Backed out changeset 51eaba841505 (bug 1406856) for failing eslint at security/manager/ssl/tests/unit/head_psm.js:732:53 | Multiple spaces found before '='. r=backout

--HG--
extra : amend_source : 46ecb5c0f3f8c682aa0eaf27e14527b516710903

security/manager/ssl/SSLServerCertVerification.cpp

@@ -1468,27 +1468,27 @@ AuthCertificate(CertVerifier& certVerifier,
       infoObject->SetSSLStatus(status);
     }
 
-    EVStatus evStatus;
-    if (evOidPolicy == SEC_OID_UNKNOWN) {
-      evStatus = EVStatus::NotEV;
-    } else {
-      evStatus = EVStatus::EV;
+    if (!status->HasServerCert()) {
+      EVStatus evStatus;
+      if (evOidPolicy == SEC_OID_UNKNOWN) {
+        evStatus = EVStatus::NotEV;
+      } else {
+        evStatus = EVStatus::EV;
+      }
+
+      RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(cert.get());
+      status->SetServerCert(nsc, evStatus);
+      MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+              ("AuthCertificate setting NEW cert %p", nsc.get()));
     }
 
-    RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(cert.get());
-    status->SetServerCert(nsc, evStatus);
-
-    status->SetSucceededCertChain(Move(certList));
-    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
-        ("AuthCertificate setting NEW cert %p", nsc.get()));
-
     status->SetCertificateTransparencyInfo(certificateTransparencyInfo);
   }
 
   if (rv != Success) {
     // Certificate validation failed; store the peer certificate chain on
     // infoObject so it can be used for error reporting.
-    infoObject->SetFailedCertChain(Move(certList));
+    infoObject->SetFailedCertChain(Move(peerCertChain));
     PR_SetError(MapResultToPRErrorCode(rv), 0);
   }
 

security/manager/ssl/TransportSecurityInfo.cpp

@@ -1012,7 +1012,6 @@ TransportSecurityInfo::SetStatusErrorBits(nsNSSCertificate* cert,
   }
 
   mSSLStatus->SetServerCert(cert, EVStatus::NotEV);
-  mSSLStatus->SetFailedCertChain(mFailedCertChain);
 
   mSSLStatus->mHaveCertErrorBits = true;
   mSSLStatus->mIsDomainMismatch =

security/manager/ssl/nsISSLStatus.idl

@@ -7,13 +7,10 @@
 #include "nsISupports.idl"
 
 interface nsIX509Cert;
-interface nsIX509CertList;
 
 [scriptable, uuid(fa9ba95b-ca3b-498a-b889-7c79cf28fee8)]
 interface nsISSLStatus : nsISupports {
   readonly attribute nsIX509Cert serverCert;
-  readonly attribute nsIX509CertList failedCertChain;
-  readonly attribute nsIX509CertList succeededCertChain;
 
   [must_use]
   readonly attribute ACString cipherName;

security/manager/ssl/nsNSSCallbacks.cpp

@@ -1221,7 +1221,7 @@ DetermineEVAndCTStatusAndSetNewCert(RefPtr<nsSSLStatus> sslStatus,
 
   SECOidTag evOidPolicy;
   CertificateTransparencyInfo certificateTransparencyInfo;
-  UniqueCERTCertList builtChain;
+  UniqueCERTCertList unusedBuiltChain;
   const bool saveIntermediates = false;
   mozilla::pkix::Result rv = certVerifier->VerifySSLServerCert(
     cert,
@@ -1230,7 +1230,7 @@ DetermineEVAndCTStatusAndSetNewCert(RefPtr<nsSSLStatus> sslStatus,
     mozilla::pkix::Now(),
     infoObject,
     infoObject->GetHostName(),
-    builtChain,
+    unusedBuiltChain,
     saveIntermediates,
     flags,
     infoObject->GetOriginAttributes(),
@@ -1255,7 +1255,6 @@ DetermineEVAndCTStatusAndSetNewCert(RefPtr<nsSSLStatus> sslStatus,
 
   if (rv == Success) {
     sslStatus->SetCertificateTransparencyInfo(certificateTransparencyInfo);
-    sslStatus->SetSucceededCertChain(Move(builtChain));
   }
 }
 

security/manager/ssl/nsSSLStatus.cpp

@@ -11,15 +11,8 @@
 #include "nsIObjectOutputStream.h"
 #include "nsIObjectInputStream.h"
 #include "nsNSSCertificate.h"
-#include "nsNSSShutDown.h"
 #include "ssl.h"
 
