Bug 891066, part 2: Move CertVerifier to security/certverifier, r=keeler

--HG--
extra : rebase_source : dd59a391825b776b075e855660c2488105e2d741

build/dumbmake-dependencies

@@ -18,10 +18,9 @@ toolkit/library
   gfx
   toolkit/components/build
     toolkit/components
-  security/build
   security/manager
-  security/dbm
-  security/nss
+    security/certverifier
+      security/build
   accessible
   dom
   content

security/certverifier/CertVerifier.cpp

@@ -3,6 +3,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "CertVerifier.h"
+#include "ExtendedValidation.h"
 #include "ScopedNSSTypes.h"
 #include "cert.h"
 #include "secerr.h"
@@ -14,9 +15,6 @@ extern PRLogModuleInfo* gPIPNSSLog;
 
 namespace mozilla { namespace psm {
 
-extern SECStatus getFirstEVPolicy(CERTCertificate* cert, SECOidTag& outOidTag);
-extern CERTCertList* getRootsForOid(SECOidTag oid_tag);
-
 const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
 const CertVerifier::Flags CertVerifier::FLAG_NO_DV_FALLBACK_FOR_EV = 2;
 
@@ -159,10 +157,10 @@ CertVerifier::VerifyCert(CERTCertificate* cert,
 
   // Do EV checking only for sslserver usage
   if (usage == certificateUsageSSLServer) {
-    SECStatus srv = getFirstEVPolicy(cert, evPolicy);
+    SECStatus srv = GetFirstEVPolicy(cert, evPolicy);
     if (srv == SECSuccess) {
       if (evPolicy != SEC_OID_UNKNOWN) {
-        trustAnchors = getRootsForOid(evPolicy);
+        trustAnchors = GetRootsForOid(evPolicy);
       }
       if (!trustAnchors) {
         return SECFailure;

security/certverifier/ExtendedValidation.h

@@ -0,0 +1,23 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_psm_ExtendedValidation_h
+#define mozilla_psm_ExtendedValidation_h
+
+#include "certt.h"
+#include "prtypes.h"
+
+namespace mozilla { namespace psm {
+
+#ifndef NSS_NO_LIBPKIX
+void EnsureIdentityInfoLoaded();
+SECStatus GetFirstEVPolicy(CERTCertificate *cert, SECOidTag &outOidTag);
+CERTCertList* GetRootsForOid(SECOidTag oid_tag);
+void CleanupIdentityInfo();
+#endif
+
+} } // namespace mozilla::psm
+
+#endif // mozilla_psm_ExtendedValidation_h

security/certverifier/moz.build

@@ -0,0 +1,20 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+UNIFIED_SOURCES += [
+    'CertVerifier.cpp',
+]
+
+if not CONFIG['NSS_NO_LIBPKIX']:
+    UNIFIED_SOURCES += [
+        'ExtendedValidation.cpp',
+    ]
+
+LOCAL_INCLUDES += [
+    '../insanity/include',
+]
+
+FINAL_LIBRARY = 'xul'

security/manager/ssl/src/SSLServerCertVerification.cpp

@@ -97,6 +97,8 @@
 #include <cstring>
 
 #include "CertVerifier.h"
+#include "CryptoTask.h"
+#include "ExtendedValidation.h"
 #include "nsIBadCertListener2.h"
 #include "nsICertOverrideService.h"
 #include "nsISiteSecurityService.h"
@@ -1343,33 +1345,16 @@ AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig, PRBool isServer)
 }
 
 #ifndef NSS_NO_LIBPKIX
-class InitializeIdentityInfo : public nsRunnable
-                             , public nsNSSShutDownObject
+class InitializeIdentityInfo : public CryptoTask
 {
-private:
-  NS_IMETHOD Run()
+  virtual nsresult CalculateResult() MOZ_OVERRIDE
   {
-    nsNSSShutDownPreventionLock nssShutdownPrevention;
-    if (isAlreadyShutDown())
-      return NS_OK;
-
-    nsresult rv;
-    nsCOMPtr<nsINSSComponent> inss = do_GetService(PSM_COMPONENT_CONTRACTID, &rv);
-    if (NS_SUCCEEDED(rv))
-      inss->EnsureIdentityInfoLoaded();
+    EnsureIdentityInfoLoaded();
     return NS_OK;
   }
 
-  virtual void virtualDestroyNSSReference()
-  {
-  }
-
-  ~InitializeIdentityInfo()
-  {
-    nsNSSShutDownPreventionLock nssShutdownPrevention;
-    if (!isAlreadyShutDown())
-      shutdown(calledFromObject);
-  }
+  virtual void ReleaseNSSResources() MOZ_OVERRIDE { } // no-op
+  virtual void CallCallback(nsresult rv) MOZ_OVERRIDE { } // no-op
 };
 #endif
 

security/manager/ssl/src/moz.build

@@ -16,7 +16,6 @@ EXPORTS.mozilla += [
 ]
 
