Bug 1493788 - move certificate/binary transparency implementation to its own directory r=jcj

Our current certificate transparency implementation (and the start of the binary transparency implementation) can almost be used by itself as a standalone library (for comparison, mozilla::pkix already has this property, as evidenced by the "Library('mozillapkix')" line in security/pkix/moz.build and the "'mozillapkix'" line in the USE_LIBS section of security/manager/ssl/tests/unit/tlsserver/cmd/moz.build). These changes make this code re-usable as a library so that we'll be able to use it in the updater to verify binary/certificate transparency information. This first patch simply moves the code to its own directory. Differential Revision: https://phabricator.services.mozilla.com/D6844 --HG-- rename : security/certverifier/BTInclusionProof.h => security/ct/BTInclusionProof.h rename : security/certverifier/BTVerifier.cpp => security/ct/BTVerifier.cpp rename : security/certverifier/BTVerifier.h => security/ct/BTVerifier.h rename : security/certverifier/Buffer.cpp => security/ct/Buffer.cpp rename : security/certverifier/Buffer.h => security/ct/Buffer.h rename : security/certverifier/CTDiversityPolicy.cpp => security/ct/CTDiversityPolicy.cpp rename : security/certverifier/CTDiversityPolicy.h => security/ct/CTDiversityPolicy.h rename : security/certverifier/CTKnownLogs.h => security/ct/CTKnownLogs.h rename : security/certverifier/CTLog.h => security/ct/CTLog.h rename : security/certverifier/CTLogVerifier.cpp => security/ct/CTLogVerifier.cpp rename : security/certverifier/CTLogVerifier.h => security/ct/CTLogVerifier.h rename : security/certverifier/CTObjectsExtractor.cpp => security/ct/CTObjectsExtractor.cpp rename : security/certverifier/CTObjectsExtractor.h => security/ct/CTObjectsExtractor.h rename : security/certverifier/CTPolicyEnforcer.cpp => security/ct/CTPolicyEnforcer.cpp rename : security/certverifier/CTPolicyEnforcer.h => security/ct/CTPolicyEnforcer.h rename : security/certverifier/CTSerialization.cpp => security/ct/CTSerialization.cpp rename : security/certverifier/CTSerialization.h => security/ct/CTSerialization.h rename : security/certverifier/CTUtils.h => security/ct/CTUtils.h rename : security/certverifier/CTVerifyResult.cpp => security/ct/CTVerifyResult.cpp rename : security/certverifier/CTVerifyResult.h => security/ct/CTVerifyResult.h rename : security/certverifier/MultiLogCTVerifier.cpp => security/ct/MultiLogCTVerifier.cpp rename : security/certverifier/MultiLogCTVerifier.h => security/ct/MultiLogCTVerifier.h rename : security/certverifier/SignedCertificateTimestamp.cpp => security/ct/SignedCertificateTimestamp.cpp rename : security/certverifier/SignedCertificateTimestamp.h => security/ct/SignedCertificateTimestamp.h rename : security/certverifier/SignedTreeHead.h => security/ct/SignedTreeHead.h rename : security/certverifier/moz.build => security/ct/moz.build rename : security/certverifier/tests/gtest/BTSerializationTest.cpp => security/ct/tests/gtest/BTSerializationTest.cpp rename : security/certverifier/tests/gtest/CTDiversityPolicyTest.cpp => security/ct/tests/gtest/CTDiversityPolicyTest.cpp rename : security/certverifier/tests/gtest/CTLogVerifierTest.cpp => security/ct/tests/gtest/CTLogVerifierTest.cpp rename : security/certverifier/tests/gtest/CTObjectsExtractorTest.cpp => security/ct/tests/gtest/CTObjectsExtractorTest.cpp rename : security/certverifier/tests/gtest/CTPolicyEnforcerTest.cpp => security/ct/tests/gtest/CTPolicyEnforcerTest.cpp rename : security/certverifier/tests/gtest/CTSerializationTest.cpp => security/ct/tests/gtest/CTSerializationTest.cpp rename : security/certverifier/tests/gtest/CTTestUtils.cpp => security/ct/tests/gtest/CTTestUtils.cpp rename : security/certverifier/tests/gtest/CTTestUtils.h => security/ct/tests/gtest/CTTestUtils.h rename : security/certverifier/tests/gtest/MultiLogCTVerifierTest.cpp => security/ct/tests/gtest/MultiLogCTVerifierTest.cpp rename : security/certverifier/tests/gtest/moz.build => security/ct/tests/gtest/moz.build extra : moz-landing-system : lando
2018-10-01 16:20:41 +00:00 · 2018-10-01 16:20:41 +00:00 · 24a8ad1851
--- a/security/certverifier/moz.build
+++ b/security/certverifier/moz.build
@ -9,34 +9,16 @@ with Files("**"):

