Bug 1580318 - Remove nsIX509CertList from verifyCertFinished r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D44244

--HG--
extra : moz-landing-system : lando

security/manager/pki/resources/content/pippki.js

@@ -298,9 +298,7 @@ function getChainForUsage(results, usage) {
       certificateUsages[result.usageString] == usage &&
       result.errorCode == PRErrorCodeSuccess
     ) {
-      // The chain attribute here is generated by the VerifyCertAtTime API,
-      // and it is a nsIX509CertList, so we have to enumerate it.
-      return Array.from(result.chain.getEnumerator());
+      return result.chain;
     }
   }
   return null;

security/manager/ssl/nsIX509CertDB.idl

@@ -11,7 +11,6 @@ interface nsIX509Cert;
 interface nsIFile;
 interface nsIInterfaceRequestor;
 interface nsIZipReader;
-interface nsIX509CertList;
 interface nsIInputStream;
 
 %{C++
@@ -40,7 +39,7 @@ interface nsIOpenSignedAppFileCallback : nsISupports
 [scriptable, function, uuid(49e16fc8-efac-4f57-8361-956ef6b960a4)]
 interface nsICertVerificationCallback : nsISupports {
   void verifyCertFinished(in int32_t aPRErrorCode,
-                          in nsIX509CertList aVerifiedChain,
+                          in Array<nsIX509Cert> aVerifiedChain,
                           in bool aHasEVPolicy);
 };
 

security/manager/ssl/nsNSSCertificateDB.cpp

@@ -1157,14 +1157,17 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
                           int64_t /*SECCertificateUsage*/ aUsage,
                           uint32_t aFlags, const nsACString& aHostname,
                           mozilla::pkix::Time aTime,
-                          nsIX509CertList** aVerifiedChain, bool* aHasEVPolicy,
+                          nsTArray<RefPtr<nsIX509Cert>>& aVerifiedChain,
+                          bool* aHasEVPolicy,
                           int32_t* /*PRErrorCode*/ _retval) {
   NS_ENSURE_ARG_POINTER(aCert);
   NS_ENSURE_ARG_POINTER(aHasEVPolicy);
-  NS_ENSURE_ARG_POINTER(aVerifiedChain);
   NS_ENSURE_ARG_POINTER(_retval);
 
-  *aVerifiedChain = nullptr;
+  if (!aVerifiedChain.IsEmpty()) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
   *aHasEVPolicy = false;
   *_retval = PR_UNKNOWN_ERROR;
 
@@ -1203,16 +1206,20 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
         OriginAttributes(), &evOidPolicy);
   }
 
-  nsCOMPtr<nsIX509CertList> nssCertList;
-  // This adopts the list
-  nssCertList = new nsNSSCertList(std::move(resultChain));
-  NS_ENSURE_TRUE(nssCertList, NS_ERROR_FAILURE);
+  if (result == mozilla::pkix::Success) {
+    nsresult rv = nsNSSCertificateDB::ConstructCertArrayFromUniqueCertList(
+        resultChain, aVerifiedChain);
+
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+
+    if (evOidPolicy != SEC_OID_UNKNOWN) {
+      *aHasEVPolicy = true;
+    }
+  }
 
   *_retval = mozilla::pkix::MapResultToPRErrorCode(result);
-  if (result == mozilla::pkix::Success && evOidPolicy != SEC_OID_UNKNOWN) {
-    *aHasEVPolicy = true;
-  }
-  nssCertList.forget(aVerifiedChain);
 
   return NS_OK;
 }
@@ -1230,7 +1237,6 @@ class VerifyCertAtTimeTask final : public CryptoTask {
         mCallback(new nsMainThreadPtrHolder<nsICertVerificationCallback>(
             "nsICertVerificationCallback", aCallback)),
         mPRErrorCode(SEC_ERROR_LIBRARY_FAILURE),
-        mVerifiedCertList(nullptr),
         mHasEVPolicy(false) {}
 
  private:
@@ -1241,14 +1247,14 @@ class VerifyCertAtTimeTask final : public CryptoTask {
     }
     return VerifyCertAtTime(mCert, mUsage, mFlags, mHostname,
                             mozilla::pkix::TimeFromEpochInSeconds(mTime),
-                            getter_AddRefs(mVerifiedCertList), &mHasEVPolicy,
-                            &mPRErrorCode);
+                            mVerifiedCertList, &mHasEVPolicy, &mPRErrorCode);
   }
 
   virtual void CallCallback(nsresult rv) override {
     if (NS_FAILED(rv)) {
-      Unused << mCallback->VerifyCertFinished(SEC_ERROR_LIBRARY_FAILURE,
-                                              nullptr, false);
+      nsTArray<RefPtr<nsIX509Cert>> tmp;
+      Unused << mCallback->VerifyCertFinished(SEC_ERROR_LIBRARY_FAILURE, tmp,
+                                              false);
     } else {
       Unused << mCallback->VerifyCertFinished(mPRErrorCode, mVerifiedCertList,
                                               mHasEVPolicy);
@@ -1262,7 +1268,7 @@ class VerifyCertAtTimeTask final : public CryptoTask {
   uint64_t mTime;
   nsMainThreadPtrHandle<nsICertVerificationCallback> mCallback;
   int32_t mPRErrorCode;
-  nsCOMPtr<nsIX509CertList> mVerifiedCertList;
+  nsTArray<RefPtr<nsIX509Cert>> mVerifiedCertList;
   bool mHasEVPolicy;
 };