自学教程：C++ CERT_GetDefaultCertDB函数代码示例

void GetCertUsageStrings(CERTCertificate* cert, std::vector<std::string>* out) {  SECCertificateUsage usages = 0;  // TODO(wtc): See if we should use X509Certificate::Verify instead.  if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, PR_TRUE,                                certificateUsageCheckAllUsages,                                NULL, &usages) == SECSuccess) {    static const struct {      SECCertificateUsage usage;      int string_id;    } usage_string_map[] = {      {certificateUsageSSLClient, IDS_CERT_USAGE_SSL_CLIENT},      {certificateUsageSSLServer, IDS_CERT_USAGE_SSL_SERVER},      {certificateUsageSSLServerWithStepUp,        IDS_CERT_USAGE_SSL_SERVER_WITH_STEPUP},      {certificateUsageEmailSigner, IDS_CERT_USAGE_EMAIL_SIGNER},      {certificateUsageEmailRecipient, IDS_CERT_USAGE_EMAIL_RECEIVER},      {certificateUsageObjectSigner, IDS_CERT_USAGE_OBJECT_SIGNER},      {certificateUsageSSLCA, IDS_CERT_USAGE_SSL_CA},      {certificateUsageStatusResponder, IDS_CERT_USAGE_STATUS_RESPONDER},    };    for (size_t i = 0; i < arraysize(usage_string_map); ++i) {      if (usages & usage_string_map[i].usage)        out->push_back(l10n_util::GetStringUTF8(            usage_string_map[i].string_id));    }  }}

static gboolean ssl_connected(gpointer data, gint source,                              b_input_condition cond){	struct scd *conn = data;	/* Right now we don't have any verification functionality for NSS. */	if (conn->verify) {		conn->func(conn->data, 1, NULL, cond);		if (source >= 0) {			closesocket(source);		}		g_free(conn->hostname);		g_free(conn);		return FALSE;	}	if (source == -1) {		goto ssl_connected_failure;	}	/* Until we find out how to handle non-blocking I/O with NSS... */	sock_make_blocking(conn->fd);	conn->prfd = SSL_ImportFD(NULL, PR_ImportTCPSocket(source));	if (!conn->prfd) {		goto ssl_connected_failure;	}	SSL_OptionSet(conn->prfd, SSL_SECURITY, PR_TRUE);	SSL_OptionSet(conn->prfd, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);	SSL_BadCertHook(conn->prfd, (SSLBadCertHandler) nss_bad_cert, NULL);	SSL_AuthCertificateHook(conn->prfd, (SSLAuthCertificate) nss_auth_cert,	                        (void *) CERT_GetDefaultCertDB());	SSL_SetURL(conn->prfd, conn->hostname);	SSL_ResetHandshake(conn->prfd, PR_FALSE);	if (SSL_ForceHandshake(conn->prfd)) {		goto ssl_connected_failure;	}	conn->established = TRUE;	conn->func(conn->data, 0, conn, cond);	return FALSE;ssl_connected_failure:	conn->func(conn->data, 0, NULL, cond);	if (conn->prfd) {		PR_Close(conn->prfd);	} else if (source >= 0) {		/* proxy_disconnect() would be redundant here */		closesocket(source);	}	g_free(conn->hostname);	g_free(conn);	return FALSE;}

/** * getCRLs * * Export a set of certs and keys from the database to a PKCS#12 file. */NS_IMETHODIMP nsCRLManager::GetCrls(nsIArray ** aCrls){  nsNSSShutDownPreventionLock locker;  SECStatus sec_rv;  CERTCrlHeadNode *head = nullptr;  CERTCrlNode *node = nullptr;  nsresult rv;  nsCOMPtr<nsIMutableArray> crlsArray =    do_CreateInstance(NS_ARRAY_CONTRACTID, &rv);  if (NS_FAILED(rv)) {    return rv;  }  // Get the list of certs //  sec_rv = SEC_LookupCrls(CERT_GetDefaultCertDB(), &head, -1);  if (sec_rv != SECSuccess) {    return NS_ERROR_FAILURE;  }  if (head) {    for (node=head->first; node; node = node->next) {      nsCOMPtr<nsICRLInfo> entry = new nsCRLInfo((node->crl));      crlsArray->AppendElement(entry, false);    }    PORT_FreeArena(head->arena, false);  }  *aCrls = crlsArray;  NS_IF_ADDREF(*aCrls);  return NS_OK;}