 EXPORTS += [
    'BRNameMatchingPolicy.h',
-    'BTInclusionProof.h',
-    'BTVerifier.h',
-    'Buffer.h',
    'CertVerifier.h',
-    'CTLog.h',
-    'CTPolicyEnforcer.h',
-    'CTVerifyResult.h',
    'OCSPCache.h',
-    'SignedCertificateTimestamp.h',
-    'SignedTreeHead.h',
 ]

 UNIFIED_SOURCES += [
    'BRNameMatchingPolicy.cpp',
-    'BTVerifier.cpp',
-    'Buffer.cpp',
    'CertVerifier.cpp',
-    'CTDiversityPolicy.cpp',
-    'CTLogVerifier.cpp',
-    'CTObjectsExtractor.cpp',
-    'CTPolicyEnforcer.cpp',
-    'CTSerialization.cpp',
-    'CTVerifyResult.cpp',
-    'MultiLogCTVerifier.cpp',
    'NSSCertDBTrustDomain.cpp',
    'OCSPCache.cpp',
    'OCSPVerificationTrustDomain.cpp',
-    'SignedCertificateTimestamp.cpp',
 ]

 if not CONFIG['NSS_NO_EV_CERTS']:
@ -45,12 +27,14 @@ if not CONFIG['NSS_NO_EV_CERTS']:
    ]

 LOCAL_INCLUDES += [
+    '/security/ct',
    '/security/manager/ssl',
    '/security/pkix/include',
    '/security/pkix/lib',
 ]

 DIRS += [
+    '../ct',
    '../pkix',
 ]

--- a/security/certverifier/tests/gtest/moz.build
+++ b/security/certverifier/tests/gtest/moz.build
@ -5,22 +5,12 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

 SOURCES += [
-    'BTSerializationTest.cpp',
-    'CTDiversityPolicyTest.cpp',
-    'CTLogVerifierTest.cpp',
-    'CTObjectsExtractorTest.cpp',
-    'CTPolicyEnforcerTest.cpp',
-    'CTSerializationTest.cpp',
-    'CTTestUtils.cpp',
-    'MultiLogCTVerifierTest.cpp',
    'TrustOverrideTest.cpp',
 ]

 LOCAL_INCLUDES += [
    '/security/certverifier',
    '/security/manager/ssl',
-    '/security/pkix/include',
-    '/security/pkix/lib',
 ]

 FINAL_LIBRARY = 'xul-gtest'
--- a/security/certverifier/BTInclusionProof.h
+++ b/security/certverifier/BTInclusionProof.h
--- a/security/certverifier/BTVerifier.cpp
+++ b/security/certverifier/BTVerifier.cpp
--- a/security/certverifier/BTVerifier.h
+++ b/security/certverifier/BTVerifier.h
--- a/security/certverifier/Buffer.cpp
+++ b/security/certverifier/Buffer.cpp
--- a/security/certverifier/Buffer.h
+++ b/security/certverifier/Buffer.h
--- a/security/certverifier/CTDiversityPolicy.cpp
+++ b/security/certverifier/CTDiversityPolicy.cpp
--- a/security/certverifier/CTDiversityPolicy.h
+++ b/security/certverifier/CTDiversityPolicy.h
--- a/security/certverifier/CTKnownLogs.h
+++ b/security/certverifier/CTKnownLogs.h
--- a/security/certverifier/CTLog.h
+++ b/security/certverifier/CTLog.h
--- a/security/certverifier/CTLogVerifier.cpp
+++ b/security/certverifier/CTLogVerifier.cpp
--- a/security/certverifier/CTLogVerifier.h
+++ b/security/certverifier/CTLogVerifier.h
--- a/security/certverifier/CTObjectsExtractor.cpp
+++ b/security/certverifier/CTObjectsExtractor.cpp
--- a/security/certverifier/CTObjectsExtractor.h
+++ b/security/certverifier/CTObjectsExtractor.h
--- a/security/certverifier/CTPolicyEnforcer.cpp
+++ b/security/certverifier/CTPolicyEnforcer.cpp
--- a/security/certverifier/CTPolicyEnforcer.h
+++ b/security/certverifier/CTPolicyEnforcer.h
--- a/security/certverifier/CTSerialization.cpp
+++ b/security/certverifier/CTSerialization.cpp
--- a/security/certverifier/CTSerialization.h
+++ b/security/certverifier/CTSerialization.h
--- a/security/certverifier/CTUtils.h
+++ b/security/certverifier/CTUtils.h
@ -17,13 +17,14 @@ namespace mozilla { namespace ct {
 // Note: checks if the output parameter overflows while reading.
 // |length| indicates the size (in bytes) of the serialized integer.
 template <size_t length, typename T>
-pkix::Result ReadUint(Reader& in, T& out);
+mozilla::pkix::Result ReadUint(mozilla::pkix::Reader& in, T& out);

