2012-11-15 03:31:39 +04:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
|
|
|
/* vim: set ts=2 et sw=2 tw=80: */
|
|
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
|
|
#include "nsNSSCertificateDB.h"
|
|
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
#include "AppTrustDomain.h"
|
2016-04-09 11:03:59 +03:00
|
|
|
#include "CryptoTask.h"
|
|
|
|
|
#include "NSSCertDBTrustDomain.h"
|
|
|
|
|
#include "ScopedNSSTypes.h"
|
2017-10-24 23:18:14 +03:00
|
|
|
#include "SharedCertVerifier.h"
|
2015-04-13 08:57:48 +03:00
|
|
|
#include "certdb.h"
|
2017-10-24 23:18:14 +03:00
|
|
|
#include "cms.h"
|
2017-03-17 18:31:40 +03:00
|
|
|
#include "mozilla/Base64.h"
|
2016-05-19 07:20:56 +03:00
|
|
|
#include "mozilla/Casting.h"
|
2016-04-09 11:03:59 +03:00
|
|
|
#include "mozilla/Logging.h"
|
2017-11-29 01:24:11 +03:00
|
|
|
#include "mozilla/Preferences.h"
|
2015-10-18 08:24:48 +03:00
|
|
|
#include "mozilla/RefPtr.h"
|
2015-04-13 08:57:48 +03:00
|
|
|
#include "mozilla/UniquePtr.h"
|
2017-10-24 23:18:14 +03:00
|
|
|
#include "mozilla/Unused.h"
|
2012-11-15 03:31:39 +04:00
|
|
|
#include "nsCOMPtr.h"
|
2016-04-09 11:03:59 +03:00
|
|
|
#include "nsComponentManagerUtils.h"
|
2017-03-17 18:31:40 +03:00
|
|
|
#include "nsDependentString.h"
|
2012-11-15 03:31:39 +04:00
|
|
|
#include "nsHashKeys.h"
|
2016-04-09 11:03:59 +03:00
|
|
|
#include "nsIDirectoryEnumerator.h"
|
2012-11-15 03:31:39 +04:00
|
|
|
#include "nsIFile.h"
|
2014-09-22 18:58:59 +04:00
|
|
|
#include "nsIFileStreams.h"
|
2012-11-15 03:31:39 +04:00
|
|
|
#include "nsIInputStream.h"
|
|
|
|
|
#include "nsIStringEnumerator.h"
|
|
|
|
|
#include "nsIZipReader.h"
|
|
|
|
|
#include "nsNSSCertificate.h"
|
2016-04-09 11:03:59 +03:00
|
|
|
#include "nsNetUtil.h"
|
2013-05-09 23:43:25 +04:00
|
|
|
#include "nsProxyRelease.h"
|
2012-11-15 03:31:39 +04:00
|
|
|
#include "nsString.h"
|
|
|
|
|
#include "nsTHashtable.h"
|
2015-04-13 08:57:48 +03:00
|
|
|
#include "pkix/pkix.h"
|
|
|
|
|
#include "pkix/pkixnss.h"
|
2016-04-09 11:03:59 +03:00
|
|
|
#include "plstr.h"
|
2015-04-13 08:57:48 +03:00
|
|
|
#include "secmime.h"
|
|
|
|
|
|
2012-11-15 03:31:39 +04:00
|
|
|
|
2014-03-21 01:29:21 +04:00
|
|
|
using namespace mozilla::pkix;
|
2012-11-15 03:31:39 +04:00
|
|
|
using namespace mozilla;
|
2014-02-15 02:37:07 +04:00
|
|
|
using namespace mozilla::psm;
|
2012-11-15 03:31:39 +04:00
|
|
|
|
2016-01-28 21:36:00 +03:00
|
|
|
extern mozilla::LazyLogModule gPIPNSSLog;
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
namespace {
|
|
|
|
|
|
2017-10-09 23:53:23 +03:00
|
|
|
// A convenient way to pair the bytes of a digest with the algorithm that
|
|
|
|
|
// purportedly produced those bytes. Only SHA-1 and SHA-256 are supported.
|
|
|
|
|
struct DigestWithAlgorithm
|
|
|
|
|
{
|
|
|
|
|
nsresult ValidateLength() const
|
|
|
|
|
{
|
|
|
|
|
size_t hashLen;
|
|
|
|
|
switch (mAlgorithm) {
|
|
|
|
|
case SEC_OID_SHA256:
|
|
|
|
|
hashLen = SHA256_LENGTH;
|
|
|
|
|
break;
|
|
|
|
|
case SEC_OID_SHA1:
|
|
|
|
|
hashLen = SHA1_LENGTH;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
MOZ_ASSERT_UNREACHABLE(
|
|
|
|
|
"unsupported hash type in DigestWithAlgorithm::ValidateLength");
|
|
|
|
|
return NS_ERROR_FAILURE;
|
|
|
|
|
}
|
|
|
|
|
if (mDigest.Length() != hashLen) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsAutoCString mDigest;
|
|
|
|
|
SECOidTag mAlgorithm;
|
|
|
|
|
};
|
|
|
|
|
|
2017-03-17 18:31:40 +03:00
|
|
|
// The digest must have a lifetime greater than or equal to the returned string.
|
|
|
|
|
inline nsDependentCSubstring
|
|
|
|
|
DigestToDependentString(const Digest& digest)
|
|
|
|
|
{
|
|
|
|
|
return nsDependentCSubstring(
|
|
|
|
|
BitwiseCast<char*, unsigned char*>(digest.get().data),
|
|
|
|
|
digest.get().len);
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-20 07:13:47 +04:00
|
|
|
// Reads a maximum of 1MB from a stream into the supplied buffer.
|
|
|
|
|
// The reason for the 1MB limit is because this function is used to read
|
|
|
|
|
// signature-related files and we want to avoid OOM. The uncompressed length of
|
|
|
|
|
// an entry can be hundreds of times larger than the compressed version,
|
|
|
|
|
// especially if someone has specifically crafted the entry to cause OOM or to
|
|
|
|
|
// consume massive amounts of disk space.
|
|
|
|
|
//
|
|
|
|
|
// @param stream The input stream to read from.
|
|
|
|
|
// @param buf The buffer that we read the stream into, which must have
|
|
|
|
|
// already been allocated.
|
|
|
|
|
nsresult
|
|
|
|
|
ReadStream(const nsCOMPtr<nsIInputStream>& stream, /*out*/ SECItem& buf)
|
|
|
|
|
{
|
|
|
|
|
// The size returned by Available() might be inaccurate so we need
|
|
|
|
|
// to check that Available() matches up with the actual length of
|
|
|
|
|
// the file.
|
|
|
|
|
uint64_t length;
|
|
|
|
|
nsresult rv = stream->Available(&length);
|
|
|
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Cap the maximum accepted size of signature-related files at 1MB (which is
|
|
|
|
|
// still crazily huge) to avoid OOM. The uncompressed length of an entry can be
|
|
|
|
|
// hundreds of times larger than the compressed version, especially if
|
|
|
|
|
// someone has speifically crafted the entry to cause OOM or to consume
|
|
|
|
|
// massive amounts of disk space.
|
|
|
|
|
static const uint32_t MAX_LENGTH = 1024 * 1024;
|
|
|
|
|
if (length > MAX_LENGTH) {
|
|
|
|
|
return NS_ERROR_FILE_TOO_BIG;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// With bug 164695 in mind we +1 to leave room for null-terminating
|
|
|
|
|
// the buffer.
