Bug 891066, part 2: Move CertVerifier to security/certverifier, r=keeler

--HG-- extra : rebase_source : dd59a391825b776b075e855660c2488105e2d741
2024-09-13 09:24:08 -07:00 · 2014-01-26 19:36:28 -08:00 · 2014-01-26 19:36:28 -08:00 · ab6d498dc5
commit ab6d498dc5
parent e3600ee3dd
14 changed files with 417 additions and 660 deletions
--- a/build/dumbmake-dependencies
+++ b/build/dumbmake-dependencies
@ -18,10 +18,9 @@ toolkit/library
  gfx
  toolkit/components/build
    toolkit/components
-  security/build
  security/manager
-  security/dbm
-  security/nss
+    security/certverifier
+      security/build
  accessible
  dom
  content
--- a/security/manager/ssl/src/CertVerifier.cpp
+++ b/security/manager/ssl/src/CertVerifier.cpp
@ -3,6 +3,7 @@
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

 #include "CertVerifier.h"
+#include "ExtendedValidation.h"
 #include "ScopedNSSTypes.h"
 #include "cert.h"
 #include "secerr.h"
@ -14,9 +15,6 @@ extern PRLogModuleInfo* gPIPNSSLog;

 namespace mozilla { namespace psm {

-extern SECStatus getFirstEVPolicy(CERTCertificate* cert, SECOidTag& outOidTag);
-extern CERTCertList* getRootsForOid(SECOidTag oid_tag);
-
 const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
 const CertVerifier::Flags CertVerifier::FLAG_NO_DV_FALLBACK_FOR_EV = 2;

@ -159,10 +157,10 @@ CertVerifier::VerifyCert(CERTCertificate* cert,

  // Do EV checking only for sslserver usage
  if (usage == certificateUsageSSLServer) {
-    SECStatus srv = getFirstEVPolicy(cert, evPolicy);
+    SECStatus srv = GetFirstEVPolicy(cert, evPolicy);
    if (srv == SECSuccess) {
      if (evPolicy != SEC_OID_UNKNOWN) {
-        trustAnchors = getRootsForOid(evPolicy);
+        trustAnchors = GetRootsForOid(evPolicy);
      }
      if (!trustAnchors) {
        return SECFailure;
--- a/security/manager/ssl/src/CertVerifier.h
+++ b/security/manager/ssl/src/CertVerifier.h
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
--- a/security/certverifier/ExtendedValidation.h
+++ b/security/certverifier/ExtendedValidation.h
@ -0,0 +1,23 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_psm_ExtendedValidation_h
+#define mozilla_psm_ExtendedValidation_h
+
+#include "certt.h"
+#include "prtypes.h"
+
+namespace mozilla { namespace psm {
+
+#ifndef NSS_NO_LIBPKIX
+void EnsureIdentityInfoLoaded();
+SECStatus GetFirstEVPolicy(CERTCertificate *cert, SECOidTag &outOidTag);
+CERTCertList* GetRootsForOid(SECOidTag oid_tag);
+void CleanupIdentityInfo();
+#endif
+
+} } // namespace mozilla::psm
+
+#endif // mozilla_psm_ExtendedValidation_h
--- a/security/certverifier/moz.build
+++ b/security/certverifier/moz.build
@ -0,0 +1,20 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+UNIFIED_SOURCES += [
+    'CertVerifier.cpp',
+]
+
+if not CONFIG['NSS_NO_LIBPKIX']:
+    UNIFIED_SOURCES += [
+        'ExtendedValidation.cpp',
+    ]
+
+LOCAL_INCLUDES += [
+    '../insanity/include',
+]
+
+FINAL_LIBRARY = 'xul'
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@ -97,6 +97,8 @@
 #include <cstring>

 #include "CertVerifier.h"
+#include "CryptoTask.h"
+#include "ExtendedValidation.h"
 #include "nsIBadCertListener2.h"
 #include "nsICertOverrideService.h"
 #include "nsISiteSecurityService.h"
@ -1343,33 +1345,16 @@ AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig, PRBool isServer)
 }