 // Reads a length-prefixed variable amount of bytes from |in|, updating |out|
 // on success. |prefixLength| indicates the number of bytes needed to represent
 // the length.
 template <size_t prefixLength>
-pkix::Result ReadVariableBytes(Reader& in, Input& out);
+mozilla::pkix::Result ReadVariableBytes(mozilla::pkix::Reader& in,
+                                        mozilla::pkix::Input& out);

 } } // namespace mozilla::ct

--- a/security/certverifier/CTVerifyResult.cpp
+++ b/security/certverifier/CTVerifyResult.cpp
--- a/security/certverifier/CTVerifyResult.h
+++ b/security/certverifier/CTVerifyResult.h
--- a/security/certverifier/MultiLogCTVerifier.cpp
+++ b/security/certverifier/MultiLogCTVerifier.cpp
--- a/security/certverifier/MultiLogCTVerifier.h
+++ b/security/certverifier/MultiLogCTVerifier.h
--- a/security/certverifier/SignedCertificateTimestamp.cpp
+++ b/security/certverifier/SignedCertificateTimestamp.cpp
--- a/security/certverifier/SignedCertificateTimestamp.h
+++ b/security/certverifier/SignedCertificateTimestamp.h
--- a/security/certverifier/SignedTreeHead.h
+++ b/security/certverifier/SignedTreeHead.h
--- a/security/ct/moz.build
+++ b/security/ct/moz.build
@ -0,0 +1,137 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+    BUG_COMPONENT = ("Core", "Security: PSM")
+
+EXPORTS += [
+    'BTInclusionProof.h',
+    'BTVerifier.h',
+    'Buffer.h',
+    'CTLog.h',
+    'CTPolicyEnforcer.h',
+    'CTVerifyResult.h',
+    'SignedCertificateTimestamp.h',
+    'SignedTreeHead.h',
+]
+
+UNIFIED_SOURCES += [
+    'BTVerifier.cpp',
+    'Buffer.cpp',
+    'CTDiversityPolicy.cpp',
+    'CTLogVerifier.cpp',
+    'CTObjectsExtractor.cpp',
+    'CTPolicyEnforcer.cpp',
+    'CTSerialization.cpp',
+    'CTVerifyResult.cpp',
+    'MultiLogCTVerifier.cpp',
+    'SignedCertificateTimestamp.cpp',
+]
+
+LOCAL_INCLUDES += [
+    '/security/pkix/include',
+    '/security/pkix/lib',
+]
+
+DIRS += [
+    '../pkix',
+]
+
+TEST_DIRS += [
+    'tests/gtest',
+]
+
+if CONFIG['CC_TYPE'] == 'clang-cl':
+    # -Wall on clang-cl maps to -Weverything, which turns on way too
+    # much, so we're passing through -Wall using -Xclang.
+    CXXFLAGS += ['-Xclang']
+CXXFLAGS += ['-Wall']
+
+if CONFIG['CC_TYPE'] == 'msvc':
+    # -Wall with Visual C++ enables too many problematic warnings
+    CXXFLAGS += [
+        '-wd4324', # structure was padded due to __declspec(align())
+        '-wd4355', # 'this' used in base member initializer list
+        '-wd4464', # relative include path contains '..'
+        '-wd4480', # nonstandard extension used: specifying underlying type for
+                   # enum 'enum'
+        '-wd4481', # nonstandard extension used: override specifier 'keyword'
+        '-wd4510', # default constructor could not be generated
+        '-wd4512', # assignment operator could not be generated
+        '-wd4514', # 'function': unreferenced inline function has been removed
+        '-wd4610', # struct 'symbol' can never be instantiated - user defined
+                   # constructor required
+        '-wd4619', # pragma warning: there is no warning 'warning'
+        '-wd4623', # default constructor could not be generated because a base
+                   # class default constructor is inaccessible or deleted
+        '-wd4625', # copy constructor could not be generated because a base
+                   # class copy constructor is inaccessible or deleted
+        '-wd4626', # assignment operator could not be generated because a base
+                   # class assignment operator is inaccessible or deleted
+        '-wd4628', # digraphs not supported with -Ze (nsThreadUtils.h includes
+                   # what would be the digraph "<:" in the expression
+                   # "mozilla::EnableIf<::detail::...". Since we don't want it
+                   # interpreted as a digraph anyway, we can disable the
+                   # warning.)
