Change certificate store infrastructure to key off of the Subject Key

Id rather than sha1 hash, since that is rarely used in modern
certs. The previous form was storing trusted certs using an empty sha1
hash value as the key, which meant most certificates matched... not good.

Modify the LLCertException to pass certificate information back as
LLSD rather than an LLPointer<LLCertificate>, because when the
exception is being thown from the certificate constructor that results
in one of a couple of other exceptions (even refcounting won't save
you when the problem is that the thing you're pointing to never
finished coming into being properly).

Update the certificates in the llsechandler_basic_test to modern
conventions, and extend the classes to allow for an optional
validation date so that the test can use a fixed date. Also make all
the certificates include the plain text form for ease of reference.

autobuild.xml

@@ -1483,16 +1483,16 @@
             <key>archive</key>
             <map>
               <key>hash</key>
-              <string>62b92325634c6d41f9a9f80d392f1a70</string>
+              <string>2fd372be3084c956de10a2dbe034bf37</string>
               <key>url</key>
-              <string>http://automated-builds-secondlife-com.s3.amazonaws.com/ct2/2997/6974/llca-201702281708.502986-common-502986.tar.bz2</string>
+              <string>http://automated-builds-secondlife-com.s3.amazonaws.com/ct2/3948/10818/llca-201704032213.503937-common-503937.tar.bz2</string>
             </map>
             <key>name</key>
             <string>common</string>
           </map>
         </map>
         <key>version</key>
-        <string>201702281708.502986</string>
+        <string>201704032213.503937</string>
       </map>
       <key>llceflib</key>
       <map>

indra/llcommon/llthread.cpp

@@ -408,7 +408,7 @@ LLThreadSafeRefCount::~LLThreadSafeRefCount()
 { 
 	if (mRef != 0)
 	{
-		LL_ERRS() << "deleting non-zero reference" << LL_ENDL;
+		LL_ERRS() << "deleting referenced object mRef = " << mRef << LL_ENDL;
 	}
 }
 

indra/llcorehttp/httpcommon.h

@@ -188,6 +188,7 @@
 ///
 
 #include "linden_common.h"		// Modifies curl/curl.h interfaces
+#include "llsd.h"
 #include "boost/intrusive_ptr.hpp"
 #include "boost/shared_ptr.hpp"
 #include "boost/weak_ptr.hpp"
@@ -447,14 +448,14 @@ struct HttpStatus
 		mDetails->mMessage = message;
 	}
 
-	/// Retrieves an optionally recorded SSL certificate.
-	void * getErrorData() const
+	/// Retrieves data about an optionally recorded SSL certificate.
+	LLSD getErrorData() const
 	{
 		return mDetails->mErrorData;
 	}
 
 	/// Optionally sets an SSL certificate on this status.
-	void setErrorData(void *data)
+	void setErrorData(LLSD data)
 	{
 		mDetails->mErrorData = data;
 	}
@@ -467,7 +468,7 @@ private:
 			mType(type),
 			mStatus(status),
 			mMessage(),
-			mErrorData(NULL)
+			mErrorData()
 		{}
 
 		Details(const Details &rhs) :
@@ -485,7 +486,7 @@ private:
 		type_enum_t	mType;
 		short		mStatus;
 		std::string	mMessage;
-		void *		mErrorData;
+		LLSD		mErrorData;
 	};
 
     boost::shared_ptr<Details> mDetails;