 #ifndef NSS_NO_LIBPKIX
-class InitializeIdentityInfo : public nsRunnable
-                             , public nsNSSShutDownObject
+class InitializeIdentityInfo : public CryptoTask
 {
-private:
-  NS_IMETHOD Run()
+  virtual nsresult CalculateResult() MOZ_OVERRIDE
  {
-    nsNSSShutDownPreventionLock nssShutdownPrevention;
-    if (isAlreadyShutDown())
-      return NS_OK;
-
-    nsresult rv;
-    nsCOMPtr<nsINSSComponent> inss = do_GetService(PSM_COMPONENT_CONTRACTID, &rv);
-    if (NS_SUCCEEDED(rv))
-      inss->EnsureIdentityInfoLoaded();
+    EnsureIdentityInfoLoaded();
    return NS_OK;
  }

-  virtual void virtualDestroyNSSReference()
-  {
-  }
-
-  ~InitializeIdentityInfo()
-  {
-    nsNSSShutDownPreventionLock nssShutdownPrevention;
-    if (!isAlreadyShutDown())
-      shutdown(calledFromObject);
-  }
+  virtual void ReleaseNSSResources() MOZ_OVERRIDE { } // no-op
+  virtual void CallCallback(nsresult rv) MOZ_OVERRIDE { } // no-op
 };
 #endif

--- a/security/manager/ssl/src/moz.build
+++ b/security/manager/ssl/src/moz.build
@ -16,7 +16,6 @@ EXPORTS.mozilla += [
 ]

 UNIFIED_SOURCES += [
-    'CertVerifier.cpp',
    'CryptoTask.cpp',
    'nsCertificatePrincipal.cpp',
    'nsCertOverrideService.cpp',
@ -27,7 +26,6 @@ UNIFIED_SOURCES += [
    'nsCMSSecureMessage.cpp',
    'nsCrypto.cpp',
    'nsDataSignatureVerifier.cpp',
-    'nsIdentityChecking.cpp',
    'nsKeygenHandler.cpp',
    'nsKeygenThread.cpp',
    'nsKeyModule.cpp',
@ -94,7 +92,8 @@ UNIFIED_SOURCES += [
 FINAL_LIBRARY = 'xul'

 LOCAL_INCLUDES += [
-	'../../../insanity/include',
+    '../../../certverifier',
+    '../../../insanity/include',
 ]


--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@ -9,6 +9,7 @@

 #include "nsNSSCertificate.h"
 #include "CertVerifier.h"
+#include "ExtendedValidation.h"
 #include "nsNSSComponent.h" // for PIPNSS string bundle calls.
 #include "nsNSSCleaner.h"
 #include "nsCOMPtr.h"
@ -1481,6 +1482,125 @@ char* nsNSSCertificate::defaultServerNickname(CERTCertificate* cert)
  return nickname;
 }

