInfo::Read(nsIObjectInputStream* stream)
 
   MutexAutoLock lock(mMutex);
 
-  rv = stream->Read32(&mSecurityState);
+  rv = aStream->Read32(&mSecurityState);
   if (NS_FAILED(rv)) {
     return rv;
   }
   uint32_t subRequestsBrokenSecurity;
-  rv = stream->Read32(&subRequestsBrokenSecurity);
+  rv = aStream->Read32(&subRequestsBrokenSecurity);
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -266,42 +422,93 @@ TransportSecurityInfo::Read(nsIObjectInputStream* stream)
   }
   mSubRequestsBrokenSecurity = subRequestsBrokenSecurity;
   uint32_t subRequestsNoSecurity;
-  rv = stream->Read32(&subRequestsNoSecurity);
+  rv = aStream->Read32(&subRequestsNoSecurity);
   if (NS_FAILED(rv)) {
     return rv;
   }
   if (subRequestsNoSecurity >
-      static_cast<uint32_t>(std::numeric_limits<int32_t>::max())) {
+        static_cast<uint32_t>(std::numeric_limits<int32_t>::max())) {
     return NS_ERROR_UNEXPECTED;
   }
   mSubRequestsNoSecurity = subRequestsNoSecurity;
   uint32_t errorCode;
-  rv = stream->Read32(&errorCode);
+  rv = aStream->Read32(&errorCode);
   if (NS_FAILED(rv)) {
     return rv;
   }
   // PRErrorCode will be a negative value
   mErrorCode = static_cast<PRErrorCode>(errorCode);
 
-  // We don't do error messages here anymore.
+  // Re-purpose mErrorMessageCached to represent serialization version
-  nsString unused;
+  // If string doesn't match exact version it will be treated as older
-  rv = stream->ReadString(unused);
+  // serialization.
+  nsAutoString serVersion;
+  rv = aStream->ReadString(serVersion);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
-  // For successful connections and for connections with overridable errors,
+  // moved from nsISSLStatus
-  // mSSLStatus will be non-null. For connections with non-overridable errors,
+  if (!serVersion.EqualsASCII("1")) {
-  // it will be null.
+    // nsISSLStatus may be present
-  nsCOMPtr<nsISupports> supports;
+    rv = ReadSSLStatus(aStream);
-  rv = NS_ReadOptionalObject(stream, true, getter_AddRefs(supports));
+    NS_ENSURE_SUCCESS(rv, rv);
-  if (NS_FAILED(rv)) {
+  } else {
-    return rv;
+    nsCOMPtr<nsISupports> cert;
+    rv = NS_ReadOptionalObject(aStream, true, getter_AddRefs(cert));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    if (cert != nullptr) {
+      mServerCert = do_QueryInterface(cert);
+      if (!mServerCert) {
+        return NS_NOINTERFACE;
+      }
+    }
+
+    rv = aStream->Read16(&mCipherSuite);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = aStream->Read16(&mProtocolVersion);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = aStream->ReadBoolean(&mIsDomainMismatch);
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = aStream->ReadBoolean(&mIsNotValidAtThisTime);
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = aStream->ReadBoolean(&mIsUntrusted);
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = aStream->ReadBoolean(&mIsEV);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = aStream->ReadBoolean(&mHasIsEVStatus);
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = aStream->ReadBoolean(&mHaveCipherSuiteAndProtocol);
+    NS_ENSURE_SUCCESS(rv, rv);
+    rv = aStream->ReadBoolean(&mHaveCertErrorBits);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = aStream->Read16(&mCertificateTransparencyStatus);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = aStream->ReadCString(mKeaGroup);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = aStream->ReadCString(mSignatureSchemeName);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    nsCOMPtr<nsISupports> succeededCertChainSupports;
+    rv = NS_ReadOptionalObject(aStream, true,
+                               getter_AddRefs(succeededCertChainSupports));
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+    mSucceededCertChain = do_QueryInterface(succeededCertChainSupports);
   }
-  mSSLStatus = BitwiseCast<nsSSLStatus*, nsISupports*>(supports.get());
+  // END moved from nsISSLStatus
 
   nsCOMPtr<nsISupports> failedCertChainSupports;
-  rv = NS_ReadOptionalObject(stream, true, getter_AddRefs(failedCertChainSupports));
+  rv = NS_ReadOptionalObject(aStream, true,
+                             getter_AddRefs(failedCertChainSupports));
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -362,23 +569,6 @@ TransportSecurityInfo::GetClassIDNoAlloc(nsCID *aClassIDNoAlloc)
   return NS_OK;
 }
 
-NS_IMETHODIMP
-TransportSecurityInfo::GetSSLStatus(nsISSLStatus** _result)
-{
-  NS_ENSURE_ARG_POINTER(_result);
-
-  *_result = mSSLStatus;
-  NS_IF_ADDREF(*_result);
-
-  return NS_OK;
-}
-
-void
-TransportSecurityInfo::SetSSLStatus(nsSSLStatus *aSSLStatus)
-{
-  mSSLStatus = aSSLStatus;
-}
-
 // RememberCertErrorsTable
 
 /*static*/ RememberCertErrorsTable*
@@ -407,66 +597,67 @@ GetHostPortKey(TransportSecurityInfo* infoObject, /*out*/ nsCString& result)
 
 void
 RememberCertErrorsTable::RememberCertHasError(TransportSecurityInfo* infoObject,
-                                              nsSSLStatus* status,
                                               SECStatus certVerificationResult)
 {
   nsresult rv;
 
   nsAutoCString hostPortKey;
   rv = GetHostPortKey(infoObject, hostPortKey);
-  if (NS_FAILED(rv))
+  if (NS_FAILED(rv)) {
     return;
+  }
 
   if (certVerificationResult != SECSuccess) {
-    MOZ_ASSERT(status, "Must have nsSSLStatus object when remembering flags");
+    MOZ_ASSERT(infoObject->mHaveCertErrorBits, "Must have error bits when remembering flags");
-
+    if (!infoObject->mHaveCertErrorBits) {
-    if (!status)
       return;
+    }
 
     CertStateBits bits;
-    bits.mIsDomainMismatch = status->mIsDomainMismatch;
+    bits.mIsDomainMismatch = infoObject->mIsDomainMismatch;
-    bits.mIsNotValidAtThisTime = status->mIsNotValidAtThisTime;
+    bits.mIsNotValidAtThisTime = infoObject->mIsNotValidAtThisTime;
-    bits.mIsUntrusted = status->mIsUntrusted;
+    bits.mIsUntrusted = infoObject->mIsUntrusted;
 
     MutexAutoLock lock(mMutex);
     mErrorHosts.Put(hostPortKey, bits);
-  }
+  } else {
-  else {
     MutexAutoLock lock(mMutex);
     mErrorHosts.Remove(hostPortKey);
   }
 }
 
 void
-RememberCertErrorsTable::LookupCertErrorBits(TransportSecurityInfo* infoObject,
+RememberCertErrorsTable::LookupCertErrorBits(TransportSecurityInfo* infoObject)
-                                             nsSSLStatus* status)
 {
   // Get remembered error bits from our cache, because of SSL session caching
   // the NSS library potentially hasn't notified us for this socket.
-  if (status->mHaveCertErrorBits)
+  if (infoObject->mHaveCertErrorBits) {
     // Rather do not modify bits if already set earlier
     return;
+  }
 
   nsresult rv;
 
   nsAutoCString hostPortKey;
   rv = GetHostPortKey(infoObject, hostPortKey);
-  if (NS_FAILED(rv))
+  if (NS_FAILED(rv)) {
     return;
+  }
 
   CertStateBits bits;
   {
     MutexAutoLock lock(mMutex);
-    if (!mErrorHosts.Get(hostPortKey, &bits))
+    if (!mErrorHosts.Get(hostPortKey, &bits)) {
       // No record was found, this host had no cert errors
       return;
+    }
   }
 
   // This host had cert errors, update the bits correctly
-  status->mHaveCertErrorBits = true;
+  infoObject->mHaveCertErrorBits = true;
-  status->mIsDomainMismatch = bits.mIsDomainMismatch;
+  infoObject->mIsDomainMismatch = bits.mIsDomainMismatch;
-  status->mIsNotValidAtThisTime = bits.mIsNotValidAtThisTime;
+  infoObject->mIsNotValidAtThisTime = bits.mIsNotValidAtThisTime;
-  status->mIsUntrusted = bits.mIsUntrusted;
+  infoObject->mIsUntrusted = bits.mIsUntrusted;
 }
 
 void
@@ -475,23 +666,17 @@ TransportSecurityInfo::SetStatusErrorBits(nsNSSCertificate* cert,
 {
   MutexAutoLock lock(mMutex);
 
-  if (!mSSLStatus) {
+  SetServerCert(cert, EVStatus::NotEV);
-    mSSLStatus = new nsSSLStatus();
-  }
 
-  mSSLStatus->SetServerCert(cert, EVStatus::NotEV);
+  mHaveCertErrorBits = true;
-  mSSLStatus->SetFailedCertChain(mFailedCertChain);
+  mIsDomainMismatch =
-
-  mSSLStatus->mHaveCertErrorBits = true;
-  mSSLStatus->mIsDomainMismatch =
     collected_errors & nsICertOverrideService::ERROR_MISMATCH;
-  mSSLStatus->mIsNotValidAtThisTime =
+  mIsNotValidAtThisTime =
     collected_errors & nsICertOverrideService::ERROR_TIME;
-  mSSLStatus->mIsUntrusted =
+  mIsUntrusted =
     collected_errors & nsICertOverrideService::ERROR_UNTRUSTED;
 
   RememberCertErrorsTable::GetInstance().RememberCertHasError(this,
-                                                              mSSLStatus,
                                                               SECFailure);
 }
 
@@ -515,4 +700,223 @@ TransportSecurityInfo::SetFailedCertChain(UniqueCERTCertList certList)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+TransportSecurityInfo::GetServerCert(nsIX509Cert** aServerCert)
+{
+  NS_ENSURE_ARG_POINTER(aServerCert);
+
+  nsCOMPtr<nsIX509Cert> cert = mServerCert;
+  cert.forget(aServerCert);
+  return NS_OK;
+}
+
+void
+TransportSecurityInfo::SetServerCert(nsNSSCertificate* aServerCert,
+                                     EVStatus aEVStatus)
+{
+  MOZ_ASSERT(aServerCert);
+
+  mServerCert = aServerCert;
+  mIsEV = (aEVStatus == EVStatus::EV);
+  mHasIsEVStatus = true;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetSucceededCertChain(nsIX509CertList** _result)
+{
+  NS_ENSURE_ARG_POINTER(_result);
+
+  nsCOMPtr<nsIX509CertList> tmpList = mSucceededCertChain;
+  tmpList.forget(_result);
+
+  return NS_OK;
+}
+
+nsresult
+TransportSecurityInfo::SetSucceededCertChain(UniqueCERTCertList aCertList)
+{
+  // nsNSSCertList takes ownership of certList
+  mSucceededCertChain = new nsNSSCertList(std::move(aCertList));
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetCipherName(nsACString& aCipherName)
+{
+  if (!mHaveCipherSuiteAndProtocol) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  SSLCipherSuiteInfo cipherInfo;
+  if (SSL_GetCipherSuiteInfo(mCipherSuite, &cipherInfo,
+                             sizeof(cipherInfo)) != SECSuccess) {
+    return NS_ERROR_FAILURE;
+  }
+
+  aCipherName.Assign(cipherInfo.cipherSuiteName);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetKeyLength(uint32_t* aKeyLength)
+{
+  NS_ENSURE_ARG_POINTER(aKeyLength);
+  if (!mHaveCipherSuiteAndProtocol) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  SSLCipherSuiteInfo cipherInfo;
+  if (SSL_GetCipherSuiteInfo(mCipherSuite, &cipherInfo,
+                             sizeof(cipherInfo)) != SECSuccess) {
+    return NS_ERROR_FAILURE;
+  }
+
+  *aKeyLength = cipherInfo.symKeyBits;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetSecretKeyLength(uint32_t* aSecretKeyLength)
+{
+  NS_ENSURE_ARG_POINTER(aSecretKeyLength);
+  if (!mHaveCipherSuiteAndProtocol) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  SSLCipherSuiteInfo cipherInfo;
+  if (SSL_GetCipherSuiteInfo(mCipherSuite, &cipherInfo,
+                             sizeof(cipherInfo)) != SECSuccess) {
+    return NS_ERROR_FAILURE;
+  }
+
+  *aSecretKeyLength = cipherInfo.effectiveKeyBits;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetKeaGroupName(nsACString& aKeaGroup)
+{
+  if (!mHaveCipherSuiteAndProtocol) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  aKeaGroup.Assign(mKeaGroup);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetSignatureSchemeName(nsACString& aSignatureScheme)
+{
+  if (!mHaveCipherSuiteAndProtocol) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  aSignatureScheme.Assign(mSignatureSchemeName);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetProtocolVersion(uint16_t* aProtocolVersion)
+{
+  NS_ENSURE_ARG_POINTER(aProtocolVersion);
+  if (!mHaveCipherSuiteAndProtocol) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  *aProtocolVersion = mProtocolVersion;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetCertificateTransparencyStatus(
+  uint16_t* aCertificateTransparencyStatus)
+{
+  NS_ENSURE_ARG_POINTER(aCertificateTransparencyStatus);
+
+  *aCertificateTransparencyStatus = mCertificateTransparencyStatus;
+  return NS_OK;
+}
+
+void
+TransportSecurityInfo::SetCertificateTransparencyInfo(
+  const mozilla::psm::CertificateTransparencyInfo& info)
+{
+  using mozilla::ct::CTPolicyCompliance;
+
+  mCertificateTransparencyStatus =
+    nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE;
+
+  if (!info.enabled) {
+    // CT disabled.
+    return;
+  }
+
+  switch (info.policyCompliance) {
+    case CTPolicyCompliance::Compliant:
+      mCertificateTransparencyStatus =
+        nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT;
+      break;
+    case CTPolicyCompliance::NotEnoughScts:
+      mCertificateTransparencyStatus =
+        nsITransportSecurityInfo
+          ::CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS;
+      break;
+    case CTPolicyCompliance::NotDiverseScts:
+      mCertificateTransparencyStatus =
+        nsITransportSecurityInfo
+          ::CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS;
+      break;
+    case CTPolicyCompliance::Unknown:
+    default:
+      MOZ_ASSERT_UNREACHABLE("Unexpected CTPolicyCompliance type");
+  }
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetIsDomainMismatch(bool* aIsDomainMismatch)
+{
+  NS_ENSURE_ARG_POINTER(aIsDomainMismatch);
+
+  *aIsDomainMismatch = mHaveCertErrorBits && mIsDomainMismatch;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetIsNotValidAtThisTime(bool* aIsNotValidAtThisTime)
+{
+  NS_ENSURE_ARG_POINTER(aIsNotValidAtThisTime);
+
+  *aIsNotValidAtThisTime = mHaveCertErrorBits && mIsNotValidAtThisTime;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetIsUntrusted(bool* aIsUntrusted)
+{
+  NS_ENSURE_ARG_POINTER(aIsUntrusted);
+
+  *aIsUntrusted = mHaveCertErrorBits && mIsUntrusted;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::GetIsExtendedValidation(bool* aIsEV)
+{
+  NS_ENSURE_ARG_POINTER(aIsEV);
+  *aIsEV = false;
+
+  // Never allow bad certs for EV, regardless of overrides.
+  if (mHaveCertErrorBits) {
+    return NS_OK;
+  }
+
+  if (mHasIsEVStatus) {
+    *aIsEV = mIsEV;
+    return NS_OK;
+  }
+
+  return NS_ERROR_NOT_AVAILABLE;
+}
+
 } } // namespace mozilla::psm

