Revert "ported from UXP: Issue #1966 - Remove support for Firefox Marketplace "apps" (11680c89)"

This reverts commit 111fb139c7.

security/apps/AppTrustDomain.cpp

@@ -0,0 +1,382 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "AppTrustDomain.h"
+#include "MainThreadUtils.h"
+#include "certdb.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Preferences.h"
+#include "nsComponentManagerUtils.h"
+#include "nsIFile.h"
+#include "nsIFileStreams.h"
+#include "nsIX509CertDB.h"
+#include "nsNSSCertificate.h"
+#include "nsNetUtil.h"
+#include "pkix/pkixnss.h"
+#include "prerror.h"
+
+// Generated in Makefile.in
+#include "marketplace-prod-public.inc"
+#include "marketplace-prod-reviewers.inc"
+#include "marketplace-dev-public.inc"
+#include "marketplace-dev-reviewers.inc"
+#include "marketplace-stage.inc"
+#include "xpcshell.inc"
+// Trusted Hosted Apps Certificates
+#include "manifest-signing-root.inc"
+#include "manifest-signing-test-root.inc"
+// Add-on signing Certificates
+#include "addons-public.inc"
+#include "addons-stage.inc"
+// Privileged Package Certificates
+#include "privileged-package-root.inc"
+
+using namespace mozilla::pkix;
+
+extern mozilla::LazyLogModule gPIPNSSLog;
+
+static const unsigned int DEFAULT_MIN_RSA_BITS = 2048;
+static char kDevImportedDER[] =
+  "network.http.signed-packages.developer-root";
+
+namespace mozilla { namespace psm {
+
+StaticMutex AppTrustDomain::sMutex;
+UniquePtr<unsigned char[]> AppTrustDomain::sDevImportedDERData;
+unsigned int AppTrustDomain::sDevImportedDERLen = 0;
+
+AppTrustDomain::AppTrustDomain(UniqueCERTCertList& certChain, void* pinArg)
+  : mCertChain(certChain)
+  , mPinArg(pinArg)
+  , mMinRSABits(DEFAULT_MIN_RSA_BITS)
+{
+}
+
+nsresult
+AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot)
+{
+  SECItem trustedDER;
+
+  // Load the trusted certificate into the in-memory NSS database so that
+  // CERT_CreateSubjectCertList can find it.
+
+  switch (trustedRoot)
+  {
+    case nsIX509CertDB::AppMarketplaceProdPublicRoot:
+      trustedDER.data = const_cast<uint8_t*>(marketplaceProdPublicRoot);
+      trustedDER.len = mozilla::ArrayLength(marketplaceProdPublicRoot);
+      break;
+
+    case nsIX509CertDB::AppMarketplaceProdReviewersRoot:
+      trustedDER.data = const_cast<uint8_t*>(marketplaceProdReviewersRoot);
+      trustedDER.len = mozilla::ArrayLength(marketplaceProdReviewersRoot);
+      break;
+
+    case nsIX509CertDB::AppMarketplaceDevPublicRoot:
+      trustedDER.data = const_cast<uint8_t*>(marketplaceDevPublicRoot);
+      trustedDER.len = mozilla::ArrayLength(marketplaceDevPublicRoot);
+      break;
+
+    case nsIX509CertDB::AppMarketplaceDevReviewersRoot:
+      trustedDER.data = const_cast<uint8_t*>(marketplaceDevReviewersRoot);
+      trustedDER.len = mozilla::ArrayLength(marketplaceDevReviewersRoot);
+      break;
+
+    case nsIX509CertDB::AppMarketplaceStageRoot:
+      trustedDER.data = const_cast<uint8_t*>(marketplaceStageRoot);
+      trustedDER.len = mozilla::ArrayLength(marketplaceStageRoot);
+      // The staging root was generated with a 1024-bit key.
+      mMinRSABits = 1024u;
+      break;
+
+    case nsIX509CertDB::AppXPCShellRoot:
+      trustedDER.data = const_cast<uint8_t*>(xpcshellRoot);
+      trustedDER.len = mozilla::ArrayLength(xpcshellRoot);
+      break;
+
+    case nsIX509CertDB::AddonsPublicRoot:
+      trustedDER.data = const_cast<uint8_t*>(addonsPublicRoot);
+      trustedDER.len = mozilla::ArrayLength(addonsPublicRoot);
+      break;
+
+    case nsIX509CertDB::AddonsStageRoot:
+      trustedDER.data = const_cast<uint8_t*>(addonsStageRoot);
+      trustedDER.len = mozilla::ArrayLength(addonsStageRoot);
+      break;
+
+    case nsIX509CertDB::PrivilegedPackageRoot:
+      trustedDER.data = const_cast<uint8_t*>(privilegedPackageRoot);
+      trustedDER.len = mozilla::ArrayLength(privilegedPackageRoot);
+      break;
+
+    case nsIX509CertDB::DeveloperImportedRoot: {
+      StaticMutexAutoLock lock(sMutex);
+      if (!sDevImportedDERData) {
+        MOZ_ASSERT(!NS_IsMainThread());
+        nsCOMPtr<nsIFile> file(do_CreateInstance("@mozilla.org/file/local;1"));
+        if (!file) {
+          return NS_ERROR_FAILURE;