|
|
|
|
|
SECITEM_AllocItem(buf, static_cast<uint32_t>(length + 1));
|
|
|
|
|
|
|
|
|
|
// buf.len == length + 1. We attempt to read length + 1 bytes
|
|
|
|
|
// instead of length, so that we can check whether the metadata for
|
|
|
|
|
// the entry is incorrect.
|
|
|
|
|
uint32_t bytesRead;
|
2016-09-08 15:46:26 +03:00
|
|
|
rv = stream->Read(BitwiseCast<char*, unsigned char*>(buf.data), buf.len,
|
|
|
|
|
&bytesRead);
|
2014-09-20 07:13:47 +04:00
|
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
if (bytesRead != length) {
|
|
|
|
|
return NS_ERROR_FILE_CORRUPTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
buf.data[buf.len - 1] = 0; // null-terminate
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 21:21:00 +03:00
|
|
|
// Finds exactly one (signature metadata) JAR entry that matches the given
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
// search pattern, and then loads it. Fails if there are no matches or if
|
|
|
|
|
// there is more than one match. If bufDigest is not null then on success
|
2017-10-09 23:53:23 +03:00
|
|
|
// bufDigest will contain the digeset of the entry using the given digest
|
|
|
|
|
// algorithm.
|
2012-11-15 03:31:39 +04:00
|
|
|
nsresult
|
2017-10-09 23:53:23 +03:00
|
|
|
FindAndLoadOneEntry(nsIZipReader* zip,
|
|
|
|
|
const nsACString& searchPattern,
|
|
|
|
|
/*out*/ nsACString& filename,
|
|
|
|
|
/*out*/ SECItem& buf,
|
|
|
|
|
/*optional, in*/ SECOidTag digestAlgorithm = SEC_OID_SHA1,
|
|
|
|
|
/*optional, out*/ Digest* bufDigest = nullptr)
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
|
|
|
|
nsCOMPtr<nsIUTF8StringEnumerator> files;
|
|
|
|
|
nsresult rv = zip->FindEntries(searchPattern, getter_AddRefs(files));
|
|
|
|
|
if (NS_FAILED(rv) || !files) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool more;
|
|
|
|
|
rv = files->HasMore(&more);
|
|
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
if (!more) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rv = files->GetNext(filename);
|
|
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
|
|
|
|
|
// Check if there is more than one match, if so then error!
|
|
|
|
|
rv = files->HasMore(&more);
|
|
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
if (more) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsCOMPtr<nsIInputStream> stream;
|
|
|
|
|
rv = zip->GetInputStream(filename, getter_AddRefs(stream));
|
|
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
|
2014-09-20 07:13:47 +04:00
|
|
|
rv = ReadStream(stream, buf);
|
|
|
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
2012-11-15 03:31:39 +04:00
|
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (bufDigest) {
|
2017-10-09 23:53:23 +03:00
|
|
|
rv = bufDigest->DigestBuf(digestAlgorithm, buf.data, buf.len - 1);
|
2012-11-15 03:31:39 +04:00
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify the digest of an entry. We avoid loading the entire entry into memory
|
|
|
|
|
// at once, which would require memory in proportion to the size of the largest
|
|
|
|
|
// entry. Instead, we require only a small, fixed amount of memory.
|
|
|
|
|
//
|
2015-05-05 21:21:00 +03:00
|
|
|
// @param stream an input stream from a JAR entry or file depending on whether
|
|
|
|
|
// it is from a signed archive or unpacked into a directory
|
2012-11-15 03:31:39 +04:00
|
|
|
// @param digestFromManifest The digest that we're supposed to check the file's
|
|
|
|
|
// contents against, from the manifest
|
|
|
|
|
// @param buf A scratch buffer that we use for doing the I/O, which must have
|
|
|
|
|
// already been allocated. The size of this buffer is the unit
|
|
|
|
|
// size of our I/O.
|
|
|
|
|
nsresult
|
2015-05-05 21:21:00 +03:00
|
|
|
VerifyStreamContentDigest(nsIInputStream* stream,
|
2017-10-09 23:53:23 +03:00
|
|
|
const DigestWithAlgorithm& digestFromManifest,
|
|
|
|
|
SECItem& buf)
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
|
|
|
|
MOZ_ASSERT(buf.len > 0);
|
2017-10-09 23:53:23 +03:00
|
|
|
nsresult rv = digestFromManifest.ValidateLength();
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
2017-03-17 18:31:40 +03:00
|
|
|
}
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
uint64_t len64;
|
|
|
|
|
rv = stream->Available(&len64);
|
|
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
if (len64 > UINT32_MAX) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_TOO_LARGE;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-09 23:53:23 +03:00
|
|
|
UniquePK11Context digestContext(
|
|
|
|
|
PK11_CreateDigestContext(digestFromManifest.mAlgorithm));
|
2012-11-15 03:31:39 +04:00
|
|
|
if (!digestContext) {
|
2014-05-29 02:28:03 +04:00
|
|
|
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
|
2012-11-15 03:31:39 +04:00
|
|
|
}
|
|
|
|
|
|
2016-05-13 15:53:57 +03:00
|
|
|
rv = MapSECStatus(PK11_DigestBegin(digestContext.get()));
|
2012-11-15 03:31:39 +04:00
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
|
|
|
|
|
uint64_t totalBytesRead = 0;
|
|
|
|
|
for (;;) {
|
|
|
|
|
uint32_t bytesRead;
|
2016-09-08 15:46:26 +03:00
|
|
|
rv = stream->Read(BitwiseCast<char*, unsigned char*>(buf.data), buf.len,
|
|
|
|
|
&bytesRead);
|
2012-11-15 03:31:39 +04:00
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
|
|
|
|
|
if (bytesRead == 0) {
|
|
|
|
|
break; // EOF
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
totalBytesRead += bytesRead;
|
|
|
|
|
if (totalBytesRead >= UINT32_MAX) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_TOO_LARGE;
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-13 15:53:57 +03:00
|
|
|
rv = MapSECStatus(PK11_DigestOp(digestContext.get(), buf.data, bytesRead));
|
2012-11-15 03:31:39 +04:00
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (totalBytesRead != len64) {
|
|
|
|
|
// The metadata we used for Available() doesn't match the actual size of
|
|
|
|
|
// the entry.
