Bug 1203787: When the add-on ID is longer than 64 characters compare the signing certificate's common name to the sha256 hash of the ID. r=dveditz
parent
41b50933ff
commit
61a49e191c
@ -1454,14 +1454,28 @@ function verifyZipSigning(aZip, aCertificate) {
|
||||
* Returns the signedState for a given return code and certificate by verifying
|
||||
* it against the expected ID.
|
||||
*/
|
||||
function getSignedStatus(aRv, aCert, aExpectedID) {
|
||||
function getSignedStatus(aRv, aCert, aAddonID) {
|
||||
let expectedCommonName = aAddonID;
|
||||
if (aAddonID.length > 64) {
|
||||
let converter = Cc["@mozilla.org/intl/scriptableunicodeconverter"].
|
||||
createInstance(Ci.nsIScriptableUnicodeConverter);
|
||||
converter.charset = "UTF-8";
|
||||
let data = converter.convertToByteArray(aAddonID, {});
|
||||
|
||||
let crypto = Cc["@mozilla.org/security/hash;1"].
|
||||
createInstance(Ci.nsICryptoHash);
|
||||
crypto.init(Ci.nsICryptoHash.SHA256);
|
||||
crypto.update(data, data.length);
|
||||
expectedCommonName = getHashStringForCrypto(crypto);
|
||||
}
|
||||
|
||||
switch (aRv) {
|
||||
case Cr.NS_OK:
|
||||
if (aExpectedID != aCert.commonName)
|
||||
if (expectedCommonName != aCert.commonName)
|
||||
return AddonManager.SIGNEDSTATE_BROKEN;
|
||||
|
||||
let hotfixID = Preferences.get(PREF_EM_HOTFIX_ID, undefined);
|
||||
if (hotfixID && hotfixID == aExpectedID && Preferences.get(PREF_EM_CERT_CHECKATTRIBUTES, false)) {
|
||||
if (hotfixID && hotfixID == aAddonID && Preferences.get(PREF_EM_CERT_CHECKATTRIBUTES, false)) {
|
||||
// The hotfix add-on has some more rigorous certificate checks
|
||||
try {
|
||||
CertUtils.validateCert(aCert,
|
||||
|
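Review bot: `aAddonID.length` is now read at the top of getSignedStatus, before `switch (aRv)`, so a call with a missing ID throws where the old code only compared `aExpectedID` with the common name inside the NS_OK case and returned SIGNEDSTATE_BROKEN. Whether any caller can pass an undefined ID is not visible in this hunk, so it is worth confirming; a guard such as `if (aAddonID && aAddonID.length > 64) {` keeps the earlier behaviour. Moving the hashing into the `case Cr.NS_OK:` branch would also avoid it for return codes that never look at the name. The doc comment above the function still says only that the certificate is verified against the expected ID; it should state that for IDs longer than 64 characters the common name must equal the SHA-256 hash of the UTF-8 encoded ID, and the literal 64 would read better as a named constant. The function body continues past the end of the hunk.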
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
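--- /dev/null
+++ b/toolkit/mozapps/extensions/test/xpcshell/test_signed_long.js
@@ -0,0 +1,51 @@
+const PREF_XPI_SIGNATURES_DEV_ROOT = "xpinstall.signatures.dev-root";
+
+// Disable update security
+Services.prefs.setBoolPref(PREF_EM_CHECK_UPDATE_SECURITY, false);
+
+// The test add-ons were signed by the dev root
+Services.prefs.setBoolPref(PREF_XPI_SIGNATURES_DEV_ROOT, true);
+
+const DATA = "data/signing_checks/";
+
+const ID_63 = "123456789012345678901234567890123456789012345@tests.mozilla.org"
+const ID_64 = "1234567890123456789012345678901234567890123456@tests.mozilla.org"
+const ID_65 = "12345678901234567890123456789012345678901234568@tests.mozilla.org"
+
+function run_test() {
+createAppInfo("xpcshell@tests.mozilla.org", "XPCShell", "1", "1");
+startupManager();
+
+run_next_test();
+}
+
+// Installs the cases that should be working
+add_task(function* test_working() {
+yield promiseInstallAllFiles([do_get_file(DATA + "long_63_plain.xpi"),
+do_get_file(DATA + "long_64_plain.xpi"),
+do_get_file(DATA + "long_65_hash.xpi")]);
+
+let addons = yield promiseAddonsByIDs([ID_63, ID_64, ID_65]);
+
+for (let addon of addons) {
+do_check_neq(addon, null);
+do_check_eq(addon.signedState, AddonManager.SIGNEDSTATE_SIGNED);
+
+addon.uninstall();
+}
+});
+
+// Installs the cases that should be broken
+add_task(function* test_broken() {
+yield promiseInstallAllFiles([do_get_file(DATA + "long_63_hash.xpi"),
+do_get_file(DATA + "long_64_hash.xpi")]);
+
+let addons = yield promiseAddonsByIDs([ID_63, ID_64]);
+
+for (let addon of addons) {
+do_check_neq(addon, null);
+do_check_eq(addon.signedState, AddonManager.SIGNEDSTATE_BROKEN);
+
+addon.uninstall();
+}
+});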
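Review bot: test_broken has no negative case for the hashed branch: the only 65-character fixture is `long_65_hash.xpi`, which is expected to pass, so nothing here shows that a long ID is rejected when the certificate's common name is the hash of some other ID. That mismatch is the case the new comparison in getSignedStatus exists to catch, so a fixture signed with a non-matching hash and asserted as `AddonManager.SIGNEDSTATE_BROKEN` would close the gap. The three `const ID_…` declarations also lack the terminating semicolon that the other statements in the file carry.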
@ -247,6 +247,8 @@ run-if = addon_signing
|
||||
[test_signed_install.js]
|
||||
run-if = addon_signing
|
||||
run-sequentially = Uses hardcoded ports in xpi files.
|
||||
[test_signed_long.js]
|
||||
run-if = addon_signing
|
||||
[test_signed_migrate.js]
|
||||
run-if = addon_signing
|
||||
[test_signed_multi.js]
|
||||
|
@ -28,7 +28,4 @@ skip-if = appname != "firefox"
|
||||
[test_XPIcancel.js]
|
||||
[test_XPIStates.js]
|
||||
|
||||
|
||||
|
||||
|
||||
[include:xpcshell-shared.ini]
|
||||
|