+        }
+        nsresult rv = file->InitWithNativePath(
+          Preferences::GetCString(kDevImportedDER));
+        if (NS_FAILED(rv)) {
+          return rv;
+        }
+
+        nsCOMPtr<nsIInputStream> inputStream;
+        rv = NS_NewLocalFileInputStream(getter_AddRefs(inputStream), file, -1,
+                                        -1, nsIFileInputStream::CLOSE_ON_EOF);
+        if (NS_FAILED(rv)) {
+          return rv;
+        }
+
+        uint64_t length;
+        rv = inputStream->Available(&length);
+        if (NS_FAILED(rv)) {
+          return rv;
+        }
+
+        auto data = MakeUnique<char[]>(length);
+        rv = inputStream->Read(data.get(), length, &sDevImportedDERLen);
+        if (NS_FAILED(rv)) {
+          return rv;
+        }
+
+        MOZ_ASSERT(length == sDevImportedDERLen);
+        sDevImportedDERData.reset(
+          BitwiseCast<unsigned char*, char*>(data.release()));
+      }
+
+      trustedDER.data = sDevImportedDERData.get();
+      trustedDER.len = sDevImportedDERLen;
+      break;
+    }
+
+    default:
+      return NS_ERROR_INVALID_ARG;
+  }
+
+  mTrustedRoot.reset(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+                                             &trustedDER, nullptr, false, true));
+  if (!mTrustedRoot) {
+    return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+  }
+
+  return NS_OK;
+}
+
+Result
+AppTrustDomain::FindIssuer(Input encodedIssuerName, IssuerChecker& checker,
+                           Time)
+
+{
+  MOZ_ASSERT(mTrustedRoot);
+  if (!mTrustedRoot) {
+    return Result::FATAL_ERROR_INVALID_STATE;
+  }
+
+  // TODO(bug 1035418): If/when mozilla::pkix relaxes the restriction that
+  // FindIssuer must only pass certificates with a matching subject name to
+  // checker.Check, we can stop using CERT_CreateSubjectCertList and instead
+  // use logic like this:
+  //
+  // 1. First, try the trusted trust anchor.
+  // 2. Secondly, iterate through the certificates that were stored in the CMS
+  //    message, passing each one to checker.Check.
+  SECItem encodedIssuerNameSECItem =
+    UnsafeMapInputToSECItem(encodedIssuerName);
+  UniqueCERTCertList
+    candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
+                                          &encodedIssuerNameSECItem, 0,
+                                          false));
+  if (candidates) {
+    for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
+         !CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
+      Input certDER;
+      Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
+      if (rv != Success) {
+        continue; // probably too big
+      }
+
+      bool keepGoing;
+      rv = checker.Check(certDER, nullptr/*additionalNameConstraints*/,
+                         keepGoing);
+      if (rv != Success) {
+        return rv;
+      }
+      if (!keepGoing) {
+        break;
+      }
+    }
+  }
+
+  return Success;
+}
+
+Result
+AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
+                             const CertPolicyId& policy,
+                             Input candidateCertDER,
+                     /*out*/ TrustLevel& trustLevel)
+{
+  MOZ_ASSERT(policy.IsAnyPolicy());
+  MOZ_ASSERT(mTrustedRoot);
+  if (!policy.IsAnyPolicy()) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+  if (!mTrustedRoot) {
+    return Result::FATAL_ERROR_INVALID_STATE;
+  }
+
+  // Handle active distrust of the certificate.
+
+  // XXX: This would be cleaner and more efficient if we could get the trust
+  // information without constructing a CERTCertificate here, but NSS doesn't
+  // expose it in any other easy-to-use fashion.
+  SECItem candidateCertDERSECItem =
+    UnsafeMapInputToSECItem(candidateCertDER);
+  UniqueCERTCertificate candidateCert(
+    CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem,
+                            nullptr, false, true));
+  if (!candidateCert) {
+    return MapPRErrorCodeToResult(PR_GetError());
+  }
+
+  CERTCertTrust trust;
+  if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) {
+    uint32_t flags = SEC_GET_TRUST_FLAGS(&trust, trustObjectSigning);
+
+    // For DISTRUST, we use the CERTDB_TRUSTED or CERTDB_TRUSTED_CA bit,
