authorMartin Thomson <mt@lowentropy.net>2019-02-28 16:11:43 +1100
committerMartin Thomson <mt@lowentropy.net>2019-02-28 16:11:43 +1100
commit031e68ea7850e30c7d0ab40729b86eb6e655468b (patch)
treed698954f9b77645b75cd2726f6e0ae010eedf70f /lib/certdb
parentab43d91dae23e93f0bcd8cf2d91800fef4da5090 (diff)
downloadnss-hg-031e68ea7850e30c7d0ab40729b86eb6e655468b.tar.gz
Bug 1531236 - Accessor for certificate DER, r=jcj
Summary: Forgot to put this up. This will make the neqo wrapper considerably more hygienic. Having to explode the entire CERTCertificate struct (which is public and never should have been) into the FFI is a complete disaster. Better to treat it as opaque and use an accessor function. Reviewers: jcj Tags: #secure-revision Bug #: 1531236 Differential Revision: https://phabricator.services.mozilla.com/D24129
Diffstat (limited to 'lib/certdb')
-rw-r--r--lib/certdb/cert.h6
-rw-r--r--lib/certdb/certdb.c11
2 files changed, 17 insertions, 0 deletions
diff --git a/lib/certdb/cert.h b/lib/certdb/cert.h
index 333ba4c9d..1981b8f54 100644
--- a/lib/certdb/cert.h
+++ b/lib/certdb/cert.h
@@ -215,6 +215,12 @@ extern void CERT_DestroyCertificate(CERTCertificate *cert);
*/
extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
+/* Access the DER of the certificate. This only creates a reference to the DER
+ * in the outparam not a copy. To avoid the pointer becoming invalid, use
+ * CERT_DupCertificate() and keep a reference to the duplicate alive.
+ */
+extern SECStatus CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der);
+
/*
** Create a new certificate request. This result must be wrapped with an
** CERTSignedData to create a signed certificate request.
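Review bot: The comment added above the CERT_GetCertificateDer declaration covers lifetime but not ownership. The implementation in certdb.c assigns `c->derCert` into the outparam, so `der->data` points at storage the certificate still uses, and a caller that passes `der` to SECITEM_FreeItem() or writes through `der->data` would free or corrupt it. I would add a sentence such as `The caller must not free or modify der->data; use SECITEM_CopyItem() if an owned copy is needed.` The return contract is also worth stating, since FFI callers will rely on it: `Returns SECFailure and sets SEC_ERROR_INVALID_ARGS if either argument is NULL.`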
diff --git a/lib/certdb/certdb.c b/lib/certdb/certdb.c
index 85b5f2917..7eede8d0e 100644
--- a/lib/certdb/certdb.c
+++ b/lib/certdb/certdb.c
@@ -1314,6 +1314,17 @@ CERT_DupCertificate(CERTCertificate *c)
return c;
}
+SECStatus
+CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der)
+{
+ if (!c || !der) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ *der = c->derCert;
+ return SECSuccess;
+}
+
/*
* Allow use of default cert database, so that apps(such as mozilla) don't
* have to pass the handle all over the place.
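Review bot: `*der = c->derCert;` overwrites whatever `*der` held on entry, so a caller that reuses a SECItem which already owns a buffer loses that pointer without it being freed. The definition has no comment of its own, so a line above the assignment would make the intended use explicit: `/* Shallow copy: previous contents of *der are overwritten, not freed; der->data aliases the certificate's DER. */`. The `const` on `c` also does not carry over to the output, assuming SECItem's data member is a non-const pointer, so the read-only expectation needs stating in the documentation because the type system will not enforce it.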