indra/newview/llappcorehttp.cpp

@@ -547,9 +547,8 @@ LLCore::HttpStatus LLAppCoreHttp::sslVerify(const std::string &url,
 		// error codes.  Should be refactored with login refactoring, perhaps.
 		result = LLCore::HttpStatus(LLCore::HttpStatus::EXT_CURL_EASY, CURLE_SSL_CACERT);
 		result.setMessage(cert_exception.what());
-		LLPointer<LLCertificate> cert = cert_exception.getCert();
-		cert->ref(); // adding an extra ref here
-		result.setErrorData(cert.get());
+		LLSD certdata = cert_exception.getCertData();
+		result.setErrorData(certdata);
 		// We should probably have a more generic way of passing information
 		// back to the error handlers.
 	}
@@ -557,9 +556,8 @@ LLCore::HttpStatus LLAppCoreHttp::sslVerify(const std::string &url,
 	{
 		result = LLCore::HttpStatus(LLCore::HttpStatus::EXT_CURL_EASY, CURLE_SSL_PEER_CERTIFICATE);
 		result.setMessage(cert_exception.what());
-		LLPointer<LLCertificate> cert = cert_exception.getCert();
-		cert->ref(); // adding an extra ref here
-		result.setErrorData(cert.get());
+		LLSD certdata = cert_exception.getCertData();
+		result.setErrorData(certdata);
 	}
 	catch (...)
 	{

indra/newview/llsecapi.h

@@ -334,24 +334,21 @@ std::ostream& operator <<(std::ostream& s, const LLCredential& cred);
 class LLCertException: public LLException
 {
 public:
-	LLCertException(LLPointer<LLCertificate> cert, const std::string& msg):
-		LLException(msg)
+	LLCertException(const LLSD& cert_data, const std::string& msg): LLException(msg),
+        mCertData(cert_data)
 	{
-
-		mCert = cert;
-
 		LL_WARNS("SECAPI") << "Certificate Error: " << msg << LL_ENDL;
 	}
 	virtual ~LLCertException() throw() {}
-	LLPointer<LLCertificate> getCert() const { return mCert; }
+	LLSD getCertData() const { return mCertData; }
 protected:
-	LLPointer<LLCertificate> mCert;
+	LLSD mCertData;
 };
 
 class LLInvalidCertificate : public LLCertException
 {
 public:
-	LLInvalidCertificate(LLPointer<LLCertificate> cert) : LLCertException(cert, "CertInvalid")
+	LLInvalidCertificate(const LLSD& cert_data) : LLCertException(cert_data, "CertInvalid")
 	{
 	}
 	virtual ~LLInvalidCertificate() throw() {}
@@ -361,7 +358,7 @@ protected:
 class LLCertValidationTrustException : public LLCertException
 {
 public:
-	LLCertValidationTrustException(LLPointer<LLCertificate> cert) : LLCertException(cert, "CertUntrusted")
+	LLCertValidationTrustException(const LLSD& cert_data) : LLCertException(cert_data, "CertUntrusted")
 	{
 	}
 	virtual ~LLCertValidationTrustException() throw() {}
@@ -372,7 +369,7 @@ class LLCertValidationHostnameException : public LLCertException
 {
 public:
 	LLCertValidationHostnameException(std::string hostname,
-									  LLPointer<LLCertificate> cert) : LLCertException(cert, "CertInvalidHostname")
+									  const LLSD& cert_data) : LLCertException(cert_data, "CertInvalidHostname")
 	{
 		mHostname = hostname;
 	}
@@ -385,8 +382,8 @@ protected:
 class LLCertValidationExpirationException : public LLCertException
 {
 public:
-	LLCertValidationExpirationException(LLPointer<LLCertificate> cert,
-										LLDate current_time) : LLCertException(cert, "CertExpired")
+	LLCertValidationExpirationException(const LLSD& cert_data,
+										LLDate current_time) : LLCertException(cert_data, "CertExpired")
 	{
 		mTime = current_time;
 	}
@@ -399,7 +396,7 @@ protected:
 class LLCertKeyUsageValidationException : public LLCertException
 {
 public:
-	LLCertKeyUsageValidationException(LLPointer<LLCertificate> cert) : LLCertException(cert, "CertKeyUsage")
+	LLCertKeyUsageValidationException(const LLSD& cert_data) : LLCertException(cert_data, "CertKeyUsage")
 	{
 	}
 	virtual ~LLCertKeyUsageValidationException() throw() {}
@@ -409,7 +406,7 @@ protected:
 class LLCertBasicConstraintsValidationException : public LLCertException
 {
 public:
-	LLCertBasicConstraintsValidationException(LLPointer<LLCertificate> cert) : LLCertException(cert, "CertBasicConstraints")
+	LLCertBasicConstraintsValidationException(const LLSD& cert_data) : LLCertException(cert_data, "CertBasicConstraints")
 	{
 	}
 	virtual ~LLCertBasicConstraintsValidationException() throw() {}
@@ -419,7 +416,7 @@ protected:
 class LLCertValidationInvalidSignatureException : public LLCertException
 {
 public:
-	LLCertValidationInvalidSignatureException(LLPointer<LLCertificate> cert) : LLCertException(cert, "CertInvalidSignature")
+	LLCertValidationInvalidSignatureException(const LLSD& cert_data) : LLCertException(cert_data, "CertInvalidSignature")
 	{
 	}
 	virtual ~LLCertValidationInvalidSignatureException() throw() {}

