bug 316710, Land some generic crypto backend code, mostly cleanup, some small enhancements

Patch by Bob Relyea, r=kengert


git-svn-id: svn://10.0.0.236/trunk@187222 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/security/manager/locales/en-US/chrome/pipnss/pipnss.properties

@@ -322,6 +322,11 @@ VerifyIssuerNotTrusted=<Issuer Not Trusted>
 VerifyIssuerUnknown=<Issuer Unknown>
 VerifyInvalidCA=<Invalid CA>
 VerifyUnknown=<Unknown>
+CertUser=Your Cert
+CertCA=CA (Certificate Authority)
+CertSSL=SSL Server
+CertEmail=Peer S/MIME
+CertUnknown=Unknown
 CertNoNickname=(no nickname)
 CertNoEmailAddress=(no email address)
 NicknameExpired=(expired)

mozilla/security/manager/ssl/public/Makefile.in

@@ -62,7 +62,9 @@ SDK_XPIDLSRCS = \
 XPIDLSRCS = \
     nsIFormSigningDialog.idl \
     nsICertSelect.idl \
+    nsIX509Cert2.idl \
     nsIX509CertDB2.idl \
+    nsIX509CertList.idl \
     nsIPKCS11Slot.idl \
     nsIPK11TokenDB.idl \
     nsICertPickDialogs.idl \

mozilla/security/manager/ssl/public/nsINSSCertCache.idl

@@ -36,7 +36,9 @@
 
 #include "nsISupports.idl"
 
-[scriptable, uuid(6c143dac-bd65-4333-b594-7ed1e748e0f9)]
+interface nsIX509CertList;
+
+[scriptable, uuid(1b75bdae-1757-4322-9d1e-cfcaa18cb710)]
 interface nsINSSCertCache : nsISupports {
 
   /*
@@ -45,6 +47,12 @@ interface nsINSSCertCache : nsISupports {
    * Creates a cache of all certificates currently known to NSS.
    */
   void cacheAllCerts();
+  void cacheCertList(in nsIX509CertList list); 
+
+  /*
+   * get an X509CertList
+   */
+  nsIX509CertList getX509CachedCerts();
 
   /*
    * getCachedCerts

mozilla/security/manager/ssl/public/nsIX509Cert2.idl

@@ -0,0 +1,64 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Bob Relyea <rrelyea@redhat.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+
+interface nsIArray;
+interface nsIX509CertValidity;
+interface nsIASN1Object;
+
+%{ C++
+ /* forward declaration */
+ typedef struct CERTCertificateStr CERTCertificate;
+%}
+[ptr] native CERTCertificatePtr(CERTCertificate);
+
+/**
+ * This represents additional interfaces to X.509 certificates
+ */
+[scriptable, uuid(648f0d58-eedf-4b45-9174-3b92fb1fc06d)]
+interface nsIX509Cert2 : nsISupports {
+  /**
+   *  Additional constants to classify the type of a certificate.
+   */
+  const unsigned long ANY_CERT  = 0xffff;
+  readonly attribute unsigned long certType;
+  void markForPermDeletion();
+  [notxpcom, noscript] CERTCertificatePtr getCert();
+};

mozilla/security/manager/ssl/public/nsIX509CertDB2.idl

@@ -39,6 +39,8 @@
 
 #include "nsISupports.idl"
 
+interface nsIX509CertList;
+
 /**
  * This represents a service to access and manipulate 
  * X.509 certificates stored in a database through methods
@@ -58,5 +60,10 @@ interface nsIX509CertDB2 : nsISupports {
    * @param aName name of the cert for display purposes.
    */
   void addCertFromBase64(in string base64, in string aTrust, in string aName);
+
+  /*
+   * Get all the known certs in the database
+   */
+  nsIX509CertList getCerts();
 };
 