security/manager/ssl/TransportSecurityInfo.h

@@ -7,6 +7,7 @@
 #ifndef TransportSecurityInfo_h
 #define TransportSecurityInfo_h
 
+#include "CertVerifier.h" // For CertificateTransparencyInfo
 #include "ScopedNSSTypes.h"
 #include "certt.h"
 #include "mozilla/Assertions.h"
@@ -15,14 +16,20 @@
 #include "mozilla/RefPtr.h"
 #include "nsDataHashtable.h"
 #include "nsIAssociatedContentSecurity.h"
+#include "nsIClassInfo.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsITransportSecurityInfo.h"
-#include "nsSSLStatus.h"
+#include "nsNSSCertificate.h"
 #include "nsString.h"
 #include "pkix/pkixtypes.h"
 
 namespace mozilla { namespace psm {
 
+enum class EVStatus {
+  NotEV = 0,
+  EV = 1,
+};
+
 class TransportSecurityInfo : public nsITransportSecurityInfo
                             , public nsIInterfaceRequestor
                             , public nsIAssociatedContentSecurity
@@ -43,6 +50,14 @@ public:
 
   void SetSecurityState(uint32_t aState);
 
+  inline int32_t GetErrorCode()
+  {
+    int32_t result;
+    mozilla::DebugOnly<nsresult> rv = GetErrorCode(&result);
+    MOZ_ASSERT(NS_SUCCEEDED(rv));
+    return result;
+  }
+
   const nsACString & GetHostName() const { return mHostName; }
 
   void SetHostName(const char* host);
@@ -57,13 +72,39 @@ public:
 
   void SetCanceled(PRErrorCode errorCode);
 
-  /* Set SSL Status values */
-  void SetSSLStatus(nsSSLStatus* aSSLStatus);
-  nsSSLStatus* SSLStatus() { return mSSLStatus; }
   void SetStatusErrorBits(nsNSSCertificate* cert, uint32_t collected_errors);
 
   nsresult SetFailedCertChain(UniqueCERTCertList certList);
 
+  void SetServerCert(nsNSSCertificate* aServerCert, EVStatus aEVStatus);
+
+  nsresult SetSucceededCertChain(mozilla::UniqueCERTCertList certList);
+
+  bool HasServerCert() {
+    return mServerCert != nullptr;
+  }
+
+  void SetCertificateTransparencyInfo(
+    const mozilla::psm::CertificateTransparencyInfo& info);
+
+  uint16_t mCipherSuite;
+  uint16_t mProtocolVersion;
+  uint16_t mCertificateTransparencyStatus;
+  nsCString mKeaGroup;
+  nsCString mSignatureSchemeName;
+
+  bool mIsDomainMismatch;
+  bool mIsNotValidAtThisTime;
+  bool mIsUntrusted;
+  bool mIsEV;
+
+  bool mHasIsEVStatus;
+  bool mHaveCipherSuiteAndProtocol;
+
+  /* mHaveCertErrrorBits is relied on to determine whether or not a SPDY
+     connection is eligible for joining in nsNSSSocketInfo::JoinConnection() */
+  bool mHaveCertErrorBits;
+
 private:
   mutable ::mozilla::Mutex mMutex;
 
@@ -81,11 +122,13 @@ private:
   nsCString mHostName;
   OriginAttributes mOriginAttributes;
 
-  /* SSL Status */
+  nsCOMPtr<nsIX509Cert> mServerCert;
-  RefPtr<nsSSLStatus> mSSLStatus;
+  nsCOMPtr<nsIX509CertList> mSucceededCertChain;
 
   /* Peer cert chain for failed connections (for error reporting) */
   nsCOMPtr<nsIX509CertList> mFailedCertChain;
+
+  nsresult ReadSSLStatus(nsIObjectInputStream* aStream);
 };
 
 class RememberCertErrorsTable
@@ -102,11 +145,9 @@ private:
   nsDataHashtable<nsCStringHashKey, CertStateBits> mErrorHosts;
 
 public:
-  void RememberCertHasError(TransportSecurityInfo * infoobject,
+  void RememberCertHasError(TransportSecurityInfo* infoObject,
-                            nsSSLStatus * status,
                             SECStatus certVerificationResult);
-  void LookupCertErrorBits(TransportSecurityInfo * infoObject,
+  void LookupCertErrorBits(TransportSecurityInfo* infoObject);
-                           nsSSLStatus* status);
 
   static void Init()
   {

security/manager/ssl/moz.build

@@ -36,7 +36,6 @@ XPIDL_SOURCES += [
     'nsISecretDecoderRing.idl',
     'nsISecurityUITelemetry.idl',
     'nsISiteSecurityService.idl',
-    'nsISSLStatus.idl',
     'nsITokenDialogs.idl',
     'nsITokenPasswordDialogs.idl',
     'nsIX509Cert.idl',
@@ -126,7 +125,6 @@ UNIFIED_SOURCES += [
     'nsSiteSecurityService.cpp',
     'NSSKeyStore.cpp',
     'nsSSLSocketProvider.cpp',
-    'nsSSLStatus.cpp',
     'nsTLSSocketProvider.cpp',
     'OSKeyStore.cpp',
     'PKCS11ModuleDB.cpp',

security/manager/ssl/nsIBadCertListener2.idl

@@ -6,8 +6,8 @@
 
 #include "nsISupports.idl"
 
-interface nsISSLStatus;
 interface nsIInterfaceRequestor;
+interface nsITransportSecurityInfo;
 
 /**
  * A mechanism to report a broken SSL status. The recipient should NOT block.
@@ -20,13 +20,13 @@ interface nsIBadCertListener2 : nsISupports {
   /**
    *  @param socketInfo A network communication context that can be used to obtain more information
    *                    about the active connection.
-   *  @param status The SSL status object that describes the problem(s).
+   *  @param secInfo The TransportSecurityinfo object that describes the problem(s).
    *  @param targetSite The Site name that was used to open the current connection.
    *
    *  @return The consumer shall return true if it wants to suppress the error message
    *          related to the bad cert (the connection will still get canceled).
    */
   boolean notifyCertProblem(in nsIInterfaceRequestor socketInfo, 
-                            in nsISSLStatus status,
+                            in nsITransportSecurityInfo secInfo,
                             in AUTF8String targetSite);
 };

security/manager/ssl/nsISSLStatus.idl

@@ -1,64 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-interface nsIX509Cert;
-interface nsIX509CertList;
-
-[scriptable, uuid(fa9ba95b-ca3b-498a-b889-7c79cf28fee8)]
-interface nsISSLStatus : nsISupports {
-  readonly attribute nsIX509Cert serverCert;
-  readonly attribute nsIX509CertList failedCertChain;
-  readonly attribute nsIX509CertList succeededCertChain;
-
-  [must_use]
-  readonly attribute ACString cipherName;
-  [must_use]
-  readonly attribute unsigned long keyLength;
-  [must_use]
-  readonly attribute unsigned long secretKeyLength;
-  [must_use]
-  readonly attribute ACString keaGroupName;
-  [must_use]
-  readonly attribute ACString signatureSchemeName;
-
-  const short SSL_VERSION_3   = 0;
-  const short TLS_VERSION_1   = 1;
-  const short TLS_VERSION_1_1 = 2;
-  const short TLS_VERSION_1_2 = 3;
-  const short TLS_VERSION_1_3 = 4;
-  [must_use]
-  readonly attribute unsigned short protocolVersion;
-
-  const short CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE          = 0;
-  const short CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT        = 5;
-  const short CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS  = 6;
-  const short CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS = 7;
-  [must_use]
-  readonly attribute unsigned short certificateTransparencyStatus;
-
-  [must_use]
-  readonly attribute boolean isDomainMismatch;
-  [must_use]
-  readonly attribute boolean isNotValidAtThisTime;
-
-  /* Note: To distinguish between
-   *         "unstrusted because missing or untrusted issuer"
-   *       and
-   *         "untrusted because self signed"
-   *       query nsIX509Cert::isSelfSigned
-   */
-  [must_use]
-  readonly attribute boolean isUntrusted;
-
-  /**
-   * True only if (and after) serverCert was successfully validated as
-   * Extended Validation (EV).
-   */
-  [must_use]
-  readonly attribute boolean isExtendedValidation;
-};

security/manager/ssl/nsISiteSecurityService.idl

@@ -7,7 +7,7 @@
 interface nsIURI;
 interface nsIObserver;
 interface nsIHttpChannel;
-interface nsISSLStatus;
+interface nsITransportSecurityInfo;
 interface nsISimpleEnumerator;
 
 %{C++
@@ -115,7 +115,7 @@ interface nsISiteSecurityService : nsISupports
      * @param aType the type of security header in question.
      * @param aSourceURI the URI of the resource with the HTTP header.
      * @param aHeader the HTTP response header specifying security data.
-     * @param aSSLStatus the SSLStatus of the current channel.
+     * @param aSecInfo the TransportSecurityInfo of the current channel.
      * @param aFlags  options for this request as defined in nsISocketProvider:
      *                  NO_PERMANENT_STORAGE
      * @param aOriginAttributes the origin attributes that isolate this origin,
@@ -138,7 +138,7 @@ interface nsISiteSecurityService : nsISupports
     void processHeaderNative(in uint32_t aType,
                              in nsIURI aSourceURI,
                              in ACString aHeader,
-                             in nsISSLStatus aSSLStatus,
+                             in nsITransportSecurityInfo aSecInfo,
                              in uint32_t aFlags,
                              in uint32_t aSource,
                              in const_OriginAttributesRef aOriginAttributes,
@@ -151,7 +151,7 @@ interface nsISiteSecurityService : nsISupports
     void processHeader(in uint32_t aType,
                        in nsIURI aSourceURI,
                        in ACString aHeader,
-                       in nsISSLStatus aSSLStatus,
+                       in nsITransportSecurityInfo aSecInfo,
                        in uint32_t aFlags,
                        in uint32_t aSource,
                        [optional] in jsval aOriginAttributes,

security/manager/ssl/nsNSSCallbacks.cpp

@@ -737,18 +737,12 @@ PreliminaryHandshakeDone(PRFileDesc* fd)
     SSLCipherSuiteInfo cipherInfo;
     if (SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
                                sizeof cipherInfo) == SECSuccess) {
-      /* Set the SSL Status information */
+      /* Set the Status information */
-      RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
+      infoObject->mHaveCipherSuiteAndProtocol = true;
-      if (!status) {
+      infoObject->mCipherSuite = channelInfo.cipherSuite;
-        status = new nsSSLStatus();
+      infoObject->mProtocolVersion = channelInfo.protocolVersion & 0xFF;
-        infoObject->SetSSLStatus(status);
+      infoObject->mKeaGroup.Assign(getKeaGroupName(channelInfo.keaGroup));
-      }
+      infoObject->mSignatureSchemeName.Assign(
-
-      status->mHaveCipherSuiteAndProtocol = true;
-      status->mCipherSuite = channelInfo.cipherSuite;
-      status->mProtocolVersion = channelInfo.protocolVersion & 0xFF;
-      status->mKeaGroup.Assign(getKeaGroupName(channelInfo.keaGroup));
-      status->mSignatureSchemeName.Assign(
         getSignatureName(channelInfo.signatureScheme));
       infoObject->SetKEAUsed(channelInfo.keaType);
       infoObject->SetKEAKeyBits(channelInfo.keaKeyBits);
@@ -962,15 +956,13 @@ AccumulateCipherSuite(Telemetry::HistogramID probe, const SSLChannelInfo& channe
 // because we are on the socket thread, this must not cause any network
 // requests, hence the use of FLAG_LOCAL_ONLY.
 static void
-RebuildVerifiedCertificateInformation(RefPtr<nsSSLStatus> sslStatus,
+RebuildVerifiedCertificateInformation(PRFileDesc* fd,
-                                      PRFileDesc* fd,
                                       nsNSSSocketInfo* infoObject)
 {
-  MOZ_ASSERT(sslStatus);
   MOZ_ASSERT(fd);
   MOZ_ASSERT(infoObject);
 