indra/newview/llsechandler_basic.h

@@ -47,8 +47,9 @@ class LLBasicCertificate : public LLCertificate
 public:		
 	LOG_CLASS(LLBasicCertificate);
 
-	LLBasicCertificate(const std::string& pem_cert);
-	LLBasicCertificate(X509* openSSLX509);
+    // The optional validation_params allow us to make the unit test time-invariant
+	LLBasicCertificate(const std::string& pem_cert, const LLSD* validation_params = NULL);
+	LLBasicCertificate(X509* openSSLX509, const LLSD* validation_params = NULL);
 	
 	virtual ~LLBasicCertificate();
 	

indra/newview/llxmlrpclistener.cpp

@@ -379,14 +379,9 @@ public:
 		{
 			case CURLE_SSL_PEER_CERTIFICATE:
 			case CURLE_SSL_CACERT:
-			{
-				LLPointer<LLCertificate> error_cert(mTransaction->getErrorCert());
-				if(error_cert)
-				{
-					data["certificate"] = error_cert->getPem();
-				}
+                data["certificate"] = mTransaction->getErrorCertData();
 				break;
-			}
+
 			default:
 				break;
 		}

indra/newview/llxmlrpctransaction.cpp

@@ -206,7 +206,7 @@ public:
 	std::string			mResponseText;
 	XMLRPC_REQUEST		mResponse;
 	std::string         mCertStore;
-	LLPointer<LLCertificate> mErrorCert;
+	LLSD mErrorCertData;
 
 	Impl(const std::string& uri, XMLRPC_REQUEST request, bool useGzip);
 	Impl(const std::string& uri,
@@ -247,14 +247,8 @@ void LLXMLRPCTransaction::Handler::onCompleted(LLCore::HttpHandle handle,
 			// (a non cert error), then generate the error message as
 			// appropriate
 			mImpl->setHttpStatus(status);
-			LLCertificate *errordata = static_cast<LLCertificate *>(status.getErrorData());
-
-			if (errordata)
-			{
-				mImpl->mErrorCert = LLPointer<LLCertificate>(errordata);
-				status.setErrorData(NULL);
-				errordata->unref();
-			}
+			LLSD errordata = status.getErrorData();
+            mImpl->mErrorCertData = errordata;
 
 			LL_WARNS() << "LLXMLRPCTransaction error "
 				<< status.toHex() << ": " << status.toString() << LL_ENDL;
@@ -565,9 +559,9 @@ std::string LLXMLRPCTransaction::statusMessage()
 	return impl.mStatusMessage;
 }
 
-LLPointer<LLCertificate> LLXMLRPCTransaction::getErrorCert()
+LLSD LLXMLRPCTransaction::getErrorCertData()
 {
-	return impl.mErrorCert;
+	return impl.mErrorCertData;
 }
 
 std::string LLXMLRPCTransaction::statusURI()

indra/newview/llxmlrpctransaction.h

@@ -111,7 +111,7 @@ public:
 	EStatus status(int* curlCode);
 		// return status, and extended CURL code, if code isn't null
 	
-	LLPointer<LLCertificate> getErrorCert();
+	LLSD getErrorCertData();
 	std::string statusMessage();
 		// return a message string, suitable for showing the user
 	std::string statusURI();