/** * Loads the public key for the specified cert name from the NSS store. * * @param certData  The DER-encoded X509 certificate to extract the key from. * @param certDataSize The size of certData. * @param publicKey Out parameter for the public key to use. * @return CryptoX_Success on success, CryptoX_Error on error.*/CryptoX_ResultNSS_LoadPublicKey(const unsigned char *certData, unsigned int certDataSize,                  SECKEYPublicKey **publicKey){  CERTCertificate * cert;  SECItem certDataItem = { siBuffer, (unsigned char*) certData, certDataSize };  if (!certData || !publicKey) {    return CryptoX_Error;  }  cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDataItem, NULL,                                 PR_FALSE, PR_TRUE);  /* Get the cert and embedded public key out of the database */  if (!cert) {    return CryptoX_Error;  }  *publicKey = CERT_ExtractPublicKey(cert);  CERT_DestroyCertificate(cert);  if (!*publicKey) {    return CryptoX_Error;  }  return CryptoX_Success;}

/* * void deleteCertificate(in nsIX509Cert aCert); */NS_IMETHODIMP nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert){  nsNSSShutDownPreventionLock locker;  nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);  CERTCertificate *cert = nssCert->GetCert();  if (!cert) return NS_ERROR_FAILURE;  CERTCertificateCleaner certCleaner(cert);  SECStatus srv = SECSuccess;  PRUint32 certType;  nssCert->GetCertType(&certType);  if (NS_FAILED(nssCert->MarkForPermDeletion()))  {    return NS_ERROR_FAILURE;  }  if (cert->slot && certType != nsIX509Cert::USER_CERT) {    // To delete a cert of a slot (builtin, most likely), mark it as    // completely untrusted.  This way we keep a copy cached in the    // local database, and next time we try to load it off of the     // external token/slot, we'll know not to trust it.  We don't     // want to do that with user certs, because a user may  re-store    // the cert onto the card again at which point we *will* want to     // trust that cert if it chains up properly.    nsNSSCertTrust trust(0, 0, 0);    srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),                                cert, trust.GetTrust());  }  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("cert deleted: %d", srv));  return (srv) ? NS_ERROR_FAILURE : NS_OK;}

/* Add the server's certificate to our database of trusted servers.  */static SECStatustrustNewServer (CERTCertificate *serverCert){  SECStatus secStatus;  CERTCertTrust *trust = NULL;  PK11SlotInfo *slot;  /* Import the certificate.  */  slot = PK11_GetInternalKeySlot();;  secStatus = PK11_ImportCert(slot, serverCert, CK_INVALID_HANDLE, "stap-server", PR_FALSE);  if (secStatus != SECSuccess)    goto done;    /* Make it a trusted peer.  */  trust = (CERTCertTrust *)PORT_ZAlloc(sizeof(CERTCertTrust));  if (! trust)    {      secStatus = SECFailure;      goto done;    }  secStatus = CERT_DecodeTrustString(trust, "P,P,P");  if (secStatus != SECSuccess)    goto done;  secStatus = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), serverCert, trust);  if (secStatus != SECSuccess)    goto done;done:  if (trust)    PORT_Free(trust);  return secStatus;}

intfind_certificate(cms_context *ctx){	if (!ctx->certname || !*ctx->certname)		return -1;	typedef struct {		enum {			PW_NONE = 0,			PW_FROMFILE = 1,			PW_PLAINTEXT = 2,			PW_EXTERNAL = 3		} source;		char *data;	} secuPWData;	secuPWData pwdata = { 0, 0 };	CERTCertificate *cert = NULL;	cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), ctx->certname,		certUsageObjectSigner, PR_FALSE, &pwdata);	if (cert == NULL) {		fprintf(stderr, "Could not find certificate/n");		exit(1);	}		ctx->cert = cert;	return 0;}