-  if (!sslStatus || !fd || !infoObject) {
+  if (!fd || !infoObject) {
     return;
   }
 
@@ -1037,19 +1029,19 @@ RebuildVerifiedCertificateInformation(RefPtr<nsSSLStatus> sslStatus,
 
   RefPtr<nsNSSCertificate> nssc(nsNSSCertificate::Create(cert.get()));
   if (rv == Success && evOidPolicy != SEC_OID_UNKNOWN) {
-    sslStatus->SetCertificateTransparencyInfo(certificateTransparencyInfo);
+    infoObject->SetCertificateTransparencyInfo(certificateTransparencyInfo);
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
             ("HandshakeCallback using NEW cert %p (is EV)", nssc.get()));
-    sslStatus->SetServerCert(nssc, EVStatus::EV);
+    infoObject->SetServerCert(nssc, EVStatus::EV);
   } else {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
             ("HandshakeCallback using NEW cert %p (is not EV)", nssc.get()));
-    sslStatus->SetServerCert(nssc, EVStatus::NotEV);
+    infoObject->SetServerCert(nssc, EVStatus::NotEV);
   }
 
   if (rv == Success) {
-    sslStatus->SetCertificateTransparencyInfo(certificateTransparencyInfo);
+    infoObject->SetCertificateTransparencyInfo(certificateTransparencyInfo);
-    sslStatus->SetSucceededCertChain(std::move(builtChain));
+    infoObject->SetSucceededCertChain(std::move(builtChain));
   }
 }
 
@@ -1224,15 +1216,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
                              ioLayerHelpers.treatUnsafeNegotiationAsBroken();
 
 
-  /* Set the SSL Status information */
+  RememberCertErrorsTable::GetInstance().LookupCertErrorBits(infoObject);
-  RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
-  if (!status) {
-    status = new nsSSLStatus();
-    infoObject->SetSSLStatus(status);
-  }
-
-  RememberCertErrorsTable::GetInstance().LookupCertErrorBits(infoObject,
-                                                             status);
 
   uint32_t state;
   if (renegotiationUnsafe) {
@@ -1249,18 +1233,19 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
     }
   }
 
-  if (status->HasServerCert()) {
+  if (infoObject->HasServerCert()) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
            ("HandshakeCallback KEEPING existing cert\n"));
   } else {
-    RebuildVerifiedCertificateInformation(status, fd, infoObject);
+    RebuildVerifiedCertificateInformation(fd, infoObject);
   }
 
   nsCOMPtr<nsIX509CertList> succeededCertChain;
   // This always returns NS_OK, but the list could be empty. This is a
   // best-effort check for now. Bug 731478 will reduce the incidence of empty
   // succeeded cert chains through better caching.
-  Unused << status->GetSucceededCertChain(getter_AddRefs(succeededCertChain));
+  Unused << infoObject->GetSucceededCertChain(
+                          getter_AddRefs(succeededCertChain));
   bool distrustImminent;
   nsresult srv = IsCertificateDistrustImminent(succeededCertChain,
                                                distrustImminent);
@@ -1272,9 +1257,9 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
   bool untrusted;
   bool notValidAtThisTime;
   // These all return NS_OK, so don't even bother checking the return values.
-  Unused << status->GetIsDomainMismatch(&domainMismatch);
+  Unused << infoObject->GetIsDomainMismatch(&domainMismatch);
-  Unused << status->GetIsUntrusted(&untrusted);
+  Unused << infoObject->GetIsUntrusted(&untrusted);
-  Unused << status->GetIsNotValidAtThisTime(&notValidAtThisTime);
+  Unused << infoObject->GetIsNotValidAtThisTime(&notValidAtThisTime);
   // If we're here, the TLS handshake has succeeded. Thus if any of these
   // booleans are true, the user has added an override for a certificate error.
   if (domainMismatch || untrusted || notValidAtThisTime) {

security/manager/ssl/nsNSSIOLayer.cpp

@@ -460,15 +460,16 @@ nsNSSSocketInfo::IsAcceptableForHost(const nsACString& hostname, bool* _retval)
 
   // Before checking the server certificate we need to make sure the
   // handshake has completed.
-  if (!mHandshakeCompleted || !SSLStatus() || !SSLStatus()->HasServerCert()) {
+  if (!mHandshakeCompleted || !HasServerCert()) {
     return NS_OK;
   }
 
   // If the cert has error bits (e.g. it is untrusted) then do not join.
   // The value of mHaveCertErrorBits is only reliable because we know that
   // the handshake completed.
-  if (SSLStatus()->mHaveCertErrorBits)
+  if (mHaveCertErrorBits) {
     return NS_OK;
+  }
 
   // If the connection is using client certificates then do not join
   // because the user decides on whether to send client certs to hosts on a
@@ -482,7 +483,7 @@ nsNSSSocketInfo::IsAcceptableForHost(const nsACString& hostname, bool* _retval)
   UniqueCERTCertificate nssCert;
 
   nsCOMPtr<nsIX509Cert> cert;
-  if (NS_FAILED(SSLStatus()->GetServerCert(getter_AddRefs(cert)))) {
+  if (NS_FAILED(GetServerCert(getter_AddRefs(cert)))) {
     return NS_OK;
   }
   if (cert) {

security/manager/ssl/nsNSSIOLayer.h

@@ -61,6 +61,7 @@ public:
   void SetEarlyDataAccepted(bool aAccepted);
 
   void SetHandshakeCompleted();
+  bool IsHandshakeCompleted() const { return mHandshakeCompleted; }
   void NoteTimeUntilReady();
 
 

security/manager/ssl/nsNSSModule.cpp

@@ -29,7 +29,6 @@
 #include "nsPKCS11Slot.h"
 #include "nsRandomGenerator.h"
 #include "nsSSLSocketProvider.h"
-#include "nsSSLStatus.h"
 #include "nsSecureBrowserUIImpl.h"
 #include "nsSiteSecurityService.h"
 #include "nsTLSSocketProvider.h"
@@ -154,7 +153,6 @@ NS_DEFINE_NAMED_CID(NS_KEYMODULEOBJECTFACTORY_CID);
 NS_DEFINE_NAMED_CID(NS_CONTENTSIGNATUREVERIFIER_CID);
 NS_DEFINE_NAMED_CID(NS_CERTOVERRIDE_CID);
 NS_DEFINE_NAMED_CID(NS_RANDOMGENERATOR_CID);
-NS_DEFINE_NAMED_CID(NS_SSLSTATUS_CID);
 NS_DEFINE_NAMED_CID(TRANSPORTSECURITYINFO_CID);
 NS_DEFINE_NAMED_CID(NS_NSSERRORSSERVICE_CID);
 NS_DEFINE_NAMED_CID(NS_NSSVERSION_CID);
@@ -205,8 +203,6 @@ static const mozilla::Module::CIDEntry kNSSCIDs[] = {
                 ThreadRestriction::MainThreadOnly> },
   { &kNS_RANDOMGENERATOR_CID, false, nullptr,
     Constructor<nsRandomGenerator, nullptr, ProcessRestriction::AnyProcess> },
-  { &kNS_SSLSTATUS_CID, false, nullptr,
-    Constructor<nsSSLStatus, nullptr, ProcessRestriction::AnyProcess> },
   { &kTRANSPORTSECURITYINFO_CID, false, nullptr,
     Constructor<TransportSecurityInfo, nullptr,
                 ProcessRestriction::AnyProcess> },