mozilla/security/manager/ssl/public/nsIX509CertList.idl

@@ -0,0 +1,63 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+
+interface nsISimpleEnumerator;
+interface nsIX509Cert;
+
+[scriptable, uuid(a539759b-e22d-462f-94ea-2915b11b33e8)]
+interface nsIX509CertList : nsISupports {
+   void addCert(in nsIX509Cert cert);
+   void deleteCert(in nsIX509Cert cert);
+   nsISimpleEnumerator getEnumerator();
+
+   [notxpcom, noscript] voidPtr getRawCertList();
+
+};
+
+%{C++
+
+#define NS_X509CERRTLIST_CID { /* 959fb165-6517-487f-ab9b-d8913be53197 */ \
+    0x959fb165,                                                           \
+    0x6517,                                                               \
+    0x487f                                                                \
+    {0xab, 0x9b, 0xd8, 0x91, 0x3b, 0xe5, 0x31, 0x97}                      \
+  }
+
+#define NS_X509CERTLIST_CONTRACTID "@mozilla.org/security/x509certlist;1"
+
+%}

mozilla/security/manager/ssl/src/nsCMS.cpp

@@ -467,7 +467,7 @@ NS_IMETHODIMP nsCMSMessage::CreateEncrypted(nsIArray * aRecipientCerts)
   SECOidTag bulkAlgTag;
   int keySize;
   PRUint32 i;
-  nsNSSCertificate *nssRecipientCert;
+  nsCOMPtr<nsIX509Cert2> nssRecipientCert;
   nsresult rv = NS_ERROR_FAILURE;
 
   // Check the recipient certificates //
@@ -482,9 +482,7 @@ NS_IMETHODIMP nsCMSMessage::CreateEncrypted(nsIArray * aRecipientCerts)
   for (i=0; i<recipientCertCount; i++) {
     nsCOMPtr<nsIX509Cert> x509cert = do_QueryElementAt(aRecipientCerts, i);
 
-    nssRecipientCert = 
-      NS_STATIC_CAST(nsNSSCertificate*, 
-                     NS_STATIC_CAST(nsIX509Cert*, x509cert));
+    nssRecipientCert = do_QueryInterface(x509cert);
 
     if (!nssRecipientCert)
       return NS_ERROR_FAILURE;
@@ -561,16 +559,22 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned(nsIX509Cert* aSigningCert, nsIX509Cert*
   NSSCMSSignedData *sigd;
   NSSCMSSignerInfo *signerinfo;
   CERTCertificate *scert = nsnull, *ecert = nsnull;
+  nsCOMPtr<nsIX509Cert2> aSigningCert2 = do_QueryInterface(aSigningCert);
   nsresult rv = NS_ERROR_FAILURE;
 
   /* Get the certs */
-  scert = NS_STATIC_CAST(nsNSSCertificate*, aSigningCert)->GetCert();
+  if (aSigningCert2) {
+    scert = aSigningCert2->GetCert();
+  }
   if (!scert) {
     return NS_ERROR_FAILURE;
   }
 
   if (aEncryptCert) {
-    ecert = NS_STATIC_CAST(nsNSSCertificate*, aEncryptCert)->GetCert();
+    nsCOMPtr<nsIX509Cert2> aEncryptCert2 = do_QueryInterface(aEncryptCert);
+    if (aEncryptCert2) {
+      ecert = aEncryptCert2->GetCert();
+    }
   }
 
   CERTCertificateCleaner ecertCleaner(ecert);

mozilla/security/manager/ssl/src/nsCertTree.cpp

@@ -46,6 +46,9 @@
 #include "nsNSSCertificate.h"
 #include "nsNSSCertHelper.h"
 #include "nsINSSCertCache.h"
+#include "nsArray.h"
+#include "nsISupportsPrimitives.h"
+#include "nsXPCOMCID.h"
 
 #include "prlog.h"
 #ifdef PR_LOGGING
@@ -141,6 +144,7 @@ nsCertTree::nsCertTree() : mTreeArray(NULL)
 {
   mCompareCache.ops = nsnull;
   mNSSComponent = do_GetService(kNSSComponentCID);
+  mCellText = nsnull;
 }
 