/* add given CRL to cache if it is not already there */static SECStatus nss_cache_crl(SECItem *crlDER){  CERTCertDBHandle *db = CERT_GetDefaultCertDB();  CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crlDER, 0);  if(crl) {    /* CRL already cached */    SEC_DestroyCrl(crl);    SECITEM_FreeItem(crlDER, PR_FALSE);    return SECSuccess;  }  /* acquire lock before call of CERT_CacheCRL() */  PR_Lock(nss_crllock);  if(SECSuccess != CERT_CacheCRL(db, crlDER)) {    /* unable to cache CRL */    PR_Unlock(nss_crllock);    SECITEM_FreeItem(crlDER, PR_FALSE);    return SECFailure;  }  /* we need to clear session cache, so that the CRL could take effect */  SSL_ClearSessionCache();  PR_Unlock(nss_crllock);  return SECSuccess;}

int crypto_init(cert_policy *policy) {  SECStatus rv;  DBG("Initializing NSS ...");  if (NSS_IsInitialized()) {    app_has_NSS = 1;    /* we should save the app's password function */    PK11_SetPasswordFunc(password_passthrough);    DBG("...  NSS is initialized");    return 0;  }  if (policy->nss_dir) {    /* initialize with read only databases */    DBG1("Initializing NSS ... database=%s", policy->nss_dir);    rv = NSS_Init(policy->nss_dir);  } else {    /* not database secified */    DBG("Initializing NSS ... with no db");    rv = NSS_NoDB_Init(NULL);  }  if (rv != SECSuccess) {    DBG1("NSS_Initialize failed: %s", SECU_Strerror(PR_GetError()));    return -1;  }  /* register a callback */  PK11_SetPasswordFunc(password_passthrough);  if (policy->ocsp_policy == OCSP_ON) {    CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());  }  DBG("...  NSS Complete");  return 0;}

nsUsageArrayHelper::nsUsageArrayHelper(CERTCertificate *aCert):mCert(aCert){  nsNSSShutDownPreventionLock locker;  defaultcertdb = CERT_GetDefaultCertDB();  nssComponent = do_GetService(kNSSComponentCID, &m_rv);}

SECStatusAppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,                             const CertPolicyId& policy,                             const SECItem& candidateCertDER,                     /*out*/ TrustLevel* trustLevel){  MOZ_ASSERT(policy.IsAnyPolicy());  MOZ_ASSERT(trustLevel);  MOZ_ASSERT(mTrustedRoot);  if (!trustLevel || !policy.IsAnyPolicy()) {    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);    return SECFailure;  }  if (!mTrustedRoot) {    PR_SetError(PR_INVALID_STATE_ERROR, 0);    return SECFailure;  }  // Handle active distrust of the certificate.  // XXX: This would be cleaner and more efficient if we could get the trust  // information without constructing a CERTCertificate here, but NSS doesn't  // expose it in any other easy-to-use fashion.  ScopedCERTCertificate candidateCert(    CERT_NewTempCertificate(CERT_GetDefaultCertDB(),                            const_cast<SECItem*>(&candidateCertDER), nullptr,                            false, true));  if (!candidateCert) {    return SECFailure;  }  CERTCertTrust trust;  if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) {    PRUint32 flags = SEC_GET_TRUST_FLAGS(&trust, trustObjectSigning);    // For DISTRUST, we use the CERTDB_TRUSTED or CERTDB_TRUSTED_CA bit,    // because we can have active distrust for either type of cert. Note that    // CERTDB_TERMINAL_RECORD means "stop trying to inherit trust" so if the    // relevant trust bit isn't set then that means the cert must be considered    // distrusted.    PRUint32 relevantTrustBit = endEntityOrCA == EndEntityOrCA::MustBeCA                              ? CERTDB_TRUSTED_CA                              : CERTDB_TRUSTED;    if (((flags & (relevantTrustBit | CERTDB_TERMINAL_RECORD)))            == CERTDB_TERMINAL_RECORD) {      *trustLevel = TrustLevel::ActivelyDistrusted;      return SECSuccess;    }  }  // mTrustedRoot is the only trust anchor for this validation.  if (CERT_CompareCerts(mTrustedRoot.get(), candidateCert.get())) {    *trustLevel = TrustLevel::TrustAnchor;    return SECSuccess;  }  *trustLevel = TrustLevel::InheritsTrust;  return SECSuccess;}