+    // because we can have active distrust for either type of cert. Note that
+    // CERTDB_TERMINAL_RECORD means "stop trying to inherit trust" so if the
+    // relevant trust bit isn't set then that means the cert must be considered
+    // distrusted.
+    uint32_t relevantTrustBit = endEntityOrCA == EndEntityOrCA::MustBeCA
+                              ? CERTDB_TRUSTED_CA
+                              : CERTDB_TRUSTED;
+    if (((flags & (relevantTrustBit | CERTDB_TERMINAL_RECORD)))
+            == CERTDB_TERMINAL_RECORD) {
+      trustLevel = TrustLevel::ActivelyDistrusted;
+      return Success;
+    }
+  }
+
+  // mTrustedRoot is the only trust anchor for this validation.
+  if (CERT_CompareCerts(mTrustedRoot.get(), candidateCert.get())) {
+    trustLevel = TrustLevel::TrustAnchor;
+    return Success;
+  }
+
+  trustLevel = TrustLevel::InheritsTrust;
+  return Success;
+}
+
+Result
+AppTrustDomain::DigestBuf(Input item,
+                          DigestAlgorithm digestAlg,
+                          /*out*/ uint8_t* digestBuf,
+                          size_t digestBufLen)
+{
+  return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
+}
+
+Result
+AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                                /*optional*/ const Input*,
+                                /*optional*/ const Input*,
+                                /*optional*/ const Input*)
+{
+  // We don't currently do revocation checking. If we need to distrust an Apps
+  // certificate, we will use the active distrust mechanism.
+  return Success;
+}
+
+Result
+AppTrustDomain::IsChainValid(const DERArray& certChain, Time time,
+                             const CertPolicyId& requiredPolicy)
+{
+  SECStatus srv = ConstructCERTCertListFromReversedDERArray(certChain,
+                                                            mCertChain);
+  if (srv != SECSuccess) {
+    return MapPRErrorCodeToResult(PR_GetError());
+  }
+  return Success;
+}
+
+Result
+AppTrustDomain::CheckSignatureDigestAlgorithm(DigestAlgorithm,
+                                              EndEntityOrCA,
+                                              Time)
+{
+  // TODO: We should restrict signatures to SHA-256 or better.
+  return Success;
+}
+
+Result
+AppTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
+  EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits)
+{
+  if (modulusSizeInBits < mMinRSABits) {
+    return Result::ERROR_INADEQUATE_KEY_SIZE;
+  }
+  return Success;
+}
+
+Result
+AppTrustDomain::VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+                                           Input subjectPublicKeyInfo)
+{
+  // TODO: We should restrict signatures to SHA-256 or better.
+  return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo,
+                                       mPinArg);
+}
+
+Result
+AppTrustDomain::CheckECDSACurveIsAcceptable(EndEntityOrCA /*endEntityOrCA*/,
+                                            NamedCurve curve)
+{
+  switch (curve) {
+    case NamedCurve::secp256r1: // fall through
+    case NamedCurve::secp384r1: // fall through
+    case NamedCurve::secp521r1:
+      return Success;
+  }
+
+  return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+}
+
+Result
+AppTrustDomain::VerifyECDSASignedDigest(const SignedDigest& signedDigest,
+                                        Input subjectPublicKeyInfo)
+{
+  return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
+                                    mPinArg);
+}
+
+Result
+AppTrustDomain::CheckValidityIsAcceptable(Time /*notBefore*/, Time /*notAfter*/,
+                                          EndEntityOrCA /*endEntityOrCA*/,
+                                          KeyPurposeId /*keyPurpose*/)
+{
+  return Success;
+}
+
+Result
+AppTrustDomain::NetscapeStepUpMatchesServerAuth(Time /*notBefore*/,
+                                                /*out*/ bool& matches)
+{
+  matches = false;
+  return Success;
+}
+
+void
+AppTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension /*extension*/,
+                                       Input /*extensionData*/)
+{
+}
+
+} } // namespace mozilla::psm