 void nsCertTree::ClearCompareHash()
@@ -286,6 +290,7 @@ nsCertTree::nsCertCompareFunc
 nsCertTree::GetCompareFuncFromCertType(PRUint32 aType)
 {
   switch (aType) {
+    case nsIX509Cert2::ANY_CERT:
     case nsIX509Cert::USER_CERT:
       return CmpUserCert;
     case nsIX509Cert::CA_CERT:
@@ -316,7 +321,7 @@ nsCertTree::GetCertsByTypeFromCertList(CERTCertList *aCertList,
   for (node = CERT_LIST_HEAD(aCertList);
        !CERT_LIST_END(node, aCertList);
        node = CERT_LIST_NEXT(node)) {
-    if (getCertType(node->cert) == aType) {
+    if (aType == nsIX509Cert2::ANY_CERT || getCertType(node->cert) == aType) {
       nsCOMPtr<nsIX509Cert> pipCert = new nsNSSCertificate(node->cert);
       if (pipCert) {
         int i;
@@ -419,6 +424,10 @@ nsCertTree::UpdateUIContents()
   if (!mTreeArray)
     return NS_ERROR_OUT_OF_MEMORY;
 
+  nsCOMPtr<nsIMutableArray> newCell;
+  NS_NewArray(getter_AddRefs(newCell));
+  mCellText = newCell;
+
   PRUint32 j = 0;
   nsCOMPtr<nsISupports> isupport = dont_AddRef(mCertArray->ElementAt(j));
   nsCOMPtr<nsIX509Cert> orgCert = do_QueryInterface(isupport);
@@ -711,6 +720,22 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
       _retval.SetCapacity(0);
     return NS_OK;
   }
+  PRInt32 colIndex;
+  col->GetIndex(&colIndex);
+  PRUint32 arrayIndex=row+colIndex*mNumRows;
+  PRUint32 arrayLength=0;
+  if (mCellText) {
+    mCellText->GetLength(&arrayLength);
+  }
+  if (arrayIndex < arrayLength) {
+    nsCOMPtr<nsISupportsString> myString;
+    mCellText->QueryElementAt(arrayIndex,
+	nsISupportsString::GetIID(), getter_AddRefs(myString));
+    if (myString) {
+      myString->GetData(_retval);
+      return NS_OK;
+    }
+  }
   nsCOMPtr<nsIX509Cert> cert = dont_AddRef(GetCertAtIndex(row));
   if (cert == nsnull) return NS_ERROR_FAILURE;
   if (NS_LITERAL_STRING("certcol").Equals(colID)) {
@@ -793,9 +818,41 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
     }
   } else if (NS_LITERAL_STRING("serialnumcol").Equals(colID)) {
     rv = cert->GetSerialNumber(_retval);
+  } else if (NS_LITERAL_STRING("typecol").Equals(colID)) {
+    nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
+    PRUint32 type = nsIX509Cert::UNKNOWN_CERT;
+
+    if (pipCert) {
+	rv = pipCert->GetCertType(&type);
+    }
+
+    switch (type) {
+    case nsIX509Cert::USER_CERT:
+        rv = mNSSComponent->GetPIPNSSBundleString("CertUser", _retval);
+	break;
+    case nsIX509Cert::CA_CERT:
+        rv = mNSSComponent->GetPIPNSSBundleString("CertCA", _retval);
+	break;
+    case nsIX509Cert::SERVER_CERT:
+        rv = mNSSComponent->GetPIPNSSBundleString("CertSSL", _retval);
+	break;
+    case nsIX509Cert::EMAIL_CERT:
+        rv = mNSSComponent->GetPIPNSSBundleString("CertEmail", _retval);
+	break;
+    default:
+        rv = mNSSComponent->GetPIPNSSBundleString("CertUnknown", _retval);
+	break;
+    }
+
   } else {
     return NS_ERROR_FAILURE;
   }
+  if (mCellText) {
+    nsCOMPtr<nsISupportsString> text(do_CreateInstance(NS_SUPPORTS_STRING_CONTRACTID, &rv));
+    NS_ENSURE_SUCCESS(rv, rv);
+    text->SetData(_retval);
+    mCellText->ReplaceElementAt(text, arrayIndex, PR_FALSE);
+  }
   return rv;
 }
 

mozilla/security/manager/ssl/src/nsCertTree.h

@@ -45,6 +45,7 @@
 #include "nsITreeBoxObject.h"
 #include "nsITreeSelection.h"
 #include "nsISupportsArray.h"
+#include "nsIArray.h"
 #include "pldhash.h"
 #include "nsIX509CertDB.h"
 