-
-void
-nsSSLStatus::virtualDestroyNSSReference()
-{
-}
-
 NS_IMETHODIMP
 nsSSLStatus::GetServerCert(nsIX509Cert** aServerCert)
 {
@@ -232,23 +225,6 @@ nsSSLStatus::Read(nsIObjectInputStream* aStream)
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
-  // Added in version 3 (see bug 1406856).
-  if (streamFormatVersion >= 3) {
-    nsCOMPtr<nsISupports> succeededCertChainSupports;
-    rv = NS_ReadOptionalObject(aStream, true, getter_AddRefs(succeededCertChainSupports));
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-    mSucceededCertChain = do_QueryInterface(succeededCertChainSupports);
-
-    nsCOMPtr<nsISupports> failedCertChainSupports;
-    rv = NS_ReadOptionalObject(aStream, true, getter_AddRefs(failedCertChainSupports));
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-    mFailedCertChain = do_QueryInterface(failedCertChainSupports);
-  }
-
   return NS_OK;
 }
 
@@ -256,7 +232,7 @@ NS_IMETHODIMP
 nsSSLStatus::Write(nsIObjectOutputStream* aStream)
 {
   // The current version of the binary stream format.
-  const uint8_t STREAM_FORMAT_VERSION = 3;
+  const uint8_t STREAM_FORMAT_VERSION = 2;
 
   nsresult rv = aStream->WriteCompoundObject(mServerCert,
                                              NS_GET_IID(nsIX509Cert),
@@ -299,23 +275,6 @@ nsSSLStatus::Write(nsIObjectOutputStream* aStream)
   rv = aStream->WriteStringZ(mSignatureSchemeName.get());
   NS_ENSURE_SUCCESS(rv, rv);
 
-  // Added in version 3.
-  rv = NS_WriteOptionalCompoundObject(aStream,
-                                      mSucceededCertChain,
-                                      NS_GET_IID(nsIX509CertList),
-                                      true);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  rv = NS_WriteOptionalCompoundObject(aStream,
-                                      mFailedCertChain,
-                                      NS_GET_IID(nsIX509CertList),
-                                      true);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
   return NS_OK;
 }
 
@@ -395,11 +354,6 @@ NS_IMPL_ISUPPORTS(nsSSLStatus, nsISSLStatus, nsISerializable, nsIClassInfo)
 
 nsSSLStatus::~nsSSLStatus()
 {
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown()) {
-    return;
-  }
-  shutdown(ShutdownCalledFrom::Object);
 }
 
 void
@@ -412,48 +366,6 @@ nsSSLStatus::SetServerCert(nsNSSCertificate* aServerCert, EVStatus aEVStatus)
   mHasIsEVStatus = true;
 }
 
-nsresult
-nsSSLStatus::SetSucceededCertChain(UniqueCERTCertList aCertList)
-{
-  nsNSSShutDownPreventionLock lock;
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
-  // nsNSSCertList takes ownership of certList
-  mSucceededCertChain = new nsNSSCertList(Move(aCertList), lock);
-
-  return NS_OK;
-}
-
-void
-nsSSLStatus::SetFailedCertChain(nsIX509CertList* aX509CertList)
-{
-  mFailedCertChain = aX509CertList;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetSucceededCertChain(nsIX509CertList** _result)
-{
-  NS_ENSURE_ARG_POINTER(_result);
-
-  nsCOMPtr<nsIX509CertList> tmpList = mSucceededCertChain;
-  tmpList.forget(_result);
-
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-nsSSLStatus::GetFailedCertChain(nsIX509CertList** _result)
-{
-  NS_ENSURE_ARG_POINTER(_result);
-
-  nsCOMPtr<nsIX509CertList> tmpList = mFailedCertChain;
-  tmpList.forget(_result);
-
-  return NS_OK;
-}
-
 void
 nsSSLStatus::SetCertificateTransparencyInfo(
   const mozilla::psm::CertificateTransparencyInfo& info)