security/apps/AppTrustDomain.h

@@ -0,0 +1,90 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef AppTrustDomain_h
+#define AppTrustDomain_h
+
+#include "pkix/pkixtypes.h"
+#include "mozilla/StaticMutex.h"
+#include "mozilla/UniquePtr.h"
+#include "nsDebug.h"
+#include "nsIX509CertDB.h"
+#include "ScopedNSSTypes.h"
+
+namespace mozilla { namespace psm {
+
+class AppTrustDomain final : public mozilla::pkix::TrustDomain
+{
+public:
+  typedef mozilla::pkix::Result Result;
+
+  AppTrustDomain(UniqueCERTCertList& certChain, void* pinArg);
+
+  nsresult SetTrustedRoot(AppTrustedRoot trustedRoot);
+
+  virtual Result GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
+                              const mozilla::pkix::CertPolicyId& policy,
+                              mozilla::pkix::Input candidateCertDER,
+                              /*out*/ mozilla::pkix::TrustLevel& trustLevel)
+                              override;
+  virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
+                            IssuerChecker& checker,
+                            mozilla::pkix::Time time) override;
+  virtual Result CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
+                                 const mozilla::pkix::CertID& certID,
+                                 mozilla::pkix::Time time,
+                                 mozilla::pkix::Duration validityDuration,
+                    /*optional*/ const mozilla::pkix::Input* stapledOCSPresponse,
+                    /*optional*/ const mozilla::pkix::Input* aiaExtension,
+                    /*optional*/ const mozilla::pkix::Input* sctExtension) override;
+  virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain,
+                              mozilla::pkix::Time time,
+                              const mozilla::pkix::CertPolicyId& requiredPolicy) override;
+  virtual Result CheckSignatureDigestAlgorithm(
+                   mozilla::pkix::DigestAlgorithm digestAlg,
+                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
+                   mozilla::pkix::Time notBefore) override;
+  virtual Result CheckRSAPublicKeyModulusSizeInBits(
+                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
+                   unsigned int modulusSizeInBits) override;
+  virtual Result VerifyRSAPKCS1SignedDigest(
+                   const mozilla::pkix::SignedDigest& signedDigest,
+                   mozilla::pkix::Input subjectPublicKeyInfo) override;
+  virtual Result CheckECDSACurveIsAcceptable(
+                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
+                   mozilla::pkix::NamedCurve curve) override;
+  virtual Result VerifyECDSASignedDigest(
+                   const mozilla::pkix::SignedDigest& signedDigest,
+                   mozilla::pkix::Input subjectPublicKeyInfo) override;
+  virtual Result CheckValidityIsAcceptable(
+                   mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,
+                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
+                   mozilla::pkix::KeyPurposeId keyPurpose) override;
+  virtual Result NetscapeStepUpMatchesServerAuth(
+                   mozilla::pkix::Time notBefore,
+                   /*out*/ bool& matches) override;
+  virtual void NoteAuxiliaryExtension(
+                   mozilla::pkix::AuxiliaryExtension extension,
+                   mozilla::pkix::Input extensionData) override;
+  virtual Result DigestBuf(mozilla::pkix::Input item,
+                           mozilla::pkix::DigestAlgorithm digestAlg,
+                           /*out*/ uint8_t* digestBuf,
+                           size_t digestBufLen) override;
+
+private:
+  /*out*/ UniqueCERTCertList& mCertChain;
+  void* mPinArg; // non-owning!
+  UniqueCERTCertificate mTrustedRoot;
+  unsigned int mMinRSABits;
+
+  static StaticMutex sMutex;
+  static UniquePtr<unsigned char[]> sDevImportedDERData;
+  static unsigned int sDevImportedDERLen;
+};
+
+} } // namespace mozilla::psm
+
+#endif // AppTrustDomain_h