@@ -129,6 +130,8 @@ private:
                                     void              *aCertCmpFnArg,
                                     nsISupportsArray **_certs);
 
+  nsCOMPtr<nsIMutableArray> mCellText;
+
 #ifdef DEBUG_CERT_TREE
   /* for debugging purposes */
   void dumpMap();

mozilla/security/manager/ssl/src/nsNSSCertCache.cpp

@@ -35,6 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #include "nsNSSCertCache.h"
+#include "nsNSSCertificate.h"
 #include "nsAutoLock.h"
 #include "cert.h"
 #include "nsCOMPtr.h"
@@ -69,9 +70,6 @@ void nsNSSCertCache::destructorSafeDestroyNSSReference()
   if (isAlreadyShutDown())
     return;
 
-  if (mCertList) {
-    CERT_DestroyCertList(mCertList);
-  }
   if (mutex) {
     PR_DestroyLock(mutex);
     mutex = nsnull;
@@ -85,31 +83,60 @@ nsNSSCertCache::CacheAllCerts()
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
-  {
-    nsAutoLock lock(mutex);
-    if (mCertList) {
-      CERT_DestroyCertList(mCertList);
-      mCertList = nsnull;
-    }
-  }
-
   nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
   
   CERTCertList *newList = PK11_ListCerts(PK11CertListUnique, cxt);
 
   if (newList) {
     nsAutoLock lock(mutex);
-    mCertList = newList;
+    mCertList = new nsNSSCertList(newList, PR_TRUE); // adopt
   }
   
   return NS_OK;
 }
 
+NS_IMETHODIMP
+nsNSSCertCache::CacheCertList(nsIX509CertList *list)
+{
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown())
+    return NS_ERROR_NOT_AVAILABLE;
+
+  {
+    nsAutoLock lock(mutex);
+    mCertList = list;
+    //NS_ADDREF(mCertList);
+  }
+  
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsNSSCertCache::GetX509CachedCerts(nsIX509CertList **list)
+{
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown())
+    return NS_ERROR_NOT_AVAILABLE;
+
+  {
+    nsAutoLock lock(mutex);
+    if (!mCertList) {
+      return NS_ERROR_NOT_AVAILABLE;
+    }
+    *list = mCertList;
+    NS_ADDREF(*list);
+  }
+  
+  return NS_OK;
+}
+
+
+
 void* nsNSSCertCache::GetCachedCerts()
 {
   if (isAlreadyShutDown())
     return nsnull;
 
   nsAutoLock lock(mutex);
-  return mCertList;
+  return mCertList->GetRawCertList();
 }

mozilla/security/manager/ssl/src/nsNSSCertCache.h

@@ -38,8 +38,10 @@
 #define _NSNSSCERTCACHE_H_
 
 #include "nsINSSCertCache.h"
+#include "nsIX509CertList.h"
 #include "certt.h"
 #include "nsNSSShutDown.h"
+#include "nsCOMPtr.h"
 
 class nsNSSCertCache : public nsINSSCertCache,
                        public nsNSSShutDownObject
@@ -53,7 +55,7 @@ public:
 
 private:
   PRLock *mutex;
-  CERTCertList *mCertList;
+  nsCOMPtr<nsIX509CertList> mCertList;
   virtual void virtualDestroyNSSReference();
   void destructorSafeDestroyNSSReference();
 };

mozilla/security/manager/ssl/src/nsNSSCertificate.cpp

@@ -88,7 +88,8 @@ static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
 /* nsNSSCertificate */
 
-NS_IMPL_THREADSAFE_ISUPPORTS2(nsNSSCertificate, nsIX509Cert,
+NS_IMPL_THREADSAFE_ISUPPORTS3(nsNSSCertificate, nsIX509Cert,
+                                                nsIX509Cert2,
                                                 nsISMimeCert)
 
 nsNSSCertificate*
@@ -165,16 +166,12 @@ void nsNSSCertificate::destructorSafeDestroyNSSReference()
   }
 }
 