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify that the digests match.
|
|
|
|
|
Digest digest;
|
2017-10-09 23:53:23 +03:00
|
|
|
rv = digest.End(digestFromManifest.mAlgorithm, digestContext);
|
2012-11-15 03:31:39 +04:00
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
|
2017-03-17 18:31:40 +03:00
|
|
|
nsDependentCSubstring digestStr(DigestToDependentString(digest));
|
2017-10-09 23:53:23 +03:00
|
|
|
if (!digestStr.Equals(digestFromManifest.mDigest)) {
|
2012-11-15 03:31:39 +04:00
|
|
|
return NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 21:21:00 +03:00
|
|
|
nsresult
|
|
|
|
|
VerifyEntryContentDigest(nsIZipReader* zip, const nsACString& aFilename,
|
2017-10-09 23:53:23 +03:00
|
|
|
const DigestWithAlgorithm& digestFromManifest,
|
|
|
|
|
SECItem& buf)
|
2015-05-05 21:21:00 +03:00
|
|
|
{
|
|
|
|
|
nsCOMPtr<nsIInputStream> stream;
|
|
|
|
|
nsresult rv = zip->GetInputStream(aFilename, getter_AddRefs(stream));
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return VerifyStreamContentDigest(stream, digestFromManifest, buf);
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-15 03:31:39 +04:00
|
|
|
// On input, nextLineStart is the start of the current line. On output,
|
|
|
|
|
// nextLineStart is the start of the next line.
|
|
|
|
|
nsresult
|
|
|
|
|
ReadLine(/*in/out*/ const char* & nextLineStart, /*out*/ nsCString & line,
|
|
|
|
|
bool allowContinuations = true)
|
|
|
|
|
{
|
|
|
|
|
line.Truncate();
|
2013-05-17 05:45:30 +04:00
|
|
|
size_t previousLength = 0;
|
|
|
|
|
size_t currentLength = 0;
|
2012-11-15 03:31:39 +04:00
|
|
|
for (;;) {
|
|
|
|
|
const char* eol = PL_strpbrk(nextLineStart, "\r\n");
|
|
|
|
|
|
|
|
|
|
if (!eol) { // Reached end of file before newline
|
2013-05-08 07:40:12 +04:00
|
|
|
eol = nextLineStart + strlen(nextLineStart);
|
2012-11-15 03:31:39 +04:00
|
|
|
}
|
|
|
|
|
|
2013-05-17 05:45:30 +04:00
|
|
|
previousLength = currentLength;
|
2012-11-15 03:31:39 +04:00
|
|
|
line.Append(nextLineStart, eol - nextLineStart);
|
2013-05-17 05:45:30 +04:00
|
|
|
currentLength = line.Length();
|
|
|
|
|
|
|
|
|
|
// The spec says "No line may be longer than 72 bytes (not characters)"
|
|
|
|
|
// in its UTF8-encoded form.
|
|
|
|
|
static const size_t lineLimit = 72;
|
|
|
|
|
if (currentLength - previousLength > lineLimit) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The spec says: "Implementations should support 65535-byte
|
|
|
|
|
// (not character) header values..."
|
|
|
|
|
if (currentLength > 65535) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
if (*eol == '\r') {
|
|
|
|
|
++eol;
|
|
|
|
|
}
|
|
|
|
|
if (*eol == '\n') {
|
|
|
|
|
++eol;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nextLineStart = eol;
|
|
|
|
|
|
|
|
|
|
if (*eol != ' ') {
|
|
|
|
|
// not a continuation
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// continuation
|
|
|
|
|
if (!allowContinuations) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
++nextLineStart; // skip space and keep appending
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The header strings are defined in the JAR specification.
|
|
|
|
|
#define JAR_MF_SEARCH_STRING "(M|/M)ETA-INF/(M|m)(ANIFEST|anifest).(MF|mf)$"
|
|
|
|
|
#define JAR_SF_SEARCH_STRING "(M|/M)ETA-INF/*.(SF|sf)$"
|
|
|
|
|
#define JAR_RSA_SEARCH_STRING "(M|/M)ETA-INF/*.(RSA|rsa)$"
|
2015-05-05 21:21:00 +03:00
|
|
|
#define JAR_META_DIR "META-INF"
|
2013-08-22 11:38:57 +04:00
|
|
|
#define JAR_MF_HEADER "Manifest-Version: 1.0"
|
|
|
|
|
#define JAR_SF_HEADER "Signature-Version: 1.0"
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
nsresult
|
|
|
|
|
ParseAttribute(const nsAutoCString & curLine,
|
|
|
|
|
/*out*/ nsAutoCString & attrName,
|
|
|
|
|
/*out*/ nsAutoCString & attrValue)
|
|
|
|
|
{
|
|
|
|
|
// Find the colon that separates the name from the value.
|
|
|
|
|
int32_t colonPos = curLine.FindChar(':');
|
|
|
|
|
if (colonPos == kNotFound) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// set attrName to the name, skipping spaces between the name and colon
|
|
|
|
|
int32_t nameEnd = colonPos;
|
|
|
|
|
for (;;) {
|
|
|
|
|
if (nameEnd == 0) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; // colon with no name
|
|
|
|
|
}
|
|
|
|
|
if (curLine[nameEnd - 1] != ' ')
|
|
|
|
|
break;
|
|
|
|
|
--nameEnd;
|
|
|
|
|
}
|
|
|
|
|
curLine.Left(attrName, nameEnd);
|
|
|
|
|
|
|
|
|
|
// Set attrValue to the value, skipping spaces between the colon and the
|
|
|
|
|
// value. The value may be empty.
|
|
|
|
|
int32_t valueStart = colonPos + 1;
|
|
|
|
|
int32_t curLineLength = curLine.Length();
|
|
|
|
|
while (valueStart != curLineLength && curLine[valueStart] == ' ') {
|
|
|
|
|
++valueStart;
|
|
|
|
|
}
|
|
|
|
|
curLine.Right(attrValue, curLineLength - valueStart);
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parses the version line of the MF or SF header.
|
|
|
|
|
nsresult
|
|
|
|
|
CheckManifestVersion(const char* & nextLineStart,
|
|
|
|
|
const nsACString & expectedHeader)
|
|
|
|
|
{
|
|
|
|
|
// The JAR spec says: "Manifest-Version and Signature-Version must be first,
|
|
|
|
|
// and in exactly that case (so that they can be recognized easily as magic
|
|
|
|
|
// strings)."
|
|
|
|
|
nsAutoCString curLine;
|
|
|
|
|
nsresult rv = ReadLine(nextLineStart, curLine, false);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
if (!curLine.Equals(expectedHeader)) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-09 23:53:23 +03:00
|
|
|
// Parses a signature file (SF) based on the JDK 8 JAR Specification.
|
2012-11-15 03:31:39 +04:00
|
|
|
//
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
// The SF file must contain a SHA*-Digest-Manifest attribute in the main
|
|
|
|
|
// section (where the * is either 1 or 256, depending on the given digest
|
|
|
|
|
// algorithm). All other sections are ignored. This means that this will NOT
|
|
|
|
|
// parse old-style signature files that have separate digests per entry.
|
2012-11-15 03:31:39 +04:00
|
|
|
// The JDK8 x-Digest-Manifest variant is better because:
|
|
|
|
|
//
|
|
|
|
|
// (1) It allows us to follow the principle that we should minimize the
|
|
|
|
|
// processing of data that we do before we verify its signature. In
|
|
|
|
|
// particular, with the x-Digest-Manifest style, we can verify the digest
|
|
|
|
|
// of MANIFEST.MF before we parse it, which prevents malicious JARs
|
|
|
|
|
// exploiting our MANIFEST.MF parser.
|
|
|
|
|
// (2) It is more time-efficient and space-efficient to have one
|
|
|
|
|
// x-Digest-Manifest instead of multiple x-Digest values.
|
|
|
|
|
//
|
|
|
|
|
// filebuf must be null-terminated. On output, mfDigest will contain the
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
// decoded value of the appropriate SHA*-DigestManifest, if found.