+#ifndef NSS_NO_LIBPKIX
+
+nsresult
+nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
+{
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown())
+    return NS_ERROR_NOT_AVAILABLE;
+
+  EnsureIdentityInfoLoaded();
+
+  RefPtr<mozilla::psm::SharedCertVerifier>
+    certVerifier(mozilla::psm::GetDefaultCertVerifier());
+  NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
+
+  validEV = false;
+  resultOidTag = SEC_OID_UNKNOWN;
+
+  uint32_t flags = mozilla::psm::CertVerifier::FLAG_LOCAL_ONLY |
+    mozilla::psm::CertVerifier::FLAG_NO_DV_FALLBACK_FOR_EV;
+  SECStatus rv = certVerifier->VerifyCert(mCert,
+    certificateUsageSSLServer, PR_Now(),
+    nullptr /* XXX pinarg */,
+    flags, nullptr, &resultOidTag);
+
+  if (rv != SECSuccess) {
+    resultOidTag = SEC_OID_UNKNOWN;
+  }
+  if (resultOidTag != SEC_OID_UNKNOWN) {
+    validEV = true;
+  }
+  return NS_OK;
+}
+
+nsresult
+nsNSSCertificate::getValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
+{
+  if (mCachedEVStatus != ev_status_unknown) {
+    validEV = (mCachedEVStatus == ev_status_valid);
+    if (validEV) {
+      resultOidTag = mCachedEVOidTag;
+    }
+    return NS_OK;
+  }
+
+  nsresult rv = hasValidEVOidTag(resultOidTag, validEV);
+  if (NS_SUCCEEDED(rv)) {
+    if (validEV) {
+      mCachedEVOidTag = resultOidTag;
+    }
+    mCachedEVStatus = validEV ? ev_status_valid : ev_status_invalid;
+  }
+  return rv;
+}
+
+#endif // NSS_NO_LIBPKIX
+
+NS_IMETHODIMP
+nsNSSCertificate::GetIsExtendedValidation(bool* aIsEV)
+{
+#ifdef NSS_NO_LIBPKIX
+  *aIsEV = false;
+  return NS_OK;
+#else
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  NS_ENSURE_ARG(aIsEV);
+  *aIsEV = false;
+
+  if (mCachedEVStatus != ev_status_unknown) {
+    *aIsEV = (mCachedEVStatus == ev_status_valid);
+    return NS_OK;
+  }
+
+  SECOidTag oid_tag;
+  return getValidEVOidTag(oid_tag, *aIsEV);
+#endif
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetValidEVPolicyOid(nsACString& outDottedOid)
+{
+  outDottedOid.Truncate();
+
+#ifndef NSS_NO_LIBPKIX
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  SECOidTag oid_tag;
+  bool valid;
+  nsresult rv = getValidEVOidTag(oid_tag, valid);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  if (valid) {
+    SECOidData* oid_data = SECOID_FindOIDByTag(oid_tag);
+    if (!oid_data) {
+      return NS_ERROR_FAILURE;
+    }
+
+    char* oid_str = CERT_GetOidString(&oid_data->oid);
+    if (!oid_str) {
+      return NS_ERROR_FAILURE;
+    }
+
+    outDottedOid.Assign(oid_str);
+    PR_smprintf_free(oid_str);
+  }
+#endif
+
+  return NS_OK;
+}
+
 NS_IMPL_ISUPPORTS1(nsNSSCertList, nsIX509CertList)

 nsNSSCertList::nsNSSCertList(CERTCertList* certList,
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@ -11,6 +11,7 @@
 #include "nsNSSCertificateDB.h"

 #include "CertVerifier.h"
+#include "ExtendedValidation.h"
 #include "nsNSSComponent.h"
 #include "mozilla/Base64.h"
 #include "nsCOMPtr.h"
@ -1698,13 +1699,8 @@ nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
    return NS_ERROR_NOT_AVAILABLE;
  }

-  nsresult rv;
 #ifndef NSS_NO_LIBPKIX
-  nsCOMPtr<nsINSSComponent> inss = do_GetService(PSM_COMPONENT_CONTRACTID, &rv);
-  if (NS_FAILED(rv)) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-  inss->EnsureIdentityInfoLoaded();
+  EnsureIdentityInfoLoaded();
 #endif

  nsCOMPtr<nsIX509Cert2> x509Cert = do_QueryInterface(aCert);
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@ -10,6 +10,7 @@

 #include "nsNSSComponent.h"

+#include "ExtendedValidation.h"
 #include "mozilla/Telemetry.h"
 #include "nsCertVerificationThread.h"
 #include "nsAppDirectoryServiceDefs.h"
@ -220,12 +221,6 @@ nsNSSComponent::nsNSSComponent()
  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::ctor\n"));
  mObserversRegistered = false;

-#ifndef NSS_NO_LIBPKIX
-  // In order to keep startup time lower, we delay loading and
-  // registering all identity data until first needed.
-  memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
-#endif
-
  NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!");
  ++mInstanceCount;
  mShutdownObjectList = nsNSSShutDownList::construct();
@ -904,12 +899,11 @@ setNonPkixOcspEnabled(int32_t ocspEnabled)
 {
  // Note: this preference is numeric vs boolean because previously we
  // supported more than two options.
+  CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
  if (!ocspEnabled) {
    CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
-    CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
  } else {
    CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
-    CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
  }
 }

--- a/security/manager/ssl/src/nsNSSComponent.h
+++ b/security/manager/ssl/src/nsNSSComponent.h
@ -107,10 +107,6 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports {
                           const nsAString& token) = 0;
 #endif

-#ifndef NSS_NO_LIBPKIX
-  NS_IMETHOD EnsureIdentityInfoLoaded() = 0;
-#endif
-
  NS_IMETHOD IsNSSInitialized(bool* initialized) = 0;

  virtual ::mozilla::TemporaryRef<mozilla::psm::SharedCertVerifier>
@ -175,9 +171,6 @@ public:
                                 const nsAString& token);
 #endif

-#ifndef NSS_NO_LIBPKIX
-  NS_IMETHOD EnsureIdentityInfoLoaded();
-#endif
  NS_IMETHOD IsNSSInitialized(bool* initialized);

  ::mozilla::TemporaryRef<mozilla::psm::SharedCertVerifier>
@ -189,7 +182,6 @@ private:

  void InstallLoadableRoots();
  void UnloadLoadableRoots();
-  void CleanupIdentityInfo();
  void setValidationOptions(bool isInitialSetting);
  nsresult setEnabledTLSVersions();
  nsresult InitializePIPNSSBundle();
@ -226,7 +218,6 @@ private:


  static PRStatus IdentityInfoInit(void);
-  PRCallOnceType mIdentityInfoCallOnce;
 };

 class nsNSSErrors
--- a/security/manager/ssl/src/nsSSLStatus.cpp
+++ b/security/manager/ssl/src/nsSSLStatus.cpp
@ -7,6 +7,7 @@
 #include "nsSSLStatus.h"
 #include "plstr.h"
 #include "nsIClassInfoImpl.h"
+#include "nsIIdentityInfo.h"
 #include "nsIProgrammingLanguage.h"
 #include "nsIObjectOutputStream.h"
 #include "nsIObjectInputStream.h"
@ -88,6 +89,39 @@ nsSSLStatus::GetIsUntrusted(bool* _result)
  return NS_OK;
 }

+NS_IMETHODIMP
+nsSSLStatus::GetIsExtendedValidation(bool* aIsEV)
+{
+  NS_ENSURE_ARG_POINTER(aIsEV);
+  *aIsEV = false;
+
+#ifdef NSS_NO_LIBPKIX
+  return NS_OK;
+#else
+  nsCOMPtr<nsIX509Cert> cert = mServerCert;
+  nsresult rv;
+  nsCOMPtr<nsIIdentityInfo> idinfo = do_QueryInterface(cert, &rv);
+
+  // mServerCert should never be null when this method is called because
+  // nsSSLStatus objects always have mServerCert set right after they are
+  // constructed and before they are returned. GetIsExtendedValidation should
+  // only be called in the chrome process (in e10s), and mServerCert will always
+  // implement nsIIdentityInfo in the chrome process.
+  if (!idinfo) {
+    NS_ERROR("nsSSLStatus has null mServerCert or was called in the content "
+             "process");
+    return NS_ERROR_UNEXPECTED;
+  }
+
+  // Never allow bad certs for EV, regardless of overrides.
+  if (mHaveCertErrorBits) {
+    return NS_OK;
+  }
+
+  return idinfo->GetIsExtendedValidation(aIsEV);
+#endif
+}
+
 NS_IMETHODIMP
 nsSSLStatus::Read(nsIObjectInputStream* stream)
 {
--- a/toolkit/toolkit.mozbuild
+++ b/toolkit/toolkit.mozbuild
@ -20,6 +20,10 @@ if CONFIG['COMPILE_ENVIRONMENT']:
 if CONFIG['MOZ_CONTENT_SANDBOX']:
    add_tier_dir('sandbox', 'security/sandbox')

+# Depends on NSS and NSPR, and must be built after sandbox or else B2G emulator
+# builds fail.
+add_tier_dir('platform', 'security/certverifier')
+
 # the signing related bits of libmar depend on nss
 if CONFIG['MOZ_UPDATER']:
    add_tier_dir('platform', 'modules/libmar')