-nsresult
-nsNSSCertificate::SetCertType(PRUint32 aCertType)
-{
-  mCertType = aCertType;
-  return NS_OK;
-}
-
 nsresult
 nsNSSCertificate::GetCertType(PRUint32 *aCertType)
 {
+  if (mCertType == nsIX509Cert::UNKNOWN_CERT) {
+     mCertType = getCertType(mCert);
+  }
   *aCertType = mCertType;
   return NS_OK;
 }
@@ -589,6 +586,8 @@ nsNSSCertificate::GetIssuerOrganization(nsAString &aOrganization)
     if (organization) {
       aOrganization = NS_ConvertUTF8toUCS2(organization);
       PORT_Free(organization);
+    } else {
+      return GetIssuerCommonName(aOrganization);
     }
   }
   return NS_OK;
@@ -1149,11 +1148,15 @@ nsNSSCertificate::Equals(nsIX509Cert *other, PRBool *result)
   NS_ENSURE_ARG(other);
   NS_ENSURE_ARG(result);
 
-  nsNSSCertificate *other2 = NS_STATIC_CAST(nsNSSCertificate*, other);
+  nsCOMPtr<nsIX509Cert2> other2 = do_QueryInterface(other);
   if (!other2)
     return NS_ERROR_FAILURE;
-  
-  *result = (mCert == other2->mCert);
+ 
+  CERTCertificate *cert = other2->GetCert();
+  *result = (mCert == cert);
+  if (cert) {
+    CERT_DestroyCertificate(cert);
+  }
   return NS_OK;
 }
 
@@ -1208,3 +1211,166 @@ char* nsNSSCertificate::defaultServerNickname(CERTCertificate* cert)
   return nickname;
 }
 