// TODO: Remove #include "pkix/pkixnss.h", #include "cert.h",// #include "ScopedPtr.h", etc. when this is rewritten to be independent of// NSS.ResultCheckNameConstraints(Input encodedNameConstraints,                     const BackCert& firstChild,                     KeyPurposeId requiredEKUIfPresent){  ScopedPtr<PLArenaPool, PORT_FreeArena_false>    arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));  if (!arena) {    return Result::FATAL_ERROR_NO_MEMORY;  }  SECItem encodedNameConstraintsSECItem =    UnsafeMapInputToSECItem(encodedNameConstraints);  // Owned by arena  const CERTNameConstraints* constraints =    CERT_DecodeNameConstraintsExtension(arena.get(),                                        &encodedNameConstraintsSECItem);  if (!constraints) {    return MapPRErrorCodeToResult(PR_GetError());  }  for (const BackCert* child = &firstChild; child; child = child->childCert) {    SECItem childCertDER = UnsafeMapInputToSECItem(child->GetDER());    ScopedPtr<CERTCertificate, CERT_DestroyCertificate>      nssCert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &childCertDER,                                      nullptr, false, true));    if (!nssCert) {      return MapPRErrorCodeToResult(PR_GetError());    }    bool includeCN = child->endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&                     requiredEKUIfPresent == KeyPurposeId::id_kp_serverAuth;    // owned by arena    const CERTGeneralName*      names(CERT_GetConstrainedCertificateNames(nssCert.get(), arena.get(),                                                includeCN));    if (!names) {      return MapPRErrorCodeToResult(PR_GetError());    }    CERTGeneralName* currentName = const_cast<CERTGeneralName*>(names);    do {      if (CERT_CheckNameSpace(arena.get(), constraints, currentName)            != SECSuccess) {        // XXX: It seems like CERT_CheckNameSpace doesn't always call        // PR_SetError when it fails, so we ignore what PR_GetError would        // return. NSS's cert_VerifyCertChainOld does something similar.        return Result::ERROR_CERT_NOT_IN_NAME_SPACE;      }      currentName = CERT_GetNextGeneralName(currentName);    } while (currentName != names);  }  return Success;}

NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const char *aTrust, const char *aName){  NS_ENSURE_ARG_POINTER(aBase64);  nsCOMPtr <nsIX509Cert> newCert;  nsNSSCertTrust trust;  // need to calculate the trust bits from the aTrust string.  nsresult rv = CERT_DecodeTrustString(trust.GetTrust(), /* this is const, but not declared that way */(char *) aTrust);  NS_ENSURE_SUCCESS(rv, rv); // if bad trust passed in, return error.  rv = ConstructX509FromBase64(aBase64, getter_AddRefs(newCert));  NS_ENSURE_SUCCESS(rv, rv);  SECItem der;  rv = newCert->GetRawDER(&der.len, (PRUint8 **)&der.data);  NS_ENSURE_SUCCESS(rv, rv);  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert/n"));  CERTCertificate *tmpCert;  CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();  tmpCert = CERT_FindCertByDERCert(certdb, &der);  if (!tmpCert)     tmpCert = CERT_NewTempCertificate(certdb, &der,                                      nsnull, PR_FALSE, PR_TRUE);  nsMemory::Free(der.data);  der.data = nsnull;  der.len = 0;  if (!tmpCert) {    NS_ASSERTION(0,"Couldn't create cert from DER blob/n");    return NS_ERROR_FAILURE;  }  if (tmpCert->isperm) {    CERT_DestroyCertificate(tmpCert);    return NS_OK;  }  CERTCertificateCleaner tmpCertCleaner(tmpCert);  nsXPIDLCString nickname;  nickname.Adopt(CERT_MakeCANickname(tmpCert));  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick /"%s/"/n", nickname.get()));  SECStatus srv = CERT_AddTempCertToPerm(tmpCert,                                          const_cast<char*>(nickname.get()),                                          trust.GetTrust());   return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;}