security/apps/gen_cert_header.py

@@ -0,0 +1,45 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import binascii
+
+def _file_byte_generator(filename):
+  with open(filename, "rb") as f:
+    contents = f.read()
+
+    # Treat empty files the same as a file containing a lone 0;
+    # a single-element array will fail cert verifcation just as an
+    # empty array would.
+    if not contents:
+      return ['\0']
+
+    return contents
+
+def _create_header(array_name, cert_bytes):
+  hexified = ["0x" + binascii.hexlify(byte) for byte in cert_bytes]
+  substs = { 'array_name': array_name, 'bytes': ', '.join(hexified) }
+  return "const uint8_t %(array_name)s[] = {\n%(bytes)s\n};\n" % substs
+
+# Create functions named the same as the data arrays that we're going to
+# write to the headers, so we don't have to duplicate the names like so:
+#
+#   def arrayName(header, cert_filename):
+#     header.write(_create_header("arrayName", cert_filename))
+array_names = [
+  'marketplaceProdPublicRoot',
+  'marketplaceProdReviewersRoot',
+  'marketplaceDevPublicRoot',
+  'marketplaceDevReviewersRoot',
+  'marketplaceStageRoot',
+  'trustedAppPublicRoot',
+  'trustedAppTestRoot',
+  'xpcshellRoot',
+  'addonsPublicRoot',
+  'addonsStageRoot',
+  'privilegedPackageRoot',
+]
+
+for n in array_names:
+  # Make sure the lambda captures the right string.
+  globals()[n] = lambda header, cert_filename, name=n: header.write(_create_header(name, _file_byte_generator(cert_filename)))

security/apps/moz.build

@@ -0,0 +1,44 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+UNIFIED_SOURCES += [
+    'AppSignatureVerification.cpp',
+    'AppTrustDomain.cpp',
+]
+
+FINAL_LIBRARY = 'xul'
+
+LOCAL_INCLUDES += [
+    '/security/certverifier',
+    '/security/manager/ssl',
+    '/security/pkix/include',
+]
+
+DEFINES['NSS_ENABLE_ECC'] = 'True'
+for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
+    DEFINES[var] = '"%s"' % CONFIG[var]
+
+test_ssl_path = '/security/manager/ssl/tests/unit'
+
+headers_arrays_certs = [
+    ('marketplace-prod-public.inc', 'marketplaceProdPublicRoot', 'marketplace-prod-public.crt'),
+    ('marketplace-prod-reviewers.inc', 'marketplaceProdReviewersRoot', 'marketplace-prod-reviewers.crt'),
+    ('marketplace-dev-public.inc', 'marketplaceDevPublicRoot', 'marketplace-dev-public.crt'),
+    ('marketplace-dev-reviewers.inc', 'marketplaceDevReviewersRoot', 'marketplace-dev-reviewers.crt'),
+    ('marketplace-stage.inc', 'marketplaceStageRoot', 'marketplace-stage.crt'),
+    ('manifest-signing-root.inc', 'trustedAppPublicRoot', 'trusted-app-public.der'),
+    ('manifest-signing-test-root.inc', 'trustedAppTestRoot', test_ssl_path + '/test_signed_manifest/trusted_ca1.der'),
+    ('xpcshell.inc', 'xpcshellRoot', test_ssl_path + '/test_signed_apps/trusted_ca1.der'),
+    ('addons-public.inc', 'addonsPublicRoot', 'addons-public.crt'),
+    ('addons-stage.inc', 'addonsStageRoot', 'addons-stage.crt'),
+    ('privileged-package-root.inc', 'privilegedPackageRoot', 'privileged-package-root.der'),
+]
+
+for header, array_name, cert in headers_arrays_certs:
+    GENERATED_FILES += [header]
+    h = GENERATED_FILES[header]
+    h.script = 'gen_cert_header.py:' + array_name
+    h.inputs = [cert]

security/manager/ssl/nsIX509CertDB.idl

@@ -234,11 +234,74 @@ interface nsIX509CertDB : nsISupports {
    */
   nsIX509Cert constructX509(in string certDER, in unsigned long length);
 