+NS_IMPL_THREADSAFE_ISUPPORTS1(nsNSSCertList, nsIX509CertList)
+
+nsNSSCertList::nsNSSCertList(CERTCertList *certList, PRBool adopt)
+{
+  if (certList) {
+    if (adopt) {
+      mCertList = certList;
+    } else {
+      mCertList = DupCertList(certList);
+    }
+  } else {
+    mCertList = CERT_NewCertList();
+  }
+}
+
+nsNSSCertList::~nsNSSCertList()
+{
+  if (mCertList) {
+    CERT_DestroyCertList(mCertList);
+  }
+}
+
+/* void addCert (in nsIX509Cert cert); */
+NS_IMETHODIMP
+nsNSSCertList::AddCert(nsIX509Cert *aCert) 
+{
+  /* This should be a query interface, but currently this his how the
+   * rest of PSM is working */
+  nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
+  CERTCertificate *cert;
+
+  cert = nssCert->GetCert();
+  if (cert == nsnull) {
+    NS_ASSERTION(0,"Somehow got nsnull for mCertificate in nsNSSCertificate.");
+    return NS_ERROR_FAILURE;
+  }
+
+  if (mCertList == nsnull) {
+    NS_ASSERTION(0,"Somehow got nsnull for mCertList in nsNSSCertList.");
+    return NS_ERROR_FAILURE;
+  }
+  CERT_AddCertToListTail(mCertList,cert);
+  return NS_OK;
+}
+
+/* void deleteCert (in nsIX509Cert cert); */
+NS_IMETHODIMP
+nsNSSCertList::DeleteCert(nsIX509Cert *aCert)
+{
+  /* This should be a query interface, but currently this his how the
+   * rest of PSM is working */
+  nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
+  CERTCertificate *cert = nssCert->GetCert();
+  CERTCertListNode *node;
+
+  if (cert == nsnull) {
+    NS_ASSERTION(0,"Somehow got nsnull for mCertificate in nsNSSCertificate.");
+    return NS_ERROR_FAILURE;
+  }
+
+  if (mCertList == nsnull) {
+    NS_ASSERTION(0,"Somehow got nsnull for mCertList in nsNSSCertList.");
+    return NS_ERROR_FAILURE;
+  }
+
+  for (node = CERT_LIST_HEAD(mCertList); !CERT_LIST_END(node,mCertList);
+                                             node = CERT_LIST_NEXT(node)) {
+    if (node->cert == cert) {
+	CERT_RemoveCertListNode(node);
+        return NS_OK;
+    }
+  }
+  return NS_OK; /* should we fail if we couldn't find it? */
+}
+
+CERTCertList *
+nsNSSCertList::DupCertList(CERTCertList *aCertList)
+{
+  if (!aCertList)
+    return nsnull;
+
+  CERTCertList *newList = CERT_NewCertList();
+
+  if (newList == nsnull) {
+    return nsnull;
+  }
+
+  CERTCertListNode *node;
+  for (node = CERT_LIST_HEAD(aCertList); !CERT_LIST_END(node, aCertList);
+                                              node = CERT_LIST_NEXT(node)) {
+    CERTCertificate *cert = CERT_DupCertificate(node->cert);
+    CERT_AddCertToListTail(newList, cert);
+  }
+  return newList;
+}
+
+void *
+nsNSSCertList::GetRawCertList()
+{
+  return mCertList;
+}
+
+/* nsISimpleEnumerator getEnumerator (); */
+NS_IMETHODIMP
+nsNSSCertList::GetEnumerator(nsISimpleEnumerator **_retval) 
+{
+  nsCOMPtr<nsISimpleEnumerator> enumerator = new nsNSSCertListEnumerator(mCertList);
+  if (!enumerator) { 
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  *_retval = enumerator;
+  NS_ADDREF(*_retval);
+  return NS_OK;
+}
+
+NS_IMPL_THREADSAFE_ISUPPORTS1(nsNSSCertListEnumerator, 
+                              nsISimpleEnumerator)
+
+nsNSSCertListEnumerator::nsNSSCertListEnumerator(CERTCertList *certList)
+{
+  mCertList = nsNSSCertList::DupCertList(certList);
+}
+
+nsNSSCertListEnumerator::~nsNSSCertListEnumerator()
+{
+  if (mCertList) {
+    CERT_DestroyCertList(mCertList);
+  }
+}
+
+/* boolean hasMoreElements (); */
+NS_IMETHODIMP
+nsNSSCertListEnumerator::HasMoreElements(PRBool *_retval)
+{ 
+  NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE);
+
+  *_retval = !CERT_LIST_EMPTY(mCertList);
+  return NS_OK;
+}
+
+/* nsISupports getNext(); */
+NS_IMETHODIMP
+nsNSSCertListEnumerator::GetNext(nsISupports **_retval) 
+{
+  NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE);
+
+  CERTCertListNode *node = CERT_LIST_HEAD(mCertList);
+  if (CERT_LIST_END(node, mCertList)) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIX509Cert> nssCert = new nsNSSCertificate(node->cert);
+  if (!nssCert) { 
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  *_retval = nssCert;
+  NS_ADDREF(*_retval);
+
+  CERT_RemoveCertListNode(node);
+  return NS_OK;
+}

mozilla/security/manager/ssl/src/nsNSSCertificate.h

@@ -40,10 +40,13 @@
 #define _NS_NSSCERTIFICATE_H_
 
 #include "nsIX509Cert.h"
+#include "nsIX509Cert2.h"
 #include "nsIX509CertDB.h"
+#include "nsIX509CertList.h"
 #include "nsIASN1Object.h"
 #include "nsISMimeCert.h"
 #include "nsNSSShutDown.h"
+#include "nsISimpleEnumerator.h"
 
 #include "nsNSSCertHeader.h"
 
@@ -52,21 +55,19 @@ class nsIASN1Sequence;
 
 /* Certificate */
 class nsNSSCertificate : public nsIX509Cert,
+                         public nsIX509Cert2,
                          public nsISMimeCert,
                          public nsNSSShutDownObject
 {
 public:
   NS_DECL_ISUPPORTS
   NS_DECL_NSIX509CERT
+  NS_DECL_NSIX509CERT2
   NS_DECL_NSISMIMECERT
 
   nsNSSCertificate(CERTCertificate *cert);
   /* from a request? */
   virtual ~nsNSSCertificate();
-  CERTCertificate *GetCert();
-  nsresult MarkForPermDeletion();
-  nsresult SetCertType(PRUint32 aCertType);
-  nsresult GetCertType(PRUint32 *aCertType);
   nsresult FormatUIStrings(const nsAutoString &nickname, nsAutoString &nickWithSerial, nsAutoString &details);
   static nsNSSCertificate* ConstructFromDER(char *certDER, int derLen);
 