/* bypass the default SSL_AuthCertificate() hook in case we do not want to * verify peer */static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,                                    PRBool isServer){  struct connectdata *conn = (struct connectdata *)arg;  if(!conn->data->set.ssl.verifypeer) {    infof(conn->data, "skipping SSL peer certificate verification/n");    return SECSuccess;  }  return SSL_AuthCertificate(CERT_GetDefaultCertDB(), fd, checksig, isServer);}

SECStatusNSSCertDBTrustDomain::FindPotentialIssuers(  const SECItem* encodedIssuerName, PRTime time,  /*out*/ mozilla::pkix::ScopedCERTCertList& results){  // TODO: normalize encodedIssuerName  // TODO: NSS seems to be ambiguous between "no potential issuers found" and  // "there was an error trying to retrieve the potential issuers."  results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),                                       encodedIssuerName, time, true);  return SECSuccess;}

CERTCertificate *getCert(const char *name, PRBool isAscii, const char * progName){    CERTCertificate * cert;    CERTCertDBHandle *defaultDB;    PRFileDesc*     fd;    SECStatus       rv;    SECItem         item        = {0, NULL, 0};    defaultDB = CERT_GetDefaultCertDB();    /* First, let's try to find the cert in existing DB. */    cert = CERT_FindCertByNicknameOrEmailAddr(defaultDB, name);    if (cert) {        return cert;    }    /* Don't have a cert with name "name" in the DB. Try to     * open a file with such name and get the cert from there.*/    fd = PR_Open(name, PR_RDONLY, 0777);     if (!fd) {	PRIntn err = PR_GetError();    	fprintf(stderr, "open of %s failed, %d = %s/n", 	        name, err, SECU_Strerror(err));	return cert;    }    rv = SECU_ReadDERFromFile(&item, fd, isAscii);    PR_Close(fd);    if (rv != SECSuccess) {	fprintf(stderr, "%s: SECU_ReadDERFromFile failed/n", progName);	return cert;    }    if (!item.len) { /* file was empty */	fprintf(stderr, "cert file %s was empty./n", name);	return cert;    }    cert = CERT_NewTempCertificate(defaultDB, &item,                                    NULL     /* nickname */,                                    PR_FALSE /* isPerm */, 				   PR_TRUE  /* copyDER */);    if (!cert) {	PRIntn err = PR_GetError();	fprintf(stderr, "couldn't import %s, %d = %s/n",	        name, err, SECU_Strerror(err));    }    PORT_Free(item.data);    return cert;}

/*********************************************************************** * * G e n e r a t e C e r t * * Runs the whole process of creating a new cert, getting info from the * user, etc. */intGenerateCert(char *nickname, int keysize, char *token){    CERTCertDBHandle * db;    CERTCertificate * cert;    char	*subject;    unsigned long	serial;    char	stdinbuf[160];    /* Print warning about having the browser open */    PR_fprintf(PR_STDOUT /*always go to console*/,        "/nWARNING: Performing this operation while the browser is running could cause"        "/ncorruption of your security databases. If the browser is currently running,"        "/nyou should exit the browser before continuing this operation. Enter "        "/n/"y/" to continue, or anything else to abort: ");    pr_fgets(stdinbuf, 160, PR_STDIN);    PR_fprintf(PR_STDOUT, "/n");    if (tolower(stdinbuf[0]) != 'y') {	PR_fprintf(errorFD, "Operation aborted at user's request./n");	errorCount++;	return - 1;    }    db = CERT_GetDefaultCertDB();    if (!db) {	FatalError("Unable to open certificate database");    }    if (PK11_FindCertFromNickname(nickname, &pwdata)) {	PR_fprintf(errorFD,	    "ERROR: Certificate with nickname /"%s/" already exists in database. You/n"	    "must choose a different nickname./n", nickname);	errorCount++;	exit(ERRX);    }    LL_L2UI(serial, PR_Now());    subject = GetSubjectFromUser(serial);    cert = GenerateSelfSignedObjectSigningCert(nickname, db, subject,         		serial, keysize, token);    if (cert) {	output_ca_cert(cert, db);	CERT_DestroyCertificate(cert);    }    PORT_Free(subject);    return 0;}