-  // Flags to indicate the type of cert root for signed extensions
-  // This can probably be removed eventually.
-  const AppTrustedRoot AddonsPublicRoot = 1;
-  const AppTrustedRoot AddonsStageRoot = 2;
-  const AppTrustedRoot PrivilegedPackageRoot = 3;
+  /**
+   *  Verifies the signature on the given JAR file to verify that it has a
+   *  valid signature.  To be considered valid, there must be exactly one
+   *  signature on the JAR file and that signature must have signed every
+   *  entry. Further, the signature must come from a certificate that
+   *  is trusted for code signing.
+   *
+   *  On success, NS_OK, a nsIZipReader, and the trusted certificate that
+   *  signed the JAR are returned.
+   *
+   *  On failure, an error code is returned.
+   *
+   *  This method returns a nsIZipReader, instead of taking an nsIZipReader
+   *  as input, to encourage users of the API to verify the signature as the
+   *  first step in opening the JAR.
+   */
+  const AppTrustedRoot AppMarketplaceProdPublicRoot = 1;
+  const AppTrustedRoot AppMarketplaceProdReviewersRoot = 2;
+  const AppTrustedRoot AppMarketplaceDevPublicRoot = 3;
+  const AppTrustedRoot AppMarketplaceDevReviewersRoot = 4;
+  const AppTrustedRoot AppMarketplaceStageRoot = 5;
+  const AppTrustedRoot AppXPCShellRoot = 6;
+  const AppTrustedRoot AddonsPublicRoot = 7;
+  const AppTrustedRoot AddonsStageRoot = 8;
+  const AppTrustedRoot PrivilegedPackageRoot = 9;
+  /*
+   * If DeveloperImportedRoot is set as trusted root, a CA from local file
+   * system will be imported. Only used when preference
+   * "network.http.packaged-apps-developer-mode" is set.
+   * The path of the CA is specified by preference
+   * "network.http.packaged-apps-developer-trusted-root".
+   */
+  const AppTrustedRoot DeveloperImportedRoot = 10;
+  void openSignedAppFileAsync(in AppTrustedRoot trustedRoot,
+                              in nsIFile aJarFile,
+                              in nsIOpenSignedAppFileCallback callback);
+
+  /**
+   *  Verifies the signature on a directory representing an unpacked signed
+   *  JAR file. To be considered valid, there must be exactly one signature
+   *  on the directory structure and that signature must have signed every
+   *  entry. Further, the signature must come from a certificate that
+   *  is trusted for code signing.
+   *
+   *  On success NS_OK and the trusted certificate that signed the
+   *  unpacked JAR are returned.
+   *
+   *  On failure, an error code is returned.
+   */
+  void verifySignedDirectoryAsync(in AppTrustedRoot trustedRoot,
+                                  in nsIFile aUnpackedDir,
+                                  in nsIVerifySignedDirectoryCallback callback);
+
+  /**
+   * Given streams containing a signature and a manifest file, verifies
+   * that the signature is valid for the manifest. The signature must
+   * come from a certificate that is trusted for code signing and that
+   * was issued by the given trusted root.
+   *
+   *  On success, NS_OK and the trusted certificate that signed the
+   *  Manifest are returned.
+   *
+   *  On failure, an error code is returned.
+   */
+  void verifySignedManifestAsync(in AppTrustedRoot trustedRoot,
+                                 in nsIInputStream aManifestStream,
+                                 in nsIInputStream aSignatureStream,
+                                 in nsIVerifySignedManifestCallback callback);
 
   /*
    * Add a cert to a cert DB from a binary string.

toolkit/toolkit.mozbuild

@@ -11,6 +11,8 @@ DIRS += [
     # Depends on NSS and NSPR, and must be built after sandbox or else B2G emulator
     # builds fail.
     '/security/certverifier',
+    # Depends on certverifier
+    '/security/apps',
 ]
 
 # the signing related bits of libmar depend on nss