Bug 891066, part 2: Move CertVerifier to security/certverifier, r=keeler

--HG--
extra : rebase_source : dd59a391825b776b075e855660c2488105e2d741
Brian Smith 2014-01-26 19:36:28 -08:00
parent efdf583668
commit c1583f22ce
14 changed files with 417 additions and 660 deletions


@ -18,10 +18,9 @@ toolkit/library
gfx
toolkit/components/build
toolkit/components
security/build
security/manager
security/dbm
security/nss
security/certverifier
security/build
accessible
dom
content


@ -3,6 +3,7 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "CertVerifier.h"
#include "ExtendedValidation.h"
#include "ScopedNSSTypes.h"
#include "cert.h"
#include "secerr.h"
@ -14,9 +15,6 @@ extern PRLogModuleInfo* gPIPNSSLog;
namespace mozilla { namespace psm {
extern SECStatus getFirstEVPolicy(CERTCertificate* cert, SECOidTag& outOidTag);
extern CERTCertList* getRootsForOid(SECOidTag oid_tag);
const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
const CertVerifier::Flags CertVerifier::FLAG_NO_DV_FALLBACK_FOR_EV = 2;
@ -159,10 +157,10 @@ CertVerifier::VerifyCert(CERTCertificate* cert,
// Do EV checking only for sslserver usage
if (usage == certificateUsageSSLServer) {
SECStatus srv = getFirstEVPolicy(cert, evPolicy);
SECStatus srv = GetFirstEVPolicy(cert, evPolicy);
if (srv == SECSuccess) {
if (evPolicy != SEC_OID_UNKNOWN) {
trustAnchors = getRootsForOid(evPolicy);
trustAnchors = GetRootsForOid(evPolicy);
}
if (!trustAnchors) {
return SECFailure;


@ -0,0 +1,23 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_psm_ExtendedValidation_h
#define mozilla_psm_ExtendedValidation_h
#include "certt.h"
#include "prtypes.h"
namespace mozilla { namespace psm {
#ifndef NSS_NO_LIBPKIX
void EnsureIdentityInfoLoaded();
SECStatus GetFirstEVPolicy(CERTCertificate *cert, SECOidTag &outOidTag);
CERTCertList* GetRootsForOid(SECOidTag oid_tag);
void CleanupIdentityInfo();
#endif
} } // namespace mozilla::psm
#endif // mozilla_psm_ExtendedValidation_h
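Review bot: The four functions declared in this new header have no comments, and two of them have contracts a caller cannot read off the signature. `GetRootsForOid` returns a raw `CERTCertList*` without saying whether the caller owns the list and must destroy it. `EnsureIdentityInfoLoaded` is now called directly from the `InitializeIdentityInfo` task, `nsNSSCertificate::hasValidEVOidTag` and `nsNSSCertificateDB::VerifyCertNow`, with nothing stating whether concurrent or repeated calls are safe. I would add a one-line comment per declaration, for example `// Returns a new list owned by the caller, or nullptr if no root is registered for oid_tag.`, once that is confirmed against ExtendedValidation.cpp, which is not shown on this page.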


@ -0,0 +1,20 @@
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
UNIFIED_SOURCES += [
'CertVerifier.cpp',
]
if not CONFIG['NSS_NO_LIBPKIX']:
UNIFIED_SOURCES += [
'ExtendedValidation.cpp',
]
LOCAL_INCLUDES += [
'../insanity/include',
]
FINAL_LIBRARY = 'xul'


@ -97,6 +97,8 @@
#include <cstring>
#include "CertVerifier.h"
#include "CryptoTask.h"
#include "ExtendedValidation.h"
#include "nsIBadCertListener2.h"
#include "nsICertOverrideService.h"
#include "nsISiteSecurityService.h"
@ -1343,33 +1345,16 @@ AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig, PRBool isServer)
}
#ifndef NSS_NO_LIBPKIX
class InitializeIdentityInfo : public nsRunnable
, public nsNSSShutDownObject
class InitializeIdentityInfo : public CryptoTask
{
private:
NS_IMETHOD Run()
virtual nsresult CalculateResult() MOZ_OVERRIDE
{
nsNSSShutDownPreventionLock nssShutdownPrevention;
if (isAlreadyShutDown())
return NS_OK;
nsresult rv;
nsCOMPtr<nsINSSComponent> inss = do_GetService(PSM_COMPONENT_CONTRACTID, &rv);
if (NS_SUCCEEDED(rv))
inss->EnsureIdentityInfoLoaded();
EnsureIdentityInfoLoaded();
return NS_OK;
}
virtual void virtualDestroyNSSReference()
{
}
~InitializeIdentityInfo()
{
nsNSSShutDownPreventionLock nssShutdownPrevention;
if (!isAlreadyShutDown())
shutdown(calledFromObject);
}
virtual void ReleaseNSSResources() MOZ_OVERRIDE { } // no-op
virtual void CallCallback(nsresult rv) MOZ_OVERRIDE { } // no-op
};
#endif
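Review bot: The new `CalculateResult()` in `InitializeIdentityInfo` calls `EnsureIdentityInfoLoaded()` with no shutdown guard of its own, whereas the `Run()` it replaces took an `nsNSSShutDownPreventionLock` and returned early on `isAlreadyShutDown()`. That is only equivalent if CryptoTask takes the same lock and performs the same check before invoking `CalculateResult()`, which this page does not show. If it does, a comment on the override would record the dependency, for example `// CryptoTask holds the NSS shutdown-prevention lock and skips this call after shutdown.`; if it does not, the guard needs to come back here. The empty `ReleaseNSSResources()` also deserves a word on why the task holds nothing to release.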


@ -16,7 +16,6 @@ EXPORTS.mozilla += [
]
UNIFIED_SOURCES += [
'CertVerifier.cpp',
'CryptoTask.cpp',
'nsCertificatePrincipal.cpp',
'nsCertOverrideService.cpp',
@ -27,7 +26,6 @@ UNIFIED_SOURCES += [
'nsCMSSecureMessage.cpp',
'nsCrypto.cpp',
'nsDataSignatureVerifier.cpp',
'nsIdentityChecking.cpp',
'nsKeygenHandler.cpp',
'nsKeygenThread.cpp',
'nsKeyModule.cpp',
@ -94,7 +92,8 @@ UNIFIED_SOURCES += [
FINAL_LIBRARY = 'xul'
LOCAL_INCLUDES += [
'../../../insanity/include',
'../../../certverifier',
'../../../insanity/include',
]


@ -9,6 +9,7 @@
#include "nsNSSCertificate.h"
#include "CertVerifier.h"
#include "ExtendedValidation.h"
#include "nsNSSComponent.h" // for PIPNSS string bundle calls.
#include "nsNSSCleaner.h"
#include "nsCOMPtr.h"
@ -1481,6 +1482,125 @@ char* nsNSSCertificate::defaultServerNickname(CERTCertificate* cert)
return nickname;
}
#ifndef NSS_NO_LIBPKIX
nsresult
nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
EnsureIdentityInfoLoaded();
RefPtr<mozilla::psm::SharedCertVerifier>
certVerifier(mozilla::psm::GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
validEV = false;
resultOidTag = SEC_OID_UNKNOWN;
uint32_t flags = mozilla::psm::CertVerifier::FLAG_LOCAL_ONLY |
mozilla::psm::CertVerifier::FLAG_NO_DV_FALLBACK_FOR_EV;
SECStatus rv = certVerifier->VerifyCert(mCert,
certificateUsageSSLServer, PR_Now(),
nullptr /* XXX pinarg */,
flags, nullptr, &resultOidTag);
if (rv != SECSuccess) {
resultOidTag = SEC_OID_UNKNOWN;
}
if (resultOidTag != SEC_OID_UNKNOWN) {
validEV = true;
}
return NS_OK;
}
nsresult
nsNSSCertificate::getValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
{
if (mCachedEVStatus != ev_status_unknown) {
validEV = (mCachedEVStatus == ev_status_valid);
if (validEV) {
resultOidTag = mCachedEVOidTag;
}
return NS_OK;
}
nsresult rv = hasValidEVOidTag(resultOidTag, validEV);
if (NS_SUCCEEDED(rv)) {
if (validEV) {
mCachedEVOidTag = resultOidTag;
}
mCachedEVStatus = validEV ? ev_status_valid : ev_status_invalid;
}
return rv;
}
#endif // NSS_NO_LIBPKIX
NS_IMETHODIMP
nsNSSCertificate::GetIsExtendedValidation(bool* aIsEV)
{
#ifdef NSS_NO_LIBPKIX
*aIsEV = false;
return NS_OK;
#else
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
NS_ENSURE_ARG(aIsEV);
*aIsEV = false;
if (mCachedEVStatus != ev_status_unknown) {
*aIsEV = (mCachedEVStatus == ev_status_valid);
return NS_OK;
}
SECOidTag oid_tag;
return getValidEVOidTag(oid_tag, *aIsEV);
#endif
}
NS_IMETHODIMP
nsNSSCertificate::GetValidEVPolicyOid(nsACString& outDottedOid)
{
outDottedOid.Truncate();
#ifndef NSS_NO_LIBPKIX
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
SECOidTag oid_tag;
bool valid;
nsresult rv = getValidEVOidTag(oid_tag, valid);
if (NS_FAILED(rv)) {
return rv;
}
if (valid) {
SECOidData* oid_data = SECOID_FindOIDByTag(oid_tag);
if (!oid_data) {
return NS_ERROR_FAILURE;
}
char* oid_str = CERT_GetOidString(&oid_data->oid);
if (!oid_str) {
return NS_ERROR_FAILURE;
}
outDottedOid.Assign(oid_str);
PR_smprintf_free(oid_str);
}
#endif
return NS_OK;
}
NS_IMPL_ISUPPORTS1(nsNSSCertList, nsIX509CertList)
nsNSSCertList::nsNSSCertList(CERTCertList* certList,
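Review bot: In `nsNSSCertificate::GetIsExtendedValidation` the `NSS_NO_LIBPKIX` branch writes `*aIsEV = false` with no null check, and in the other branch `NS_ENSURE_ARG(aIsEV)` runs only after the shutdown test. `nsSSLStatus::GetIsExtendedValidation`, added in the same commit, validates the pointer first; doing the same here means moving `NS_ENSURE_ARG(aIsEV);` above the `#ifdef`. Separately, `getValidEVOidTag` stores the outcome of a verification made at `PR_Now()` in `mCachedEVStatus` and never recomputes it for that object. A comment stating that the cached EV answer is not re-evaluated if validity or trust changes later would tell readers what the value can be relied on for. The class definition and the cache fields are outside this hunk.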


@ -11,6 +11,7 @@
#include "nsNSSCertificateDB.h"
#include "CertVerifier.h"
#include "ExtendedValidation.h"
#include "nsNSSComponent.h"
#include "mozilla/Base64.h"
#include "nsCOMPtr.h"
@ -1698,13 +1699,8 @@ nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
return NS_ERROR_NOT_AVAILABLE;
}
nsresult rv;
#ifndef NSS_NO_LIBPKIX
nsCOMPtr<nsINSSComponent> inss = do_GetService(PSM_COMPONENT_CONTRACTID, &rv);
if (NS_FAILED(rv)) {
return NS_ERROR_NOT_AVAILABLE;
}
inss->EnsureIdentityInfoLoaded();
EnsureIdentityInfoLoaded();
#endif
nsCOMPtr<nsIX509Cert2> x509Cert = do_QueryInterface(aCert);


@ -10,6 +10,7 @@
#include "nsNSSComponent.h"
#include "ExtendedValidation.h"
#include "mozilla/Telemetry.h"
#include "nsCertVerificationThread.h"
#include "nsAppDirectoryServiceDefs.h"
@ -220,12 +221,6 @@ nsNSSComponent::nsNSSComponent()
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::ctor\n"));
mObserversRegistered = false;
#ifndef NSS_NO_LIBPKIX
// In order to keep startup time lower, we delay loading and
// registering all identity data until first needed.
memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
#endif
NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!");
++mInstanceCount;
mShutdownObjectList = nsNSSShutDownList::construct();
@ -904,12 +899,11 @@ setNonPkixOcspEnabled(int32_t ocspEnabled)
{
// Note: this preference is numeric vs boolean because previously we
// supported more than two options.
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
if (!ocspEnabled) {
CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
} else {
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
}
}
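Review bot: In `setNonPkixOcspEnabled` the `SECStatus` results of `CERT_EnableOCSPChecking`, `CERT_DisableOCSPChecking` and the now-hoisted `CERT_DisableOCSPDefaultResponder` are all discarded, so a failure to switch revocation checking on goes unnoticed. The function's return type is not visible in the hunk, so the least intrusive change is to log the failure, for example `if (CERT_EnableOCSPChecking(CERT_GetDefaultCertDB()) != SECSuccess) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("enabling OCSP checking failed\n")); }`. The same applies to the other two calls.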


@ -107,10 +107,6 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports {
const nsAString& token) = 0;
#endif
#ifndef NSS_NO_LIBPKIX
NS_IMETHOD EnsureIdentityInfoLoaded() = 0;
#endif
NS_IMETHOD IsNSSInitialized(bool* initialized) = 0;
virtual ::mozilla::TemporaryRef<mozilla::psm::SharedCertVerifier>
@ -175,9 +171,6 @@ public:
const nsAString& token);
#endif
#ifndef NSS_NO_LIBPKIX
NS_IMETHOD EnsureIdentityInfoLoaded();
#endif
NS_IMETHOD IsNSSInitialized(bool* initialized);
::mozilla::TemporaryRef<mozilla::psm::SharedCertVerifier>
@ -189,7 +182,6 @@ private:
void InstallLoadableRoots();
void UnloadLoadableRoots();
void CleanupIdentityInfo();
void setValidationOptions(bool isInitialSetting);
nsresult setEnabledTLSVersions();
nsresult InitializePIPNSSBundle();
@ -226,7 +218,6 @@ private:
static PRStatus IdentityInfoInit(void);
PRCallOnceType mIdentityInfoCallOnce;
};
class nsNSSErrors


@ -7,6 +7,7 @@
#include "nsSSLStatus.h"
#include "plstr.h"
#include "nsIClassInfoImpl.h"
#include "nsIIdentityInfo.h"
#include "nsIProgrammingLanguage.h"
#include "nsIObjectOutputStream.h"
#include "nsIObjectInputStream.h"
@ -88,6 +89,39 @@ nsSSLStatus::GetIsUntrusted(bool* _result)
return NS_OK;
}
NS_IMETHODIMP
nsSSLStatus::GetIsExtendedValidation(bool* aIsEV)
{
NS_ENSURE_ARG_POINTER(aIsEV);
*aIsEV = false;
#ifdef NSS_NO_LIBPKIX
return NS_OK;
#else
nsCOMPtr<nsIX509Cert> cert = mServerCert;
nsresult rv;
nsCOMPtr<nsIIdentityInfo> idinfo = do_QueryInterface(cert, &rv);
// mServerCert should never be null when this method is called because
// nsSSLStatus objects always have mServerCert set right after they are
// constructed and before they are returned. GetIsExtendedValidation should
// only be called in the chrome process (in e10s), and mServerCert will always
// implement nsIIdentityInfo in the chrome process.
if (!idinfo) {
NS_ERROR("nsSSLStatus has null mServerCert or was called in the content "
"process");
return NS_ERROR_UNEXPECTED;
}
// Never allow bad certs for EV, regardless of overrides.
if (mHaveCertErrorBits) {
return NS_OK;
}
return idinfo->GetIsExtendedValidation(aIsEV);
#endif
}
NS_IMETHODIMP
nsSSLStatus::Read(nsIObjectInputStream* stream)
{


@ -20,6 +20,10 @@ if CONFIG['COMPILE_ENVIRONMENT']:
if CONFIG['MOZ_CONTENT_SANDBOX']:
add_tier_dir('sandbox', 'security/sandbox')
# Depends on NSS and NSPR, and must be built after sandbox or else B2G emulator
# builds fail.
add_tier_dir('platform', 'security/certverifier')
# the signing related bits of libmar depend on nss
if CONFIG['MOZ_UPDATER']:
add_tier_dir('platform', 'modules/libmar')