mirror of
https://github.com/mozilla/gecko-dev.git
synced 2025-01-27 07:34:20 +00:00
Bug 891066, part 2: Move CertVerifier to security/certverifier, r=keeler
--HG-- extra : rebase_source : dd59a391825b776b075e855660c2488105e2d741
parent
efdf583668
commit
c1583f22ce
@ -18,10 +18,9 @@ toolkit/library
|
||||
gfx
|
||||
toolkit/components/build
|
||||
toolkit/components
|
||||
security/build
|
||||
security/manager
|
||||
security/dbm
|
||||
security/nss
|
||||
security/certverifier
|
||||
security/build
|
||||
accessible
|
||||
dom
|
||||
content
|
||||
|
@ -3,6 +3,7 @@
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "CertVerifier.h"
|
||||
#include "ExtendedValidation.h"
|
||||
#include "ScopedNSSTypes.h"
|
||||
#include "cert.h"
|
||||
#include "secerr.h"
|
||||
@ -14,9 +15,6 @@ extern PRLogModuleInfo* gPIPNSSLog;
|
||||
|
||||
namespace mozilla { namespace psm {
|
||||
|
||||
extern SECStatus getFirstEVPolicy(CERTCertificate* cert, SECOidTag& outOidTag);
|
||||
extern CERTCertList* getRootsForOid(SECOidTag oid_tag);
|
||||
|
||||
const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
|
||||
const CertVerifier::Flags CertVerifier::FLAG_NO_DV_FALLBACK_FOR_EV = 2;
|
||||
|
||||
@ -159,10 +157,10 @@ CertVerifier::VerifyCert(CERTCertificate* cert,
|
||||
|
||||
// Do EV checking only for sslserver usage
|
||||
if (usage == certificateUsageSSLServer) {
|
||||
SECStatus srv = getFirstEVPolicy(cert, evPolicy);
|
||||
SECStatus srv = GetFirstEVPolicy(cert, evPolicy);
|
||||
if (srv == SECSuccess) {
|
||||
if (evPolicy != SEC_OID_UNKNOWN) {
|
||||
trustAnchors = getRootsForOid(evPolicy);
|
||||
trustAnchors = GetRootsForOid(evPolicy);
|
||||
}
|
||||
if (!trustAnchors) {
|
||||
return SECFailure;
|
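Review bot: The calls to `GetFirstEVPolicy` and `GetRootsForOid` in `CertVerifier::VerifyCert` now take their declarations from ExtendedValidation.h, which provides them only under `#ifndef NSS_NO_LIBPKIX`, while the `extern` declarations shown in the earlier hunk of this file had no such guard in the visible lines. If the EV block in VerifyCert is not itself inside an `#ifndef NSS_NO_LIBPKIX` region, a build with NSS_NO_LIBPKIX defined stops compiling at these two calls. The guard cannot be seen from the hunk, and VerifyCert's body starts and ends outside it, so this needs confirming against the full file. If the guard exists, closing it with a labelled `#endif // NSS_NO_LIBPKIX`, as nsNSSCertificate.cpp does in this commit, makes the pairing easy to audit.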
File diff suppressed because it is too large
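--- /dev/null
+++ b/security/certverifier/ExtendedValidation.h
@@ -0,0 +1,23 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_psm_ExtendedValidation_h
+#define mozilla_psm_ExtendedValidation_h
+
+#include "certt.h"
+#include "prtypes.h"
+
+namespace mozilla { namespace psm {
+
+#ifndef NSS_NO_LIBPKIX
+void EnsureIdentityInfoLoaded();
+SECStatus GetFirstEVPolicy(CERTCertificate *cert, SECOidTag &outOidTag);
+CERTCertList* GetRootsForOid(SECOidTag oid_tag);
+void CleanupIdentityInfo();
+#endif
+
+} } // namespace mozilla::psm
+
+#endif // mozilla_psm_ExtendedValidation_h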
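Review bot: The four declarations under `#ifndef NSS_NO_LIBPKIX` carry no comments, and two of them have contracts a caller cannot read off the signature: who owns the `CERTCertList*` returned by `GetRootsForOid`, and whether `EnsureIdentityInfoLoaded` may be called repeatedly and from any thread. Callers in this commit invoke `EnsureIdentityInfoLoaded()` both from a CryptoTask and from certificate methods, so the header should state the threading rule, for example `// Safe to call repeatedly and from any thread; loads the EV root table on first use.` if that is what the implementation guarantees. A matching line on `GetRootsForOid` should say who destroys the list and what a null return means to the verifier. The implementation file is suppressed on this page, so both statements need checking against it before they are written down.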
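--- /dev/null
+++ b/security/certverifier/moz.build
@@ -0,0 +1,20 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+UNIFIED_SOURCES += [
+'CertVerifier.cpp',
+]
+
+if not CONFIG['NSS_NO_LIBPKIX']:
+UNIFIED_SOURCES += [
+'ExtendedValidation.cpp',
+]
+
+LOCAL_INCLUDES += [
+'../insanity/include',
+]
+
+FINAL_LIBRARY = 'xul'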
@ -97,6 +97,8 @@
|
||||
#include <cstring>
|
||||
|
||||
#include "CertVerifier.h"
|
||||
#include "CryptoTask.h"
|
||||
#include "ExtendedValidation.h"
|
||||
#include "nsIBadCertListener2.h"
|
||||
#include "nsICertOverrideService.h"
|
||||
#include "nsISiteSecurityService.h"
|
||||
@ -1343,33 +1345,16 @@ AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig, PRBool isServer)
|
||||
}
|
||||
|
||||
#ifndef NSS_NO_LIBPKIX
|
||||
class InitializeIdentityInfo : public nsRunnable
|
||||
, public nsNSSShutDownObject
|
||||
class InitializeIdentityInfo : public CryptoTask
|
||||
{
|
||||
private:
|
||||
NS_IMETHOD Run()
|
||||
virtual nsresult CalculateResult() MOZ_OVERRIDE
|
||||
{
|
||||
nsNSSShutDownPreventionLock nssShutdownPrevention;
|
||||
if (isAlreadyShutDown())
|
||||
return NS_OK;
|
||||
|
||||
nsresult rv;
|
||||
nsCOMPtr<nsINSSComponent> inss = do_GetService(PSM_COMPONENT_CONTRACTID, &rv);
|
||||
if (NS_SUCCEEDED(rv))
|
||||
inss->EnsureIdentityInfoLoaded();
|
||||
EnsureIdentityInfoLoaded();
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
virtual void virtualDestroyNSSReference()
|
||||
{
|
||||
}
|
||||
|
||||
~InitializeIdentityInfo()
|
||||
{
|
||||
nsNSSShutDownPreventionLock nssShutdownPrevention;
|
||||
if (!isAlreadyShutDown())
|
||||
shutdown(calledFromObject);
|
||||
}
|
||||
virtual void ReleaseNSSResources() MOZ_OVERRIDE { } // no-op
|
||||
virtual void CallCallback(nsresult rv) MOZ_OVERRIDE { } // no-op
|
||||
};
|
||||
#endif
|
||||
|
||||
|
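Review bot: `InitializeIdentityInfo::CalculateResult` calls `EnsureIdentityInfoLoaded()` with no shutdown-prevention lock or `isAlreadyShutDown()` check of its own, so its safety against NSS shutdown now rests entirely on what the `CryptoTask` base class does before invoking it, and that class is not shown on this page. A short comment above the override would record the assumption, for example `// CryptoTask takes the NSS shutdown-prevention lock and skips this call after shutdown.`, once confirmed against CryptoTask.cpp. The same comment can explain why `ReleaseNSSResources` and `CallCallback` are deliberately empty, since `// no-op` says what they do but not why that is correct here.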
@ -16,7 +16,6 @@ EXPORTS.mozilla += [
|
||||
]
|
||||
|
||||
UNIFIED_SOURCES += [
|
||||
'CertVerifier.cpp',
|
||||
'CryptoTask.cpp',
|
||||
'nsCertificatePrincipal.cpp',
|
||||
'nsCertOverrideService.cpp',
|
||||
@ -27,7 +26,6 @@ UNIFIED_SOURCES += [
|
||||
'nsCMSSecureMessage.cpp',
|
||||
'nsCrypto.cpp',
|
||||
'nsDataSignatureVerifier.cpp',
|
||||
'nsIdentityChecking.cpp',
|
||||
'nsKeygenHandler.cpp',
|
||||
'nsKeygenThread.cpp',
|
||||
'nsKeyModule.cpp',
|
||||
@ -94,7 +92,8 @@ UNIFIED_SOURCES += [
|
||||
FINAL_LIBRARY = 'xul'
|
||||
|
||||
LOCAL_INCLUDES += [
|
||||
'../../../insanity/include',
|
||||
'../../../certverifier',
|
||||
'../../../insanity/include',
|
||||
]
|
||||
|
||||
|
||||
|
@ -9,6 +9,7 @@
|
||||
|
||||
#include "nsNSSCertificate.h"
|
||||
#include "CertVerifier.h"
|
||||
#include "ExtendedValidation.h"
|
||||
#include "nsNSSComponent.h" // for PIPNSS string bundle calls.
|
||||
#include "nsNSSCleaner.h"
|
||||
#include "nsCOMPtr.h"
|
||||
@ -1481,6 +1482,125 @@ char* nsNSSCertificate::defaultServerNickname(CERTCertificate* cert)
|
||||
return nickname;
|
||||
}
|
||||
|
||||
#ifndef NSS_NO_LIBPKIX
|
||||
|
||||
nsresult
|
||||
nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
|
||||
{
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
if (isAlreadyShutDown())
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
|
||||
EnsureIdentityInfoLoaded();
|
||||
|
||||
RefPtr<mozilla::psm::SharedCertVerifier>
|
||||
certVerifier(mozilla::psm::GetDefaultCertVerifier());
|
||||
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
|
||||
|
||||
validEV = false;
|
||||
resultOidTag = SEC_OID_UNKNOWN;
|
||||
|
||||
uint32_t flags = mozilla::psm::CertVerifier::FLAG_LOCAL_ONLY |
|
||||
mozilla::psm::CertVerifier::FLAG_NO_DV_FALLBACK_FOR_EV;
|
||||
SECStatus rv = certVerifier->VerifyCert(mCert,
|
||||
certificateUsageSSLServer, PR_Now(),
|
||||
nullptr /* XXX pinarg */,
|
||||
flags, nullptr, &resultOidTag);
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
resultOidTag = SEC_OID_UNKNOWN;
|
||||
}
|
||||
if (resultOidTag != SEC_OID_UNKNOWN) {
|
||||
validEV = true;
|
||||
}
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsresult
|
||||
nsNSSCertificate::getValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
|
||||
{
|
||||
if (mCachedEVStatus != ev_status_unknown) {
|
||||
validEV = (mCachedEVStatus == ev_status_valid);
|
||||
if (validEV) {
|
||||
resultOidTag = mCachedEVOidTag;
|
||||
}
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsresult rv = hasValidEVOidTag(resultOidTag, validEV);
|
||||
if (NS_SUCCEEDED(rv)) {
|
||||
if (validEV) {
|
||||
mCachedEVOidTag = resultOidTag;
|
||||
}
|
||||
mCachedEVStatus = validEV ? ev_status_valid : ev_status_invalid;
|
||||
}
|
||||
return rv;
|
||||
}
|
||||
|
||||
#endif // NSS_NO_LIBPKIX
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsNSSCertificate::GetIsExtendedValidation(bool* aIsEV)
|
||||
{
|
||||
#ifdef NSS_NO_LIBPKIX
|
||||
*aIsEV = false;
|
||||
return NS_OK;
|
||||
#else
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
if (isAlreadyShutDown()) {
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
|
||||
NS_ENSURE_ARG(aIsEV);
|
||||
*aIsEV = false;
|
||||
|
||||
if (mCachedEVStatus != ev_status_unknown) {
|
||||
*aIsEV = (mCachedEVStatus == ev_status_valid);
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
SECOidTag oid_tag;
|
||||
return getValidEVOidTag(oid_tag, *aIsEV);
|
||||
#endif
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsNSSCertificate::GetValidEVPolicyOid(nsACString& outDottedOid)
|
||||
{
|
||||
outDottedOid.Truncate();
|
||||
|
||||
#ifndef NSS_NO_LIBPKIX
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
if (isAlreadyShutDown()) {
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
|
||||
SECOidTag oid_tag;
|
||||
bool valid;
|
||||
nsresult rv = getValidEVOidTag(oid_tag, valid);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
if (valid) {
|
||||
SECOidData* oid_data = SECOID_FindOIDByTag(oid_tag);
|
||||
if (!oid_data) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
char* oid_str = CERT_GetOidString(&oid_data->oid);
|
||||
if (!oid_str) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
outDottedOid.Assign(oid_str);
|
||||
PR_smprintf_free(oid_str);
|
||||
}
|
||||
#endif
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMPL_ISUPPORTS1(nsNSSCertList, nsIX509CertList)
|
||||
|
||||
nsNSSCertList::nsNSSCertList(CERTCertList* certList,
|
||||
|
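Review bot: In `nsNSSCertificate::GetIsExtendedValidation` the `NSS_NO_LIBPKIX` branch writes `*aIsEV = false;` with no null check at all, and the other branch reaches `NS_ENSURE_ARG(aIsEV);` only after the shutdown check. Moving the check to the first line of the function, ahead of the `#ifdef`, covers both configurations: `NS_ENSURE_ARG(aIsEV);` followed by `*aIsEV = false;`, which is the order `nsSSLStatus::GetIsExtendedValidation` uses elsewhere in this commit. Separately, `hasValidEVOidTag` passes `nullptr /* XXX pinarg */` to `VerifyCert`; the marker should become a comment stating whether a null pin argument is intended on this path, or a bug reference.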
@ -11,6 +11,7 @@
|
||||
#include "nsNSSCertificateDB.h"
|
||||
|
||||
#include "CertVerifier.h"
|
||||
#include "ExtendedValidation.h"
|
||||
#include "nsNSSComponent.h"
|
||||
#include "mozilla/Base64.h"
|
||||
#include "nsCOMPtr.h"
|
||||
@ -1698,13 +1699,8 @@ nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
|
||||
nsresult rv;
|
||||
#ifndef NSS_NO_LIBPKIX
|
||||
nsCOMPtr<nsINSSComponent> inss = do_GetService(PSM_COMPONENT_CONTRACTID, &rv);
|
||||
if (NS_FAILED(rv)) {
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
inss->EnsureIdentityInfoLoaded();
|
||||
EnsureIdentityInfoLoaded();
|
||||
#endif
|
||||
|
||||
nsCOMPtr<nsIX509Cert2> x509Cert = do_QueryInterface(aCert);
|
||||
|
@ -10,6 +10,7 @@
|
||||
|
||||
#include "nsNSSComponent.h"
|
||||
|
||||
#include "ExtendedValidation.h"
|
||||
#include "mozilla/Telemetry.h"
|
||||
#include "nsCertVerificationThread.h"
|
||||
#include "nsAppDirectoryServiceDefs.h"
|
||||
@ -220,12 +221,6 @@ nsNSSComponent::nsNSSComponent()
|
||||
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::ctor\n"));
|
||||
mObserversRegistered = false;
|
||||
|
||||
#ifndef NSS_NO_LIBPKIX
|
||||
// In order to keep startup time lower, we delay loading and
|
||||
// registering all identity data until first needed.
|
||||
memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
|
||||
#endif
|
||||
|
||||
NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!");
|
||||
++mInstanceCount;
|
||||
mShutdownObjectList = nsNSSShutDownList::construct();
|
||||
@ -904,12 +899,11 @@ setNonPkixOcspEnabled(int32_t ocspEnabled)
|
||||
{
|
||||
// Note: this preference is numeric vs boolean because previously we
|
||||
// supported more than two options.
|
||||
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
|
||||
if (!ocspEnabled) {
|
||||
CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
|
||||
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
|
||||
} else {
|
||||
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
|
||||
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
|
||||
}
|
||||
}
|
||||
|
||||
|
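Review bot: `setNonPkixOcspEnabled` discards the `SECStatus` returned by every NSS call it makes, including `CERT_EnableOCSPChecking(CERT_GetDefaultCertDB())` on the enabling path, so a failure there leaves OCSP checking off without any trace. Capturing the status and logging on failure is enough, e.g. `if (CERT_EnableOCSPChecking(CERT_GetDefaultCertDB()) != SECSuccess) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("enabling OCSP checking failed\n")); }`, using the log module the constructor in this file already writes to. The function's signature line lies outside the hunk and is known only from the hunk header.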
@ -107,10 +107,6 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports {
|
||||
const nsAString& token) = 0;
|
||||
#endif
|
||||
|
||||
#ifndef NSS_NO_LIBPKIX
|
||||
NS_IMETHOD EnsureIdentityInfoLoaded() = 0;
|
||||
#endif
|
||||
|
||||
NS_IMETHOD IsNSSInitialized(bool* initialized) = 0;
|
||||
|
||||
virtual ::mozilla::TemporaryRef<mozilla::psm::SharedCertVerifier>
|
||||
@ -175,9 +171,6 @@ public:
|
||||
const nsAString& token);
|
||||
#endif
|
||||
|
||||
#ifndef NSS_NO_LIBPKIX
|
||||
NS_IMETHOD EnsureIdentityInfoLoaded();
|
||||
#endif
|
||||
NS_IMETHOD IsNSSInitialized(bool* initialized);
|
||||
|
||||
::mozilla::TemporaryRef<mozilla::psm::SharedCertVerifier>
|
||||
@ -189,7 +182,6 @@ private:
|
||||
|
||||
void InstallLoadableRoots();
|
||||
void UnloadLoadableRoots();
|
||||
void CleanupIdentityInfo();
|
||||
void setValidationOptions(bool isInitialSetting);
|
||||
nsresult setEnabledTLSVersions();
|
||||
nsresult InitializePIPNSSBundle();
|
||||
@ -226,7 +218,6 @@ private:
|
||||
|
||||
|
||||
static PRStatus IdentityInfoInit(void);
|
||||
PRCallOnceType mIdentityInfoCallOnce;
|
||||
};
|
||||
|
||||
class nsNSSErrors
|
||||
|
@ -7,6 +7,7 @@
|
||||
#include "nsSSLStatus.h"
|
||||
#include "plstr.h"
|
||||
#include "nsIClassInfoImpl.h"
|
||||
#include "nsIIdentityInfo.h"
|
||||
#include "nsIProgrammingLanguage.h"
|
||||
#include "nsIObjectOutputStream.h"
|
||||
#include "nsIObjectInputStream.h"
|
||||
@ -88,6 +89,39 @@ nsSSLStatus::GetIsUntrusted(bool* _result)
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsSSLStatus::GetIsExtendedValidation(bool* aIsEV)
|
||||
{
|
||||
NS_ENSURE_ARG_POINTER(aIsEV);
|
||||
*aIsEV = false;
|
||||
|
||||
#ifdef NSS_NO_LIBPKIX
|
||||
return NS_OK;
|
||||
#else
|
||||
nsCOMPtr<nsIX509Cert> cert = mServerCert;
|
||||
nsresult rv;
|
||||
nsCOMPtr<nsIIdentityInfo> idinfo = do_QueryInterface(cert, &rv);
|
||||
|
||||
// mServerCert should never be null when this method is called because
|
||||
// nsSSLStatus objects always have mServerCert set right after they are
|
||||
// constructed and before they are returned. GetIsExtendedValidation should
|
||||
// only be called in the chrome process (in e10s), and mServerCert will always
|
||||
// implement nsIIdentityInfo in the chrome process.
|
||||
if (!idinfo) {
|
||||
NS_ERROR("nsSSLStatus has null mServerCert or was called in the content "
|
||||
"process");
|
||||
return NS_ERROR_UNEXPECTED;
|
||||
}
|
||||
|
||||
// Never allow bad certs for EV, regardless of overrides.
|
||||
if (mHaveCertErrorBits) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
return idinfo->GetIsExtendedValidation(aIsEV);
|
||||
#endif
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsSSLStatus::Read(nsIObjectInputStream* stream)
|
||||
{
|
||||
|
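Review bot: In `nsSSLStatus::GetIsExtendedValidation`, `rv` is filled by `do_QueryInterface(cert, &rv)` but never read; the failure path is decided by `!idinfo` alone. Either drop the out-parameter, `nsCOMPtr<nsIIdentityInfo> idinfo = do_QueryInterface(cert);`, or return `rv` in place of the fixed `NS_ERROR_UNEXPECTED` when it carries a failure code. `NS_ERROR` only fires in debug builds, so in release builds the content-process case described in the comment is reported solely through the return value, which callers therefore must not ignore.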
@ -20,6 +20,10 @@ if CONFIG['COMPILE_ENVIRONMENT']:
|
||||
if CONFIG['MOZ_CONTENT_SANDBOX']:
|
||||
add_tier_dir('sandbox', 'security/sandbox')
|
||||
|
||||
# Depends on NSS and NSPR, and must be built after sandbox or else B2G emulator
|
||||
# builds fail.
|
||||
add_tier_dir('platform', 'security/certverifier')
|
||||
|
||||
# the signing related bits of libmar depend on nss
|
||||
if CONFIG['MOZ_UPDATER']:
|
||||
add_tier_dir('platform', 'modules/libmar')
|
||||
|