security/manager/ssl/nsSSLStatus.cpp

@@ -1,464 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "CTVerifyResult.h"
-#include "mozilla/Casting.h"
-#include "nsSSLStatus.h"
-#include "nsIClassInfoImpl.h"
-#include "nsIObjectOutputStream.h"
-#include "nsIObjectInputStream.h"
-#include "nsNSSCertificate.h"
-#include "ssl.h"
-
-NS_IMETHODIMP
-nsSSLStatus::GetServerCert(nsIX509Cert** aServerCert)
-{
-  NS_ENSURE_ARG_POINTER(aServerCert);
-
-  nsCOMPtr<nsIX509Cert> cert = mServerCert;
-  cert.forget(aServerCert);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetKeyLength(uint32_t* aKeyLength)
-{
-  NS_ENSURE_ARG_POINTER(aKeyLength);
-  if (!mHaveCipherSuiteAndProtocol) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  SSLCipherSuiteInfo cipherInfo;
-  if (SSL_GetCipherSuiteInfo(mCipherSuite, &cipherInfo,
-                             sizeof(cipherInfo)) != SECSuccess) {
-    return NS_ERROR_FAILURE;
-  }
-
-  *aKeyLength = cipherInfo.symKeyBits;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetSecretKeyLength(uint32_t* aSecretKeyLength)
-{
-  NS_ENSURE_ARG_POINTER(aSecretKeyLength);
-  if (!mHaveCipherSuiteAndProtocol) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  SSLCipherSuiteInfo cipherInfo;
-  if (SSL_GetCipherSuiteInfo(mCipherSuite, &cipherInfo,
-                             sizeof(cipherInfo)) != SECSuccess) {
-    return NS_ERROR_FAILURE;
-  }
-
-  *aSecretKeyLength = cipherInfo.effectiveKeyBits;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetCipherName(nsACString& aCipherName)
-{
-  if (!mHaveCipherSuiteAndProtocol) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  SSLCipherSuiteInfo cipherInfo;
-  if (SSL_GetCipherSuiteInfo(mCipherSuite, &cipherInfo,
-                             sizeof(cipherInfo)) != SECSuccess) {
-    return NS_ERROR_FAILURE;
-  }
-
-  aCipherName.Assign(cipherInfo.cipherSuiteName);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetKeaGroupName(nsACString& aKeaGroup)
-{
-  if (!mHaveCipherSuiteAndProtocol) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  aKeaGroup.Assign(mKeaGroup);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetSignatureSchemeName(nsACString& aSignatureScheme)
-{
-  if (!mHaveCipherSuiteAndProtocol) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  aSignatureScheme.Assign(mSignatureSchemeName);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetProtocolVersion(uint16_t* aProtocolVersion)
-{
-  NS_ENSURE_ARG_POINTER(aProtocolVersion);
-  if (!mHaveCipherSuiteAndProtocol) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  *aProtocolVersion = mProtocolVersion;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetCertificateTransparencyStatus(
-  uint16_t* aCertificateTransparencyStatus)
-{
-  NS_ENSURE_ARG_POINTER(aCertificateTransparencyStatus);
-
-  *aCertificateTransparencyStatus = mCertificateTransparencyStatus;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetIsDomainMismatch(bool* aIsDomainMismatch)
-{
-  NS_ENSURE_ARG_POINTER(aIsDomainMismatch);
-
-  *aIsDomainMismatch = mHaveCertErrorBits && mIsDomainMismatch;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetIsNotValidAtThisTime(bool* aIsNotValidAtThisTime)
-{
-  NS_ENSURE_ARG_POINTER(aIsNotValidAtThisTime);
-
-  *aIsNotValidAtThisTime = mHaveCertErrorBits && mIsNotValidAtThisTime;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetIsUntrusted(bool* aIsUntrusted)
-{
-  NS_ENSURE_ARG_POINTER(aIsUntrusted);
-
-  *aIsUntrusted = mHaveCertErrorBits && mIsUntrusted;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetIsExtendedValidation(bool* aIsEV)
-{
-  NS_ENSURE_ARG_POINTER(aIsEV);
-  *aIsEV = false;
-
-  // Never allow bad certs for EV, regardless of overrides.
-  if (mHaveCertErrorBits) {
-    return NS_OK;
-  }
-
-  if (mHasIsEVStatus) {
-    *aIsEV = mIsEV;
-    return NS_OK;
-  }
-
-  return NS_ERROR_NOT_AVAILABLE;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::Read(nsIObjectInputStream* aStream)
-{
-  nsCOMPtr<nsISupports> cert;
-  nsresult rv = aStream->ReadObject(true, getter_AddRefs(cert));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  mServerCert = do_QueryInterface(cert);
-  if (!mServerCert) {
-    return NS_NOINTERFACE;
-  }
-
-  rv = aStream->Read16(&mCipherSuite);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  // The code below is a workaround to allow serializing new fields
-  // while preserving binary compatibility with older streams. For more details
-  // on the binary compatibility requirement, refer to bug 1248628.
-  // Here, we take advantage of the fact that mProtocolVersion was originally
-  // stored as a 16 bits integer, but the highest 8 bits were never used.
-  // These bits are now used for stream versioning.
-  uint16_t protocolVersionAndStreamFormatVersion;
-  rv = aStream->Read16(&protocolVersionAndStreamFormatVersion);
-  NS_ENSURE_SUCCESS(rv, rv);
-  mProtocolVersion = protocolVersionAndStreamFormatVersion & 0xFF;
-  const uint8_t streamFormatVersion =
-    (protocolVersionAndStreamFormatVersion >> 8) & 0xFF;
-
-  rv = aStream->ReadBoolean(&mIsDomainMismatch);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aStream->ReadBoolean(&mIsNotValidAtThisTime);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aStream->ReadBoolean(&mIsUntrusted);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aStream->ReadBoolean(&mIsEV);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = aStream->ReadBoolean(&mHasIsEVStatus);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aStream->ReadBoolean(&mHaveCipherSuiteAndProtocol);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aStream->ReadBoolean(&mHaveCertErrorBits);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  // Added in version 1 (see bug 1305289).
-  if (streamFormatVersion >= 1) {
-    rv = aStream->Read16(&mCertificateTransparencyStatus);
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
-
-  // Added in version 2 (see bug 1304923).
-  if (streamFormatVersion >= 2) {
-    rv = aStream->ReadCString(mKeaGroup);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    rv = aStream->ReadCString(mSignatureSchemeName);
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
-
-  // Added in version 3 (see bug 1406856).
-  if (streamFormatVersion >= 3) {
-    nsCOMPtr<nsISupports> succeededCertChainSupports;
-    rv = NS_ReadOptionalObject(aStream, true, getter_AddRefs(succeededCertChainSupports));
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-    mSucceededCertChain = do_QueryInterface(succeededCertChainSupports);
-
-    nsCOMPtr<nsISupports> failedCertChainSupports;
-    rv = NS_ReadOptionalObject(aStream, true, getter_AddRefs(failedCertChainSupports));
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-    mFailedCertChain = do_QueryInterface(failedCertChainSupports);
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::Write(nsIObjectOutputStream* aStream)
-{
-  // The current version of the binary stream format.
-  const uint8_t STREAM_FORMAT_VERSION = 3;
-
-  nsresult rv = aStream->WriteCompoundObject(mServerCert,
-                                             NS_GET_IID(nsIX509Cert),
-                                             true);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = aStream->Write16(mCipherSuite);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  uint16_t protocolVersionAndStreamFormatVersion =
-    mozilla::AssertedCast<uint8_t>(mProtocolVersion) |
-    (STREAM_FORMAT_VERSION << 8);
-  rv = aStream->Write16(protocolVersionAndStreamFormatVersion);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = aStream->WriteBoolean(mIsDomainMismatch);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aStream->WriteBoolean(mIsNotValidAtThisTime);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aStream->WriteBoolean(mIsUntrusted);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aStream->WriteBoolean(mIsEV);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = aStream->WriteBoolean(mHasIsEVStatus);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aStream->WriteBoolean(mHaveCipherSuiteAndProtocol);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aStream->WriteBoolean(mHaveCertErrorBits);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  // Added in version 1.
-  rv = aStream->Write16(mCertificateTransparencyStatus);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  // Added in version 2.
-  rv = aStream->WriteStringZ(mKeaGroup.get());
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = aStream->WriteStringZ(mSignatureSchemeName.get());
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  // Added in version 3.
-  rv = NS_WriteOptionalCompoundObject(aStream,
-                                      mSucceededCertChain,
-                                      NS_GET_IID(nsIX509CertList),
-                                      true);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  rv = NS_WriteOptionalCompoundObject(aStream,
-                                      mFailedCertChain,
-                                      NS_GET_IID(nsIX509CertList),
-                                      true);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetInterfaces(uint32_t* aCount, nsIID*** aArray)
-{
-  *aCount = 0;
-  *aArray = nullptr;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetScriptableHelper(nsIXPCScriptable** aHelper)
-{
-  *aHelper = nullptr;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetContractID(nsACString& aContractID)
-{
-  aContractID.SetIsVoid(true);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetClassDescription(nsACString& aClassDescription)
-{
-  aClassDescription.SetIsVoid(true);
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetClassID(nsCID** aClassID)
-{
-  *aClassID = (nsCID*) moz_xmalloc(sizeof(nsCID));
-  return GetClassIDNoAlloc(*aClassID);
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetFlags(uint32_t* aFlags)
-{
-  *aFlags = 0;
-  return NS_OK;
-}
-
-static NS_DEFINE_CID(kSSLStatusCID, NS_SSLSTATUS_CID);
-
-NS_IMETHODIMP
-nsSSLStatus::GetClassIDNoAlloc(nsCID* aClassIDNoAlloc)
-{
-  *aClassIDNoAlloc = kSSLStatusCID;
-  return NS_OK;
-}
-
-nsSSLStatus::nsSSLStatus()
-: mCipherSuite(0)
-, mProtocolVersion(0)
-, mCertificateTransparencyStatus(nsISSLStatus::
-    CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE)
-, mKeaGroup()
-, mSignatureSchemeName()
-, mIsDomainMismatch(false)
-, mIsNotValidAtThisTime(false)
-, mIsUntrusted(false)
-, mIsEV(false)
-, mHasIsEVStatus(false)
-, mHaveCipherSuiteAndProtocol(false)
-, mHaveCertErrorBits(false)
-{
-}
-
-NS_IMPL_ISUPPORTS(nsSSLStatus, nsISSLStatus, nsISerializable, nsIClassInfo)
-
-void
-nsSSLStatus::SetServerCert(nsNSSCertificate* aServerCert, EVStatus aEVStatus)
-{
-  MOZ_ASSERT(aServerCert);
-
-  mServerCert = aServerCert;
-  mIsEV = (aEVStatus == EVStatus::EV);
-  mHasIsEVStatus = true;
-}
-
-nsresult
-nsSSLStatus::SetSucceededCertChain(UniqueCERTCertList aCertList)
-{
-  // nsNSSCertList takes ownership of certList
-  mSucceededCertChain = new nsNSSCertList(std::move(aCertList));
-
-  return NS_OK;
-}
-
-void
-nsSSLStatus::SetFailedCertChain(nsIX509CertList* aX509CertList)
-{
-  mFailedCertChain = aX509CertList;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetSucceededCertChain(nsIX509CertList** _result)
-{
-  NS_ENSURE_ARG_POINTER(_result);
-
-  nsCOMPtr<nsIX509CertList> tmpList = mSucceededCertChain;
-  tmpList.forget(_result);
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetFailedCertChain(nsIX509CertList** _result)
-{
-  NS_ENSURE_ARG_POINTER(_result);
-
-  nsCOMPtr<nsIX509CertList> tmpList = mFailedCertChain;
-  tmpList.forget(_result);
-
-  return NS_OK;
-}
-
-void
-nsSSLStatus::SetCertificateTransparencyInfo(
-  const mozilla::psm::CertificateTransparencyInfo& info)
-{
-  using mozilla::ct::CTPolicyCompliance;
-
-  mCertificateTransparencyStatus =
-    nsISSLStatus::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE;
-
-  if (!info.enabled) {
-    // CT disabled.
-    return;
-  }
-
-  switch (info.policyCompliance) {
-    case CTPolicyCompliance::Compliant:
-      mCertificateTransparencyStatus =
-        nsISSLStatus::CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT;
-      break;
-    case CTPolicyCompliance::NotEnoughScts:
-      mCertificateTransparencyStatus =
-        nsISSLStatus::CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS;
-      break;
-    case CTPolicyCompliance::NotDiverseScts:
-      mCertificateTransparencyStatus =
-        nsISSLStatus::CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS;
-      break;
-    case CTPolicyCompliance::Unknown:
-    default:
-      MOZ_ASSERT_UNREACHABLE("Unexpected CTPolicyCompliance type");
-  }
-}

security/manager/ssl/nsSSLStatus.h

@@ -1,84 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef _NSSSLSTATUS_H
-#define _NSSSLSTATUS_H
-
-#include "CertVerifier.h" // For CertificateTransparencyInfo
-#include "nsISSLStatus.h"
-#include "nsCOMPtr.h"
-#include "nsString.h"
-#include "nsIX509Cert.h"
-#include "nsIX509CertList.h"
-#include "nsISerializable.h"
-#include "nsIClassInfo.h"
-#include "nsNSSCertificate.h"
-#include "ScopedNSSTypes.h"
-
-class nsNSSCertificate;
-
-enum class EVStatus {
-  NotEV = 0,
-  EV = 1,
-};
-
-class nsSSLStatus final
-  : public nsISSLStatus
-  , public nsISerializable
-  , public nsIClassInfo
-{
-protected:
-  virtual ~nsSSLStatus() {}
-public:
-  NS_DECL_THREADSAFE_ISUPPORTS
-  NS_DECL_NSISSLSTATUS
-  NS_DECL_NSISERIALIZABLE
-  NS_DECL_NSICLASSINFO
-
-  nsSSLStatus();
-
-  void SetServerCert(nsNSSCertificate* aServerCert, EVStatus aEVStatus);
-
-  nsresult SetSucceededCertChain(mozilla::UniqueCERTCertList certList);
-  void SetFailedCertChain(nsIX509CertList* x509CertList);
-
-  bool HasServerCert() {
-    return mServerCert != nullptr;
-  }
-
-  void SetCertificateTransparencyInfo(
-    const mozilla::psm::CertificateTransparencyInfo& info);
-
-  /* public for initilization in this file */
-  uint16_t mCipherSuite;
-  uint16_t mProtocolVersion;
-  uint16_t mCertificateTransparencyStatus;
-  nsCString mKeaGroup;
-  nsCString mSignatureSchemeName;
-
-  bool mIsDomainMismatch;
-  bool mIsNotValidAtThisTime;
-  bool mIsUntrusted;
-  bool mIsEV;
-
-  bool mHasIsEVStatus;
-  bool mHaveCipherSuiteAndProtocol;
-
-  /* mHaveCertErrrorBits is relied on to determine whether or not a SPDY
-     connection is eligible for joining in nsNSSSocketInfo::JoinConnection() */
-  bool mHaveCertErrorBits;
-
-private:
-  nsCOMPtr<nsIX509Cert> mServerCert;
-  nsCOMPtr<nsIX509CertList> mSucceededCertChain;
-  nsCOMPtr<nsIX509CertList> mFailedCertChain;
-};
-
-#define NS_SSLSTATUS_CID \
-{ 0xe2f14826, 0x9e70, 0x4647, \
-  { 0xb2, 0x3f, 0x10, 0x10, 0xf5, 0x12, 0x46, 0x28 } }
-
-#endif

security/manager/ssl/nsSecureBrowserUIImpl.cpp

@@ -12,7 +12,6 @@
 #include "nsIDocShell.h"
 #include "nsIDocShellTreeItem.h"
 #include "nsIInterfaceRequestorUtils.h"
-#include "nsISSLStatus.h"
 #include "nsISecurityEventSink.h"
 #include "nsITransportSecurityInfo.h"
 #include "nsIWebProgress.h"
@@ -224,28 +223,14 @@ nsSecureBrowserUIImpl::UpdateStateAndSecurityInfo(nsIChannel* channel,
     if (NS_FAILED(rv)) {
       return rv;
     }
-    nsCOMPtr<nsISSLStatus> sslStatus;
+    bool isEV;
-    rv = mTopLevelSecurityInfo->GetSSLStatus(getter_AddRefs(sslStatus));
+    rv = mTopLevelSecurityInfo->GetIsExtendedValidation(&isEV);
     if (NS_FAILED(rv)) {
       return rv;
     }
-    if (!sslStatus) {
+    if (isEV) {
-      MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
+      MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, ("  is EV"));
-              ("  no sslStatus -> setting state to not secure"));
+      mState |= STATE_IDENTITY_EV_TOPLEVEL;
-      mState = STATE_IS_INSECURE;
-      mTopLevelSecurityInfo = nullptr;
-    } else {
-      MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
-              ("  have sslStatus %p", sslStatus.get()));
-      bool isEV;
-      rv = sslStatus->GetIsExtendedValidation(&isEV);
-      if (NS_FAILED(rv)) {
-        return rv;
-      }
-      if (isEV) {
-        MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, ("  is EV"));
-        mState |= STATE_IDENTITY_EV_TOPLEVEL;
-      }
     }
   } else {
     mState = STATE_IS_INSECURE;

security/manager/ssl/nsSiteSecurityService.cpp

@@ -19,9 +19,9 @@
 #include "mozilla/dom/ToJSValue.h"
 #include "nsArrayEnumerator.h"
 #include "nsCOMArray.h"
-#include "nsISSLStatus.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsISocketProvider.h"
+#include "nsITransportSecurityInfo.h"
 #include "nsIURI.h"
 #include "nsIX509Cert.h"
 #include "nsNSSComponent.h"
@@ -774,7 +774,7 @@ nsSiteSecurityService::ProcessHeaderScriptable(
   uint32_t aType,
   nsIURI* aSourceURI,
   const nsACString& aHeader,
-  nsISSLStatus* aSSLStatus,
+  nsITransportSecurityInfo* aSecInfo,
   uint32_t aFlags,
   uint32_t aSource,
   JS::HandleValue aOriginAttributes,
@@ -791,7 +791,7 @@ nsSiteSecurityService::ProcessHeaderScriptable(
       return NS_ERROR_INVALID_ARG;
     }
   }
-  return ProcessHeader(aType, aSourceURI, aHeader, aSSLStatus, aFlags,
+  return ProcessHeader(aType, aSourceURI, aHeader, aSecInfo, aFlags,
                        aSource, originAttributes, aMaxAge, aIncludeSubdomains,
                        aFailureResult);
 }
@@ -800,7 +800,7 @@ NS_IMETHODIMP
 nsSiteSecurityService::ProcessHeader(uint32_t aType,
                                      nsIURI* aSourceURI,
                                      const nsACString& aHeader,
-                                     nsISSLStatus* aSSLStatus,
+                                     nsITransportSecurityInfo* aSecInfo,
                                      uint32_t aFlags,
                                      uint32_t aHeaderSource,
                                      const OriginAttributes& aOriginAttributes,
@@ -830,9 +830,9 @@ nsSiteSecurityService::ProcessHeader(uint32_t aType,
       return NS_ERROR_INVALID_ARG;
   }
 
-  NS_ENSURE_ARG(aSSLStatus);
+  NS_ENSURE_ARG(aSecInfo);
   return ProcessHeaderInternal(aType, aSourceURI, PromiseFlatCString(aHeader),
-                               aSSLStatus, aFlags, source, aOriginAttributes,
+                               aSecInfo, aFlags, source, aOriginAttributes,
                                aMaxAge, aIncludeSubdomains, aFailureResult);
 }
 
