Bug 1899431 - Use SSL_PeerCertificateChainDER in SSLServerCertVerification. r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D211944

security/manager/ssl/SSLServerCertVerification.cpp

@@ -697,12 +697,12 @@ PRErrorCode AuthCertificateParseResults(
 }
 
 static nsTArray<nsTArray<uint8_t>> CreateCertBytesArray(
-    const UniqueCERTCertList& aCertChain) {
+    const UniqueSECItemArray& aCertChain) {
   nsTArray<nsTArray<uint8_t>> certsBytes;
-  for (CERTCertListNode* n = CERT_LIST_HEAD(aCertChain);
-       !CERT_LIST_END(n, aCertChain); n = CERT_LIST_NEXT(n)) {
+  for (size_t i = 0; i < aCertChain->len; i++) {
     nsTArray<uint8_t> certBytes;
-    certBytes.AppendElements(n->cert->derCert.data, n->cert->derCert.len);
+    certBytes.AppendElements(aCertChain->items[i].data,
+                             aCertChain->items[i].len);
     certsBytes.AppendElement(std::move(certBytes));
   }
   return certsBytes;
@@ -921,11 +921,15 @@ SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
     return SECFailure;
   }
 
-  UniqueCERTCertList peerCertChain(SSL_PeerCertificateChain(fd));
-  if (!peerCertChain) {
+  UniqueSECItemArray peerCertChain;
+  SECStatus rv =
+      SSL_PeerCertificateChainDER(fd, TempPtrToSetter(&peerCertChain));
+  if (rv != SECSuccess) {
     PR_SetError(PR_INVALID_STATE_ERROR, 0);
     return SECFailure;
   }
+  MOZ_ASSERT(peerCertChain,
+             "AuthCertificateHook: peerCertChain unexpectedly null");
 
   nsTArray<nsTArray<uint8_t>> peerCertsBytes =
       CreateCertBytesArray(peerCertChain);
@@ -964,8 +968,8 @@ SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
   // Get DC information
   Maybe<DelegatedCredentialInfo> dcInfo;
   SSLPreliminaryChannelInfo channelPreInfo;
-  SECStatus rv = SSL_GetPreliminaryChannelInfo(fd, &channelPreInfo,
-                                               sizeof(channelPreInfo));
+  rv = SSL_GetPreliminaryChannelInfo(fd, &channelPreInfo,
+                                     sizeof(channelPreInfo));
   if (rv != SECSuccess) {
     PR_SetError(PR_INVALID_STATE_ERROR, 0);
     return SECFailure;

security/manager/ssl/ScopedNSSTypes.h

@@ -369,6 +369,10 @@ inline void SECITEM_FreeItem_true(SECItem* s) {
   return SECITEM_FreeItem(s, true);
 }
 
+inline void SECITEM_FreeArray_true(SECItemArray* s) {
+  return SECITEM_FreeArray(s, true);
+}
+
 inline void SECOID_DestroyAlgorithmID_true(SECAlgorithmID* a) {
   return SECOID_DestroyAlgorithmID(a, true);
 }
@@ -432,6 +436,8 @@ MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECAlgorithmID, SECAlgorithmID,
                                       internal::SECOID_DestroyAlgorithmID_true)
 MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECItem, SECItem,
                                       internal::SECITEM_FreeItem_true)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECItemArray, SECItemArray,
+                                      internal::SECITEM_FreeArray_true)
 MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECKEYPrivateKey, SECKEYPrivateKey,
                                       SECKEY_DestroyPrivateKey)
 MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECKEYPrivateKeyList,

security/nss.symbols

@@ -531,6 +531,7 @@ SECITEM_CopyItem_Util
 SECITEM_DupArray
 SECITEM_DupItem
 SECITEM_DupItem_Util
+SECITEM_FreeArray
 SECITEM_FreeItem
 SECITEM_FreeItem_Util
 SECITEM_HashCompare