security/manager/ssl/nsSSLStatus.h

@@ -12,11 +12,8 @@
 #include "nsCOMPtr.h"
 #include "nsString.h"
 #include "nsIX509Cert.h"
-#include "nsIX509CertList.h"
 #include "nsISerializable.h"
 #include "nsIClassInfo.h"
-#include "nsNSSCertificate.h"
-#include "ScopedNSSTypes.h"
 
 class nsNSSCertificate;
 
@@ -29,7 +26,6 @@ class nsSSLStatus final
   : public nsISSLStatus
   , public nsISerializable
   , public nsIClassInfo
-  , public nsNSSShutDownObject
 {
 protected:
   virtual ~nsSSLStatus();
@@ -43,9 +39,6 @@ public:
 
   void SetServerCert(nsNSSCertificate* aServerCert, EVStatus aEVStatus);
 
-  nsresult SetSucceededCertChain(mozilla::UniqueCERTCertList certList);
-  void SetFailedCertChain(nsIX509CertList* x509CertList);
-
   bool HasServerCert() {
     return mServerCert != nullptr;
   }
@@ -53,8 +46,6 @@ public:
   void SetCertificateTransparencyInfo(
     const mozilla::psm::CertificateTransparencyInfo& info);
 
-  virtual void virtualDestroyNSSReference() override;
-
   /* public for initilization in this file */
   uint16_t mCipherSuite;
   uint16_t mProtocolVersion;
@@ -76,8 +67,6 @@ public:
 
 private:
   nsCOMPtr<nsIX509Cert> mServerCert;
-  nsCOMPtr<nsIX509CertList> mSucceededCertChain;
-  nsCOMPtr<nsIX509CertList> mFailedCertChain;
 };
 
 #define NS_SSLSTATUS_CID \

security/manager/ssl/tests/unit/head_psm.js

@@ -121,16 +121,6 @@ function pemToBase64(pem) {
             .replace(/[\r\n]/g, "");
 }
 
-function build_cert_chain(certNames) {
-  let certList = Cc["@mozilla.org/security/x509certlist;1"]
-                   .createInstance(Ci.nsIX509CertList);
-  certNames.forEach(function(certName) {
-    let cert = constructCertFromFile("bad_certs/" + certName + ".pem");
-    certList.addCert(cert);
-  });
-  return certList;
-}
-
 function readFile(file) {
   let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
                   .createInstance(Ci.nsIFileInputStream);
@@ -712,7 +702,6 @@ function add_cert_override(aHost, aExpectedBits, aExpectedErrorRegexp,
     (sslstatus.isUntrusted ? Ci.nsICertOverrideService.ERROR_UNTRUSTED : 0) |
     (sslstatus.isDomainMismatch ? Ci.nsICertOverrideService.ERROR_MISMATCH : 0) |
     (sslstatus.isNotValidAtThisTime ? Ci.nsICertOverrideService.ERROR_TIME : 0);
-
   Assert.equal(bits, aExpectedBits,
                "Actual and expected override bits should match");
   let cert = sslstatus.serverCert;
@@ -728,8 +717,7 @@ function add_cert_override(aHost, aExpectedBits, aExpectedErrorRegexp,
 // with the expected errors and that adding an override results in a subsequent
 // connection succeeding.
 function add_cert_override_test(aHost, aExpectedBits, aExpectedError,
-                                aExpectedErrorRegexp = undefined,
-                                aExpectedSSLStatus  = undefined) {
+                                aExpectedErrorRegexp = undefined) {
   add_connection_test(aHost, aExpectedError, null,
                       add_cert_override.bind(this, aHost, aExpectedBits,
                                              aExpectedErrorRegexp));
@@ -737,13 +725,6 @@ function add_cert_override_test(aHost, aExpectedBits, aExpectedError,
     Assert.ok(aSecurityInfo.securityState &
               Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
               "Cert override flag should be set on the security state");
-    if (aExpectedSSLStatus) {
-      let sslstatus = aSecurityInfo.QueryInterface(Ci.nsISSLStatusProvider)
-                                  .SSLStatus;
-      if (aExpectedSSLStatus.failedCertChain) {
-        ok(aExpectedSSLStatus.failedCertChain.equals(sslstatus.failedCertChain));
-      }
-    }
   });
 }
 