NS_IMETHODIMP nsNSSCertificateDB::FindCertByDBKey(const char *aDBkey, nsISupports *aToken,                                   nsIX509Cert **_cert){  nsNSSShutDownPreventionLock locker;  SECItem keyItem = {siBuffer, nsnull, 0};  SECItem *dummy;  CERTIssuerAndSN issuerSN;  unsigned long moduleID,slotID;  *_cert = nsnull;   if (!aDBkey || !*aDBkey)    return NS_ERROR_INVALID_ARG;  dummy = NSSBase64_DecodeBuffer(nsnull, &keyItem, aDBkey,                                 (PRUint32)PL_strlen(aDBkey));   if (!dummy || keyItem.len < NS_NSS_LONG*4) {    PR_FREEIF(keyItem.data);    return NS_ERROR_INVALID_ARG;  }  CERTCertificate *cert;  // someday maybe we can speed up the search using the moduleID and slotID  moduleID = NS_NSS_GET_LONG(keyItem.data);  slotID = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG]);  // build the issuer/SN structure  issuerSN.serialNumber.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*2]);  issuerSN.derIssuer.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*3]);  if (issuerSN.serialNumber.len == 0 || issuerSN.derIssuer.len == 0      || issuerSN.serialNumber.len + issuerSN.derIssuer.len         != keyItem.len - NS_NSS_LONG*4) {    PR_FREEIF(keyItem.data);    return NS_ERROR_INVALID_ARG;  }  issuerSN.serialNumber.data= &keyItem.data[NS_NSS_LONG*4];  issuerSN.derIssuer.data= &keyItem.data[NS_NSS_LONG*4+                                              issuerSN.serialNumber.len];  cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), &issuerSN);  PR_FREEIF(keyItem.data);  if (cert) {    nsNSSCertificate *nssCert = new nsNSSCertificate(cert);    CERT_DestroyCertificate(cert);    if (nssCert == nsnull)      return NS_ERROR_OUT_OF_MEMORY;    NS_ADDREF(nssCert);    *_cert = static_cast<nsIX509Cert*>(nssCert);  }  return NS_OK;}

static voidcamel_smime_context_init(CamelSMIMEContext *context){	CamelCipherContext *cipher =(CamelCipherContext *) context;	cipher->sign_protocol = "application/x-pkcs7-signature";	cipher->encrypt_protocol = "application/x-pkcs7-mime";	cipher->key_protocol = "application/x-pkcs7-signature";	context->priv = g_malloc0(sizeof(*context->priv));	context->priv->certdb = CERT_GetDefaultCertDB();	context->priv->sign_mode = CAMEL_SMIME_SIGN_CLEARSIGN;	context->priv->password_tries = 0;}

