Closed Bug 1463290 Opened 6 years ago Closed 6 years ago

XPCshell: server_cert.getChain is not a function

Categories

(Core :: Security: PSM, defect)

62 Branch
defect
Not set
normal

RESOLVED FIXED
Tracking Status
firefox62 --- affected

People

(Reporter: mwobensmith, Unassigned)

When running a TLS Canary pass for the recent Symantec root cert work, I encountered this error.


    let sec_info = xhr.channel.securityInfo;
    let ssl_status = sec_info.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
    let server_cert = ssl_status.serverCert;
    let chain = server_cert.getChain().enumerate();

    TypeError: server_cert.getChain is not a function

This is only on Nightly 62, with 'security.pki.distrust_ca_policy' set to 2.

I can continue to run the tests, but this limits our ability to capture the entire cert chain, other than the end entity and the issuer.
getChain was removed in bug 867473 in 61. I think you should be able to change that code to use ssl_status.succeededCertChain (or failedCertChain, as appropriate) as of 58.
Depends on: 867473, 1406856
Mystery solved. Thanks Keeler, will do just that.
I can now see the presence of these two APIs, but they don't appear to be working as expected.

For example, if the connection succeeds, ssl_status.succeededCertChain exists and ssl_status.failedCertChain is null. That's fine.

However, in the case where either one is not null, the array is empty. 

I tried to use the enumeration methods previously available for getChain, but those are not supported.

So, in summary, is there another way to access the cert chain from these two APIs? Or is this a bug?
The new APIs are each an nsIX509CertList: https://searchfox.org/mozilla-central/source/security/manager/ssl/nsIX509CertList.idl
You should be able to enumerate them like so:

    let enumerator = ssl_status.succeededCertChain.getEnumerator();
    let certificates = [];
    for (let cert of XPCOMUtils.IterSimpleEnumerator(enumerator, Ci.nsIX509Cert)) {
      certificates.push(cert);
    }

(You might have to import XPCOMUtils: `ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm");`)
(see e.g. https://searchfox.org/mozilla-central/rev/f822a0b61631cbb38901569e69b4967176314aa8/toolkit/modules/addons/SecurityInfo.jsm#181 )
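
An added example (not part of the comment above, and not Mozilla code): a helper that applies the same getEnumerator() walk to whichever of succeededCertChain or failedCertChain is non-null and records which list supplied the chain. The names captureChain, certListToArray and fakeList and the sample data are constructed for illustration; under xpcshell, pass Ci.nsIX509Cert as the second argument.

```javascript
// Drain an nsIX509CertList using nsISimpleEnumerator calls only.
// certIface is Ci.nsIX509Cert under xpcshell; omit it for plain objects.
function certListToArray(certList, certIface) {
  const certs = [];
  if (!certList) {
    return certs; // the list that does not apply is null
  }
  const enumerator = certList.getEnumerator(); // getEnumerator(), not enumerate()
  while (enumerator.hasMoreElements()) {
    const item = enumerator.getNext();
    certs.push(certIface ? item.QueryInterface(certIface) : item);
  }
  return certs;
}

// Return the chain and the list it came from, so a test run can tell a
// verified chain from the chain of a connection that failed.
function captureChain(sslStatus, certIface) {
  const succeeded = sslStatus.succeededCertChain;
  const failed = sslStatus.failedCertChain;
  const source = succeeded ? "succeededCertChain"
    : failed ? "failedCertChain" : null;
  const chain = certListToArray(succeeded || failed, certIface).map(cert => ({
    subject: cert.commonName,
    issuer: cert.issuerCommonName,
    sha256: cert.sha256Fingerprint,
  }));
  return { source, chain };
}

// Constructed stand-in for nsIX509CertList so the logic runs outside Firefox.
function fakeList(certs) {
  return {
    getEnumerator() {
      let i = 0;
      return { hasMoreElements: () => i < certs.length, getNext: () => certs[i++] };
    },
  };
}

// Constructed sample data, not real certificates or fingerprints.
const sampleChain = [
  { commonName: "www.example.test", issuerCommonName: "Example Intermediate CA", sha256Fingerprint: "AA:01" },
  { commonName: "Example Intermediate CA", issuerCommonName: "Example Root CA", sha256Fingerprint: "BB:02" },
  { commonName: "Example Root CA", issuerCommonName: "Example Root CA", sha256Fingerprint: "CC:03" },
];
console.log(captureChain({ succeededCertChain: fakeList(sampleChain), failedCertChain: null }));
```
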
Thank you Keeler - as usual, you are right. 

I was trying to use enumerate() instead of getEnumerator(). Your example works perfectly.
Matt - should I just close this, then?
Flags: needinfo?(mwobensmith)
Yes please.
Flags: needinfo?(mwobensmith)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED