mirror of
https://github.com/roytam1/palemoon27.git
synced 2026-05-26 14:30:27 +00:00
roytam1
c7dc12e90f
- Bug 1251253 - prevent null pointer dereference of |aContext| in CacheStorageService::DoomStorageEntries. r=mayhemer (35b449c612)
- Bug 1260498 - Make test_rel_preconnect work in e10s mode. r=mcmanus (e6823ce4c4)
- Bug 1016628 - Add prefetch abilities to the predictor. r=mayhemer (53ab180c97)
- Bug 1258482 - FileList should contain only Files, not Directories, r=smaug (ff78125454)
- Bug 1258694 - Implement Directory::GetFiles(), r=smaug (305784524e)
- Bug 1263992 - patch 1 - Remove DirectoryType enum, r=smaug (89e1a59041)
- Bug 1263992 - patch 2 - Support the creation of directories from FileSystemTasks, r=smaug (c569092cef)
- Bug 1243586 - Implement Upgrade-Insecure-Requests HTTP Request Header Field. r=rbarnes (4b8a84c656)
- Bug 1262572 - http 0.9 telemetry. r=hurley (6006881336)
- Bug 587177 - Update all comments before SetOriginalURI to reflect reality, r=mcmanus (b2fedb0728)
- Bug 1261632 - Assert that OnStopRequest is called only once. r=michal (c35b1922b9)
- Bug 1232422 - Convert 5 tests within netwerk/test to use AsyncOpen2 (r=mcmanus) (4af8d43814)
- Bug 831450 - No Range Requests against weak Etag r=mayhemer (9b4a159e1e)
- Bug 1214277 - Avoid bypassing opening a cache entry for possibly intercepted channels; r=mcmanus (c5b0de6990)
- partial apply Bug 1234369 - Convert 25 tests within netwerk/test to use AsyncOpen2 (1b81d5a303)
- Bug 299031 - heuristic cache rule for 410 should be longer r=mayhemer (848834fc31)
- Bug 1121447 - trust cache less for error codes r=mayhemer (0424fec819)
- Bug 1125916 - Check whether loadInfo and loadContext match. r=sicking, r=jduell (6740850922)
- Bug 1258778 - Purge the skia glyph cache when receiving a low memory notice. r=erahm (633c60b0c6)
- Bug 1125916 - Add SEC_FORCE_PRIVATE_BROWSING to LoadInfo. r=sicking, r=jduell (10b5a1cacb)
- Bug 1105556 - test fixes. r=sicking, ckerschb (845d0dbd65)
- Bug 1258481 - Use RegionBuilder for nsRegion IPC. r=jrmuizel (616c279297)
- Bug 1014691 - Fix an include-what-you-use error in TestCompositor.cpp. r=kats (2797f83f1d)
- Bug 1256408 - Add graphics microbenchmarking. r=mstange (49b11b051b)
- Bug 1258481 - Add a RegionBuilder for accumulating rects. r=jrmuizel (acd79192db)
- Track whether or not remote layers have acknowledged compositor changes. (bug 1256517 part 1, r=mattwoodrow) (e3cc77ed41)
- Move compositable field out of individual compositable ops. (bug 1256517 part 2, r=mattwoodrow) (1d4a063df3)
- Bug 1241058: Assure several operations properly operate on the current group target. r=jrmuizel (6119e2b4db)
- Bug 1247700: Avoid crash from invalid fonts. r=bas (c4c2799b94)
- Bug 1242421 - remove useless null check. r=roc@ocallahan.org (44faf6556d)
- Add instrumentation for when content processes fail to acquire D3D11 devices. (bug 1247539, r=milan) (bd9265d78e)
- Make access to gfxWindowsPlatform D3D11 devices thread-safe. (bug 1258174, r=bas) (032e74b163)
- Disable device access on textures created against stale layers. (bug 1256517 part 3, r=nical) (ffcebbdee6)
- Block compositable updates from stale layers. (bug 1256517 part 4, r=mattwoodrow,nical) (fc83339f2d)
- Fix build bustage for bug 1256517 r=broken tree (3952871373)
- Bug 1256678 - Replace DrawTargetCairo::FillGlyphs crashes with other crashes - r=bobowen (b7245ba436)
- Bug 1120485. Log CloseHandle error reason during MessageChannel shutdown failure. r=milan (2f81d9c2aa)
- Bug 1242448 - Ensure the tile pool does not hold textures during shutdown. r=edwin (d31c304258)
- Bug 1258851 - Propagate the isScrollbarContainer layer flag to the compositor. r=mattwoodrow (b9906d7557)
- Bug 1260391: Transfer |CompositableOperation| in |AsyncChildMessageData|, r=dvander (1def34c5f8)
- Bug 1252324 - add DrawTarget API for 3D transforms for use in layers. r=jrmuizel (bc80529422)
- Bug 1255342 - implement DrawTargetCairo::LockBits for Cairo Win32 surfaces. r=sotaro (6f5661691b)
- Bug 1263480 - Don't let cairo go into an error state when DrawSurface is called with an empty destination rectangle. r=lsalzman (4300940101)
- Bug 1251241 - return from DrawTargetCairo::FillGlyphs if |aFont| is ullptr. r=roc (bb92f95ccd)
- Bug 1255320 - Create DrawTarget with DIB as similar DrawTarget r=jrmuizel (03f1da030d)
- Bug 1215265 - Put shutting down gfx ipdl protocols for child processes behind a pref. r=sotaro (aa781b37f9)
- Bug 1262898: Keep the GeckoChildProcessHost alive for the lifetime of the CompositorBridge and ImageBridge parent actors. r=jimm r=nical (dcca3b54e1)
- Bug 1251619: Remove unused gfxPlatform::CreateDrawTargetForUpdateSurface r=mchang (b29565995e)
- Bug 1255973 - Remove redundant overrides from gfxPlatform subclasses. r=jfkthame (d45f8a6640)
- Bug 1259466. Rename layers.offmainthreadcomposition.enabled. r=milan We would rather people not use this pref. (f362da1bd3)
- Bug 881609: Call InitLayersAccelerationPrefs only once. r=nrc (faed10a0d4)
- Bug 1209780. Mark some DrawResult's as unused in layout/svg. r=seth (48192d6b34)
- Bug 1251115 - Fix incorrect rendering result while mask path is not resolvable; r=mstange (a52b478fdf)
- Bug 1228354 - Part1 - Support luminance mask mode. r=mstange r=bas (b03abbe8a6)
- Bug 1228354 - Part2. Add test case for mask-mode. r=heycam (6bea36a70c)
- Bug 1259802: Add type replacement annotations to simplify rust binding generation for nsStyleStruct.h, r=bholley (48c13e62f2)
- Bug 1261754 - Part 1: Improve static assertions for style struct bits. r=dholbert (2ce6d994a5)
- Bug 1261552 - Reimplement default placement-new for style structs. r=heycam (db9d7782e2)
- Bug 1261552 - Introduce StaticPresData and hoist some shared functionality into it. r=heycam (adf2e16b4d)
- Bug 1226627 - Truncate the result in ZoomText/UnZoomText rather than rounding it for better performance. r=roc (f1d1084ba1)
- Bug 1247777 - Part1: parse and compute -webkit-text-fill-color property. r=heycam (fc4161355c)
- Bug 1247777 - Part2: implement -webkit-text-fill-color rendering. r=jfkthame (0f30da9c5b)
- Bug 1247777 - Part3: reftests for -webkit-text-fill-color. r=jfkthame Add this test into web-platform-tests. (02e41db8cc)
- Bug 1043461 - Followup to ensure we still test custom property position when the UA style sheet doesn't have custom properties in it. r=dholbert (48df73d684)
- Bug 1247777 - Part4.1: replace windows-style line endings with unix-style line endings. r=bz (be8ba60960)
- Bug 1247777 - Part4.2: add compatible webkit prefixed properties in CSS properties ordering check test. r=bz (7b78825e14)
- Bug 1261552 - Introduce StyleStructContext, and make all style struct constructors take it. r=heycam (65b3966841)
- Bug 1258017 - Use an nsCOMPtr to hold onto the nsIStyleRule. r=dbaron (e88d7e368f)
- Bug 1258017 - Use a RefPtr to hold onto the parent style context. r=dbaron (6a7289ca43)
- Bug 1258017 - Redesign and simplify rule tree GC. r=dbaron (3bf60a9b04)
- Bug 1253149 - Remove the #ifdef __cplusplus bits from ServoBindings.h. r=SimonSapin (bf2b18a470)
- Bug 1251496 - Forward stylesheet management to RawServoStyleSet. r=heycam (0a3aa90b2d)
- Bug 1260310 - Generalize nsStyleContext to support resolving styles from either nsRuleNode or ServoComputedValues. r=heycam (82b6d5d008)
- Bug 1258017 - Cleanup fixes for trunk. r=me (674a65815a)
- Bug 1236400 part 1: Add internal enum values to represent "display: -webkit-box" & "display: -webkit-inline-box". r=mats (509c94da15)
- Bug 1236400 part 2: Extend NeedsAnonFlexOrGridItem() & related code to wrap all inline-level -webkit-box children in an anonymous flex item. r=mats (dc11b9b09f)
- Bug 1236400 part 3: If webkit prefix support is enabled, skip CSS Parser code that converts "display: -webkit-box" directly to "display: flex". r=mats (e09b459124)
- Bug 1236400 part 4: Add reftests to test how non-block-level content gets wrapped inside a -webkit-box. (no review) (46e4d8cb07)
- Bug 1261754 - Part 2: Make quotes computed values shareable between different structs. r=dholbert (a78e43b706)
- Bug 1261754 - Part 3: Move quotes from nsStyleQuotes to nsStyleList and delete nsStyleQuotes. r=dholbert (fdcd9aaa3f)
- Bug 1209273 - Part 1: Support for adjust-color CSS property. r=dbaron (818a7fe0ff)
- Bug 1209273 - Part 2: Force printing background if color-adjust: exact. r=dbaron (ffd52c0dbc)
- Bug 1261754 - Part 4: Move image-rendering from nsStyleSVG to nsStyleVisibility. r=dholbert (ee8372fb94)
- Bug 1261754 - Part 5: Move text-rendering from nsStyleSVG to nsStyleText. r=dholbert (c13a11313d)
- Bug 1261754 - Part 6: Move vertical-align from nsStyleTextReset to nsStyleDisplay. r=dholbert (d374b3700b)
- Bug 1261754 - Part 7: Move pointer-events from nsStyleVisibility to nsStyleUserInterface. r=dholbert (8693251243)
- Bug 1261754 - Part 8: Move box-shadow from nsStyleBorder to a new nsStyleEffects struct. r=dholbert (8263476827)
- Bug 1261754 - Part 9: Move clip from nsStyleDisplay to nsStyleEffects. r=dholbert (5418597309)
- Bug 1261754 - Part 10: Move mix-blend-mode from nsStyleDisplay to nsStyleEffects. r=dholbert (ebae613929)
- Bug 1261754 - Part 11: Move opacity from nsStyleDisplay to nsStyleEffects. r=dholbert (589292af44)
- Bug 1187851 patch 6 - Make dynamic changes to filter change fixed position containing block for descendants. r=roc (003a3aa6ce)
- Bug 1261754 - Part 12: Move filter from nsStyleSVGReset to nsStyleEffects. r=dholbert (78d87914f9)
- Bug 1259513: Make gfxContext constructor private, use a utility function that can return nullptr. r=bas,lsalzman (43df6e429f)
- Bug 1259785: Do a proper flush when taking a snapshot so our dependent targets and command lists get appropriately cleared. r=jrmuizel (9f7372cce1)
- Bug 1251431 - Part 1: Allow usage of an A8 source pattern to MaskSurface for D2D 1.1 Moz2D backend. r=jwatt (632eb6d2da)
- Bug 1251431 - Part 2: Do not apply the device transform when drawing to an already intermediate surface. r=jwatt (3a24f4a5c6)
- Bug 1251431 - GCC compilation fixup. (2356f0a58c)
- Bug 1238328: Purge stored command lists by calling EndDraw/BeginDraw on a regular basis when they're used. r=jrmuizel (33f47b281f)
- Bug 1246641: Also execute an occasional EndDraw for CommandLists used by non-operator OVER drawing. r=jrmuizel (b3e03ad111)
- Bug 1258168: Push ClearType compatible clipping layers when the last pushed layer was marked as opaque. r=jrmuizel (bd069ad7b6)
- Bug 1264736: Crash sooner if we can't get a valid command list, at least in nightly/aurora. r=bas (fb4bb56815)
- Bug 1255438 - create nsI{Mutable,}Array directly; r=keeler (1b802b23b7)
- Bug 1255438 - fix OS X warning bustage and reopen this CLOSED TREE; r=me (07a05910a6)
- bug 1197314: Remove PR_snprintf calls in security/manager/ssl/ r=keeler (f2271aad87)
- Bug 1258298 - Switch more Scoped.h templates in PSM to UniquePtr equivalents. r=keeler (2ee1a85d8e)
- Bug 1191414 - gather telemetry on usage of <keygen>. r=keeler,r=vladan (150bad38a1)
- Bug 1260644 - Use UniquePLArenaPool to manage PLArenaPools in PSM. r=keeler (9e8ad9c0d4)
- Bug 1247250 - Enable TLS 1.3 anti-downgrade on non-secure fallback. r=keeler (7a950b427a)
- Bug 1215796 - Remove the static fallback whitelist. r=keeler (fa55b5920b)
- bug 1254667 - change certificate verification SHA1 policy to "allow or locally-installed roots" r=jcj (5d0bb9e8b1)
- bug 1245280 - add policy mechanism to optionally enforce BRs for falling back to subject CN r=Cykesiopka,mgoodwin (ecd4f2180a)
- Bug 1254653 - Add telemetry to measure how often we encounter EV certificates r=keeler (9da287b490)
- Bug 1259909 - Obviate char PORT_Free() calls in PSM. r=keeler (b7ba2a47da)
- Bug 1252882 - Add a Content Signature Service r=keeler,r=franziskus,r=Cykesiopka (8b806022a0)
- Bug 1255784 - u2f tests should use SpecialPowers.pushPrefEnv, r=jjones (839a58476f)
- Bug 1244960 - Complete FIDO u2f NSSToken (Part 1). r=keeler, r=baku (3d64aa2b7c)
- Bug 1244960 - FIDO u2f NSSToken (Part 2): Use Attestation Certificates. r=keeler (aee3ffc830)
- Bug 1244960 - FIDO u2f NSSToken (Part 3): Review updates. r=keeler (b2f81c2b72)
- Bug 1244960 - FIDO u2f NSSToken (Part 4): Correct FacetID base algorithm. r=keeler (9e70506580)
- Bug 1244960 - FIDO u2f NSSToken (Part 5): Review updates. r=keeler (62a28f2502)
- Bug 1231643 - Part 1. Create skia-A8-surface for mask composition when backendtype of the source DrawTarget is CG; r=mstange (dd03d86f55)
- Bug 1244598 - Move resource files of w3c-css/masking into ./support subdir. r=dbaron (4c9e789191)
- Bug 1243675 - Part 1. Add mask-image property reftest. r=dbaron (18e5dfa90b)
- Bug 1243675 - Part 2. Add mask-clip property reftest. r=dbaron (ddf834d408)
- Bug 1243675 - Part 3. Add mask-position property reftest. r=dbaron (68cae7c7e6)
- Bug 1243675 - Part 4. Add mask-repeat property reftest. r=dbaron (0a3ed45377)
- Bug 1243675 - Part 5. Add mask-origin property reftest. r=dbaron (f5785145a7)
- Bug 1243675 - Part 6. Add mask-size property reftest. r=dbaron (1ab2040973)
- Bug 1231643 - Part 2. Enable mask-composite reftest; r=dbaron (8c3b863d97)
- Bug 1263622 - Fixed nsNSSComponent.cpp compilation on mingw. r=dkeeler,ted (0e651c0211)
- Bug 1266249 - Remove mHasCachedOutline. r=dbaron (c46459acf2)
- Bug 1235634 - Construct nsNSSShutdownList::singleton lazily on first use r=keeler (1b53753c2e)
- Bug 1262645 - Address misc issues with nsGetUserCertChoice(). r=keeler (ec675be29a)
- Bug 1238001 - Allow TLS info to be updated on renegotiation, r=keeler (a2ec0c8a07)
- Bug 1201437 - Add new WebProgress state flag for user-overridden cert. r=keeler (0b9edbc8d8)
- Bug 1201437 - Make cert override tests check for STATE_CERT_USER_OVERRIDDEN. r=keeler (5246515084)
- bug 1261936 - stop using the subject common name in certificate verification error messages r=Cykesiopka (982cf43a11)
- bug 1230234 - fix a leak in client auth certificate handling r=Cykesiopka (6e83f81218)
- Bug 1260643 - Convert most uses of ScopedCERTCertificate in PSM to UniqueCERTCertificate. r=keeler (806b895c41)
- Bug 1207137 - Set a security state flag when weak crypto override is needed. r=keeler Bug 1254306 - Do not check the fallback limit version for the RC4 fallback. r=keeler (8b5cb7101f)
- Bug 1253010 - part 3 - create all nsIDateTimeFormat instances directly; r=smontagu (c1aa5d1d62)
- Bug 1260310 - Create servo style contexts from ServoStyleSet. r=heycam (05f876eb13)
- Bug 759568 - Part 1. Parse background-clip:text; r=dholbert r=heycam (d013b8fd84)
- Bug 1251995 part 6 - Use struct to pass params for nsTextFrame::PainText* functions. r=jfkthame (3b9c163eab)
- Bug 759568 - Part 2. Render background-clip:text; r=jfkthame (e534e048bf)
- Bug 759568 - Part 4. mochitest for background-clip:text; r=heycom (3e548ebf99)
- Bug 759568 - Part 5. reftest for background-clip:text; r=dbaron (43d2915305)
- Bug 759568 - Part 6. Remove unused nsDisplayList::mVisibleRect; r=jfkthame (960a85de40)
- Bug 1264910 - Simplify pref callback register/unregister in nsLayoutUtils. r=dholbert (f50219f117)
- Bug 1097499 part 1 - Control support of 'text-combine-upright: digits' via a separate pref. r=heycam (37df36e815)
- Bug 1261062 - When constraining the displayport by the max texture size, maintain the relative distribution of the margins. r=dvander (9a9423bdf1)
- Bug 1246290 - Add a pref to allow disabling APZ on documents which have scroll-linked effects. r=botond (781b63c578)
- Bug 1263347 - When checking if displayport changes should schedule a paint, make sure to use the proper displayport. r=mstange (998f59843e)
- Bug 1097499 part 15 - Add reftests for text-combine-upright. r=jfkthame (843bea00bc)
- Bug 1097499 followup - Fix metadata of tests submitted to w3c. DONTBUILD (e671b5b38b)
- Bug 1097499 followup 2 - Fix metadata of tests submitted to w3c. DONTBUILD (abf0895450)
- Bug 1097499 part 2 - Add a macro to simplify usage of nsStyleContext::GetUniqueStyleData. r=heycam (10486f1f24)
- Bug 1097499 part 3 - Add a separate anonbox for text nodes. r=heycam (7dd4347215)
- Bug 1097499 part 4 - Adjust computed value of writing-mode on text frames when text-combine-upright is used. r=heycam (c193f14b27)
- Bug 1097499 part 5 - Layout text combine upright. r=jfkthame (c21422930b)
- Bug 1097499 part 6 - Inherit move direction from parent for horizontal-in-vertical text. r=jfkthame (cf436b8494)
- Bug 1097499 part 7 - Add reverse function of GetFullWidth. r=emk (32d02e7437)
- Bug 1097499 part 8 - Move CountGraphemeClusters to mozilla::unicode. r=emk (e2b8942e53)
- Bug 1156588 - Add crashtest. (237adb0604)
- Bug 1234622. Tweak how nsDocumentViewer::FindContainerView finds the parent presshell. r=bz (d1e76ae2e9)
- Bug 1245978 part 1: Make nsDocumentViewer::CreateStyleSet directly return the thing it creates. r=heycam (ede16260a4)
- Bug 1245978 part 2: Drop redundant 'virtual' keyword from NS_DECL_NSIDOCUMENTVIEWERPRINT macro (which already includes 'override' keyword). r=heycam (42b8962e4f)
- Bug 1183879 - Soften "non-subdocument frame" warning to also allow dummy nsFrames, which exist while subdocument is loading. r=dholbert (6ebcb53421)
- Bug 1259246. Move nsIPresShell::GetRealPrimaryFrameFor to nsLayoutUtils::GetRealPrimaryFrameFor. r=dholbert (d3efd2f03a)
- Bug 645647 part 1 - Don't let empty bullet frames block suppressing white-space in intrinsic size calculations. r=dholbert (2ce0a86bfb)
- Bug 645647 part 2 - Reftests. (496e491990)
- Bug 645647 part 3 - Remove unused trailingTextFrame member. r=dholbert (bd26ea25e6)
- Bug 645647 part 4 - Add an 'm' prefix to some members to follow our naming conventions. r=dholbert (fe3c5240c9)
- Bug 1097499 part 9 - Transform full-width characters to non-full-width correspondents for combined text. r=jfkthame (5b1eafe2a7)
- Bug 1097499 part 10 - Add fwid/hwid/twid/qwid font feature support to gfx. r=jfkthame (682698dd38)
- Bug 1097499 part 11 - Set width variant for text-combined frame. r=jfkthame (937f61e0e9)
- Bug 1097499 part 12 - Handle spacing sensibly for text-combine-upright. r=jfkthame (9ae1ab2941)
- Bug 1220438 - Correct baseline offset computation of text decoration for vertical-rl. r=jfkthame (10ad32d702)
- Bug 1258636 part 1 - Use structs to pass params for decoration-related functions in nsCSSRendering. r=jfkthame (deef7071f1)
- Bug 1258636 part 2 - Use struct to pass params for nsTextFrame::PaintDecorationLine. r=jfkthame (df5bde2547)
- Bug 1229743 part 1 - Simplify text decoration handling code with lambda function and range-based for loop. r=jfkthame (51cd3ea4ca)
- Bug 1229743 part 2 - Fix up decoration rect computation for vertical-rl and sideways-lr. r=jfkthame (0113279f53)
- Bug 1251995 part 7 - Use struct to pass params for nsTextFrame::Paint*Shadow functions. r=jfkthame (e81ba231aa)
- Bug 759568 - Part 3. Render text-selection beneath background image; r=jfkthame (e6757762ff)
- Bug 1097499 part 13 - Draw decoration line properly for text-combine-upright. r=jfkthame (8f4be7f987)
- Bug 1264120. Remove usage of nsAutoPtr from gfx/src. r=jfkthame (6831454d8c)
- Bug 1119619 - Allow font-selection to fall back to an alternative face within the same family if the first-found face was not Regular, to handle cases where some styled faces have a reduced character set. r=m_kato (d8851b2877)
- Bug 1243226 - relax the limit on fontconfig generics. r=heycam, a=me (05df737d0e)
- Bug 1245811 - part 1 (based on patch by Andrew Comminos) - Replace gfxPlatformFontList::FindFamily with FindAndAddFamilies to allow for the possibility of the implementation returning multiple font families (e.g. when fontconfig has 'prefer' aliases). r=karlt (2bef9fafb0)
- Bug 1245811 - part 2 (based on patch by Andrew Comminos) - Let gfxFcPlatformFontList return multiple families for a given name once fontconfig substitutions have been applied. r=karlt (1ffb425a0e)
- Bug 1265452 - Remove use of nsAutoPtr from gfx/thebes. r=jrmuizel (d02c913ad5)
- Bug 1265459 - Replace uses of nsAutoPtr<gfxTextRun> with UniquePtr, and let MakeTextRun and similar methods return a UniquePtr. r=jrmuizel (da32e376b7)
- Bug 1097499 part 14 - Draw emphasis marks properly for text-combine-upright. r=jfkthame (c9115615c6)
- Bug 1097499 part 16 - Enable text-combine-upright by default. r=jfkthame (b616987f95)
- Bug 1261699 - preserve user fontconfig autohint settings in Cairo glyph rendering options. r=jfkthame (3e46dff5ff)
- Bug 1216001 - Fix a typo that eliminated a possible paint optimization. r=xidorn (6a350cadb7)
- Bug 1261568 - part1: take -webkit-text-fill-color into consideration while (d49cf427ab)
- Bug 1261568 - part2.1: update manifest before adding test. r=jgraham Bug 1261568 - part2.2: add reftest. r=jfkthame (ef3c22cfb4)
1516 lines
46 KiB
C++
1516 lines
46 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=2 et sw=2 tw=80: */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "nsNSSCertificateDB.h"
|
|
|
|
#include "AppTrustDomain.h"
|
|
#include "CryptoTask.h"
|
|
#include "NSSCertDBTrustDomain.h"
|
|
#include "ScopedNSSTypes.h"
|
|
#include "base64.h"
|
|
#include "certdb.h"
|
|
#include "mozilla/Logging.h"
|
|
#include "mozilla/RefPtr.h"
|
|
#include "mozilla/UniquePtr.h"
|
|
#include "nsCOMPtr.h"
|
|
#include "nsComponentManagerUtils.h"
|
|
#include "nsDataSignatureVerifier.h"
|
|
#include "nsHashKeys.h"
|
|
#include "nsIDirectoryEnumerator.h"
|
|
#include "nsIFile.h"
|
|
#include "nsIFileStreams.h"
|
|
#include "nsIInputStream.h"
|
|
#include "nsIStringEnumerator.h"
|
|
#include "nsIZipReader.h"
|
|
#include "nsNSSCertificate.h"
|
|
#include "nsNetUtil.h"
|
|
#include "nsProxyRelease.h"
|
|
#include "nsString.h"
|
|
#include "nsTHashtable.h"
|
|
#include "nssb64.h"
|
|
#include "pkix/pkix.h"
|
|
#include "pkix/pkixnss.h"
|
|
#include "plstr.h"
|
|
#include "secmime.h"
|
|
|
|
|
|
using namespace mozilla::pkix;
|
|
using namespace mozilla;
|
|
using namespace mozilla::psm;
|
|
|
|
extern mozilla::LazyLogModule gPIPNSSLog;
|
|
|
|
namespace {
|
|
|
|
// Reads a maximum of 1MB from a stream into the supplied buffer.
|
|
// The reason for the 1MB limit is because this function is used to read
|
|
// signature-related files and we want to avoid OOM. The uncompressed length of
|
|
// an entry can be hundreds of times larger than the compressed version,
|
|
// especially if someone has specifically crafted the entry to cause OOM or to
|
|
// consume massive amounts of disk space.
|
|
//
|
|
// @param stream The input stream to read from.
|
|
// @param buf The buffer that we read the stream into, which must have
|
|
// already been allocated.
|
|
nsresult
|
|
ReadStream(const nsCOMPtr<nsIInputStream>& stream, /*out*/ SECItem& buf)
|
|
{
|
|
// The size returned by Available() might be inaccurate so we need
|
|
// to check that Available() matches up with the actual length of
|
|
// the file.
|
|
uint64_t length;
|
|
nsresult rv = stream->Available(&length);
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
return rv;
|
|
}
|
|
|
|
// Cap the maximum accepted size of signature-related files at 1MB (which is
|
|
// still crazily huge) to avoid OOM. The uncompressed length of an entry can be
|
|
// hundreds of times larger than the compressed version, especially if
|
|
// someone has speifically crafted the entry to cause OOM or to consume
|
|
// massive amounts of disk space.
|
|
static const uint32_t MAX_LENGTH = 1024 * 1024;
|
|
if (length > MAX_LENGTH) {
|
|
return NS_ERROR_FILE_TOO_BIG;
|
|
}
|
|
|
|
// With bug 164695 in mind we +1 to leave room for null-terminating
|
|
// the buffer.
|
|
SECITEM_AllocItem(buf, static_cast<uint32_t>(length + 1));
|
|
|
|
// buf.len == length + 1. We attempt to read length + 1 bytes
|
|
// instead of length, so that we can check whether the metadata for
|
|
// the entry is incorrect.
|
|
uint32_t bytesRead;
|
|
rv = stream->Read(char_ptr_cast(buf.data), buf.len, &bytesRead);
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
return rv;
|
|
}
|
|
if (bytesRead != length) {
|
|
return NS_ERROR_FILE_CORRUPTED;
|
|
}
|
|
|
|
buf.data[buf.len - 1] = 0; // null-terminate
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
// Finds exactly one (signature metadata) JAR entry that matches the given
|
|
// search pattern, and then load it. Fails if there are no matches or if
|
|
// there is more than one match. If bugDigest is not null then on success
|
|
// bufDigest will contain the SHA-1 digeset of the entry.
|
|
nsresult
|
|
FindAndLoadOneEntry(nsIZipReader * zip,
|
|
const nsACString & searchPattern,
|
|
/*out*/ nsACString & filename,
|
|
/*out*/ SECItem & buf,
|
|
/*optional, out*/ Digest * bufDigest)
|
|
{
|
|
nsCOMPtr<nsIUTF8StringEnumerator> files;
|
|
nsresult rv = zip->FindEntries(searchPattern, getter_AddRefs(files));
|
|
if (NS_FAILED(rv) || !files) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
bool more;
|
|
rv = files->HasMore(&more);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
if (!more) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
rv = files->GetNext(filename);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
// Check if there is more than one match, if so then error!
|
|
rv = files->HasMore(&more);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
if (more) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
nsCOMPtr<nsIInputStream> stream;
|
|
rv = zip->GetInputStream(filename, getter_AddRefs(stream));
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
rv = ReadStream(stream, buf);
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
|
|
}
|
|
|
|
if (bufDigest) {
|
|
rv = bufDigest->DigestBuf(SEC_OID_SHA1, buf.data, buf.len - 1);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
// Verify the digest of an entry. We avoid loading the entire entry into memory
|
|
// at once, which would require memory in proportion to the size of the largest
|
|
// entry. Instead, we require only a small, fixed amount of memory.
|
|
//
|
|
// @param stream an input stream from a JAR entry or file depending on whether
|
|
// it is from a signed archive or unpacked into a directory
|
|
// @param digestFromManifest The digest that we're supposed to check the file's
|
|
// contents against, from the manifest
|
|
// @param buf A scratch buffer that we use for doing the I/O, which must have
|
|
// already been allocated. The size of this buffer is the unit
|
|
// size of our I/O.
|
|
nsresult
|
|
VerifyStreamContentDigest(nsIInputStream* stream,
|
|
const SECItem& digestFromManifest, SECItem& buf)
|
|
{
|
|
MOZ_ASSERT(buf.len > 0);
|
|
if (digestFromManifest.len != SHA1_LENGTH)
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
nsresult rv;
|
|
uint64_t len64;
|
|
rv = stream->Available(&len64);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
if (len64 > UINT32_MAX) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_TOO_LARGE;
|
|
}
|
|
|
|
ScopedPK11Context digestContext(PK11_CreateDigestContext(SEC_OID_SHA1));
|
|
if (!digestContext) {
|
|
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
|
|
}
|
|
|
|
rv = MapSECStatus(PK11_DigestBegin(digestContext));
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
uint64_t totalBytesRead = 0;
|
|
for (;;) {
|
|
uint32_t bytesRead;
|
|
rv = stream->Read(char_ptr_cast(buf.data), buf.len, &bytesRead);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
if (bytesRead == 0) {
|
|
break; // EOF
|
|
}
|
|
|
|
totalBytesRead += bytesRead;
|
|
if (totalBytesRead >= UINT32_MAX) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_TOO_LARGE;
|
|
}
|
|
|
|
rv = MapSECStatus(PK11_DigestOp(digestContext, buf.data, bytesRead));
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
}
|
|
|
|
if (totalBytesRead != len64) {
|
|
// The metadata we used for Available() doesn't match the actual size of
|
|
// the entry.
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
|
|
}
|
|
|
|
// Verify that the digests match.
|
|
Digest digest;
|
|
rv = digest.End(SEC_OID_SHA1, digestContext);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
if (SECITEM_CompareItem(&digestFromManifest, &digest.get()) != SECEqual) {
|
|
return NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY;
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
nsresult
|
|
VerifyEntryContentDigest(nsIZipReader* zip, const nsACString& aFilename,
|
|
const SECItem& digestFromManifest, SECItem& buf)
|
|
{
|
|
nsCOMPtr<nsIInputStream> stream;
|
|
nsresult rv = zip->GetInputStream(aFilename, getter_AddRefs(stream));
|
|
if (NS_FAILED(rv)) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
|
|
}
|
|
|
|
return VerifyStreamContentDigest(stream, digestFromManifest, buf);
|
|
}
|
|
|
|
// @oaram aDir directory containing the unpacked signed archive
|
|
// @param aFilename path of the target file relative to aDir
|
|
// @param digestFromManifest The digest that we're supposed to check the file's
|
|
// contents against, from the manifest
|
|
// @param buf A scratch buffer that we use for doing the I/O
|
|
nsresult
|
|
VerifyFileContentDigest(nsIFile* aDir, const nsAString& aFilename,
|
|
const SECItem& digestFromManifest, SECItem& buf)
|
|
{
|
|
// Find the file corresponding to the manifest path
|
|
nsCOMPtr<nsIFile> file;
|
|
nsresult rv = aDir->Clone(getter_AddRefs(file));
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// We don't know how to handle JARs with signed directory entries.
|
|
// It's technically possible in the manifest but makes no sense on disk.
|
|
// Inside an archive we just ignore them, but here we have to treat it
|
|
// as an error because the signed bytes never got unpacked.
|
|
int32_t pos = 0;
|
|
int32_t slash;
|
|
int32_t namelen = aFilename.Length();
|
|
if (namelen == 0 || aFilename[namelen - 1] == '/') {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
|
|
}
|
|
|
|
// Append path segments one by one
|
|
do {
|
|
slash = aFilename.FindChar('/', pos);
|
|
int32_t segend = (slash == kNotFound) ? namelen : slash;
|
|
rv = file->Append(Substring(aFilename, pos, (segend - pos)));
|
|
if (NS_FAILED(rv)) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
|
|
}
|
|
pos = slash + 1;
|
|
} while (pos < namelen && slash != kNotFound);
|
|
|
|
bool exists;
|
|
rv = file->Exists(&exists);
|
|
if (NS_FAILED(rv) || !exists) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
|
|
}
|
|
|
|
bool isDir;
|
|
rv = file->IsDirectory(&isDir);
|
|
if (NS_FAILED(rv) || isDir) {
|
|
// We only support signed files, not directory entries
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
|
|
}
|
|
|
|
// Open an input stream for that file and verify it.
|
|
nsCOMPtr<nsIInputStream> stream;
|
|
rv = NS_NewLocalFileInputStream(getter_AddRefs(stream), file, -1, -1,
|
|
nsIFileInputStream::CLOSE_ON_EOF);
|
|
if (NS_FAILED(rv) || !stream) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
|
|
}
|
|
|
|
return VerifyStreamContentDigest(stream, digestFromManifest, buf);
|
|
}
|
|
|
|
// On input, nextLineStart is the start of the current line. On output,
|
|
// nextLineStart is the start of the next line.
|
|
nsresult
|
|
ReadLine(/*in/out*/ const char* & nextLineStart, /*out*/ nsCString & line,
|
|
bool allowContinuations = true)
|
|
{
|
|
line.Truncate();
|
|
size_t previousLength = 0;
|
|
size_t currentLength = 0;
|
|
for (;;) {
|
|
const char* eol = PL_strpbrk(nextLineStart, "\r\n");
|
|
|
|
if (!eol) { // Reached end of file before newline
|
|
eol = nextLineStart + strlen(nextLineStart);
|
|
}
|
|
|
|
previousLength = currentLength;
|
|
line.Append(nextLineStart, eol - nextLineStart);
|
|
currentLength = line.Length();
|
|
|
|
// The spec says "No line may be longer than 72 bytes (not characters)"
|
|
// in its UTF8-encoded form.
|
|
static const size_t lineLimit = 72;
|
|
if (currentLength - previousLength > lineLimit) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
// The spec says: "Implementations should support 65535-byte
|
|
// (not character) header values..."
|
|
if (currentLength > 65535) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
if (*eol == '\r') {
|
|
++eol;
|
|
}
|
|
if (*eol == '\n') {
|
|
++eol;
|
|
}
|
|
|
|
nextLineStart = eol;
|
|
|
|
if (*eol != ' ') {
|
|
// not a continuation
|
|
return NS_OK;
|
|
}
|
|
|
|
// continuation
|
|
if (!allowContinuations) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
++nextLineStart; // skip space and keep appending
|
|
}
|
|
}
|
|
|
|
// The header strings are defined in the JAR specification.
|
|
#define JAR_MF_SEARCH_STRING "(M|/M)ETA-INF/(M|m)(ANIFEST|anifest).(MF|mf)$"
|
|
#define JAR_SF_SEARCH_STRING "(M|/M)ETA-INF/*.(SF|sf)$"
|
|
#define JAR_RSA_SEARCH_STRING "(M|/M)ETA-INF/*.(RSA|rsa)$"
|
|
#define JAR_META_DIR "META-INF"
|
|
#define JAR_MF_HEADER "Manifest-Version: 1.0"
|
|
#define JAR_SF_HEADER "Signature-Version: 1.0"
|
|
|
|
nsresult
|
|
ParseAttribute(const nsAutoCString & curLine,
|
|
/*out*/ nsAutoCString & attrName,
|
|
/*out*/ nsAutoCString & attrValue)
|
|
{
|
|
// Find the colon that separates the name from the value.
|
|
int32_t colonPos = curLine.FindChar(':');
|
|
if (colonPos == kNotFound) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
// set attrName to the name, skipping spaces between the name and colon
|
|
int32_t nameEnd = colonPos;
|
|
for (;;) {
|
|
if (nameEnd == 0) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; // colon with no name
|
|
}
|
|
if (curLine[nameEnd - 1] != ' ')
|
|
break;
|
|
--nameEnd;
|
|
}
|
|
curLine.Left(attrName, nameEnd);
|
|
|
|
// Set attrValue to the value, skipping spaces between the colon and the
|
|
// value. The value may be empty.
|
|
int32_t valueStart = colonPos + 1;
|
|
int32_t curLineLength = curLine.Length();
|
|
while (valueStart != curLineLength && curLine[valueStart] == ' ') {
|
|
++valueStart;
|
|
}
|
|
curLine.Right(attrValue, curLineLength - valueStart);
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
// Parses the version line of the MF or SF header.
|
|
nsresult
|
|
CheckManifestVersion(const char* & nextLineStart,
|
|
const nsACString & expectedHeader)
|
|
{
|
|
// The JAR spec says: "Manifest-Version and Signature-Version must be first,
|
|
// and in exactly that case (so that they can be recognized easily as magic
|
|
// strings)."
|
|
nsAutoCString curLine;
|
|
nsresult rv = ReadLine(nextLineStart, curLine, false);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
if (!curLine.Equals(expectedHeader)) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
return NS_OK;
|
|
}
|
|
|
|
// Parses a signature file (SF) as defined in the JDK 8 JAR Specification.