|
2012-11-15 03:31:39 +04:00
|
|
|
nsresult
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
ParseSF(const char* filebuf, SECOidTag digestAlgorithm,
|
|
|
|
|
/*out*/ nsAutoCString& mfDigest)
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
const char* digestNameToFind = nullptr;
|
|
|
|
|
switch (digestAlgorithm) {
|
|
|
|
|
case SEC_OID_SHA256:
|
|
|
|
|
digestNameToFind = "sha256-digest-manifest";
|
|
|
|
|
break;
|
|
|
|
|
case SEC_OID_SHA1:
|
|
|
|
|
digestNameToFind = "sha1-digest-manifest";
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
MOZ_ASSERT_UNREACHABLE("bad argument to ParseSF");
|
|
|
|
|
return NS_ERROR_FAILURE;
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-15 03:31:39 +04:00
|
|
|
const char* nextLineStart = filebuf;
|
2017-03-17 18:31:40 +03:00
|
|
|
nsresult rv = CheckManifestVersion(nextLineStart,
|
|
|
|
|
NS_LITERAL_CSTRING(JAR_SF_HEADER));
|
|
|
|
|
if (NS_FAILED(rv)) {
|
2012-11-15 03:31:39 +04:00
|
|
|
return rv;
|
2017-03-17 18:31:40 +03:00
|
|
|
}
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
nsAutoCString curLine;
|
|
|
|
|
rv = ReadLine(nextLineStart, curLine);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (curLine.Length() == 0) {
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
// End of main section (blank line or end-of-file). We didn't find the
|
|
|
|
|
// SHA*-Digest-Manifest we were looking for.
|
2012-11-15 03:31:39 +04:00
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsAutoCString attrName;
|
|
|
|
|
nsAutoCString attrValue;
|
|
|
|
|
rv = ParseAttribute(curLine, attrName, attrValue);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
if (attrName.EqualsIgnoreCase(digestNameToFind)) {
|
|
|
|
|
rv = Base64Decode(attrValue, mfDigest);
|
2012-11-15 03:31:39 +04:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-09 23:53:23 +03:00
|
|
|
// There could be multiple SHA*-Digest-Manifest attributes, which
|
2012-11-15 03:31:39 +04:00
|
|
|
// would be an error, but it's better to just skip any erroneous
|
|
|
|
|
// duplicate entries rather than trying to detect them, because:
|
|
|
|
|
//
|
|
|
|
|
// (1) It's simpler, and simpler generally means more secure
|
|
|
|
|
// (2) An attacker can't make us accept a JAR we would otherwise
|
2017-10-09 23:53:23 +03:00
|
|
|
// reject just by adding additional SHA*-Digest-Manifest
|
2012-11-15 03:31:39 +04:00
|
|
|
// attributes.
|
2017-10-09 23:53:23 +03:00
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-15 03:31:39 +04:00
|
|
|
// ignore unrecognized attributes
|
|
|
|
|
}
|
|
|
|
|
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
MOZ_ASSERT_UNREACHABLE("somehow exited loop in ParseSF without returning");
|
|
|
|
|
return NS_ERROR_FAILURE;
|
2012-11-15 03:31:39 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parses MANIFEST.MF. The filenames of all entries will be returned in
|
|
|
|
|
// mfItems. buf must be a pre-allocated scratch buffer that is used for doing
|
2017-10-09 23:53:23 +03:00
|
|
|
// I/O. Each file's contents are verified against the entry in the manifest with
|
|
|
|
|
// the digest algorithm that matches the given one. This algorithm comes from
|
|
|
|
|
// the signature file. If the signature file has a SHA-256 digest, then SHA-256
|
|
|
|
|
// entries must be present in the manifest file. If the signature file only has
|
|
|
|
|
// a SHA-1 digest, then only SHA-1 digests will be used in the manifest file.
|
2012-11-15 03:31:39 +04:00
|
|
|
nsresult
|
2017-10-09 23:53:23 +03:00
|
|
|
ParseMF(const char* filebuf, nsIZipReader* zip, SECOidTag digestAlgorithm,
|
|
|
|
|
/*out*/ nsTHashtable<nsCStringHashKey>& mfItems, ScopedAutoSECItem& buf)
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
2017-10-09 23:53:23 +03:00
|
|
|
const char* digestNameToFind = nullptr;
|
|
|
|
|
switch (digestAlgorithm) {
|
|
|
|
|
case SEC_OID_SHA256:
|
|
|
|
|
digestNameToFind = "sha256-digest";
|
|
|
|
|
break;
|
|
|
|
|
case SEC_OID_SHA1:
|
|
|
|
|
digestNameToFind = "sha1-digest";
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
MOZ_ASSERT_UNREACHABLE("bad argument to ParseMF");
|
|
|
|
|
return NS_ERROR_FAILURE;
|
|
|
|
|
}
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
const char* nextLineStart = filebuf;
|
2017-10-09 23:53:23 +03:00
|
|
|
nsresult rv = CheckManifestVersion(nextLineStart,
|
|
|
|
|
NS_LITERAL_CSTRING(JAR_MF_HEADER));
|
2012-11-15 03:31:39 +04:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Skip the rest of the header section, which ends with a blank line.
|
|
|
|
|
{
|
|
|
|
|
nsAutoCString line;
|
|
|
|
|
do {
|
|
|
|
|
rv = ReadLine(nextLineStart, line);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
} while (line.Length() > 0);
|
|
|
|
|
|
|
|
|
|
// Manifest containing no file entries is OK, though useless.
|
|
|
|
|
if (*nextLineStart == '\0') {
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsAutoCString curItemName;
|
2017-03-17 18:31:40 +03:00
|
|
|
nsAutoCString digest;
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
nsAutoCString curLine;
|
|
|
|
|
rv = ReadLine(nextLineStart, curLine);
|
2017-10-09 23:53:23 +03:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
if (curLine.Length() == 0) {
|
|
|
|
|
// end of section (blank line or end-of-file)
|
|
|
|
|
|
|
|
|
|
if (curItemName.Length() == 0) {
|
|
|
|
|
// '...Each section must start with an attribute with the name as
|
|
|
|
|
// "Name",...', so every section must have a Name attribute.
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-17 18:31:40 +03:00
|
|
|
if (digest.IsEmpty()) {
|
2012-11-15 03:31:39 +04:00
|
|
|
// We require every entry to have a digest, since we require every
|
|
|
|
|
// entry to be signed and we don't allow duplicate entries.