@@ -85,6 +86,33 @@ private:
   void destructorSafeDestroyNSSReference();
 };
 
+class nsNSSCertList: public nsIX509CertList
+{
+public:
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIX509CERTLIST
+
+  nsNSSCertList(CERTCertList *certList = nsnull, PRBool adopt = PR_FALSE);
+  virtual ~nsNSSCertList();
+
+  static CERTCertList *DupCertList(CERTCertList *aCertList);
+private:
+  CERTCertList *mCertList;
+};
+
+class nsNSSCertListEnumerator: public nsISimpleEnumerator
+{
+public:
+   NS_DECL_ISUPPORTS
+   NS_DECL_NSISIMPLEENUMERATOR
+
+   nsNSSCertListEnumerator(CERTCertList *certList);
+   virtual ~nsNSSCertListEnumerator();
+private:
+   CERTCertList *mCertList;
+};
+
+
 #define NS_NSS_LONG 4
 #define NS_NSS_GET_LONG(x) ((((unsigned long)((x)[0])) << 24) | \
                             (((unsigned long)((x)[1])) << 16) | \

mozilla/security/manager/ssl/src/nsNSSCertificateDB.cpp

@@ -867,14 +867,14 @@ NS_IMETHODIMP
 nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
 {
   nsNSSShutDownPreventionLock locker;
-  nsNSSCertificate *nssCert = NS_STATIC_CAST(nsNSSCertificate*, aCert);
+  nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
   CERTCertificate *cert = nssCert->GetCert();
   if (!cert) return NS_ERROR_FAILURE;
   CERTCertificateCleaner certCleaner(cert);
   SECStatus srv = SECSuccess;
 
-  PRUint32 certType = getCertType(cert);
-  nssCert->SetCertType(certType);
+  PRUint32 certType;
+  nssCert->GetCertType(&certType);
   if (NS_FAILED(nssCert->MarkForPermDeletion()))
   {
     return NS_ERROR_FAILURE;
@@ -909,7 +909,7 @@ nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
   nsNSSShutDownPreventionLock locker;
   SECStatus srv;
   nsNSSCertTrust trust;
-  nsNSSCertificate *pipCert = NS_STATIC_CAST(nsNSSCertificate *, cert);
+  nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
   CERTCertificate *nsscert = pipCert->GetCert();
   CERTCertificateCleaner certCleaner(nsscert);
   if (type == nsIX509Cert::CA_CERT) {
@@ -953,7 +953,7 @@ nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
 
   nsNSSShutDownPreventionLock locker;
   SECStatus srv;
-  nsNSSCertificate *pipCert = NS_STATIC_CAST(nsNSSCertificate *, cert);
+  nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
   CERTCertificate *nsscert = pipCert->GetCert();
   CERTCertTrust nsstrust;
   srv = CERT_GetCertTrust(nsscert, &nsstrust);
@@ -1630,3 +1630,22 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const c
 
   return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
 }
+
+NS_IMETHODIMP 
+nsNSSCertificateDB::GetCerts(nsIX509CertList **_retval)
+{
+  CERTCertList *certList;
+
+  nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
+  nsCOMPtr<nsIX509CertList> nssCertList;
+  certList = PK11_ListCerts(PK11CertListUnique, ctx);
+
+  // nsNSSCertList 1) adopts certList, and 2) handles the NULL case fine.
+  // (returns an empty list) 
+  nssCertList = new nsNSSCertList(certList, PR_TRUE);
+  if (!nssCertList) { return NS_ERROR_OUT_OF_MEMORY; }
+
+  *_retval = nssCertList;
+  NS_ADDREF(*_retval);
+  return NS_OK;
+}

mozilla/security/manager/ssl/src/nsNSSComponent.cpp

@@ -857,7 +857,7 @@ nsresult nsNSSComponent::GetNSSCipherIDFromPrefString(const nsACString &aPrefStr
 {
   for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
     if (nsDependentCString(cp->pref) == aPrefString) {
-      aCipherId = cp->id;
+      aCipherId = (PRUint16) cp->id;
       return NS_OK;
     }
   }