nsresultnsNSSCertificateDB::ImportValidCACerts(int numCACerts, SECItem *CACerts, nsIInterfaceRequestor *ctx){  CERTCertList *certList = NULL;  SECItem **rawArray;  // build a CertList for filtering  certList = CERT_NewCertList();  if (certList == NULL) {    return NS_ERROR_FAILURE;  }  CERTCertListCleaner listCleaner(certList);  // get all certs into temp store  SECStatus srv = SECFailure;  CERTCertificate **certArray = NULL;  rawArray = (SECItem **) PORT_Alloc(sizeof(SECItem *) * numCACerts);  if ( !rawArray ) {    return NS_ERROR_FAILURE;  }  for (int i=0; i < numCACerts; i++) {    rawArray[i] = &CACerts[i];  }  srv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageAnyCA, numCACerts, rawArray,                          &certArray, PR_FALSE, PR_TRUE, NULL);  PORT_Free(rawArray);  rawArray = NULL;  if (srv != SECSuccess) {    return NS_ERROR_FAILURE;  }  for (int i2=0; i2 < numCACerts; i2++) {    CERTCertificate *cacert = certArray[i2];    if (cacert)      cacert = CERT_DupCertificate(cacert);    if (cacert)      CERT_AddCertToListTail(certList, cacert);  }  CERT_DestroyCertArray(certArray, numCACerts);  return ImportValidCACertsInList(certList, ctx);}

CryptoCertcrypto_cert_read(uint8 * data, uint32 len){	CryptoCert crypto_cert = xmalloc(sizeof(*crypto_cert));	CERTCertDBHandle * handle = CERT_GetDefaultCertDB();	SECItem derCert;	derCert.type = siBuffer;	derCert.data = data;	derCert.len = len;	crypto_cert->cert = CERT_NewTempCertificate(handle, &derCert, NULL, PR_FALSE, PR_TRUE);	ASSERT(crypto_cert->cert);	return crypto_cert;}

boolRTCCertificate::ReadCertificate(JSStructuredCloneReader* aReader,                                const nsNSSShutDownPreventionLock& /*proof*/){  CryptoBuffer cert;  if (!ReadBuffer(aReader, cert) || cert.Length() == 0) {    return false;  }  SECItem der = { siBuffer, cert.Elements(),                  static_cast<unsigned int>(cert.Length()) };  mCertificate.reset(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),                                             &der, nullptr, true, true));  return !!mCertificate;}

SECStatusAppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot){  SECItem trustedDER;  // Load the trusted certificate into the in-memory NSS database so that  // CERT_CreateSubjectCertList can find it.  switch (trustedRoot)  {    case nsIX509CertDB::AppMarketplaceProdPublicRoot:      trustedDER.data = const_cast<uint8_t*>(marketplaceProdPublicRoot);      trustedDER.len = mozilla::ArrayLength(marketplaceProdPublicRoot);      break;    case nsIX509CertDB::AppMarketplaceProdReviewersRoot:      trustedDER.data = const_cast<uint8_t*>(marketplaceProdReviewersRoot);      trustedDER.len = mozilla::ArrayLength(marketplaceProdReviewersRoot);      break;    case nsIX509CertDB::AppMarketplaceDevPublicRoot:      trustedDER.data = const_cast<uint8_t*>(marketplaceDevPublicRoot);      trustedDER.len = mozilla::ArrayLength(marketplaceDevPublicRoot);      break;    case nsIX509CertDB::AppMarketplaceDevReviewersRoot:      trustedDER.data = const_cast<uint8_t*>(marketplaceDevReviewersRoot);      trustedDER.len = mozilla::ArrayLength(marketplaceDevReviewersRoot);      break;    case nsIX509CertDB::AppXPCShellRoot:      trustedDER.data = const_cast<uint8_t*>(xpcshellRoot);      trustedDER.len = mozilla::ArrayLength(xpcshellRoot);      break;    default:      PR_SetError(SEC_ERROR_INVALID_ARGS, 0);      return SECFailure;  }  mTrustedRoot = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),                                         &trustedDER, nullptr, false, true);  if (!mTrustedRoot) {    return SECFailure;  }  return SECSuccess;}

CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr){    CERTCertificate *cert;    SECStatus rv;    SECItem der;    rv = ATOB_ConvertAsciiToItem(&der, certstr);    if (rv != SECSuccess)	return NULL;    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),                                    &der, NULL, PR_FALSE, PR_TRUE);    PORT_Free(der.data);    return cert;}