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (mfItems.Contains(curItemName)) {
|
|
|
|
|
// Duplicate entry
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify that the entry's content digest matches the digest from this
|
|
|
|
|
// MF section.
|
2017-10-09 23:53:23 +03:00
|
|
|
DigestWithAlgorithm digestWithAlgorithm = { digest, digestAlgorithm };
|
|
|
|
|
rv = VerifyEntryContentDigest(zip, curItemName, digestWithAlgorithm, buf);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
2012-11-15 03:31:39 +04:00
|
|
|
return rv;
|
2017-10-09 23:53:23 +03:00
|
|
|
}
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
mfItems.PutEntry(curItemName);
|
|
|
|
|
|
2017-10-09 23:53:23 +03:00
|
|
|
if (*nextLineStart == '\0') {
|
|
|
|
|
// end-of-file
|
2012-11-15 03:31:39 +04:00
|
|
|
break;
|
2017-10-09 23:53:23 +03:00
|
|
|
}
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
// reset so we know we haven't encountered either of these for the next
|
|
|
|
|
// item yet.
|
|
|
|
|
curItemName.Truncate();
|
2017-03-17 18:31:40 +03:00
|
|
|
digest.Truncate();
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
continue; // skip the rest of the loop below
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsAutoCString attrName;
|
|
|
|
|
nsAutoCString attrValue;
|
|
|
|
|
rv = ParseAttribute(curLine, attrName, attrValue);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Lines to look for:
|
|
|
|
|
|
|
|
|
|
// (1) Digest:
|
2017-10-09 23:53:23 +03:00
|
|
|
if (attrName.EqualsIgnoreCase(digestNameToFind)) {
|
|
|
|
|
if (!digest.IsEmpty()) { // multiple SHA* digests in section
|
2012-11-15 03:31:39 +04:00
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
2017-03-17 18:31:40 +03:00
|
|
|
}
|
2012-11-15 03:31:39 +04:00
|
|
|
|
2017-03-17 18:31:40 +03:00
|
|
|
rv = Base64Decode(attrValue, digest);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
2012-11-15 03:31:39 +04:00
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
2017-03-17 18:31:40 +03:00
|
|
|
}
|
2012-11-15 03:31:39 +04:00
|
|
|
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// (2) Name: associates this manifest section with a file in the jar.
|
2017-10-09 23:53:23 +03:00
|
|
|
if (attrName.LowerCaseEqualsLiteral("name")) {
|
2012-11-15 03:31:39 +04:00
|
|
|
if (MOZ_UNLIKELY(curItemName.Length() > 0)) // multiple names in section
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
|
|
|
|
|
if (MOZ_UNLIKELY(attrValue.Length() == 0))
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
|
|
|
|
|
curItemName = attrValue;
|
|
|
|
|
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// (3) Magic: the only other must-understand attribute
|
|
|
|
|
if (attrName.LowerCaseEqualsLiteral("magic")) {
|
|
|
|
|
// We don't understand any magic, so we can't verify an entry that
|
|
|
|
|
// requires magic. Since we require every entry to have a valid
|
|
|
|
|
// signature, we have no choice but to reject the entry.
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// unrecognized attributes must be ignored
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
nsresult
|
2017-10-24 23:32:02 +03:00
|
|
|
VerifyCertificate(CERTCertificate* signerCert, AppTrustedRoot trustedRoot,
|
|
|
|
|
/*out*/ UniqueCERTCertList& builtChain)
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
2017-10-24 23:32:02 +03:00
|
|
|
if (NS_WARN_IF(!signerCert)) {
|
2014-06-23 05:50:22 +04:00
|
|
|
return NS_ERROR_INVALID_ARG;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
2017-10-24 23:32:02 +03:00
|
|
|
// TODO: pinArg is null.
|
|
|
|
|
AppTrustDomain trustDomain(builtChain, nullptr);
|
|
|
|
|
nsresult rv = trustDomain.SetTrustedRoot(trustedRoot);
|
2016-12-14 15:10:25 +03:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
2014-07-31 23:17:31 +04:00
|
|
|
Input certDER;
|
2016-12-14 15:10:25 +03:00
|
|
|
mozilla::pkix::Result result = certDER.Init(signerCert->derCert.data,
|
|
|
|
|
signerCert->derCert.len);
|
|
|
|
|
if (result != Success) {
|
|
|
|
|
return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = BuildCertChain(trustDomain, certDER, Now(),
|
|
|
|
|
EndEntityOrCA::MustBeEndEntity,
|
|
|
|
|
KeyUsage::digitalSignature,
|
|
|
|
|
KeyPurposeId::id_kp_codeSigning,
|
|
|
|
|
CertPolicyId::anyPolicy,
|
|
|
|
|
nullptr /*stapledOCSPResponse*/);
|
|
|
|
|
if (result == mozilla::pkix::Result::ERROR_EXPIRED_CERTIFICATE) {
|
2016-04-26 21:54:08 +03:00
|
|
|
// For code-signing you normally need trusted 3rd-party timestamps to
|
|
|
|
|
// handle expiration properly. The signer could always mess with their
|
|
|
|
|
// system clock so you can't trust the certificate was un-expired when
|
|
|
|
|
// the signing took place. The choice is either to ignore expiration
|
|
|
|
|
// or to enforce expiration at time of use. The latter leads to the
|
|
|
|
|
// user-hostile result that perfectly good code stops working.
|
|
|
|
|
//
|
|
|
|
|
// Our package format doesn't support timestamps (nor do we have a
|
|
|
|
|
// trusted 3rd party timestamper), but since we sign all of our apps and
|
|
|
|
|
// add-ons ourselves we can trust ourselves not to mess with the clock
|
|
|
|
|
// on the signing systems. We also have a revocation mechanism if we
|
|
|
|
|
// need it. It's OK to ignore cert expiration under these conditions.
|
|
|
|
|
//
|
|
|
|
|
// This is an invalid approach if
|
|
|
|
|
// * we issue certs to let others sign their own packages
|
|
|
|
|
// * mozilla::pkix returns "expired" when there are "worse" problems
|
|
|
|
|
// with the certificate or chain.
|
|
|
|
|
// (see bug 1267318)
|
2016-12-14 15:10:25 +03:00
|
|
|
result = Success;
|
2016-04-26 21:54:08 +03:00
|
|
|
}
|
2016-12-14 15:10:25 +03:00
|
|
|
if (result != Success) {
|
|
|
|
|
return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result));
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
|
|
2014-06-23 05:50:22 +04:00
|
|
|
return NS_OK;
|
|
|
|
|
}
|
2014-02-15 02:37:07 +04:00
|
|
|
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
// Given a SECOidTag representing a digest algorithm (either SEC_OID_SHA1 or
|
|
|
|
|
// SEC_OID_SHA256), returns the first signerInfo in the given signedData that
|
|
|
|
|
// purports to have been created using that digest algorithm, or nullptr if
|
|
|
|
|
// there is none.
|
|
|
|
|
// The returned signerInfo is owned by signedData, so the caller must ensure
|
|
|
|
|
// that the lifetime of the signerInfo is contained by the lifetime of the
|
|
|
|
|
// signedData.
|
|
|
|
|
NSSCMSSignerInfo*
|
|
|
|
|
GetSignerInfoForDigestAlgorithm(NSSCMSSignedData* signedData,
|
|
|
|
|
SECOidTag digestAlgorithm)
|
|
|
|
|
{
|
|
|
|
|
MOZ_ASSERT(digestAlgorithm == SEC_OID_SHA1 ||
|
|
|
|
|
digestAlgorithm == SEC_OID_SHA256);
|
|
|
|
|
if (digestAlgorithm != SEC_OID_SHA1 && digestAlgorithm != SEC_OID_SHA256) {
|
|
|
|
|
return nullptr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int numSigners = NSS_CMSSignedData_SignerInfoCount(signedData);
|
|
|
|
|
if (numSigners < 1) {
|
|
|
|
|
return nullptr;
|
|
|
|
|
}
|
|
|
|
|
for (int i = 0; i < numSigners; i++) {
|
|
|
|
|
NSSCMSSignerInfo* signerInfo =
|
|
|
|
|
NSS_CMSSignedData_GetSignerInfo(signedData, i);
|
|
|
|
|
// NSS_CMSSignerInfo_GetDigestAlgTag isn't exported from NSS.
