зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1137437 - move security/apps/ cert header generation to moz.build; r=mshal,keeler
Moving the cert header generation to GENERATED_FILES means that we can delete all the manually-written out rules; we can also delete the export:: rule because the build system automatically builds GENERATED_FILES during the export phase. For ease of conversion, we opt to create an empty trusted-app-public.der cert for manifest-signing-root.inc; partners are free to overwrite that cert with their own.
Родитель
be34868969
Коммит
5389bbbf54
|
@ -1,48 +0,0 @@
|
|||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
GEN_CERT_HEADER = $(srcdir)/gen_cert_header.py
|
||||
TEST_SSL_PATH = $(srcdir)/../manager/ssl/tests/unit/test_signed_manifest/
|
||||
|
||||
marketplace-prod-public.inc: marketplace-prod-public.crt $(GEN_CERT_HEADER)
|
||||
$(PYTHON) $(GEN_CERT_HEADER) marketplaceProdPublicRoot $< > $@
|
||||
|
||||
marketplace-prod-reviewers.inc: marketplace-prod-reviewers.crt $(GEN_CERT_HEADER)
|
||||
$(PYTHON) $(GEN_CERT_HEADER) marketplaceProdReviewersRoot $< > $@
|
||||
|
||||
marketplace-dev-public.inc: marketplace-dev-public.crt $(GEN_CERT_HEADER)
|
||||
$(PYTHON) $(GEN_CERT_HEADER) marketplaceDevPublicRoot $< > $@
|
||||
|
||||
marketplace-dev-reviewers.inc: marketplace-dev-reviewers.crt $(GEN_CERT_HEADER)
|
||||
$(PYTHON) $(GEN_CERT_HEADER) marketplaceDevReviewersRoot $< > $@
|
||||
|
||||
marketplace-stage.inc: marketplace-stage.crt $(GEN_CERT_HEADER)
|
||||
$(PYTHON) $(GEN_CERT_HEADER) marketplaceStageRoot $< > $@
|
||||
|
||||
ifeq ($(shell test -s trusted-app-public.der; echo $$?),0)
|
||||
TRUSTED_APP_PUBLIC=trusted-app-public.der
|
||||
else
|
||||
TRUSTED_APP_PUBLIC=
|
||||
endif
|
||||
|
||||
manifest-signing-root.inc: $(TRUSTED_APP_PUBLIC) $(GEN_CERT_HEADER)
|
||||
$(PYTHON) $(GEN_CERT_HEADER) trustedAppPublicRoot $(TRUSTED_APP_PUBLIC) > $@
|
||||
|
||||
manifest-signing-test-root.inc: $(TEST_SSL_PATH)trusted_ca1.der $(GEN_CERT_HEADER)
|
||||
$(PYTHON) $(GEN_CERT_HEADER) trustedAppTestRoot $< > $@
|
||||
|
||||
xpcshell.inc: $(srcdir)/../manager/ssl/tests/unit/test_signed_apps/trusted_ca1.der $(GEN_CERT_HEADER)
|
||||
$(PYTHON) $(GEN_CERT_HEADER) xpcshellRoot $< > $@
|
||||
|
||||
export:: \
|
||||
marketplace-prod-public.inc \
|
||||
marketplace-prod-reviewers.inc \
|
||||
marketplace-dev-public.inc \
|
||||
marketplace-dev-reviewers.inc \
|
||||
marketplace-stage.inc \
|
||||
manifest-signing-root.inc \
|
||||
manifest-signing-test-root.inc \
|
||||
xpcshell.inc \
|
||||
$(NULL)
|
|
@ -2,38 +2,41 @@
|
|||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
import sys
|
||||
import binascii
|
||||
|
||||
def file_byte_generator(filename, block_size = 512):
|
||||
def _file_byte_generator(filename):
|
||||
with open(filename, "rb") as f:
|
||||
while True:
|
||||
block = f.read(block_size)
|
||||
if block:
|
||||
for byte in block:
|
||||
yield byte
|
||||
else:
|
||||
break
|
||||
contents = f.read()
|
||||
|
||||
def create_header(array_name, in_filename):
|
||||
hexified = ["0x" + binascii.hexlify(byte) for byte in file_byte_generator(in_filename)]
|
||||
print "const uint8_t " + array_name + "[] = {"
|
||||
print ", ".join(hexified)
|
||||
print "};"
|
||||
return 0
|
||||
# Treat empty files the same as a file containing a lone 0;
|
||||
# a single-element array will fail cert verifcation just as an
|
||||
# empty array would.
|
||||
if not contents:
|
||||
return ['\0']
|
||||
|
||||
def create_empty_header(array_name):
|
||||
# mfbt/ArrayUtils.h will not be able to pick up the
|
||||
# correct specialization for ArrayLength(const array[0])
|
||||
# so add a value of 0 which will fail cert verification
|
||||
# just the same as an empty array
|
||||
print "const uint8_t " + array_name + "[] = { 0x0 };"
|
||||
return 0
|
||||
return contents
|
||||
|
||||
if __name__ == '__main__':
|
||||
if len(sys.argv) < 2:
|
||||
print 'ERROR: usage: gen_cert_header.py array_name in_filename'
|
||||
sys.exit(1);
|
||||
if len(sys.argv) == 2:
|
||||
sys.exit(create_empty_header(sys.argv[1]))
|
||||
sys.exit(create_header(sys.argv[1], sys.argv[2]))
|
||||
def _create_header(array_name, cert_bytes):
|
||||
hexified = ["0x" + binascii.hexlify(byte) for byte in cert_bytes]
|
||||
substs = { 'array_name': array_name, 'bytes': ', '.join(hexified) }
|
||||
return "const uint8_t %(array_name)s[] = {\n%(bytes)s\n};\n" % substs
|
||||
|
||||
# Create functions named the same as the data arrays that we're going to
|
||||
# write to the headers, so we don't have to duplicate the names like so:
|
||||
#
|
||||
# def arrayName(header, cert_filename):
|
||||
# header.write(_create_header("arrayName", cert_filename))
|
||||
array_names = [
|
||||
'marketplaceProdPublicRoot',
|
||||
'marketplaceProdReviewersRoot',
|
||||
'marketplaceDevPublicRoot',
|
||||
'marketplaceDevReviewersRoot',
|
||||
'marketplaceStageRoot',
|
||||
'trustedAppPublicRoot',
|
||||
'trustedAppTestRoot',
|
||||
'xpcshellRoot',
|
||||
]
|
||||
|
||||
for n in array_names:
|
||||
# Make sure the lambda captures the right string.
|
||||
globals()[n] = lambda header, cert_filename, name=n: header.write(_create_header(name, _file_byte_generator(cert_filename)))
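Review bot: The empty-file branch in `_file_byte_generator` returns `['\0']`, so an empty certificate input silently becomes a one-byte array and nothing in the build output shows that a placeholder root was emitted; safety then rests entirely on the consumer rejecting that array at verification time. The +/- markers are lost on this page, so which lines are on the new side is inferred from the hunk. I would state that contract where the header text is built, for example above `_create_header`: `# An empty cert file becomes { 0x00 }; that array must never verify as a trust root.` The comment in the empty-file branch also misspells "verification" as `verifcation`, and the function no longer yields bytes although its name still says generator, which a one-line docstring would clear up.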
|
||||
|
|
|
@ -22,3 +22,22 @@ LOCAL_INCLUDES += [
|
|||
DEFINES['NSS_ENABLE_ECC'] = 'True'
|
||||
for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
|
||||
DEFINES[var] = '"%s"' % CONFIG[var]
|
||||
|
||||
test_ssl_path = TOPSRCDIR + '/security/manager/ssl/tests/unit'
|
||||
|
||||
headers_arrays_certs = [
|
||||
('marketplace-prod-public.inc', 'marketplaceProdPublicRoot', 'marketplace-prod-public.crt'),
|
||||
('marketplace-prod-reviewers.inc', 'marketplaceProdReviewersRoot', 'marketplace-prod-reviewers.crt'),
|
||||
('marketplace-dev-public.inc', 'marketplaceDevPublicRoot', 'marketplace-dev-public.crt'),
|
||||
('marketplace-dev-reviewers.inc', 'marketplaceDevReviewersRoot', 'marketplace-dev-reviewers.crt'),
|
||||
('marketplace-stage.inc', 'marketplaceStageRoot', 'marketplace-stage.crt'),
|
||||
('manifest-signing-root.inc', 'trustedAppPublicRoot', 'trusted-app-public.der'),
|
||||
('manifest-signing-test-root.inc', 'trustedAppTestRoot', test_ssl_path + '/test_signed_manifest/trusted_ca1.der'),
|
||||
('xpcshell.inc', 'xpcshellRoot', test_ssl_path + '/test_signed_apps/trusted_ca1.der'),
|
||||
]
|
||||
|
||||
for header, array_name, cert in headers_arrays_certs:
|
||||
GENERATED_FILES += [header]
|
||||
h = GENERATED_FILES[header]
|
||||
h.script = 'gen_cert_header.py:' + array_name
|
||||
h.inputs = [cert]
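Review bot: The second element of each tuple in `headers_arrays_certs` has to match a name in `array_names` in gen_cert_header.py, because `h.script` is built as `'gen_cert_header.py:' + array_name`, and nothing in this list says so. A comment above the list would make the coupling visible: `# array name must also appear in array_names in gen_cert_header.py`. For anyone auditing which roots get compiled in, it would also help to mark the last two entries as test roots taken from the xpcshell test directories, and the `trusted-app-public.der` entry as the empty in-tree file that the commit description says partners may overwrite.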
|
||||
|
|