+        '-wd4640', # construction of local static object is not thread-safe
+        '-wd4710', # 'function': function not inlined
+        '-wd4711', # function 'function' selected for inline expansion
+        '-wd4820', # 'bytes' bytes padding added after construct 'member_name'
+    ]
+
+    # Disable Spectre diagnostics only if optimization is disabled.
+    if not CONFIG['MOZ_OPTIMIZE']:
+        CXXFLAGS += [
+            '-wd5045', # Compiler will insert Spectre mitigation for memory
+                       # load if /Qspectre switch specified
+        ]
+
+    # MSVC 2010's headers trigger these
+    CXXFLAGS += [
+        '-wd4548', # expression before comma has no effect; ...
+        '-wd4668', # 'symbol' is not defined as a preprocessor macro...
+        '-wd4987', # nonstandard extension used
+    ]
+
+    # MSVC 2015 triggers these
+    CXXFLAGS += [
+        '-wd4456', # declaration of 'rv' hides previous local declaration
+        '-wd4458', # declaration of 'input' hides class member
+    ]
+
+    # The following warnings are disabled because MSVC 2017 headers aren't
+    # warning free at the -Wall level.
+    CXXFLAGS += [
+        '-wd4061', # enumerator 'identifier' in switch of enum 'enumeration' is
+                   # not explicitly handled by a case label
+        '-wd4365', # 'action' : conversion from 'type_1' to 'type_2',
+                   # signed/unsigned mismatch
+        '-wd4774', # '<function>' : format string expected in argument
+                   # <position> is not a string literal
+    ]
+
+    # Gecko headers aren't warning-free enough for us to enable these warnings
+    CXXFLAGS += [
+        '-wd4100', # 'symbol' : unreferenced formal parameter
+        '-wd4127', # conditional expression is constant
+        '-wd4946', # reinterpret_cast used between related types
+    ]
+
+if CONFIG['CC_TYPE'] in ('clang', 'clang-cl', 'gcc'):
+    CXXFLAGS += [
+        '-Wextra',
+        '-Wunreachable-code',
+    ]
+
+    # Gecko headers aren't warning-free enough for us to enable these warnings.
+    CXXFLAGS += [
+        '-Wno-unused-parameter',
+    ]
+
+FINAL_LIBRARY = 'xul'
+
+if CONFIG['CC_TYPE'] == 'clang-cl':
+    AllowCompilerWarnings()  # workaround for bug 1090497
--- a/security/certverifier/tests/gtest/BTSerializationTest.cpp
+++ b/security/certverifier/tests/gtest/BTSerializationTest.cpp
--- a/security/certverifier/tests/gtest/CTDiversityPolicyTest.cpp
+++ b/security/certverifier/tests/gtest/CTDiversityPolicyTest.cpp
--- a/security/certverifier/tests/gtest/CTLogVerifierTest.cpp
+++ b/security/certverifier/tests/gtest/CTLogVerifierTest.cpp
--- a/security/certverifier/tests/gtest/CTObjectsExtractorTest.cpp
+++ b/security/certverifier/tests/gtest/CTObjectsExtractorTest.cpp
--- a/security/certverifier/tests/gtest/CTPolicyEnforcerTest.cpp
+++ b/security/certverifier/tests/gtest/CTPolicyEnforcerTest.cpp
--- a/security/certverifier/tests/gtest/CTSerializationTest.cpp
+++ b/security/certverifier/tests/gtest/CTSerializationTest.cpp
--- a/security/certverifier/tests/gtest/CTTestUtils.cpp
+++ b/security/certverifier/tests/gtest/CTTestUtils.cpp
--- a/security/certverifier/tests/gtest/CTTestUtils.h
+++ b/security/certverifier/tests/gtest/CTTestUtils.h
--- a/security/certverifier/tests/gtest/MultiLogCTVerifierTest.cpp
+++ b/security/certverifier/tests/gtest/MultiLogCTVerifierTest.cpp
--- a/security/ct/tests/gtest/moz.build
+++ b/security/ct/tests/gtest/moz.build
@ -0,0 +1,24 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SOURCES += [
+    'BTSerializationTest.cpp',
+    'CTDiversityPolicyTest.cpp',
+    'CTLogVerifierTest.cpp',
+    'CTObjectsExtractorTest.cpp',
+    'CTPolicyEnforcerTest.cpp',
+    'CTSerializationTest.cpp',
+    'CTTestUtils.cpp',
+    'MultiLogCTVerifierTest.cpp',
+]
+
+LOCAL_INCLUDES += [
+    '../..',
+    '/security/pkix/include',
+    '/security/pkix/lib',
+]
+
+FINAL_LIBRARY = 'xul-gtest'