|
|
|
|
|
SECOidData* digestAlgOID = SECOID_FindOID(&signerInfo->digestAlg.algorithm);
|
|
|
|
|
if (!digestAlgOID) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
if (digestAlgorithm == digestAlgOID->offset) {
|
|
|
|
|
return signerInfo;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nullptr;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-24 23:18:14 +03:00
|
|
|
nsresult
|
2017-10-24 23:32:02 +03:00
|
|
|
VerifySignature(AppTrustedRoot trustedRoot, const SECItem& buffer,
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
const SECItem& detachedSHA1Digest,
|
|
|
|
|
const SECItem& detachedSHA256Digest,
|
|
|
|
|
/*out*/ SECOidTag& digestAlgorithm,
|
2017-10-24 23:32:02 +03:00
|
|
|
/*out*/ UniqueCERTCertList& builtChain)
|
2017-10-24 23:18:14 +03:00
|
|
|
{
|
2017-10-24 23:32:02 +03:00
|
|
|
// Currently, this function is only called within the CalculateResult() method
|
|
|
|
|
// of CryptoTasks. As such, NSS should not be shut down at this point and the
|
|
|
|
|
// CryptoTask implementation should already hold a nsNSSShutDownPreventionLock.
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
|
|
|
|
|
if (NS_WARN_IF(!buffer.data || buffer.len == 0 || !detachedSHA1Digest.data ||
|
|
|
|
|
detachedSHA1Digest.len == 0 || !detachedSHA256Digest.data ||
|
|
|
|
|
detachedSHA256Digest.len == 0)) {
|
2017-10-24 23:18:14 +03:00
|
|
|
return NS_ERROR_INVALID_ARG;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
UniqueNSSCMSMessage
|
|
|
|
|
cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr,
|
|
|
|
|
nullptr, nullptr, nullptr, nullptr,
|
|
|
|
|
nullptr));
|
|
|
|
|
if (!cmsMsg) {
|
2017-10-27 21:20:33 +03:00
|
|
|
return NS_ERROR_CMS_VERIFY_NOT_SIGNED;
|
2017-10-24 23:18:14 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!NSS_CMSMessage_IsSigned(cmsMsg.get())) {
|
|
|
|
|
return NS_ERROR_CMS_VERIFY_NOT_SIGNED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NSSCMSContentInfo* cinfo = NSS_CMSMessage_ContentLevel(cmsMsg.get(), 0);
|
|
|
|
|
if (!cinfo) {
|
|
|
|
|
return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We're expecting this to be a PKCS#7 signedData content info.
|
|
|
|
|
if (NSS_CMSContentInfo_GetContentTypeTag(cinfo)
|
|
|
|
|
!= SEC_OID_PKCS7_SIGNED_DATA) {
|
|
|
|
|
return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// signedData is non-owning
|
|
|
|
|
NSSCMSSignedData* signedData =
|
|
|
|
|
static_cast<NSSCMSSignedData*>(NSS_CMSContentInfo_GetContent(cinfo));
|
|
|
|
|
if (!signedData) {
|
|
|
|
|
return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse the certificates into CERTCertificate objects held in memory so
|
|
|
|
|
// verifyCertificate will be able to find them during path building.
|
|
|
|
|
UniqueCERTCertList certs(CERT_NewCertList());
|
|
|
|
|
if (!certs) {
|
|
|
|
|
return NS_ERROR_OUT_OF_MEMORY;
|
|
|
|
|
}
|
|
|
|
|
if (signedData->rawCerts) {
|
|
|
|
|
for (size_t i = 0; signedData->rawCerts[i]; ++i) {
|
|
|
|
|
UniqueCERTCertificate
|
|
|
|
|
cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
|
|
|
|
|
signedData->rawCerts[i], nullptr, false,
|
|
|
|
|
true));
|
|
|
|
|
// Skip certificates that fail to parse
|
|
|
|
|
if (!cert) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (CERT_AddCertToListTail(certs.get(), cert.get()) != SECSuccess) {
|
|
|
|
|
return NS_ERROR_OUT_OF_MEMORY;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Unused << cert.release(); // Ownership transferred to the cert list.
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
NSSCMSSignerInfo* signerInfo =
|
|
|
|
|
GetSignerInfoForDigestAlgorithm(signedData, SEC_OID_SHA256);
|
|
|
|
|
const SECItem* detachedDigest = &detachedSHA256Digest;
|
|
|
|
|
digestAlgorithm = SEC_OID_SHA256;
|
|
|
|
|
if (!signerInfo) {
|
|
|
|
|
signerInfo = GetSignerInfoForDigestAlgorithm(signedData, SEC_OID_SHA1);
|
|
|
|
|
if (!signerInfo) {
|
|
|
|
|
return NS_ERROR_CMS_VERIFY_NOT_SIGNED;
|
|
|
|
|
}
|
|
|
|
|
detachedDigest = &detachedSHA1Digest;
|
|
|
|
|
digestAlgorithm = SEC_OID_SHA1;
|
2017-10-24 23:18:14 +03:00
|
|
|
}
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
|
|
|
|
|
// Get the end-entity certificate.
|
2017-10-24 23:18:14 +03:00
|
|
|
CERTCertificate* signerCert =
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
NSS_CMSSignerInfo_GetSigningCertificate(signerInfo,
|
|
|
|
|
CERT_GetDefaultCertDB());
|
2017-10-24 23:18:14 +03:00
|
|
|
if (!signerCert) {
|
|
|
|
|
return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-24 23:32:02 +03:00
|
|
|
nsresult rv = VerifyCertificate(signerCert, trustedRoot, builtChain);
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
if (NS_FAILED(rv)) {
|
2017-10-24 23:18:14 +03:00
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
// Ensure that the PKCS#7 data OID is present as the PKCS#9 contentType.
|
|
|
|
|
const char* pkcs7DataOidString = "1.2.840.113549.1.7.1";
|
|
|
|
|
ScopedAutoSECItem pkcs7DataOid;
|
|
|
|
|
if (SEC_StringToOID(nullptr, &pkcs7DataOid, pkcs7DataOidString, 0)
|
|
|
|
|
!= SECSuccess) {
|
2017-10-24 23:18:14 +03:00
|
|
|
return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
|
|
|
|
|
}
|
|
|
|
|
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
return MapSECStatus(
|
|
|
|
|
NSS_CMSSignerInfo_Verify(signerInfo, const_cast<SECItem*>(detachedDigest),
|
|
|
|
|
&pkcs7DataOid));
|
2017-10-24 23:18:14 +03:00
|
|
|
}
|
|
|
|
|
|
2017-11-29 01:24:11 +03:00
|
|
|
// This corresponds to the preference "security.signed_app_signatures.policy".