@@ -841,7 +841,7 @@ nsSiteSecurityService::ProcessHeaderInternal(
   uint32_t aType,
   nsIURI* aSourceURI,
   const nsCString& aHeader,
-  nsISSLStatus* aSSLStatus,
+  nsITransportSecurityInfo* aSecInfo,
   uint32_t aFlags,
   SecurityPropertySource aSource,
   const OriginAttributes& aOriginAttributes,
@@ -865,19 +865,19 @@ nsSiteSecurityService::ProcessHeaderInternal(
     *aIncludeSubdomains = false;
   }
 
-  if (aSSLStatus) {
+  if (aSecInfo) {
     bool tlsIsBroken = false;
     bool trustcheck;
     nsresult rv;
-    rv = aSSLStatus->GetIsDomainMismatch(&trustcheck);
+    rv = aSecInfo->GetIsDomainMismatch(&trustcheck);
     NS_ENSURE_SUCCESS(rv, rv);
     tlsIsBroken = tlsIsBroken || trustcheck;
 
-    rv = aSSLStatus->GetIsNotValidAtThisTime(&trustcheck);
+    rv = aSecInfo->GetIsNotValidAtThisTime(&trustcheck);
     NS_ENSURE_SUCCESS(rv, rv);
     tlsIsBroken = tlsIsBroken || trustcheck;
 
-    rv = aSSLStatus->GetIsUntrusted(&trustcheck);
+    rv = aSecInfo->GetIsUntrusted(&trustcheck);
     NS_ENSURE_SUCCESS(rv, rv);
     tlsIsBroken = tlsIsBroken || trustcheck;
     if (tlsIsBroken) {
@@ -904,7 +904,7 @@ nsSiteSecurityService::ProcessHeaderInternal(
                             aFailureResult);
       break;
     case nsISiteSecurityService::HEADER_HPKP:
-      rv = ProcessPKPHeader(aSourceURI, aHeader, aSSLStatus, aFlags,
+      rv = ProcessPKPHeader(aSourceURI, aHeader, aSecInfo, aFlags,
                             aOriginAttributes, aMaxAge, aIncludeSubdomains,
                             aFailureResult);
       break;
@@ -1056,7 +1056,7 @@ nsresult
 nsSiteSecurityService::ProcessPKPHeader(
   nsIURI* aSourceURI,
   const nsCString& aHeader,
-  nsISSLStatus* aSSLStatus,
+  nsITransportSecurityInfo* aSecInfo,
   uint32_t aFlags,
   const OriginAttributes& aOriginAttributes,
   uint64_t* aMaxAge,
@@ -1067,7 +1067,7 @@ nsSiteSecurityService::ProcessPKPHeader(
     *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN;
   }
   SSSLOG(("SSS: processing HPKP header '%s'", aHeader.get()));
-  NS_ENSURE_ARG(aSSLStatus);
+  NS_ENSURE_ARG(aSecInfo);
 
   const uint32_t aType = nsISiteSecurityService::HEADER_HPKP;
   bool foundMaxAge = false;
@@ -1103,7 +1103,7 @@ nsSiteSecurityService::ProcessPKPHeader(
   nsresult rv = GetHost(aSourceURI, host);
   NS_ENSURE_SUCCESS(rv, rv);
   nsCOMPtr<nsIX509Cert> cert;
-  rv = aSSLStatus->GetServerCert(getter_AddRefs(cert));
+  rv = aSecInfo->GetServerCert(getter_AddRefs(cert));
   NS_ENSURE_SUCCESS(rv, rv);
   NS_ENSURE_TRUE(cert, NS_ERROR_FAILURE);
   UniqueCERTCertificate nssCert(cert->GetCert());

security/manager/ssl/nsSiteSecurityService.h

@@ -18,7 +18,7 @@
 #include "prtime.h"
 
 class nsIURI;
-class nsISSLStatus;
+class nsITransportSecurityInfo;
 
 using mozilla::OriginAttributes;
 
@@ -178,7 +178,7 @@ private:
                         const OriginAttributes& aOriginAttributes);
   nsresult ProcessHeaderInternal(uint32_t aType, nsIURI* aSourceURI,
                                  const nsCString& aHeader,
-                                 nsISSLStatus* aSSLStatus,
+                                 nsITransportSecurityInfo* aSecInfo,
                                  uint32_t aFlags,
                                  SecurityPropertySource aSource,
                                  const OriginAttributes& aOriginAttributes,
@@ -191,7 +191,7 @@ private:
                             uint64_t* aMaxAge, bool* aIncludeSubdomains,
                             uint32_t* aFailureResult);
   nsresult ProcessPKPHeader(nsIURI* aSourceURI, const nsCString& aHeader,
-                            nsISSLStatus* aSSLStatus, uint32_t flags,
+                            nsITransportSecurityInfo* aSecInfo, uint32_t flags,
                             const OriginAttributes& aOriginAttributes,
                             uint64_t* aMaxAge, bool* aIncludeSubdomains,
                             uint32_t* aFailureResult);

security/manager/ssl/tests/gtest/DeserializeCertTest.cpp

@@ -6,9 +6,14 @@
 
 #include "gtest/gtest.h"
 #include "nsCOMPtr.h"
-#include "nsString.h"
+#include "nsITransportSecurityInfo.h"
+#include "nsIX509Cert.h"
+#include "nsIX509CertList.h"
 #include "nsSerializationHelper.h"
+#include "nsString.h"
 
+// nsITransportSecurityInfo de-serializatin tests
+//
 // These tests verify that we can still deserialize old binary strings
 // generated for security info.  This is necessary because service workers
 // stores these strings on disk.
@@ -22,6 +27,33 @@
 //
 // We would like to move away from this binary compatibility requirement
 // in service workers.  See bug 1248628.
+void
+deserializeAndVerify(const nsCString &serializedSecInfo,
+                     bool hasFailedCertChain)
+{
+  nsCOMPtr<nsISupports> secInfo;
+  nsresult rv = NS_DeserializeObject(serializedSecInfo, getter_AddRefs(secInfo));
+  ASSERT_EQ(NS_OK, rv);
+  ASSERT_TRUE(secInfo);
+
+  nsCOMPtr<nsITransportSecurityInfo> securityInfo = do_QueryInterface(secInfo);
+  ASSERT_TRUE(securityInfo);
+
+  nsCOMPtr<nsIX509Cert> cert;
+  rv = securityInfo->GetServerCert(getter_AddRefs(cert));
+  ASSERT_EQ(NS_OK, rv);
+  ASSERT_TRUE(cert);
+
+  nsCOMPtr<nsIX509CertList> failedChain;
+  rv = securityInfo->GetFailedCertChain(getter_AddRefs(failedChain));
+  ASSERT_EQ(NS_OK, rv);
+ 
+  if (hasFailedCertChain) { 
+    ASSERT_TRUE(failedChain);
+  } else {
+    ASSERT_FALSE(failedChain);
+  }
+}
 
 TEST(psm_DeserializeCert, gecko33)
 {
@@ -53,10 +85,7 @@ TEST(psm_DeserializeCert, gecko33)
   "HZmFBVHMcUN/87HsQo20PdOekeEvkjrrMIxW+gxw22Yb67yF/qKgwrWr+43bLN709iyw+LWiU7sQcHL2xk9SYiWQDj2tYz2soObV"
   "QYTJm0VUZMEVFhtALq46cx92Zu4vFwC8AAwAAAAABAQAA");
 
-  nsCOMPtr<nsISupports> cert;
+  deserializeAndVerify(base64Serialization, false);
-  nsresult rv = NS_DeserializeObject(base64Serialization, getter_AddRefs(cert));
-  ASSERT_EQ(NS_OK, rv);
-  ASSERT_TRUE(cert);
 }
 
 TEST(psm_DeserializeCert, gecko46)
@@ -89,8 +118,119 @@ TEST(psm_DeserializeCert, gecko46)
   "HC9DpZdrWTEH/W69Cr/KxRqGsWPwpgMv2Wqav8jaT35JxqTXjOlhQqzo6fNn3eYOeCf4PkCxZKwckWjy10qDaRbjhwAMHAGj2TPr"
   "idlvOj/7QyyX5m8up/1US8z1fRW4yoCSOt6V2bwuH6cAvAAMAAAAAAQEAAA==");
 
-  nsCOMPtr<nsISupports> cert;
+  deserializeAndVerify(base64Serialization, false);
-  nsresult rv = NS_DeserializeObject(base64Serialization, getter_AddRefs(cert));
-  ASSERT_EQ(NS_OK, rv);
-  ASSERT_TRUE(cert);
 }
+
+TEST(psm_DeserializeCert, preSSLStatusConsolidation)
+{
+  // Generated using serialized output of test "good.include-subdomains.pinning.example.com"
+  // in security/manager/ssl/tests/unit/test_cert_chains.js
+  nsCString base64Serialization(
+  "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAgAAgAAAAAAAAAAAAAAAAAAAAAB4vFIJp5w"
+  "RkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAONMIIDiTCCAnGg"
+  "AwIBAgIUWbWLTwLBvfwcoiU7I8lDz9snfUgwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE2MTEyNzAw"
+  "MDAwMFoYDzIwMTkwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw"
+  "ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV"
+  "JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o"
+  "N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd"
+  "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0"
+  "gg0qLmV4YW1wbGUuY29tghUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs"
+  "ZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB"
+  "hhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBE+6IPJK5OeonoQPC4CCWMd69SjhwS7X6TNgxDJzW7"
+  "qpVm4SFyYZ2xqzr2zib5LsYek6/jok5LPSpJVeFuSeiesvGMxk0O4ZEihPxSM4uR4xpCnPzz7LoFIzMELJv5i+cgLw4+6cINPkLj"
+  "oCUdb+AXSTur7THJaO75B44I2JjJfMfzgW1FwoWgXL/PQWRw+VY6OY1glqZOXzP+vfSja1SoggpiCzdPx7h1/SEEZov7zhCZXv1C"
+  "enx1njlpcj9wWEJMsyZczMNtiz5GkRrLaqCz9F8ah3NvkvPAZ0oOqtxuQgMXK/c0OXJVKi0SCJsWqZDoZhCrS/dE9guxlseZqhSI"
+  "wC8DAwAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYBlZ+xZWUXSH+rm9iRO+Uxl650zaXNL0c/lvXwt//2LGgA"
+  "AAACZgoyJpFcT/u7IImFpjLfBb3Dl5pUIkzVhYlpa26W6oMAAAAAAAADjTCCA4kwggJxoAMCAQICFFm1i08Cwb38HKIlOyPJQ8/b"
+  "J31IMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNjExMjcwMDAwMDBaGA8yMDE5MDIwNTAwMDAwMFow"
+  "GjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2"
+  "ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC"
+  "a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk"
+  "zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+"
+  "SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHHMIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNvbYIVKi5waW5u"
+  "aW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZG9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9t"
+  "YWlucy5waW5uaW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4"
+  "LzANBgkqhkiG9w0BAQsFAAOCAQEARPuiDySuTnqJ6EDwuAgljHevUo4cEu1+kzYMQyc1u6qVZuEhcmGdsas69s4m+S7GHpOv46JO"
+  "Sz0qSVXhbknonrLxjMZNDuGRIoT8UjOLkeMaQpz88+y6BSMzBCyb+YvnIC8OPunCDT5C46AlHW/gF0k7q+0xyWju+QeOCNiYyXzH"
+  "84FtRcKFoFy/z0FkcPlWOjmNYJamTl8z/r30o2tUqIIKYgs3T8e4df0hBGaL+84QmV79Qnp8dZ45aXI/cFhCTLMmXMzDbYs+RpEa"
+  "y2qgs/RfGodzb5LzwGdKDqrcbkIDFyv3NDlyVSotEgibFqmQ6GYQq0v3RPYLsZbHmaoUiGYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM"
+  "1YWJaWtuluqDAAAAAAAAAtcwggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYD"
+  "VQQDDAdUZXN0IENBMCIYDzIwMTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0G"
+  "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr"
+  "4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk"
+  "fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo"
+  "4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQF"
+  "MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK"
+  "9cZFVtzRWYEYkIlicAyTiPw34bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK9"
+  "22MsOsnrLjNlpRDmuH0VFhb5uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZB"
+  "bEw7P6+V9zz5cAzaaq7EB0mCE+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBCAAA=");
+
+  deserializeAndVerify(base64Serialization, false);
+}
+
+TEST(psm_DeserializeCert, preSSLStatusConsolidationFailedCertChain)
+{
+  // Generated using serialized output of test "expired.example.com"
+  // in security/manager/ssl/tests/unit/test_cert_chains.js
+  nsCString base64Serialization(
+  "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAABAAAAAAAAAAA///gCwAAAAAB4vFIJp5w"
+  "RkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAMgMIIDHDCCAgSg"
+  "AwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAw"
+  "MDAwMFoYDzIwMTQwMTAxMDAwMDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEB"
+  "BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6"
+  "pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9"
+  "0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK"
+  "lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJl"
+  "ZC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcN"
+  "AQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzfT+ow5WVsxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7"
+  "IAMO1CEr5FVdCOVTma5hmu/81rkJLmZ8RQDWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3L9zJ2JqNc60+hB8l"
+  "297ZaSl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74VkQyNobaFzDZ+Zr3QmfbejEsY2EYnq8XuENgIO4DuYrm80/p6bMO6"
+  "laB0Uv5W6uXZgBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFwWwtnoK7IAAAMAAAEAAAEAAQAAAAAAAAAAAAAAAZWfsWVlF0h/q5vY"
+  "kTvlMZeudM2lzS9HP5b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwggMcMIICBKAD"
+  "AgECAhRj0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAw"
+  "MDAwWhgPMjAxNDAxMDEwMDAwMDBaMCIxIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEF"
+  "AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql"
+  "WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S"
+  "O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV"
+  "YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVk"
+  "LmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0B"
+  "AQsFAAOCAQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF0DjclopP2B8yxuc/WqIjbN6XdT4Xsg"
+  "Aw7UISvkVV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrKf/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb"
+  "3tlpKXSdsp99vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag7gO5iubzT+npsw7qV"
+  "oHRS/lbq5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAA"
+  "AAAAAtcwggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENB"
+  "MCIYDzIwMTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA"
+  "A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa"
+  "p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7"
+  "xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh"
+  "He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P"
+  "BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK9cZFVtzRWYEYkIli"
+  "cAyTiPw34bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK922MsOsnrLjNlpRDm"
+  "uH0VFhb5uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZBbEw7P6+V9zz5cAza"
+  "aq7EB0mCE+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBCAZWfsWVlF0h/q5vYkTvlMZeu"
+  "dM2lzS9HP5b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwggMcMIICBKADAgECAhRj"
+  "0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAwMDAwWhgP"
+  "MjAxNDAxMDEwMDAwMDBaMCIxIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
+  "MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc"
+  "1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf"
+  "qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl"
+  "nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVkLmV4YW1w"
+  "bGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOC"
+  "AQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF0DjclopP2B8yxuc/WqIjbN6XdT4XsgAw7UISvk"
+  "VV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrKf/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb3tlpKXSd"
+  "sp99vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag7gO5iubzT+npsw7qVoHRS/lbq"
+  "5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAtcw"
+  "ggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIw"
+  "MTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw"
+  "ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV"
+  "JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o"
+  "N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd"
+  "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEG"
+  "MA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK9cZFVtzRWYEYkIlicAyTiPw3"
+  "4bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK922MsOsnrLjNlpRDmuH0VFhb5"
+  "uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZBbEw7P6+V9zz5cAzaaq7EB0mC"
+  "E+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBC");
+
+  deserializeAndVerify(base64Serialization, true);
+}
+