|
|
//
|
|
// The SF file *must* contain exactly one SHA1-Digest-Manifest attribute in
|
|
// the main section. All other sections are ignored. This means that this will
|
|
// NOT parse old-style signature files that have separate digests per entry.
|
|
// The JDK8 x-Digest-Manifest variant is better because:
|
|
//
|
|
// (1) It allows us to follow the principle that we should minimize the
|
|
// processing of data that we do before we verify its signature. In
|
|
// particular, with the x-Digest-Manifest style, we can verify the digest
|
|
// of MANIFEST.MF before we parse it, which prevents malicious JARs
|
|
// exploiting our MANIFEST.MF parser.
|
|
// (2) It is more time-efficient and space-efficient to have one
|
|
// x-Digest-Manifest instead of multiple x-Digest values.
|
|
//
|
|
// In order to get benefit (1), we do NOT implement the fallback to the older
|
|
// mechanism as the spec requires/suggests. Also, for simplity's sake, we only
|
|
// support exactly one SHA1-Digest-Manifest attribute, and no other
|
|
// algorithms.
|
|
//
|
|
// filebuf must be null-terminated. On output, mfDigest will contain the
|
|
// decoded value of SHA1-Digest-Manifest.
|
|
nsresult
|
|
ParseSF(const char* filebuf, /*out*/ SECItem & mfDigest)
|
|
{
|
|
nsresult rv;
|
|
|
|
const char* nextLineStart = filebuf;
|
|
rv = CheckManifestVersion(nextLineStart, NS_LITERAL_CSTRING(JAR_SF_HEADER));
|
|
if (NS_FAILED(rv))
|
|
return rv;
|
|
|
|
// Find SHA1-Digest-Manifest
|
|
for (;;) {
|
|
nsAutoCString curLine;
|
|
rv = ReadLine(nextLineStart, curLine);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
if (curLine.Length() == 0) {
|
|
// End of main section (blank line or end-of-file), and no
|
|
// SHA1-Digest-Manifest found.
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
nsAutoCString attrName;
|
|
nsAutoCString attrValue;
|
|
rv = ParseAttribute(curLine, attrName, attrValue);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
if (attrName.LowerCaseEqualsLiteral("sha1-digest-manifest")) {
|
|
rv = MapSECStatus(ATOB_ConvertAsciiToItem(&mfDigest, attrValue.get()));
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// There could be multiple SHA1-Digest-Manifest attributes, which
|
|
// would be an error, but it's better to just skip any erroneous
|
|
// duplicate entries rather than trying to detect them, because:
|
|
//
|
|
// (1) It's simpler, and simpler generally means more secure
|
|
// (2) An attacker can't make us accept a JAR we would otherwise
|
|
// reject just by adding additional SHA1-Digest-Manifest
|
|
// attributes.
|
|
break;
|
|
}
|
|
|
|
// ignore unrecognized attributes
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
// Parses MANIFEST.MF. The filenames of all entries will be returned in
|
|
// mfItems. buf must be a pre-allocated scratch buffer that is used for doing
|
|
// I/O.
|
|
nsresult
|
|
ParseMF(const char* filebuf, nsIZipReader * zip,
|
|
/*out*/ nsTHashtable<nsCStringHashKey> & mfItems,
|
|
ScopedAutoSECItem & buf)
|
|
{
|
|
nsresult rv;
|
|
|
|
const char* nextLineStart = filebuf;
|
|
|
|
rv = CheckManifestVersion(nextLineStart, NS_LITERAL_CSTRING(JAR_MF_HEADER));
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// Skip the rest of the header section, which ends with a blank line.
|
|
{
|
|
nsAutoCString line;
|
|
do {
|
|
rv = ReadLine(nextLineStart, line);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
} while (line.Length() > 0);
|
|
|
|
// Manifest containing no file entries is OK, though useless.
|
|
if (*nextLineStart == '\0') {
|
|
return NS_OK;
|
|
}
|
|
}
|
|
|
|
nsAutoCString curItemName;
|
|
ScopedAutoSECItem digest;
|
|
|
|
for (;;) {
|
|
nsAutoCString curLine;
|
|
rv = ReadLine(nextLineStart, curLine);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
if (curLine.Length() == 0) {
|
|
// end of section (blank line or end-of-file)
|
|
|
|
if (curItemName.Length() == 0) {
|
|
// '...Each section must start with an attribute with the name as
|
|
// "Name",...', so every section must have a Name attribute.
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
if (digest.len == 0) {
|
|
// We require every entry to have a digest, since we require every
|
|
// entry to be signed and we don't allow duplicate entries.
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
if (mfItems.Contains(curItemName)) {
|
|
// Duplicate entry
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
// Verify that the entry's content digest matches the digest from this
|
|
// MF section.
|
|
rv = VerifyEntryContentDigest(zip, curItemName, digest, buf);
|
|
if (NS_FAILED(rv))
|
|
return rv;
|
|
|
|
mfItems.PutEntry(curItemName);
|
|
|
|
if (*nextLineStart == '\0') // end-of-file
|
|
break;
|
|
|
|
// reset so we know we haven't encountered either of these for the next
|
|
// item yet.
|
|
curItemName.Truncate();
|
|
digest.reset();
|
|
|
|
continue; // skip the rest of the loop below
|
|
}
|
|
|
|
nsAutoCString attrName;
|
|
nsAutoCString attrValue;
|
|
rv = ParseAttribute(curLine, attrName, attrValue);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// Lines to look for:
|
|
|
|
// (1) Digest:
|
|
if (attrName.LowerCaseEqualsLiteral("sha1-digest"))
|
|
{
|
|
if (digest.len > 0) // multiple SHA1 digests in section
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
rv = MapSECStatus(ATOB_ConvertAsciiToItem(&digest, attrValue.get()));
|
|
if (NS_FAILED(rv))
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
continue;
|
|
}
|
|
|
|
// (2) Name: associates this manifest section with a file in the jar.
|
|
if (attrName.LowerCaseEqualsLiteral("name"))
|
|
{
|
|
if (MOZ_UNLIKELY(curItemName.Length() > 0)) // multiple names in section
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
if (MOZ_UNLIKELY(attrValue.Length() == 0))
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
curItemName = attrValue;
|
|
|
|
continue;
|
|
}
|
|
|
|
// (3) Magic: the only other must-understand attribute
|
|
if (attrName.LowerCaseEqualsLiteral("magic")) {
|
|
// We don't understand any magic, so we can't verify an entry that
|
|
// requires magic. Since we require every entry to have a valid
|
|
// signature, we have no choice but to reject the entry.
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
// unrecognized attributes must be ignored
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
struct VerifyCertificateContext {
|
|
AppTrustedRoot trustedRoot;
|
|
ScopedCERTCertList& builtChain;
|
|
};
|
|
|
|
nsresult
|
|
VerifyCertificate(CERTCertificate* signerCert, void* voidContext, void* pinArg)
|
|
{
|
|
// TODO: null pinArg is tolerated.
|
|
if (NS_WARN_IF(!signerCert) || NS_WARN_IF(!voidContext)) {
|
|
return NS_ERROR_INVALID_ARG;
|
|
}
|
|
const VerifyCertificateContext& context =
|
|
*reinterpret_cast<const VerifyCertificateContext*>(voidContext);
|
|
|
|
AppTrustDomain trustDomain(context.builtChain, pinArg);
|
|
if (trustDomain.SetTrustedRoot(context.trustedRoot) != SECSuccess) {
|
|
return MapSECStatus(SECFailure);
|
|
}
|
|
Input certDER;
|
|
Result rv = certDER.Init(signerCert->derCert.data, signerCert->derCert.len);
|
|
if (rv != Success) {
|
|
return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(rv));
|
|
}
|
|
|
|
rv = BuildCertChain(trustDomain, certDER, Now(),
|
|
EndEntityOrCA::MustBeEndEntity,
|
|
KeyUsage::digitalSignature,
|
|
KeyPurposeId::id_kp_codeSigning,
|
|
CertPolicyId::anyPolicy,
|
|
nullptr/*stapledOCSPResponse*/);
|
|
if (rv != Success) {
|
|
return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(rv));
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
nsresult
|
|
VerifySignature(AppTrustedRoot trustedRoot, const SECItem& buffer,
|
|
const SECItem& detachedDigest,
|
|
/*out*/ ScopedCERTCertList& builtChain)
|
|
{
|
|
VerifyCertificateContext context = { trustedRoot, builtChain };
|
|
// XXX: missing pinArg
|
|
return VerifyCMSDetachedSignatureIncludingCertificate(buffer, detachedDigest,
|
|
VerifyCertificate,
|
|
&context, nullptr);
|
|
}
|
|
|
|
NS_IMETHODIMP
|
|
OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
|
|
/*out, optional */ nsIZipReader** aZipReader,
|
|
/*out, optional */ nsIX509Cert** aSignerCert)
|
|
{
|
|
NS_ENSURE_ARG_POINTER(aJarFile);
|
|
|
|
if (aZipReader) {
|
|
*aZipReader = nullptr;
|
|
}
|
|
|
|
if (aSignerCert) {
|
|
*aSignerCert = nullptr;
|
|
}
|
|
|
|
nsresult rv;
|
|
|
|
static NS_DEFINE_CID(kZipReaderCID, NS_ZIPREADER_CID);
|
|
nsCOMPtr<nsIZipReader> zip = do_CreateInstance(kZipReaderCID, &rv);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
rv = zip->Open(aJarFile);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
// Signature (RSA) file
|
|
nsAutoCString sigFilename;
|
|
ScopedAutoSECItem sigBuffer;
|
|
rv = FindAndLoadOneEntry(zip, nsLiteralCString(JAR_RSA_SEARCH_STRING),
|
|
sigFilename, sigBuffer, nullptr);
|
|
if (NS_FAILED(rv)) {
|
|
return NS_ERROR_SIGNED_JAR_NOT_SIGNED;
|
|
}
|
|
|
|
// Signature (SF) file
|
|
nsAutoCString sfFilename;
|
|
ScopedAutoSECItem sfBuffer;
|
|
Digest sfCalculatedDigest;
|
|
rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_SF_SEARCH_STRING),
|
|
sfFilename, sfBuffer, &sfCalculatedDigest);
|
|
if (NS_FAILED(rv)) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
sigBuffer.type = siBuffer;
|
|
ScopedCERTCertList builtChain;
|
|
rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedDigest.get(),
|
|
builtChain);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
ScopedAutoSECItem mfDigest;
|
|
rv = ParseSF(char_ptr_cast(sfBuffer.data), mfDigest);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// Manifest (MF) file
|
|
nsAutoCString mfFilename;
|
|
ScopedAutoSECItem manifestBuffer;
|
|
Digest mfCalculatedDigest;
|
|
rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_MF_SEARCH_STRING),
|
|
mfFilename, manifestBuffer, &mfCalculatedDigest);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
if (SECITEM_CompareItem(&mfDigest, &mfCalculatedDigest.get()) != SECEqual) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
// Allocate the I/O buffer only once per JAR, instead of once per entry, in
|
|
// order to minimize malloc/free calls and in order to avoid fragmenting
|
|
// memory.