|
|
|
|
|
enum class SignaturePolicy {
|
|
|
|
|
PKCS7WithSHA1OrSHA256 = 0,
|
|
|
|
|
PKCS7WithSHA256 = 1,
|
|
|
|
|
};
|
|
|
|
|
|
2017-10-09 23:53:23 +03:00
|
|
|
nsresult
|
2014-02-15 02:37:07 +04:00
|
|
|
OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
|
2017-11-29 01:24:11 +03:00
|
|
|
SignaturePolicy aPolicy,
|
2014-02-15 02:37:07 +04:00
|
|
|
/*out, optional */ nsIZipReader** aZipReader,
|
2014-07-04 09:09:24 +04:00
|
|
|
/*out, optional */ nsIX509Cert** aSignerCert)
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
|
|
|
|
NS_ENSURE_ARG_POINTER(aJarFile);
|
|
|
|
|
|
|
|
|
|
if (aZipReader) {
|
|
|
|
|
*aZipReader = nullptr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (aSignerCert) {
|
|
|
|
|
*aSignerCert = nullptr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsresult rv;
|
|
|
|
|
|
|
|
|
|
static NS_DEFINE_CID(kZipReaderCID, NS_ZIPREADER_CID);
|
|
|
|
|
nsCOMPtr<nsIZipReader> zip = do_CreateInstance(kZipReaderCID, &rv);
|
|
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
|
|
|
|
|
rv = zip->Open(aJarFile);
|
|
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
|
|
|
|
|
// Signature (RSA) file
|
|
|
|
|
nsAutoCString sigFilename;
|
|
|
|
|
ScopedAutoSECItem sigBuffer;
|
|
|
|
|
rv = FindAndLoadOneEntry(zip, nsLiteralCString(JAR_RSA_SEARCH_STRING),
|
2017-10-09 23:53:23 +03:00
|
|
|
sigFilename, sigBuffer);
|
2012-11-15 03:31:39 +04:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_NOT_SIGNED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Signature (SF) file
|
|
|
|
|
nsAutoCString sfFilename;
|
|
|
|
|
ScopedAutoSECItem sfBuffer;
|
|
|
|
|
rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_SF_SEARCH_STRING),
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
sfFilename, sfBuffer);
|
2012-11-15 03:31:39 +04:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
// Calculate both the SHA-1 and SHA-256 hashes of the signature file - we
|
|
|
|
|
// don't know what algorithm the PKCS#7 signature used.
|
|
|
|
|
Digest sfCalculatedSHA1Digest;
|
|
|
|
|
rv = sfCalculatedSHA1Digest.DigestBuf(SEC_OID_SHA1, sfBuffer.data,
|
|
|
|
|
sfBuffer.len - 1);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
Digest sfCalculatedSHA256Digest;
|
|
|
|
|
rv = sfCalculatedSHA256Digest.DigestBuf(SEC_OID_SHA256, sfBuffer.data,
|
|
|
|
|
sfBuffer.len - 1);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
sigBuffer.type = siBuffer;
|
2016-05-06 00:56:36 +03:00
|
|
|
UniqueCERTCertList builtChain;
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
SECOidTag digestToUse;
|
|
|
|
|
rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedSHA1Digest.get(),
|
|
|
|
|
sfCalculatedSHA256Digest.get(), digestToUse, builtChain);
|
2014-02-15 02:37:07 +04:00
|
|
|
if (NS_FAILED(rv)) {
|
2012-11-15 03:31:39 +04:00
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-29 01:24:11 +03:00
|
|
|
switch (aPolicy) {
|
|
|
|
|
case SignaturePolicy::PKCS7WithSHA256:
|
|
|
|
|
if (digestToUse != SEC_OID_SHA256) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case SignaturePolicy::PKCS7WithSHA1OrSHA256:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
nsAutoCString mfDigest;
|
|
|
|
|
rv = ParseSF(BitwiseCast<char*, unsigned char*>(sfBuffer.data), digestToUse,
|
|
|
|
|
mfDigest);
|
2012-11-15 03:31:39 +04:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Manifest (MF) file
|
|
|
|
|
nsAutoCString mfFilename;
|
|
|
|
|
ScopedAutoSECItem manifestBuffer;
|
|
|
|
|
Digest mfCalculatedDigest;
|
|
|
|
|
rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_MF_SEARCH_STRING),
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
mfFilename, manifestBuffer, digestToUse,
|
2017-10-09 23:53:23 +03:00
|
|
|
&mfCalculatedDigest);
|
2012-11-15 03:31:39 +04:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-17 18:31:40 +03:00
|
|
|
nsDependentCSubstring calculatedDigest(
|
|
|
|
|
DigestToDependentString(mfCalculatedDigest));
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
if (!mfDigest.Equals(calculatedDigest)) {
|
2012-11-15 03:31:39 +04:00
|
|
|
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Allocate the I/O buffer only once per JAR, instead of once per entry, in
|
|
|
|
|
// order to minimize malloc/free calls and in order to avoid fragmenting
|
|
|
|
|
// memory.
|
|
|
|
|
ScopedAutoSECItem buf(128 * 1024);
|
|
|
|
|
|
|
|
|
|
nsTHashtable<nsCStringHashKey> items;
|
|
|
|
|
|
2016-09-08 15:46:26 +03:00
|
|
|
rv = ParseMF(BitwiseCast<char*, unsigned char*>(manifestBuffer.data), zip,
|
bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-25 01:27:53 +03:00
|
|
|
digestToUse, items, buf);
|
2012-11-15 03:31:39 +04:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify every entry in the file.
|
|
|
|
|
nsCOMPtr<nsIUTF8StringEnumerator> entries;
|
2013-08-22 11:38:57 +04:00
|
|
|
rv = zip->FindEntries(EmptyCString(), getter_AddRefs(entries));
|
2012-11-15 03:31:39 +04:00
|
|
|
if (NS_SUCCEEDED(rv) && !entries) {
|
|
|
|
|
rv = NS_ERROR_UNEXPECTED;
|
|
|
|
|
}
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
bool hasMore;
|
|
|
|
|
rv = entries->HasMore(&hasMore);
|
|
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
|
|
|
|
|
if (!hasMore) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsAutoCString entryFilename;
|
|
|
|
|
rv = entries->GetNext(entryFilename);
|
|
|
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
|
|
2015-06-04 01:25:57 +03:00
|
|
|
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Verifying digests for %s",
|
2012-11-15 03:31:39 +04:00
|
|
|
entryFilename.get()));
|
|
|
|
|
|
|
|
|
|
// The files that comprise the signature mechanism are not covered by the
|
|
|
|
|
// signature.
|
|
|
|
|
//
|
|
|
|
|
// XXX: This is OK for a single signature, but doesn't work for
|
|
|
|
|
// multiple signatures, because the metadata for the other signatures
|
|
|
|
|
// is not signed either.
|
|
|
|
|
if (entryFilename == mfFilename ||
|
|
|
|
|
entryFilename == sfFilename ||
|
|
|
|
|
entryFilename == sigFilename) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (entryFilename.Length() == 0) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Entries with names that end in "/" are directory entries, which are not
|
|
|
|
|
// signed.
|
|
|
|
|
//
|
|
|
|
|
// XXX: As long as we don't unpack the JAR into the filesystem, the "/"
|
|
|
|
|
// entries are harmless. But, it is not clear what the security
|
|
|
|
|
// implications of directory entries are if/when we were to unpackage the
|
|
|
|
|
// JAR into the filesystem.
|
|
|
|
|
if (entryFilename[entryFilename.Length() - 1] == '/') {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsCStringHashKey * item = items.GetEntry(entryFilename);
|
|
|
|
|
if (!item) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Remove the item so we can check for leftover items later
|
2015-09-25 06:44:31 +03:00
|
|
|
items.RemoveEntry(item);
|
2012-11-15 03:31:39 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We verified that every entry that we require to be signed is signed. But,
|
|
|
|
|
// were there any missing entries--that is, entries that are mentioned in the
|
|
|
|
|
// manifest but missing from the archive?