security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js

@@ -3,10 +3,10 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 "use strict";
 
-var FakeSSLStatus = function() {
+var FakeTransportSecurityInfo = function() {
 };
 
-FakeSSLStatus.prototype = {
+FakeTransportSecurityInfo.prototype = {
   serverCert: null,
   cipherName: null,
   keyLength: 2048,
@@ -17,7 +17,7 @@ FakeSSLStatus.prototype = {
   getInterface(aIID) {
     return this.QueryInterface(aIID);
   },
-  QueryInterface: ChromeUtils.generateQI(["nsISSLStatus"]),
+  QueryInterface: ChromeUtils.generateQI(["nsITransportSecurityInfo"]),
 };
 
 function whenNewWindowLoaded(aOptions, aCallback) {
@@ -44,10 +44,10 @@ function test() {
 
   function doTest(aIsPrivateMode, aWindow, aCallback) {
     BrowserTestUtils.browserLoaded(aWindow.gBrowser.selectedBrowser).then(() => {
-      let sslStatus = new FakeSSLStatus();
+      let secInfo = new FakeTransportSecurityInfo();
       uri = aWindow.Services.io.newURI("https://localhost/img.png");
       gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                               "max-age=1000", sslStatus, privacyFlags(aIsPrivateMode),
+                               "max-age=1000", secInfo, privacyFlags(aIsPrivateMode),
                                Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
       ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                                 privacyFlags(aIsPrivateMode)),

security/manager/ssl/tests/unit/head_psm.js

@@ -696,12 +696,12 @@ function stopOCSPResponder(responder) {
 }
 
 
-// A prototype for a fake, error-free sslstatus
+// A prototype for a fake, error-free secInfo
-var FakeSSLStatus = function(certificate) {
+var FakeTransportSecurityInfo = function(certificate) {
   this.serverCert = certificate;
 };
 
-FakeSSLStatus.prototype = {
+FakeTransportSecurityInfo.prototype = {
   serverCert: null,
   cipherName: null,
   keyLength: 2048,
@@ -712,7 +712,7 @@ FakeSSLStatus.prototype = {
   getInterface(aIID) {
     return this.QueryInterface(aIID);
   },
-  QueryInterface: ChromeUtils.generateQI(["nsISSLStatus"]),
+  QueryInterface: ChromeUtils.generateQI(["nsITransportSecurityInfo"]),
 };
 
 // Utility functions for adding tests relating to certificate error overrides
@@ -720,15 +720,14 @@ FakeSSLStatus.prototype = {
 // Helper function for add_cert_override_test. Probably doesn't need to be
 // called directly.
 function add_cert_override(aHost, aExpectedBits, aSecurityInfo) {
-  let sslstatus = aSecurityInfo.SSLStatus;
   let bits =
-    (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
+    (aSecurityInfo.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
-    (sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
+    (aSecurityInfo.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
-    (sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
+    (aSecurityInfo.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
 
   Assert.equal(bits, aExpectedBits,
                "Actual and expected override bits should match");
-  let cert = sslstatus.serverCert;
+  let cert = aSecurityInfo.serverCert;
   let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
                               .getService(Ci.nsICertOverrideService);
   certOverrideService.rememberValidityOverride(aHost, 8443, cert, aExpectedBits,
@@ -740,17 +739,16 @@ function add_cert_override(aHost, aExpectedBits, aSecurityInfo) {
 // with the expected errors and that adding an override results in a subsequent
 // connection succeeding.
 function add_cert_override_test(aHost, aExpectedBits, aExpectedError,
-                                aExpectedSSLStatus = undefined) {
+                                aExpectedSecInfo = undefined) {
   add_connection_test(aHost, aExpectedError, null,
                       add_cert_override.bind(this, aHost, aExpectedBits));
   add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
     Assert.ok(aSecurityInfo.securityState &
               Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
               "Cert override flag should be set on the security state");
-    if (aExpectedSSLStatus) {
+    if (aExpectedSecInfo) {
-      let sslstatus = aSecurityInfo.SSLStatus;
+      if (aExpectedSecInfo.failedCertChain) {
-      if (aExpectedSSLStatus.failedCertChain) {
+        ok(aExpectedSecInfo.failedCertChain.equals(aSecurityInfo.failedCertChain));
-        ok(aExpectedSSLStatus.failedCertChain.equals(sslstatus.failedCertChain));
       }
     }
   });
@@ -758,18 +756,17 @@ function add_cert_override_test(aHost, aExpectedBits, aExpectedError,
 
 // Helper function for add_prevented_cert_override_test. This is much like
 // add_cert_override except it may not be the case that the connection has an
-// SSLStatus set on it. In this case, the error was not overridable anyway, so
+// SecInfo set on it. In this case, the error was not overridable anyway, so
 // we consider it a success.
 function attempt_adding_cert_override(aHost, aExpectedBits, aSecurityInfo) {
-  let sslstatus = aSecurityInfo.SSLStatus;
+  if (aSecurityInfo.serverCert) {
-  if (sslstatus) {
     let bits =
-      (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
+      (aSecurityInfo.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
-      (sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
+      (aSecurityInfo.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
-      (sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
+      (aSecurityInfo.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
     Assert.equal(bits, aExpectedBits,
                  "Actual and expected override bits should match");
-    let cert = sslstatus.serverCert;
+    let cert = aSecurityInfo.serverCert;
     let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
                                 .getService(Ci.nsICertOverrideService);
     certOverrideService.rememberValidityOverride(aHost, 8443, cert, aExpectedBits,

security/manager/ssl/tests/unit/test_cert_overrides_read_only.js

@@ -10,15 +10,14 @@
 // Helper function for add_read_only_cert_override_test. Probably doesn't need
 // to be called directly.
 function add_read_only_cert_override(aHost, aExpectedBits, aSecurityInfo) {
-  let sslstatus = aSecurityInfo.SSLStatus;
   let bits =
-    (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
+    (aSecurityInfo.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
-    (sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
+    (aSecurityInfo.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
-    (sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
+    (aSecurityInfo.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
 
   Assert.equal(bits, aExpectedBits,
                "Actual and expected override bits should match");
-  let cert = sslstatus.serverCert;
+  let cert = aSecurityInfo.serverCert;
   let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
                               .getService(Ci.nsICertOverrideService);
   // Setting the last argument to false here ensures that we attempt to store a

security/manager/ssl/tests/unit/test_ct.js

@@ -11,8 +11,7 @@ const certdb  = Cc["@mozilla.org/security/x509certdb;1"]
 
 function expectCT(value) {
   return (securityInfo) => {
-    let sslStatus = securityInfo.SSLStatus;
+    Assert.equal(securityInfo.certificateTransparencyStatus, value,
-    Assert.equal(sslStatus.certificateTransparencyStatus, value,
                  "actual and expected CT status should match");
   };
 }
@@ -30,10 +29,10 @@ function run_test() {
   // where N is 2 in this case. So, a policy-compliant certificate would have at
   // least 3 SCTs.
   add_connection_test("ct-valid.example.com", PRErrorCodeSuccess, null,
-    expectCT(Ci.nsISSLStatus.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT));
+    expectCT(Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT));
   // This certificate has only 2 embedded SCTs, and so is not policy-compliant.
   add_connection_test("ct-insufficient-scts.example.com", PRErrorCodeSuccess,
     null,
-    expectCT(Ci.nsISSLStatus.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS));
+    expectCT(Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS));
   run_next_test();
 }

security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js

@@ -41,7 +41,7 @@ var uri = Services.io.newURI("https://a.pinning2.example.com");
 // This test re-uses certificates from pinning tests because that's easier and
 // simpler than recreating new certificates, hence the slightly longer than
 // necessary domain name.
-var sslStatus = new FakeSSLStatus(constructCertFromFile(
+var secInfo = new FakeTransportSecurityInfo(constructCertFromFile(
   "test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem"));
 
 // Test the normal case of processing HSTS and HPKP headers for
@@ -50,10 +50,10 @@ var sslStatus = new FakeSSLStatus(constructCertFromFile(
 // to be HSTS or HPKP any longer.
 add_task(async function() {
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri, GOOD_MAX_AGE,
-                    sslStatus, 0,
+                    secInfo, 0,
                     Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
-                    GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN, sslStatus, 0,
+                    GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN, secInfo, 0,
                     Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
 
   Assert.ok(sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0),
@@ -75,10 +75,10 @@ add_task(async function() {
 // unrelated sites don't also get removed.
 add_task(async function() {
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri, GOOD_MAX_AGE,
-                    sslStatus, 0,
+                    secInfo, 0,
                     Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
-                    GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN, sslStatus, 0,
+                    GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN, secInfo, 0,
                     Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
 
   Assert.ok(sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0),
@@ -90,7 +90,7 @@ add_task(async function() {
   // example.org.
   let unrelatedURI = Services.io.newURI("https://example.org");
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, unrelatedURI,
-                    GOOD_MAX_AGE, sslStatus, 0,
+                    GOOD_MAX_AGE, secInfo, 0,
                     Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   Assert.ok(sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
                              unrelatedURI, 0), "example.org should be HSTS");
@@ -124,11 +124,11 @@ add_task(async function() {
 
   for (let originAttributes of originAttributesList) {
     sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri, GOOD_MAX_AGE,
-                      sslStatus, 0,
+                      secInfo, 0,
                       Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST,
                       originAttributes);
     sss.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
-                      GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN, sslStatus, 0,
+                      GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN, secInfo, 0,
                       Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST,
                       originAttributes);
 
@@ -141,7 +141,7 @@ add_task(async function() {
 
     // Add an unrelated site to HSTS.  Not HPKP because we have no valid keys.
     sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, unrelatedURI,
-                      GOOD_MAX_AGE, sslStatus, 0,
+                      GOOD_MAX_AGE, secInfo, 0,
                       Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST,
                       originAttributes);
     Assert.ok(sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,

security/manager/ssl/tests/unit/test_ocsp_must_staple.js

@@ -37,9 +37,9 @@ function add_tests() {
     let header = `max-age=1000; pin-sha256="${keyHash}"; pin-sha256="${backupKeyHash}"`;
     let ssservice = Cc["@mozilla.org/ssservice;1"]
                       .getService(Ci.nsISiteSecurityService);
-    let sslStatus = new FakeSSLStatus();
+    let secInfo = new FakeTransportSecurityInfo();
-    sslStatus.serverCert = constructCertFromFile("ocsp_certs/must-staple-ee-with-must-staple-int.pem");
+    secInfo.serverCert = constructCertFromFile("ocsp_certs/must-staple-ee-with-must-staple-int.pem");
-    ssservice.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, header, sslStatus, 0,
+    ssservice.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, header, secInfo, 0,
                             Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
     ok(ssservice.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0),
        "ocsp-stapling-must-staple-ee-with-must-staple-int.example.com should have HPKP set");

security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js

@@ -42,9 +42,9 @@ function run_test() {
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
   let uri = Services.io.newURI("http://localhost");
-  let sslStatus = new FakeSSLStatus();
+  let secInfo = new FakeTransportSecurityInfo();
   SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                          "max-age=10000", sslStatus, 0,
+                          "max-age=10000", secInfo, 0,
                           Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0),
      "Domain for the OCSP AIA URI should be considered a HSTS host, otherwise" +

security/manager/ssl/tests/unit/test_pinning_header_parsing.js

@@ -23,18 +23,18 @@ function loadCert(cert_name, trust_string) {
 }
 
 function checkFailParseInvalidPin(pinValue) {
-  let sslStatus = new FakeSSLStatus(
+  let secInfo = new FakeTransportSecurityInfo(
                         certFromFile("a.pinning2.example.com-pinningroot"));
   let uri = Services.io.newURI("https://a.pinning2.example.com");
   throws(() => {
     gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
-                             pinValue, sslStatus, 0,
+                             pinValue, secInfo, 0,
                              Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   }, /NS_ERROR_FAILURE/, `Invalid pin "${pinValue}" should be rejected`);
 }
 