|
|
ScopedAutoSECItem buf(128 * 1024);
|
|
|
|
nsTHashtable<nsCStringHashKey> items;
|
|
|
|
rv = ParseMF(char_ptr_cast(manifestBuffer.data), zip, items, buf);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// Verify every entry in the file.
|
|
nsCOMPtr<nsIUTF8StringEnumerator> entries;
|
|
rv = zip->FindEntries(EmptyCString(), getter_AddRefs(entries));
|
|
if (NS_SUCCEEDED(rv) && !entries) {
|
|
rv = NS_ERROR_UNEXPECTED;
|
|
}
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
for (;;) {
|
|
bool hasMore;
|
|
rv = entries->HasMore(&hasMore);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
if (!hasMore) {
|
|
break;
|
|
}
|
|
|
|
nsAutoCString entryFilename;
|
|
rv = entries->GetNext(entryFilename);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Verifying digests for %s",
|
|
entryFilename.get()));
|
|
|
|
// The files that comprise the signature mechanism are not covered by the
|
|
// signature.
|
|
//
|
|
// XXX: This is OK for a single signature, but doesn't work for
|
|
// multiple signatures, because the metadata for the other signatures
|
|
// is not signed either.
|
|
if (entryFilename == mfFilename ||
|
|
entryFilename == sfFilename ||
|
|
entryFilename == sigFilename) {
|
|
continue;
|
|
}
|
|
|
|
if (entryFilename.Length() == 0) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
|
|
}
|
|
|
|
// Entries with names that end in "/" are directory entries, which are not
|
|
// signed.
|
|
//
|
|
// XXX: As long as we don't unpack the JAR into the filesystem, the "/"
|
|
// entries are harmless. But, it is not clear what the security
|
|
// implications of directory entries are if/when we were to unpackage the
|
|
// JAR into the filesystem.
|
|
if (entryFilename[entryFilename.Length() - 1] == '/') {
|
|
continue;
|
|
}
|
|
|
|
nsCStringHashKey * item = items.GetEntry(entryFilename);
|
|
if (!item) {
|
|
return NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY;
|
|
}
|
|
|
|
// Remove the item so we can check for leftover items later
|
|
items.RemoveEntry(item);
|
|
}
|
|
|
|
// We verified that every entry that we require to be signed is signed. But,
|
|
// were there any missing entries--that is, entries that are mentioned in the
|
|
// manifest but missing from the archive?
|
|
if (items.Count() != 0) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
|
|
}
|
|
|
|
// Return the reader to the caller if they want it
|
|
if (aZipReader) {
|
|
zip.forget(aZipReader);
|
|
}
|
|
|
|
// Return the signer's certificate to the reader if they want it.
|
|
// XXX: We should return an nsIX509CertList with the whole validated chain.
|
|
if (aSignerCert) {
|
|
MOZ_ASSERT(CERT_LIST_HEAD(builtChain));
|
|
nsCOMPtr<nsIX509Cert> signerCert =
|
|
nsNSSCertificate::Create(CERT_LIST_HEAD(builtChain)->cert);
|
|
NS_ENSURE_TRUE(signerCert, NS_ERROR_OUT_OF_MEMORY);
|
|
signerCert.forget(aSignerCert);
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
nsresult
|
|
VerifySignedManifest(AppTrustedRoot aTrustedRoot,
|
|
nsIInputStream* aManifestStream,
|
|
nsIInputStream* aSignatureStream,
|
|
/*out, optional */ nsIX509Cert** aSignerCert)
|
|
{
|
|
NS_ENSURE_ARG(aManifestStream);
|
|
NS_ENSURE_ARG(aSignatureStream);
|
|
|
|
if (aSignerCert) {
|
|
*aSignerCert = nullptr;
|
|
}
|
|
|
|
// Load signature file in buffer
|
|
ScopedAutoSECItem signatureBuffer;
|
|
nsresult rv = ReadStream(aSignatureStream, signatureBuffer);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
signatureBuffer.type = siBuffer;
|
|
|
|
// Load manifest file in buffer
|
|
ScopedAutoSECItem manifestBuffer;
|
|
rv = ReadStream(aManifestStream, manifestBuffer);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// Calculate SHA1 digest of the manifest buffer
|
|
Digest manifestCalculatedDigest;
|
|
rv = manifestCalculatedDigest.DigestBuf(SEC_OID_SHA1,
|
|
manifestBuffer.data,
|
|
manifestBuffer.len - 1); // buffer is null terminated
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
return rv;
|
|
}
|
|
|
|
// Get base64 encoded string from manifest buffer digest
|
|
UniquePORTString
|
|
base64EncDigest(NSSBase64_EncodeItem(nullptr, nullptr, 0,
|
|
const_cast<SECItem*>(&manifestCalculatedDigest.get())));
|
|
if (NS_WARN_IF(!base64EncDigest)) {
|
|
return NS_ERROR_OUT_OF_MEMORY;
|
|
}
|
|
|
|
// Calculate SHA1 digest of the base64 encoded string
|
|
Digest doubleDigest;
|
|
rv = doubleDigest.DigestBuf(SEC_OID_SHA1,
|
|
reinterpret_cast<uint8_t*>(base64EncDigest.get()),
|
|
strlen(base64EncDigest.get()));
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
return rv;
|
|
}
|
|
|
|
// Verify the manifest signature (signed digest of the base64 encoded string)
|
|
ScopedCERTCertList builtChain;
|
|
rv = VerifySignature(aTrustedRoot, signatureBuffer,
|
|
doubleDigest.get(), builtChain);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// Return the signer's certificate to the reader if they want it.
|
|
if (aSignerCert) {
|
|
MOZ_ASSERT(CERT_LIST_HEAD(builtChain));
|
|
nsCOMPtr<nsIX509Cert> signerCert =
|
|
nsNSSCertificate::Create(CERT_LIST_HEAD(builtChain)->cert);
|
|
if (NS_WARN_IF(!signerCert)) {
|
|
return NS_ERROR_OUT_OF_MEMORY;
|
|
}
|
|
|
|
signerCert.forget(aSignerCert);
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
class OpenSignedAppFileTask final : public CryptoTask
|
|
{
|
|
public:
|
|
OpenSignedAppFileTask(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
|
|
nsIOpenSignedAppFileCallback* aCallback)
|
|
: mTrustedRoot(aTrustedRoot)
|
|
, mJarFile(aJarFile)
|
|
, mCallback(new nsMainThreadPtrHolder<nsIOpenSignedAppFileCallback>(aCallback))
|
|
{
|
|
}
|
|
|
|
private:
|
|
virtual nsresult CalculateResult() override
|
|
{
|
|
return OpenSignedAppFile(mTrustedRoot, mJarFile,
|
|
getter_AddRefs(mZipReader),
|
|
getter_AddRefs(mSignerCert));
|
|
}
|
|
|
|
// nsNSSCertificate implements nsNSSShutdownObject, so there's nothing that
|
|
// needs to be released
|
|
virtual void ReleaseNSSResources() override { }
|
|
|
|
virtual void CallCallback(nsresult rv) override
|
|
{
|
|
(void) mCallback->OpenSignedAppFileFinished(rv, mZipReader, mSignerCert);
|
|
}
|
|
|
|
const AppTrustedRoot mTrustedRoot;
|
|
const nsCOMPtr<nsIFile> mJarFile;
|
|
nsMainThreadPtrHandle<nsIOpenSignedAppFileCallback> mCallback;
|
|
nsCOMPtr<nsIZipReader> mZipReader; // out
|
|
nsCOMPtr<nsIX509Cert> mSignerCert; // out
|
|
};
|
|
|
|
class VerifySignedmanifestTask final : public CryptoTask
|
|
{
|
|
public:
|
|
VerifySignedmanifestTask(AppTrustedRoot aTrustedRoot,
|
|
nsIInputStream* aManifestStream,
|
|
nsIInputStream* aSignatureStream,
|
|
nsIVerifySignedManifestCallback* aCallback)
|
|
: mTrustedRoot(aTrustedRoot)
|
|
, mManifestStream(aManifestStream)
|
|
, mSignatureStream(aSignatureStream)
|
|
, mCallback(
|
|
new nsMainThreadPtrHolder<nsIVerifySignedManifestCallback>(aCallback))
|
|
{
|
|
}
|
|
|
|
private:
|
|
virtual nsresult CalculateResult() override
|
|
{
|
|
return VerifySignedManifest(mTrustedRoot, mManifestStream,
|
|
mSignatureStream, getter_AddRefs(mSignerCert));
|
|
}
|
|
|
|
// nsNSSCertificate implements nsNSSShutdownObject, so there's nothing that
|
|
// needs to be released
|
|
virtual void ReleaseNSSResources() override { }
|
|
|
|
virtual void CallCallback(nsresult rv) override
|
|
{
|
|
(void) mCallback->VerifySignedManifestFinished(rv, mSignerCert);
|
|
}
|
|
|
|
const AppTrustedRoot mTrustedRoot;
|
|
const nsCOMPtr<nsIInputStream> mManifestStream;
|
|
const nsCOMPtr<nsIInputStream> mSignatureStream;
|
|
nsMainThreadPtrHandle<nsIVerifySignedManifestCallback> mCallback;
|
|
nsCOMPtr<nsIX509Cert> mSignerCert; // out
|
|
};
|
|
|
|
} // unnamed namespace
|
|
|
|
NS_IMETHODIMP
|
|
nsNSSCertificateDB::OpenSignedAppFileAsync(
|
|
AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
|
|
nsIOpenSignedAppFileCallback* aCallback)
|
|
{
|
|
NS_ENSURE_ARG_POINTER(aJarFile);
|
|
NS_ENSURE_ARG_POINTER(aCallback);
|
|
RefPtr<OpenSignedAppFileTask> task(new OpenSignedAppFileTask(aTrustedRoot,
|
|
aJarFile,
|
|
aCallback));
|
|
return task->Dispatch("SignedJAR");
|
|
}
|
|
|
|
NS_IMETHODIMP
|
|
nsNSSCertificateDB::VerifySignedManifestAsync(
|
|
AppTrustedRoot aTrustedRoot, nsIInputStream* aManifestStream,
|
|
nsIInputStream* aSignatureStream, nsIVerifySignedManifestCallback* aCallback)
|
|
{
|
|
NS_ENSURE_ARG_POINTER(aManifestStream);
|
|
NS_ENSURE_ARG_POINTER(aSignatureStream);
|
|
NS_ENSURE_ARG_POINTER(aCallback);
|
|
|
|
RefPtr<VerifySignedmanifestTask> task(
|
|
new VerifySignedmanifestTask(aTrustedRoot, aManifestStream,
|
|
aSignatureStream, aCallback));
|
|
return task->Dispatch("SignedManifest");
|
|
}
|
|
|
|
|
|
//
|
|
// Signature verification for archives unpacked into a file structure
|
|
//
|
|
|
|
// Finds the "*.rsa" signature file in the META-INF directory and returns
|
|
// the name. It is an error if there are none or more than one .rsa file
|
|
nsresult
|
|
FindSignatureFilename(nsIFile* aMetaDir,
|
|
/*out*/ nsAString& aFilename)
|
|
{
|
|
nsCOMPtr<nsISimpleEnumerator> entries;
|
|
nsresult rv = aMetaDir->GetDirectoryEntries(getter_AddRefs(entries));
|
|
nsCOMPtr<nsIDirectoryEnumerator> files = do_QueryInterface(entries);
|
|
if (NS_FAILED(rv) || !files) {
|
|
return NS_ERROR_SIGNED_JAR_NOT_SIGNED;
|
|
}
|
|
|
|
bool found = false;
|
|
nsCOMPtr<nsIFile> file;
|
|
rv = files->GetNextFile(getter_AddRefs(file));
|
|
|
|
while (NS_SUCCEEDED(rv) && file) {
|
|
nsAutoString leafname;
|
|
rv = file->GetLeafName(leafname);
|
|
if (NS_SUCCEEDED(rv)) {
|
|
if (StringEndsWith(leafname, NS_LITERAL_STRING(".rsa"))) {
|
|
if (!found) {
|
|
found = true;
|
|
aFilename = leafname;
|
|
} else {
|
|
// second signature file is an error
|
|
rv = NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
break;
|
|
}
|
|
}
|
|
rv = files->GetNextFile(getter_AddRefs(file));
|
|
}
|
|
}
|
|
|
|
if (!found) {
|
|
rv = NS_ERROR_SIGNED_JAR_NOT_SIGNED;
|
|
}
|
|
|
|
files->Close();
|
|
return rv;
|
|
}
|
|
|
|
// Loads the signature metadata file that matches the given filename in
|
|
// the passed-in Meta-inf directory. If bufDigest is not null then on
|
|
// success bufDigest will contain the SHA-1 digest of the entry.
|
|
nsresult
|
|
LoadOneMetafile(nsIFile* aMetaDir,
|
|
const nsAString& aFilename,
|
|
/*out*/ SECItem& aBuf,
|
|
/*optional, out*/ Digest* aBufDigest)
|
|
{
|
|
nsCOMPtr<nsIFile> metafile;
|
|
nsresult rv = aMetaDir->Clone(getter_AddRefs(metafile));
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
rv = metafile->Append(aFilename);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
bool exists;
|
|
rv = metafile->Exists(&exists);
|
|
if (NS_FAILED(rv) || !exists) {
|
|
// we can call a missing .rsa file "unsigned" but FindSignatureFilename()
|
|
// already found one: missing other metadata files means a broken signature.
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
nsCOMPtr<nsIInputStream> stream;
|
|
rv = NS_NewLocalFileInputStream(getter_AddRefs(stream), metafile);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
rv = ReadStream(stream, aBuf);
|
|
stream->Close();
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
if (aBufDigest) {
|
|
rv = aBufDigest->DigestBuf(SEC_OID_SHA1, aBuf.data, aBuf.len - 1);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
// Parses MANIFEST.MF and verifies the contents of the unpacked files
|
|
// listed in the manifest.
|
|
// The filenames of all entries will be returned in aMfItems. aBuf must
|
|
// be a pre-allocated scratch buffer that is used for doing I/O.
|
|
nsresult
|
|
ParseMFUnpacked(const char* aFilebuf, nsIFile* aDir,
|
|
/*out*/ nsTHashtable<nsStringHashKey>& aMfItems,
|
|
ScopedAutoSECItem& aBuf)
|
|
{
|
|
nsresult rv;
|
|
|
|
const char* nextLineStart = aFilebuf;
|
|
|
|
rv = CheckManifestVersion(nextLineStart, NS_LITERAL_CSTRING(JAR_MF_HEADER));
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// Skip the rest of the header section, which ends with a blank line.
|
|
{
|
|
nsAutoCString line;
|
|
do {
|
|
rv = ReadLine(nextLineStart, line);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
} while (line.Length() > 0);
|
|
|
|
// Manifest containing no file entries is OK, though useless.
|
|
if (*nextLineStart == '\0') {
|
|
return NS_OK;
|
|
}
|
|
}
|
|
|
|
nsAutoString curItemName;
|
|
ScopedAutoSECItem digest;
|
|
|
|
for (;;) {
|
|
nsAutoCString curLine;
|
|
rv = ReadLine(nextLineStart, curLine);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
if (curLine.Length() == 0) {
|
|
// end of section (blank line or end-of-file)
|
|
|
|
if (curItemName.Length() == 0) {
|
|
// '...Each section must start with an attribute with the name as
|
|
// "Name",...', so every section must have a Name attribute.
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
if (digest.len == 0) {
|
|
// We require every entry to have a digest, since we require every
|
|
// entry to be signed and we don't allow duplicate entries.
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
if (aMfItems.Contains(curItemName)) {
|
|
// Duplicate entry
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
// Verify that the file's content digest matches the digest from this
|
|
// MF section.
|
|
rv = VerifyFileContentDigest(aDir, curItemName, digest, aBuf);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
aMfItems.PutEntry(curItemName);
|
|
|
|
if (*nextLineStart == '\0') {
|
|
// end-of-file
|
|
break;
|
|
}
|
|
|
|
// reset so we know we haven't encountered either of these for the next
|
|
// item yet.
|
|
curItemName.Truncate();
|
|
digest.reset();
|
|
|
|
continue; // skip the rest of the loop below
|
|
}
|
|
|
|
nsAutoCString attrName;
|
|
nsAutoCString attrValue;
|
|
rv = ParseAttribute(curLine, attrName, attrValue);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// Lines to look for:
|
|
|
|
// (1) Digest:
|
|
if (attrName.LowerCaseEqualsLiteral("sha1-digest")) {
|
|
if (digest.len > 0) {
|
|
// multiple SHA1 digests in section
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
rv = MapSECStatus(ATOB_ConvertAsciiToItem(&digest, attrValue.get()));
|
|
if (NS_FAILED(rv)) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
continue;
|
|
}
|
|
|
|
// (2) Name: associates this manifest section with a file in the jar.
|
|
if (attrName.LowerCaseEqualsLiteral("name")) {
|
|
if (MOZ_UNLIKELY(curItemName.Length() > 0)) {
|
|
// multiple names in section
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
if (MOZ_UNLIKELY(attrValue.Length() == 0)) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
curItemName = NS_ConvertUTF8toUTF16(attrValue);
|
|
|
|
continue;
|
|
}
|
|
|
|
// (3) Magic: the only other must-understand attribute
|
|
if (attrName.LowerCaseEqualsLiteral("magic")) {
|
|
// We don't understand any magic, so we can't verify an entry that
|
|
// requires magic. Since we require every entry to have a valid
|
|
// signature, we have no choice but to reject the entry.
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
// unrecognized attributes must be ignored
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
// recursively check a directory tree for files not in the list of
|
|
// verified files we found in the manifest. For each file we find
|
|
// Check it against the files found in the manifest. If the file wasn't
|
|
// in the manifest then it's unsigned and we can stop looking. Otherwise
|
|
// remove it from the collection so we can check leftovers later.
|
|
//
|
|
// @param aDir Directory to check
|
|
// @param aPath Relative path to that directory (to check against aItems)
|
|
// @param aItems All the files found
|
|
// @param *Filename signature files that won't be in the manifest
|
|
nsresult
|
|
CheckDirForUnsignedFiles(nsIFile* aDir,
|
|
const nsString& aPath,
|
|
/* in/out */ nsTHashtable<nsStringHashKey>& aItems,
|
|
const nsAString& sigFilename,
|
|
const nsAString& sfFilename,
|
|
const nsAString& mfFilename)
|
|
{
|
|
nsCOMPtr<nsISimpleEnumerator> entries;
|
|
nsresult rv = aDir->GetDirectoryEntries(getter_AddRefs(entries));
|
|
nsCOMPtr<nsIDirectoryEnumerator> files = do_QueryInterface(entries);
|
|
if (NS_FAILED(rv) || !files) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
|
|
}
|
|
|
|
bool inMeta = StringBeginsWith(aPath, NS_LITERAL_STRING(JAR_META_DIR));
|
|
|
|
while (NS_SUCCEEDED(rv)) {
|
|
nsCOMPtr<nsIFile> file;
|
|
rv = files->GetNextFile(getter_AddRefs(file));
|
|
if (NS_FAILED(rv) || !file) {
|
|
break;
|
|
}
|
|
|
|
nsAutoString leafname;
|
|
rv = file->GetLeafName(leafname);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
nsAutoString curName(aPath + leafname);
|
|
|
|
bool isDir;
|
|
rv = file->IsDirectory(&isDir);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// if it's a directory we need to recurse
|
|
if (isDir) {
|
|
curName.Append(NS_LITERAL_STRING("/"));
|
|
rv = CheckDirForUnsignedFiles(file, curName, aItems,
|
|
sigFilename, sfFilename, mfFilename);
|
|
} else {
|
|
// The files that comprise the signature mechanism are not covered by the
|
|
// signature.
|
|
//
|
|
// XXX: This is OK for a single signature, but doesn't work for
|
|
// multiple signatures because the metadata for the other signatures
|
|
// is not signed either.
|
|
if (inMeta && ( leafname == sigFilename ||
|
|
leafname == sfFilename ||
|
|
leafname == mfFilename )) {
|
|
continue;
|
|
}
|
|
|
|
// make sure the current file was found in the manifest
|
|
nsStringHashKey* item = aItems.GetEntry(curName);
|
|
if (!item) {
|
|
return NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY;
|
|
}
|
|
|
|
// Remove the item so we can check for leftover items later
|
|
aItems.RemoveEntry(item);
|
|
}
|
|
}
|
|
files->Close();
|
|
return rv;
|
|
}
|
|
|
|
/*
|
|
* Verify the signature of a directory structure as if it were a
|
|
* signed JAR file (used for unpacked JARs)
|
|
*/
|
|
nsresult
|
|
VerifySignedDirectory(AppTrustedRoot aTrustedRoot,
|
|
nsIFile* aDirectory,
|
|
/*out, optional */ nsIX509Cert** aSignerCert)
|
|
{
|
|
NS_ENSURE_ARG_POINTER(aDirectory);
|
|
|
|
if (aSignerCert) {
|
|
*aSignerCert = nullptr;
|
|
}
|
|
|
|
// Make sure there's a META-INF directory
|
|
|
|
nsCOMPtr<nsIFile> metaDir;
|
|
nsresult rv = aDirectory->Clone(getter_AddRefs(metaDir));
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
rv = metaDir->Append(NS_LITERAL_STRING(JAR_META_DIR));
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
bool exists;
|
|
rv = metaDir->Exists(&exists);
|
|
if (NS_FAILED(rv) || !exists) {
|
|
return NS_ERROR_SIGNED_JAR_NOT_SIGNED;
|
|
}
|
|
bool isDirectory;
|
|
rv = metaDir->IsDirectory(&isDirectory);
|
|
if (NS_FAILED(rv) || !isDirectory) {
|
|
return NS_ERROR_SIGNED_JAR_NOT_SIGNED;
|
|
}
|
|
|
|
// Find and load the Signature (RSA) file
|
|
|
|
nsAutoString sigFilename;
|
|
rv = FindSignatureFilename(metaDir, sigFilename);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
ScopedAutoSECItem sigBuffer;
|
|
rv = LoadOneMetafile(metaDir, sigFilename, sigBuffer, nullptr);
|
|
if (NS_FAILED(rv)) {
|
|
return NS_ERROR_SIGNED_JAR_NOT_SIGNED;
|
|
}
|
|
|
|
// Load the signature (SF) file and verify the signature.
|
|
// The .sf and .rsa files must have the same name apart from the extension.
|
|
|
|
nsAutoString sfFilename(Substring(sigFilename, 0, sigFilename.Length() - 3)
|
|
+ NS_LITERAL_STRING("sf"));
|
|
|
|
ScopedAutoSECItem sfBuffer;
|
|
Digest sfCalculatedDigest;
|
|
rv = LoadOneMetafile(metaDir, sfFilename, sfBuffer, &sfCalculatedDigest);
|
|
if (NS_FAILED(rv)) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
sigBuffer.type = siBuffer;
|
|
ScopedCERTCertList builtChain;
|
|
rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedDigest.get(),
|
|
builtChain);
|
|
if (NS_FAILED(rv)) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
// Get the expected manifest hash from the signed .sf file
|
|
|
|
ScopedAutoSECItem mfDigest;
|
|
rv = ParseSF(char_ptr_cast(sfBuffer.data), mfDigest);
|
|
if (NS_FAILED(rv)) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
// Load manifest (MF) file and verify signature
|
|
|
|
nsAutoString mfFilename(NS_LITERAL_STRING("manifest.mf"));
|
|
ScopedAutoSECItem manifestBuffer;
|
|
Digest mfCalculatedDigest;
|
|
rv = LoadOneMetafile(metaDir, mfFilename, manifestBuffer, &mfCalculatedDigest);
|
|
if (NS_FAILED(rv)) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
if (SECITEM_CompareItem(&mfDigest, &mfCalculatedDigest.get()) != SECEqual) {
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
}
|
|
|
|
// Parse manifest and verify signed hash of all listed files
|
|
|
|
// Allocate the I/O buffer only once per JAR, instead of once per entry, in
|
|
// order to minimize malloc/free calls and in order to avoid fragmenting
|
|
// memory.
|
|
ScopedAutoSECItem buf(128 * 1024);
|
|
|
|
nsTHashtable<nsStringHashKey> items;
|
|
rv = ParseMFUnpacked(char_ptr_cast(manifestBuffer.data),
|
|
aDirectory, items, buf);
|
|
if (NS_FAILED(rv)){
|
|
return rv;
|
|
}
|
|
|
|
// We've checked that everything listed in the manifest exists and is signed
|
|
// correctly. Now check on disk for extra (unsigned) files.
|
|
// Deletes found entries from items as it goes.
|
|
rv = CheckDirForUnsignedFiles(aDirectory, EmptyString(), items,
|
|
sigFilename, sfFilename, mfFilename);
|
|
if (NS_FAILED(rv)) {
|
|
return rv;
|
|
}
|
|
|
|
// We verified that every entry that we require to be signed is signed. But,
|
|
// were there any missing entries--that is, entries that are mentioned in the
|
|
// manifest but missing from the directory tree? (There shouldn't be given
|
|
// ParseMFUnpacked() checking them all, but it's a cheap sanity check.)
|
|
if (items.Count() != 0) {
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
|
|
}
|
|
|
|
// Return the signer's certificate to the reader if they want it.
|
|
// XXX: We should return an nsIX509CertList with the whole validated chain.
|
|
if (aSignerCert) {
|
|
MOZ_ASSERT(CERT_LIST_HEAD(builtChain));
|
|
nsCOMPtr<nsIX509Cert> signerCert =
|
|
nsNSSCertificate::Create(CERT_LIST_HEAD(builtChain)->cert);
|
|
NS_ENSURE_TRUE(signerCert, NS_ERROR_OUT_OF_MEMORY);
|
|
signerCert.forget(aSignerCert);
|
|
}
|
|
|
|
return NS_OK;
|
|
}
|
|
|
|
class VerifySignedDirectoryTask final : public CryptoTask
|
|
{
|
|
public:
|
|
VerifySignedDirectoryTask(AppTrustedRoot aTrustedRoot, nsIFile* aUnpackedJar,
|
|
nsIVerifySignedDirectoryCallback* aCallback)
|
|
: mTrustedRoot(aTrustedRoot)
|
|
, mDirectory(aUnpackedJar)
|
|
, mCallback(new nsMainThreadPtrHolder<nsIVerifySignedDirectoryCallback>(aCallback))
|
|
{
|
|
}
|
|
|
|
private:
|
|
virtual nsresult CalculateResult() override
|
|
{
|
|
return VerifySignedDirectory(mTrustedRoot,
|
|
mDirectory,
|
|
getter_AddRefs(mSignerCert));
|
|
}
|
|
|
|
// This class doesn't directly hold NSS resources so there's nothing that
|
|
// needs to be released
|
|
virtual void ReleaseNSSResources() override { }
|
|
|
|
virtual void CallCallback(nsresult rv) override
|
|
{
|
|
(void) mCallback->VerifySignedDirectoryFinished(rv, mSignerCert);
|
|
}
|
|
|
|
const AppTrustedRoot mTrustedRoot;
|
|
const nsCOMPtr<nsIFile> mDirectory;
|
|
nsMainThreadPtrHandle<nsIVerifySignedDirectoryCallback> mCallback;
|
|
nsCOMPtr<nsIX509Cert> mSignerCert; // out
|
|
};
|
|
|
|
NS_IMETHODIMP
|
|
nsNSSCertificateDB::VerifySignedDirectoryAsync(
|
|
AppTrustedRoot aTrustedRoot, nsIFile* aUnpackedJar,
|
|
nsIVerifySignedDirectoryCallback* aCallback)
|
|
{
|
|
NS_ENSURE_ARG_POINTER(aUnpackedJar);
|
|
NS_ENSURE_ARG_POINTER(aCallback);
|
|
RefPtr<VerifySignedDirectoryTask> task(new VerifySignedDirectoryTask(aTrustedRoot,
|
|
aUnpackedJar,
|
|
aCallback));
|
|
return task->Dispatch("UnpackedJar");
|
|
}
|