Bug 1137437 - move security/apps/ cert header generation to moz.build; r=mshal,keeler

Moving the cert header generation to GENERATED_FILES means that we can
delete all the manually-written out rules; we can also delete the
export:: rule because the build system automatically builds
GENERATED_FILES during the export phase.  For ease of converion, we opt
to create an empty trusted-app-public.der cert for manifest-signing-root.inc;
partners are free to overwrite that cert with their own.

security/apps/Makefile.in

@@ -1,48 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-GEN_CERT_HEADER = $(srcdir)/gen_cert_header.py
-TEST_SSL_PATH = $(srcdir)/../manager/ssl/tests/unit/test_signed_manifest/
-
-marketplace-prod-public.inc: marketplace-prod-public.crt $(GEN_CERT_HEADER)
-	$(PYTHON) $(GEN_CERT_HEADER) marketplaceProdPublicRoot $< > $@
-
-marketplace-prod-reviewers.inc: marketplace-prod-reviewers.crt $(GEN_CERT_HEADER)
-	$(PYTHON) $(GEN_CERT_HEADER) marketplaceProdReviewersRoot $< > $@
-
-marketplace-dev-public.inc: marketplace-dev-public.crt $(GEN_CERT_HEADER)
-	$(PYTHON) $(GEN_CERT_HEADER) marketplaceDevPublicRoot $< > $@
-
-marketplace-dev-reviewers.inc: marketplace-dev-reviewers.crt $(GEN_CERT_HEADER)
-	$(PYTHON) $(GEN_CERT_HEADER) marketplaceDevReviewersRoot $< > $@
-
-marketplace-stage.inc: marketplace-stage.crt $(GEN_CERT_HEADER)
-	$(PYTHON) $(GEN_CERT_HEADER) marketplaceStageRoot $< > $@
-
-ifeq ($(shell test -s trusted-app-public.der; echo $$?),0)
-TRUSTED_APP_PUBLIC=trusted-app-public.der
-else
-TRUSTED_APP_PUBLIC=
-endif
-
-manifest-signing-root.inc: $(TRUSTED_APP_PUBLIC) $(GEN_CERT_HEADER)
-	$(PYTHON) $(GEN_CERT_HEADER) trustedAppPublicRoot $(TRUSTED_APP_PUBLIC) > $@
-
-manifest-signing-test-root.inc: $(TEST_SSL_PATH)trusted_ca1.der $(GEN_CERT_HEADER)
-	$(PYTHON) $(GEN_CERT_HEADER) trustedAppTestRoot $< > $@
-
-xpcshell.inc: $(srcdir)/../manager/ssl/tests/unit/test_signed_apps/trusted_ca1.der $(GEN_CERT_HEADER)
-	$(PYTHON) $(GEN_CERT_HEADER) xpcshellRoot $< > $@
-
-export:: \
-  marketplace-prod-public.inc \
-  marketplace-prod-reviewers.inc \
-  marketplace-dev-public.inc \
-  marketplace-dev-reviewers.inc \
-  marketplace-stage.inc \
-  manifest-signing-root.inc \
-  manifest-signing-test-root.inc \
-  xpcshell.inc \
-  $(NULL)

security/apps/gen_cert_header.py

@@ -2,38 +2,41 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-import sys
 import binascii
 
-def file_byte_generator(filename, block_size = 512):
+def _file_byte_generator(filename):
   with open(filename, "rb") as f:
-    while True:
-      block = f.read(block_size)
-      if block:
-        for byte in block:
-          yield byte
-      else:
-        break
+    contents = f.read()
 
-def create_header(array_name, in_filename):
-  hexified = ["0x" + binascii.hexlify(byte) for byte in file_byte_generator(in_filename)]
-  print "const uint8_t " + array_name + "[] = {"
-  print ", ".join(hexified)
-  print "};"
-  return 0
+    # Treat empty files the same as a file containing a lone 0;
+    # a single-element array will fail cert verifcation just as an
+    # empty array would.
+    if not contents:
+      return ['\0']
 
-def create_empty_header(array_name):
-  # mfbt/ArrayUtils.h will not be able to pick up the
-  # correct specialization for ArrayLength(const array[0])
-  # so add a value of 0 which will fail cert verification
-  # just the same as an empty array
-  print "const uint8_t " + array_name + "[] = { 0x0 };"
-  return 0
+    return contents
 
-if __name__ == '__main__':
-  if len(sys.argv) < 2:
-    print 'ERROR: usage: gen_cert_header.py array_name in_filename'
-    sys.exit(1);
-  if len(sys.argv) == 2:
-    sys.exit(create_empty_header(sys.argv[1]))
-  sys.exit(create_header(sys.argv[1], sys.argv[2]))
+def _create_header(array_name, cert_bytes):
+  hexified = ["0x" + binascii.hexlify(byte) for byte in cert_bytes]
+  substs = { 'array_name': array_name, 'bytes': ', '.join(hexified) }
+  return "const uint8_t %(array_name)s[] = {\n%(bytes)s\n};\n" % substs
+
+# Create functions named the same as the data arrays that we're going to
+# write to the headers, so we don't have to duplicate the names like so:
+#
+#   def arrayName(header, cert_filename):
+#     header.write(_create_header("arrayName", cert_filename))
+array_names = [
+  'marketplaceProdPublicRoot',
+  'marketplaceProdReviewersRoot',
+  'marketplaceDevPublicRoot',
+  'marketplaceDevReviewersRoot',
+  'marketplaceStageRoot',
+  'trustedAppPublicRoot',
+  'trustedAppTestRoot',
+  'xpcshellRoot',
+]
+
+for n in array_names:
+  # Make sure the lambda captures the right string.
+  globals()[n] = lambda header, cert_filename, name=n: header.write(_create_header(name, _file_byte_generator(cert_filename)))

security/apps/moz.build

@@ -22,3 +22,22 @@ LOCAL_INCLUDES += [
 DEFINES['NSS_ENABLE_ECC'] = 'True'
 for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
     DEFINES[var] = '"%s"' % CONFIG[var]
+
+test_ssl_path = TOPSRCDIR + '/security/manager/ssl/tests/unit'
+
+headers_arrays_certs = [
+    ('marketplace-prod-public.inc', 'marketplaceProdPublicRoot', 'marketplace-prod-public.crt'),
+    ('marketplace-prod-reviewers.inc', 'marketplaceProdReviewersRoot', 'marketplace-prod-reviewers.crt'),
+    ('marketplace-dev-public.inc', 'marketplaceDevPublicRoot', 'marketplace-dev-public.crt'),
+    ('marketplace-dev-reviewers.inc', 'marketplaceDevReviewersRoot', 'marketplace-dev-reviewers.crt'),
+    ('marketplace-stage.inc', 'marketplaceStageRoot', 'marketplace-stage.crt'),
+    ('manifest-signing-root.inc', 'trustedAppPublicRoot', 'trusted-app-public.der'),
+    ('manifest-signing-test-root.inc', 'trustedAppTestRoot', test_ssl_path + '/test_signed_manifest/trusted_ca1.der'),
+    ('xpcshell.inc', 'xpcshellRoot', test_ssl_path + '/test_signed_apps/trusted_ca1.der'),
+]
+
+for header, array_name, cert in headers_arrays_certs:
+    GENERATED_FILES += [header]
+    h = GENERATED_FILES[header]
+    h.script = 'gen_cert_header.py:' + array_name
+    h.inputs = [cert]