 function checkPassValidPin(pinValue, settingPin, expectedMaxAge) {
-  let sslStatus = new FakeSSLStatus(
+  let secInfo = new FakeTransportSecurityInfo(
                         certFromFile("a.pinning2.example.com-pinningroot"));
   let uri = Services.io.newURI("https://a.pinning2.example.com");
   let maxAge = {};
@@ -47,12 +47,12 @@ function checkPassValidPin(pinValue, settingPin, expectedMaxAge) {
     // add a known valid pin!
     let validPinValue = "max-age=5000;" + VALID_PIN1 + BACKUP_PIN1;
     gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
-                             validPinValue, sslStatus, 0,
+                             validPinValue, secInfo, 0,
                              Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   }
   try {
     gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
-                             pinValue, sslStatus, 0,
+                             pinValue, secInfo, 0,
                              Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST,
                              {}, maxAge);
     ok(true, "Valid pin should be accepted");

security/manager/ssl/tests/unit/test_session_resumption.js

@@ -41,16 +41,15 @@ function add_resume_non_ev_with_override_test() {
       ok(transportSecurityInfo.securityState &
          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
          "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag");
-      let sslStatus = transportSecurityInfo.SSLStatus;
+      ok(!transportSecurityInfo.succeededCertChain,
-      ok(!sslStatus.succeededCertChain,
          "ev-test.example.com should not have succeededCertChain set");
-      ok(!sslStatus.isDomainMismatch,
+      ok(!transportSecurityInfo.isDomainMismatch,
          "expired.example.com should not have isDomainMismatch set");
-      ok(sslStatus.isNotValidAtThisTime,
+      ok(transportSecurityInfo.isNotValidAtThisTime,
          "expired.example.com should have isNotValidAtThisTime set");
-      ok(!sslStatus.isUntrusted,
+      ok(!transportSecurityInfo.isUntrusted,
          "expired.example.com should not have isUntrusted set");
-      ok(!sslStatus.isExtendedValidation,
+      ok(!transportSecurityInfo.isExtendedValidation,
          "expired.example.com should not have isExtendedValidation set");
     }
   );
@@ -66,16 +65,15 @@ function add_one_ev_test() {
       ok(!(transportSecurityInfo.securityState &
            Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN),
          "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag");
-      let sslStatus = transportSecurityInfo.SSLStatus;
+      ok(transportSecurityInfo.succeededCertChain,
-      ok(sslStatus.succeededCertChain,
          "ev-test.example.com should have succeededCertChain set");
-      ok(!sslStatus.isDomainMismatch,
+      ok(!transportSecurityInfo.isDomainMismatch,
          "ev-test.example.com should not have isDomainMismatch set");
-      ok(!sslStatus.isNotValidAtThisTime,
+      ok(!transportSecurityInfo.isNotValidAtThisTime,
          "ev-test.example.com should not have isNotValidAtThisTime set");
-      ok(!sslStatus.isUntrusted,
+      ok(!transportSecurityInfo.isUntrusted,
          "ev-test.example.com should not have isUntrusted set");
-      ok(!gEVExpected || sslStatus.isExtendedValidation,
+      ok(!gEVExpected || transportSecurityInfo.isExtendedValidation,
          "ev-test.example.com should have isExtendedValidation set " +
          "(or this is a non-debug build)");
     }
@@ -126,16 +124,15 @@ function add_one_non_ev_test() {
       ok(!(transportSecurityInfo.securityState &
            Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN),
          `${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag`);
-      let sslStatus = transportSecurityInfo.SSLStatus;
+      ok(transportSecurityInfo.succeededCertChain,
-      ok(sslStatus.succeededCertChain,
          `${GOOD_DOMAIN} should have succeededCertChain set`);
-      ok(!sslStatus.isDomainMismatch,
+      ok(!transportSecurityInfo.isDomainMismatch,
          `${GOOD_DOMAIN} should not have isDomainMismatch set`);
-      ok(!sslStatus.isNotValidAtThisTime,
+      ok(!transportSecurityInfo.isNotValidAtThisTime,
          `${GOOD_DOMAIN} should not have isNotValidAtThisTime set`);
-      ok(!sslStatus.isUntrusted,
+      ok(!transportSecurityInfo.isUntrusted,
          `${GOOD_DOMAIN} should not have isUntrusted set`);
-      ok(!sslStatus.isExtendedValidation,
+      ok(!transportSecurityInfo.isExtendedValidation,
          `${GOOD_DOMAIN} should not have isExtendedValidation set`);
     }
   );

security/manager/ssl/tests/unit/test_ssl_status.js

@@ -21,10 +21,9 @@ function run_test() {
   add_connection_test(
     "good.include-subdomains.pinning.example.com", PRErrorCodeSuccess, null,
     function withSecurityInfo(aSecInfo) {
-      let sslstatus = aSecInfo.SSLStatus;
+      equal(aSecInfo.failedCertChain, null,
-      equal(sslstatus.failedCertChain, null,
             "failedCertChain for a successful connection should be null");
-      ok(sslstatus.succeededCertChain.equals(build_cert_chain(["default-ee", "test-ca"])),
+      ok(aSecInfo.succeededCertChain.equals(build_cert_chain(["default-ee", "test-ca"])),
             "succeededCertChain for a successful connection should be as expected");
     }
   );
@@ -34,10 +33,9 @@ function run_test() {
   add_connection_test(
     "expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE, null,
     function withSecurityInfo(aSecInfo) {
-      let sslstatus = aSecInfo.SSLStatus;
+      equal(aSecInfo.succeededCertChain, null,
-      equal(sslstatus.succeededCertChain, null,
             "succeededCertChain for a failed connection should be null");
-      ok(sslstatus.failedCertChain.equals(build_cert_chain(["expired-ee", "test-ca"])),
+      ok(aSecInfo.failedCertChain.equals(build_cert_chain(["expired-ee", "test-ca"])),
             "failedCertChain for a failed connection should be as expected");
     }
   );

security/manager/ssl/tests/unit/test_sss_enumerate.js

@@ -43,7 +43,7 @@ let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
 function insertEntries() {
   for (let testcase of TESTCASES) {
     let uri = Services.io.newURI("https://" + testcase.hostname);
-    let sslStatus = new FakeSSLStatus(constructCertFromFile(
+    let secInfo = new FakeTransportSecurityInfo(constructCertFromFile(
       `test_pinning_dynamic/${testcase.hostname}-pinningroot.pem`));
     // MaxAge is in seconds.
     let maxAge = Math.round((testcase.expireTime - Date.now()) / 1000);
@@ -52,13 +52,13 @@ function insertEntries() {
       header += "; includeSubdomains";
     }
     sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri, header,
-                      sslStatus, 0,
+                      secInfo, 0,
                       Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
     for (let key of KEY_HASHES) {
       header += `; pin-sha256="${key}"`;
     }
     sss.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, header,
-                      sslStatus, 0,
+                      secInfo, 0,
                       Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   }
 }

security/manager/ssl/tests/unit/test_sss_eviction.js

@@ -54,11 +54,11 @@ function do_state_read(aSubject, aTopic, aData) {
   ok(gSSService.isSecureURI(
        Ci.nsISiteSecurityService.HEADER_HSTS,
        Services.io.newURI("https://frequentlyused.example.com"), 0));
-  let sslStatus = new FakeSSLStatus();
+  let secInfo = new FakeTransportSecurityInfo();
   for (let i = 0; i < 2000; i++) {
     let uri = Services.io.newURI("http://bad" + i + ".example.com");
     gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                            "max-age=1000", sslStatus, 0,
+                            "max-age=1000", secInfo, 0,
                             Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   }
   do_test_pending();

security/manager/ssl/tests/unit/test_sss_originAttributes.js

@@ -39,7 +39,7 @@ let uri = Services.io.newURI("https://" + host);
 // This test re-uses certificates from pinning tests because that's easier and
 // simpler than recreating new certificates, hence the slightly longer than
 // necessary domain name.
-let sslStatus = new FakeSSLStatus(constructCertFromFile(
+let secInfo = new FakeTransportSecurityInfo(constructCertFromFile(
   "test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem"));
 
 // Check if originAttributes1 and originAttributes2 are isolated with respect
@@ -53,7 +53,7 @@ function doTest(originAttributes1, originAttributes2, shouldShare) {
       header += VALID_PIN + BACKUP_PIN;
     }
     // Set HSTS or HPKP for originAttributes1.
-    sss.processHeader(type, uri, header, sslStatus, 0,
+    sss.processHeader(type, uri, header, secInfo, 0,
                       Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST,
                       originAttributes1);
     ok(sss.isSecureURI(type, uri, 0, originAttributes1),
@@ -101,7 +101,7 @@ function testInvalidOriginAttributes(originAttributes) {
     }
 
     let callbacks = [
-      () => sss.processHeader(type, uri, header, sslStatus, 0,
+      () => sss.processHeader(type, uri, header, secInfo, 0,
                               Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST,
                               originAttributes),
       () => sss.isSecureURI(type, uri, 0, originAttributes),

security/manager/ssl/tests/unit/test_sss_savestate.js

@@ -115,10 +115,10 @@ function run_test() {
     let maxAge = "max-age=" + (i * 1000);
      // alternate setting includeSubdomains
     let includeSubdomains = (i % 2 == 0 ? "; includeSubdomains" : "");
-    let sslStatus = new FakeSSLStatus();
+    let secInfo = new FakeTransportSecurityInfo();
     SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS,
                             uris[uriIndex], maxAge + includeSubdomains,
-                            sslStatus, 0,
+                            secInfo, 0,
                             Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   }
 

security/manager/ssl/tests/unit/test_sts_fqdn.js

@@ -15,9 +15,9 @@ function run_test() {
   // These cases are only relevant as long as bug 1118522 hasn't been fixed.
   ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri2, 0));
 
-  let sslStatus = new FakeSSLStatus();
+  let secInfo = new FakeTransportSecurityInfo();
   SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                          "max-age=1000;includeSubdomains", sslStatus, 0,
+                          "max-age=1000;includeSubdomains", secInfo, 0,
                           Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
   ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri1, 0));

security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js

@@ -1,7 +1,7 @@
 "use strict";
 
 function check_ip(s, v, ip) {
-  let sslStatus = new FakeSSLStatus();
+  let secInfo = new FakeTransportSecurityInfo();
 
   let str = "https://";
   if (v == 6) {
@@ -19,7 +19,7 @@ function check_ip(s, v, ip) {
   let parsedMaxAge = {};
   let parsedIncludeSubdomains = {};
   s.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                  "max-age=1000;includeSubdomains", sslStatus, 0,
+                  "max-age=1000;includeSubdomains", secInfo, 0,
                   Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST, {},
                   parsedMaxAge, parsedIncludeSubdomains);
   ok(!s.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0),

security/manager/ssl/tests/unit/test_sts_parser.js

@@ -9,7 +9,7 @@
 // STS parser tests
 
 let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
-let sslStatus = new FakeSSLStatus();
+let secInfo = new FakeTransportSecurityInfo();
 
 function testSuccess(header, expectedMaxAge, expectedIncludeSubdomains) {
   let dummyUri = Services.io.newURI("https://foo.com/bar.html");
@@ -17,7 +17,7 @@ function testSuccess(header, expectedMaxAge, expectedIncludeSubdomains) {
   let includeSubdomains = {};
 
   sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, dummyUri, header,
-                    sslStatus, 0, sss.SOURCE_ORGANIC_REQUEST, {}, maxAge,
+                    secInfo, 0, sss.SOURCE_ORGANIC_REQUEST, {}, maxAge,
                     includeSubdomains);
 
   equal(maxAge.value, expectedMaxAge, "Did not correctly parse maxAge");
@@ -32,7 +32,7 @@ function testFailure(header) {
 
   throws(() => {
     sss.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, dummyUri, header,
-                      sslStatus, 0, sss.SOURCE_ORGANIC_REQUEST, {}, maxAge,
+                      secInfo, 0, sss.SOURCE_ORGANIC_REQUEST, {}, maxAge,
                       includeSubdomains);
   }, /NS_ERROR_FAILURE/, "Parsed invalid header: " + header);
 }

security/manager/ssl/tests/unit/test_sts_preload_dynamic.js

@@ -15,7 +15,7 @@
 function run_test() {
   let SSService = Cc["@mozilla.org/ssservice;1"]
                     .getService(Ci.nsISiteSecurityService);
-  let sslStatus = new FakeSSLStatus();
+  let secInfo = new FakeTransportSecurityInfo();
   let unlikelyHost = "highlyunlikely.example.com";
   let uri = Services.io.newURI("https://" + unlikelyHost);
   let subDomainUri = Services.io.newURI("https://subdomain." + unlikelyHost);
@@ -60,7 +60,7 @@ function run_test() {
   // Now let's simulate overriding the entry by setting an entry from a header
   // with max-age set to 0
   SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                          "max-age=0", sslStatus, 0,
+                          "max-age=0", secInfo, 0,
                           Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
 