|
|
|
|
|
if (items.Count() != 0) {
|
|
|
|
|
return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Return the reader to the caller if they want it
|
|
|
|
|
if (aZipReader) {
|
|
|
|
|
zip.forget(aZipReader);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Return the signer's certificate to the reader if they want it.
|
2014-07-07 02:55:38 +04:00
|
|
|
// XXX: We should return an nsIX509CertList with the whole validated chain.
|
2012-11-15 03:31:39 +04:00
|
|
|
if (aSignerCert) {
|
2017-02-23 02:07:05 +03:00
|
|
|
CERTCertListNode* signerCertNode = CERT_LIST_HEAD(builtChain);
|
|
|
|
|
if (!signerCertNode || CERT_LIST_END(signerCertNode, builtChain) ||
|
|
|
|
|
!signerCertNode->cert) {
|
|
|
|
|
return NS_ERROR_FAILURE;
|
|
|
|
|
}
|
2014-07-04 09:09:24 +04:00
|
|
|
nsCOMPtr<nsIX509Cert> signerCert =
|
2017-02-23 02:07:05 +03:00
|
|
|
nsNSSCertificate::Create(signerCertNode->cert);
|
2012-11-15 03:31:39 +04:00
|
|
|
NS_ENSURE_TRUE(signerCert, NS_ERROR_OUT_OF_MEMORY);
|
|
|
|
|
signerCert.forget(aSignerCert);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-21 19:28:04 +03:00
|
|
|
class OpenSignedAppFileTask final : public CryptoTask
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
|
|
|
|
public:
|
2014-02-15 02:37:07 +04:00
|
|
|
OpenSignedAppFileTask(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
|
2017-11-29 01:24:11 +03:00
|
|
|
SignaturePolicy aPolicy,
|
2014-02-15 02:37:07 +04:00
|
|
|
nsIOpenSignedAppFileCallback* aCallback)
|
|
|
|
|
: mTrustedRoot(aTrustedRoot)
|
|
|
|
|
, mJarFile(aJarFile)
|
2017-11-29 01:24:11 +03:00
|
|
|
, mPolicy(aPolicy)
|
2017-06-14 04:27:17 +03:00
|
|
|
, mCallback(new nsMainThreadPtrHolder<nsIOpenSignedAppFileCallback>(
|
|
|
|
|
"OpenSignedAppFileTask::mCallback", aCallback))
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private:
|
2015-03-21 19:28:04 +03:00
|
|
|
virtual nsresult CalculateResult() override
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
2017-11-29 01:24:11 +03:00
|
|
|
return OpenSignedAppFile(mTrustedRoot, mJarFile, mPolicy,
|
2014-02-15 02:37:07 +04:00
|
|
|
getter_AddRefs(mZipReader),
|
2012-11-15 03:31:39 +04:00
|
|
|
getter_AddRefs(mSignerCert));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// nsNSSCertificate implements nsNSSShutdownObject, so there's nothing that
|
|
|
|
|
// needs to be released
|
2015-03-21 19:28:04 +03:00
|
|
|
virtual void ReleaseNSSResources() override { }
|
2012-11-15 03:31:39 +04:00
|
|
|
|
2015-03-21 19:28:04 +03:00
|
|
|
virtual void CallCallback(nsresult rv) override
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
2014-02-15 02:37:07 +04:00
|
|
|
(void) mCallback->OpenSignedAppFileFinished(rv, mZipReader, mSignerCert);
|
2012-11-15 03:31:39 +04:00
|
|
|
}
|
|
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
const AppTrustedRoot mTrustedRoot;
|
2012-11-15 03:31:39 +04:00
|
|
|
const nsCOMPtr<nsIFile> mJarFile;
|
2017-11-29 01:24:11 +03:00
|
|
|
const SignaturePolicy mPolicy;
|
2014-02-15 02:37:07 +04:00
|
|
|
nsMainThreadPtrHandle<nsIOpenSignedAppFileCallback> mCallback;
|
2012-11-15 03:31:39 +04:00
|
|
|
nsCOMPtr<nsIZipReader> mZipReader; // out
|
2014-07-04 09:09:24 +04:00
|
|
|
nsCOMPtr<nsIX509Cert> mSignerCert; // out
|
2012-11-15 03:31:39 +04:00
|
|
|
};
|
|
|
|
|
|
2017-11-29 01:24:11 +03:00
|
|
|
static const SignaturePolicy sDefaultSignaturePolicy =
|
|
|
|
|
SignaturePolicy::PKCS7WithSHA1OrSHA256;
|
|
|
|
|
|
2012-11-15 03:31:39 +04:00
|
|
|
} // unnamed namespace
|
|
|
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2014-02-15 02:37:07 +04:00
|
|
|
nsNSSCertificateDB::OpenSignedAppFileAsync(
|
|
|
|
|
AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
|
|
|
|
|
nsIOpenSignedAppFileCallback* aCallback)
|
2012-11-15 03:31:39 +04:00
|
|
|
{
|
|
|
|
|
NS_ENSURE_ARG_POINTER(aJarFile);
|
|
|
|
|
NS_ENSURE_ARG_POINTER(aCallback);
|
2017-11-29 01:24:11 +03:00
|
|
|
if (!NS_IsMainThread()) {
|
|
|
|
|
return NS_ERROR_NOT_SAME_THREAD;
|
|
|
|
|
}
|
|
|
|
|
SignaturePolicy policy =
|
|
|
|
|
static_cast<SignaturePolicy>(
|
|
|
|
|
Preferences::GetInt("security.signed_app_signatures.policy",
|
|
|
|
|
static_cast<int32_t>(sDefaultSignaturePolicy)));
|
|
|
|
|
switch (policy) {
|
|
|
|
|
case SignaturePolicy::PKCS7WithSHA1OrSHA256:
|
|
|
|
|
break;
|
|
|
|
|
case SignaturePolicy::PKCS7WithSHA256:
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
policy = sDefaultSignaturePolicy;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-10-18 08:24:48 +03:00
|
|
|
RefPtr<OpenSignedAppFileTask> task(new OpenSignedAppFileTask(aTrustedRoot,
|
2014-02-15 02:37:07 +04:00
|
|
|
aJarFile,
|
2017-11-29 01:24:11 +03:00
|
|
|
policy,
|
2012-11-15 03:31:39 +04:00
|
|
|
aCallback));
|
|
|
|
|
return task->Dispatch("SignedJAR");
|
|
|
|
|
}
|
2014-09-22 18:58:59 +04:00
|
|
|
|
2015-05-05 21:21:00 +03:00
|
|
|
NS_IMETHODIMP
|
2017-11-09 22:19:23 +03:00
|
|
|
nsNSSCertificateDB::VerifySignedDirectoryAsync(AppTrustedRoot, nsIFile*,
|
2015-05-05 21:21:00 +03:00
|
|
|
nsIVerifySignedDirectoryCallback* aCallback)
|
|
|
|
|
{
|
|
|
|
|
NS_ENSURE_ARG_POINTER(aCallback);
|
2017-11-09 22:19:23 +03:00
|
|
|
return aCallback->VerifySignedDirectoryFinished(
|
|
|
|
|
NS_ERROR_SIGNED_JAR_NOT_SIGNED, nullptr);
|
2015-05-05 21:21:00 +03:00
|
|
|
}
|