security/manager/ssl/tests/unit/test_cert_chains.js

@@ -5,6 +5,16 @@
 
 "use strict";
 
+function build_cert_chain(certNames) {
+  let certList = Cc["@mozilla.org/security/x509certlist;1"]
+                   .createInstance(Ci.nsIX509CertList);
+  certNames.forEach(function(certName) {
+    let cert = constructCertFromFile("bad_certs/" + certName + ".pem");
+    certList.addCert(cert);
+  });
+  return certList;
+}
+
 function test_cert_equals() {
   let certA = constructCertFromFile("bad_certs/default-ee.pem");
   let certB = constructCertFromFile("bad_certs/default-ee.pem");

security/manager/ssl/tests/unit/test_ssl_status.js

@@ -1,55 +0,0 @@
-// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-"use strict";
-
-do_get_profile();
-
-function run_test() {
-  Services.prefs.setIntPref("security.OCSP.enabled", 1);
-  add_tls_server_setup("BadCertServer", "bad_certs");
-
-  let fakeOCSPResponder = new HttpServer();
-  fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
-    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
-  });
-  fakeOCSPResponder.start(8888);
-
-  // Test successful connection (failedCertChain should be null,
-  // succeededCertChain should be set as expected)
-  add_connection_test(
-    "good.include-subdomains.pinning.example.com", PRErrorCodeSuccess, null,
-    function withSecurityInfo(aSSLStatus) {
-      let sslstatus = aSSLStatus.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
-      equal(sslstatus.failedCertChain, null,
-            "failedCertChain for a successful connection should be null");
-      ok(sslstatus.succeededCertChain.equals(build_cert_chain(["default-ee", "test-ca"])),
-            "succeededCertChain for a successful connection should be as expected");
-    }
-  );
-
-  // Test failed connection (failedCertChain should be set as expected,
-  // succeededCertChain should be null)
-  add_connection_test(
-    "expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE, null,
-    function withSecurityInfo(aSSLStatus) {
-      let sslstatus = aSSLStatus.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
-      equal(sslstatus.succeededCertChain, null,
-            "succeededCertChain for a failed connection should be null");
-      ok(sslstatus.failedCertChain.equals(build_cert_chain(["expired-ee", "test-ca"])),
-            "failedCertChain for a failed connection should be as expected");
-    }
-  );
-
-  // Ensure the correct failed cert chain is set on cert override
-  let overrideStatus = {
-    failedCertChain: build_cert_chain(["expired-ee", "test-ca"])
-  };
-  add_cert_override_test("expired.example.com",
-                         Ci.nsICertOverrideService.ERROR_TIME,
-                         SEC_ERROR_EXPIRED_CERTIFICATE, undefined,
-                         overrideStatus);
-
-  run_next_test();
-}

security/manager/ssl/tests/unit/xpcshell.ini

@@ -151,7 +151,6 @@ run-sequentially = hardcoded ports
 [test_signed_apps.js]
 [test_signed_dir.js]
 tags = addons psm
-[test_ssl_status.js]
 [test_sss_enumerate.js]
 [test_sss_eviction.js]
 [test_sss_originAttributes.js]