   // this should no longer be an HSTS host

security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js

@@ -13,7 +13,7 @@ Observer.prototype = {
 };
 
 var gObserver = new Observer();
-var sslStatus = new FakeSSLStatus();
+var secInfo = new FakeTransportSecurityInfo();
 
 function cleanup() {
   Services.obs.removeObserver(gObserver, "last-pb-context-exited");
@@ -77,7 +77,7 @@ function test_part1() {
   let subDomainUri =
     Services.io.newURI("https://subdomain.includesubdomains.preloaded.test");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                           "max-age=0", sslStatus, 0,
+                           "max-age=0", secInfo, 0,
                            Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
@@ -85,7 +85,7 @@ function test_part1() {
   // check that processing another header (with max-age non-zero) will
   // re-enable a site's sts status
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                           "max-age=1000", sslStatus, 0,
+                           "max-age=1000", secInfo, 0,
                            Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
   // but this time include subdomains was not set, so test for that
@@ -97,7 +97,7 @@ function test_part1() {
   // will not remove that (ancestor) site from the list
   uri = Services.io.newURI("https://subdomain.noincludesubdomains.preloaded.test");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                           "max-age=0", sslStatus, 0,
+                           "max-age=0", secInfo, 0,
                            Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
                             Services.io.newURI("https://noincludesubdomains.preloaded.test"),
@@ -106,7 +106,7 @@ function test_part1() {
 
   uri = Services.io.newURI("https://subdomain.includesubdomains.preloaded.test");
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                           "max-age=0", sslStatus, 0,
+                           "max-age=0", secInfo, 0,
                            Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   // we received a header with "max-age=0", so we have "no information"
   // regarding the sts state of subdomain.includesubdomains.preloaded.test specifically,
@@ -132,7 +132,7 @@ function test_part1() {
        0));
 
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                           "max-age=1000", sslStatus, 0,
+                           "max-age=1000", secInfo, 0,
                            Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   // Here's what we have now:
   // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
@@ -159,7 +159,7 @@ function test_part1() {
   uri = Services.io.newURI("https://includesubdomains2.preloaded.test");
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                           "max-age=1", sslStatus, 0,
+                           "max-age=1", secInfo, 0,
                            Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   do_timeout(1250, function() {
     ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, 0));
@@ -181,7 +181,7 @@ function test_private_browsing1() {
                             IS_PRIVATE));
 
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                           "max-age=0", sslStatus, IS_PRIVATE,
+                           "max-age=0", secInfo, IS_PRIVATE,
                            Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                              IS_PRIVATE));
@@ -190,7 +190,7 @@ function test_private_browsing1() {
 
   // check adding it back in
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                           "max-age=1000", sslStatus, IS_PRIVATE,
+                           "max-age=1000", secInfo, IS_PRIVATE,
                            Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri, IS_PRIVATE));
   // but no includeSubdomains this time
@@ -199,7 +199,7 @@ function test_private_browsing1() {
 
   // do the hokey-pokey...
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                           "max-age=0", sslStatus, IS_PRIVATE,
+                           "max-age=0", secInfo, IS_PRIVATE,
                            Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                              IS_PRIVATE));
@@ -216,7 +216,7 @@ function test_private_browsing1() {
   ok(gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
                             IS_PRIVATE));
   gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
-                           "max-age=1", sslStatus, IS_PRIVATE,
+                           "max-age=1", secInfo, IS_PRIVATE,
                            Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST);
   do_timeout(1250, function() {
     ok(!gSSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, uri,

services/common/rest.js

@@ -488,7 +488,7 @@ RESTRequest.prototype = {
 
   /** nsIBadCertListener2 **/
 
-  notifyCertProblem(socketInfo, sslStatus, targetHost) {
+  notifyCertProblem(socketInfo, secInfo, targetHost) {
     this._log.warn("Invalid HTTPS certificate encountered!");
     // Suppress invalid HTTPS certificate warnings in the UI.
     // (The request will still fail.)

taskcluster/docker/periodic-updates/scripts/getHSTSPreloadList.js

@@ -116,8 +116,8 @@ function processStsHeader(host, header, status, securityInfo) {
   if (header != null && securityInfo != null) {
     try {
       let uri = Services.io.newURI("https://" + host.name);
-      let sslStatus = securityInfo.QueryInterface(Ci.nsITransportSecurityInfo).SSLStatus;
+      let secInfo = securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
-      gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri, header, sslStatus, 0, Ci.nsISiteSecurityService.SOURCE_PRELOAD_LIST, {}, maxAge, includeSubdomains);
+      gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri, header, secInfo, 0, Ci.nsISiteSecurityService.SOURCE_PRELOAD_LIST, {}, maxAge, includeSubdomains);
     } catch (e) {
       dump("ERROR: could not process header '" + header + "' from " + host.name + ": " + e + "\n");
       error = e;

testing/marionette/puppeteer/firefox/firefox_puppeteer/api/security.py

@@ -39,10 +39,9 @@ class Security(BaseLib):
         :returns: Certificate details as JSON object.
         """
         cert = self.marionette.execute_script("""
-          var securityUI = arguments[0].linkedBrowser.securityUI;
+          var secInfo = arguments[0].linkedBrowser.securityUI.secInfo;
-          var status = securityUI.secInfo && securityUI.secInfo.SSLStatus;
 
-          return status ? status.serverCert : null;
+          return secInfo ? secInfo.serverCert : null;
         """, script_args=[tab_element])
 
         uri = self.marionette.execute_script("""

toolkit/components/extensions/webrequest/ChannelWrapper.cpp

@@ -882,7 +882,8 @@ ChannelWrapper::GetErrorString(nsString& aRetVal) const
     nsCOMPtr<nsISupports> securityInfo;
     Unused << chan->GetSecurityInfo(getter_AddRefs(securityInfo));
     if (nsCOMPtr<nsITransportSecurityInfo> tsi = do_QueryInterface(securityInfo)) {
-      auto errorCode = tsi->GetErrorCode();
+      int32_t errorCode = 0;
+      tsi->GetErrorCode(&errorCode);
       if (psm::IsNSSErrorCode(errorCode)) {
         nsCOMPtr<nsINSSErrorsService> nsserr =
           do_GetService(NS_NSS_ERRORS_SERVICE_CONTRACTID);

toolkit/modules/CertUtils.jsm

@@ -142,9 +142,8 @@ function checkCert(aChannel, aAllowNonBuiltInCerts, aCerts) {
     return;
   }
 
-  let sslStatus = aChannel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
+  let secInfo = aChannel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
-                          .SSLStatus;
+  let cert = secInfo.serverCert;
-  let cert = sslStatus.serverCert;
 
   validateCert(cert, aCerts);
 
@@ -153,7 +152,7 @@ function checkCert(aChannel, aAllowNonBuiltInCerts, aCerts) {
   }
 
   let issuerCert = null;
-  for (issuerCert of sslStatus.succeededCertChain.getEnumerator());
+  for (issuerCert of secInfo.succeededCertChain.getEnumerator());
 
   const certNotBuiltInErr = "Certificate issuer is not built-in.";
   if (!issuerCert) {

toolkit/modules/addons/SecurityInfo.jsm

@@ -95,13 +95,13 @@ const SecurityInfo = {
 
     securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
 
-    const SSLStatus = securityInfo.SSLStatus;
     if (NSSErrorsService.isNSSErrorCode(securityInfo.errorCode)) {
       // The connection failed.
       info.state = "broken";
       info.errorMessage = securityInfo.errorMessage;
-      if (options.certificateChain && SSLStatus.failedCertChain) {
+      if (options.certificateChain && securityInfo.failedCertChain) {
-        info.certificates = this.getCertificateChain(SSLStatus.failedCertChain, options);
+        info.certificates = this.getCertificateChain(
+          securityInfo.failedCertChain, options);
       }
       return info;
     }
@@ -133,32 +133,33 @@ const SecurityInfo = {
     }
 
     // Cipher suite.
-    info.cipherSuite = SSLStatus.cipherName;
+    info.cipherSuite = securityInfo.cipherName;
 
     // Key exchange group name.
-    if (SSLStatus.keaGroupName !== "none") {
+    if (securityInfo.keaGroupName !== "none") {
-      info.keaGroupName = SSLStatus.keaGroupName;
+      info.keaGroupName = securityInfo.keaGroupName;
     }
 
     // Certificate signature scheme.
-    if (SSLStatus.signatureSchemeName !== "none") {
+    if (securityInfo.signatureSchemeName !== "none") {
-      info.signatureSchemeName = SSLStatus.signatureSchemeName;
+      info.signatureSchemeName = securityInfo.signatureSchemeName;
     }
 
-    info.isDomainMismatch = SSLStatus.isDomainMismatch;
+    info.isDomainMismatch = securityInfo.isDomainMismatch;
-    info.isExtendedValidation = SSLStatus.isExtendedValidation;
+    info.isExtendedValidation = securityInfo.isExtendedValidation;
-    info.isNotValidAtThisTime = SSLStatus.isNotValidAtThisTime;
+    info.isNotValidAtThisTime = securityInfo.isNotValidAtThisTime;
-    info.isUntrusted = SSLStatus.isUntrusted;
+    info.isUntrusted = securityInfo.isUntrusted;
 
-    info.certificateTransparencyStatus = this.getTransparencyStatus(SSLStatus.certificateTransparencyStatus);
+    info.certificateTransparencyStatus = this.getTransparencyStatus(
+      securityInfo.certificateTransparencyStatus);
 
     // Protocol version.
-    info.protocolVersion = this.formatSecurityProtocol(SSLStatus.protocolVersion);
+    info.protocolVersion = this.formatSecurityProtocol(securityInfo.protocolVersion);
 
-    if (options.certificateChain && SSLStatus.succeededCertChain) {
+    if (options.certificateChain && securityInfo.succeededCertChain) {
-      info.certificates = this.getCertificateChain(SSLStatus.succeededCertChain, options);
+      info.certificates = this.getCertificateChain(securityInfo.succeededCertChain, options);
     } else {
-      info.certificates = [this.parseCertificateInfo(SSLStatus.serverCert, options)];
+      info.certificates = [this.parseCertificateInfo(securityInfo.serverCert, options)];
     }
 
     // HSTS and HPKP if available.
@@ -235,37 +236,37 @@ const SecurityInfo = {
   // Bug 1355903 Transparency is currently disabled using security.pki.certificate_transparency.mode
   getTransparencyStatus(status) {
     switch (status) {
-      case Ci.nsISSLStatus.CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE:
+      case Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE:
         return "not_applicable";
-      case Ci.nsISSLStatus.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT:
+      case Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT:
         return "policy_compliant";
-      case Ci.nsISSLStatus.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS:
+      case Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS:
         return "policy_not_enough_scts";
-      case Ci.nsISSLStatus.CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS:
+      case Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS:
         return "policy_not_diverse_scts";
     }
     return "unknown";
   },
 
   /**
-   * Takes protocolVersion of SSLStatus object and returns human readable
+   * Takes protocolVersion of TransportSecurityInfo object and returns human readable
    * description.
    *
    * @param {number} version
-   *        One of nsISSLStatus version constants.
+   *        One of nsITransportSecurityInfo version constants.
    * @returns {string}
    *         One of TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 if version
    *         is valid, Unknown otherwise.
    */
   formatSecurityProtocol(version) {
     switch (version) {
-      case Ci.nsISSLStatus.TLS_VERSION_1:
+      case Ci.nsITransportSecurityInfo.TLS_VERSION_1:
         return "TLSv1";
-      case Ci.nsISSLStatus.TLS_VERSION_1_1:
+      case Ci.nsITransportSecurityInfo.TLS_VERSION_1_1:
         return "TLSv1.1";
-      case Ci.nsISSLStatus.TLS_VERSION_1_2:
+      case Ci.nsITransportSecurityInfo.TLS_VERSION_1_2:
         return "TLSv1.2";
-      case Ci.nsISSLStatus.TLS_VERSION_1_3:
+      case Ci.nsITransportSecurityInfo.TLS_VERSION_1_3:
         return "TLSv1.3";
     }
     return "unknown";

toolkit/modules/tests/chrome/test_bug544442_checkCert.xul

@@ -88,7 +88,7 @@ function testXHRLoad(aEvent) {
      "issuerName that is not the same as the certificate's");
 
   var cert = channel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo).
-             SSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert;
+             serverCert;
 
   certs = [ { issuerName: cert.issuerName,
               commonName: cert.commonName } ];

toolkit/mozapps/extensions/test/browser/head.js

@@ -619,9 +619,8 @@ CertOverrideListener.prototype = {
 
   QueryInterface: ChromeUtils.generateQI(["nsIBadCertListener2", "nsIInterfaceRequestor"]),
 
-  notifyCertProblem(socketInfo, sslStatus, targetHost) {
+  notifyCertProblem(socketInfo, secInfo, targetHost) {
-    var cert = sslStatus.QueryInterface(Ci.nsISSLStatus)
+    var cert = secInfo.serverCert;
-                        .serverCert;
     var cos = Cc["@mozilla.org/security/certoverride;1"].
               getService(Ci.nsICertOverrideService);
     cos.rememberValidityOverride(this.host, -1, cert, this.bits, false);

toolkit/mozapps/update/nsUpdateService.js

@@ -3107,15 +3107,13 @@ Checker.prototype = {
 
     // Set MitM pref.
     try {
-      var sslStatus = request.channel.QueryInterface(Ci.nsIRequest)
+      var secInfo = request.channel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
-                        .securityInfo.QueryInterface(Ci.nsITransportSecurityInfo)
+      if (secInfo.serverCert && secInfo.serverCert.issuerName) {
-                        .SSLStatus.QueryInterface(Ci.nsISSLStatus);
-      if (sslStatus && sslStatus.serverCert && sslStatus.serverCert.issuerName) {
         Services.prefs.setStringPref("security.pki.mitm_canary_issuer",
-                                     sslStatus.serverCert.issuerName);
+                                     secInfo.serverCert.issuerName);
       }
     } catch (e) {
-      LOG("Checker:onError - Getting sslStatus failed.");
+      LOG("Checker:onError - Getting secInfo failed.");
     }
 
     // If we can't find an error string specific to this status code,