 UNIFIED_SOURCES += [
-    'CertVerifier.cpp',
     'CryptoTask.cpp',
     'nsCertificatePrincipal.cpp',
     'nsCertOverrideService.cpp',
@@ -27,7 +26,6 @@ UNIFIED_SOURCES += [
     'nsCMSSecureMessage.cpp',
     'nsCrypto.cpp',
     'nsDataSignatureVerifier.cpp',
-    'nsIdentityChecking.cpp',
     'nsKeygenHandler.cpp',
     'nsKeygenThread.cpp',
     'nsKeyModule.cpp',
@@ -94,7 +92,8 @@ UNIFIED_SOURCES += [
 FINAL_LIBRARY = 'xul'
 
 LOCAL_INCLUDES += [
-	'../../../insanity/include',
+    '../../../certverifier',
+    '../../../insanity/include',
 ]
 
 

security/manager/ssl/src/nsNSSCertificate.cpp

@@ -9,6 +9,7 @@
 
 #include "nsNSSCertificate.h"
 #include "CertVerifier.h"
+#include "ExtendedValidation.h"
 #include "nsNSSComponent.h" // for PIPNSS string bundle calls.
 #include "nsNSSCleaner.h"
 #include "nsCOMPtr.h"
@@ -1481,6 +1482,125 @@ char* nsNSSCertificate::defaultServerNickname(CERTCertificate* cert)
   return nickname;
 }
 
+#ifndef NSS_NO_LIBPKIX
+
+nsresult
+nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
+{
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown())
+    return NS_ERROR_NOT_AVAILABLE;
+
+  EnsureIdentityInfoLoaded();
+
+  RefPtr<mozilla::psm::SharedCertVerifier>
+    certVerifier(mozilla::psm::GetDefaultCertVerifier());
+  NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
+
+  validEV = false;
+  resultOidTag = SEC_OID_UNKNOWN;
+
+  uint32_t flags = mozilla::psm::CertVerifier::FLAG_LOCAL_ONLY |
+    mozilla::psm::CertVerifier::FLAG_NO_DV_FALLBACK_FOR_EV;
+  SECStatus rv = certVerifier->VerifyCert(mCert,
+    certificateUsageSSLServer, PR_Now(),
+    nullptr /* XXX pinarg */,
+    flags, nullptr, &resultOidTag);
+
+  if (rv != SECSuccess) {
+    resultOidTag = SEC_OID_UNKNOWN;
+  }
+  if (resultOidTag != SEC_OID_UNKNOWN) {
+    validEV = true;
+  }
+  return NS_OK;
+}
+
+nsresult
+nsNSSCertificate::getValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
+{
+  if (mCachedEVStatus != ev_status_unknown) {
+    validEV = (mCachedEVStatus == ev_status_valid);
+    if (validEV) {
+      resultOidTag = mCachedEVOidTag;
+    }
+    return NS_OK;
+  }
+
+  nsresult rv = hasValidEVOidTag(resultOidTag, validEV);
+  if (NS_SUCCEEDED(rv)) {
+    if (validEV) {
+      mCachedEVOidTag = resultOidTag;
+    }
+    mCachedEVStatus = validEV ? ev_status_valid : ev_status_invalid;
+  }
+  return rv;
+}
+
+#endif // NSS_NO_LIBPKIX
+
+NS_IMETHODIMP
+nsNSSCertificate::GetIsExtendedValidation(bool* aIsEV)
+{
+#ifdef NSS_NO_LIBPKIX
+  *aIsEV = false;
+  return NS_OK;
+#else
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  NS_ENSURE_ARG(aIsEV);
+  *aIsEV = false;
+
+  if (mCachedEVStatus != ev_status_unknown) {
+    *aIsEV = (mCachedEVStatus == ev_status_valid);
+    return NS_OK;
+  }
+
+  SECOidTag oid_tag;
+  return getValidEVOidTag(oid_tag, *aIsEV);
+#endif
+}
+
+NS_IMETHODIMP
+nsNSSCertificate::GetValidEVPolicyOid(nsACString& outDottedOid)
+{
+  outDottedOid.Truncate();
+
+#ifndef NSS_NO_LIBPKIX
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  SECOidTag oid_tag;
+  bool valid;
+  nsresult rv = getValidEVOidTag(oid_tag, valid);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  if (valid) {
+    SECOidData* oid_data = SECOID_FindOIDByTag(oid_tag);
+    if (!oid_data) {
+      return NS_ERROR_FAILURE;
+    }
+
+    char* oid_str = CERT_GetOidString(&oid_data->oid);
+    if (!oid_str) {
+      return NS_ERROR_FAILURE;
+    }
+
+    outDottedOid.Assign(oid_str);
+    PR_smprintf_free(oid_str);
+  }
+#endif
+
+  return NS_OK;
+}
+
 NS_IMPL_ISUPPORTS1(nsNSSCertList, nsIX509CertList)
 
 nsNSSCertList::nsNSSCertList(CERTCertList* certList,

security/manager/ssl/src/nsNSSCertificateDB.cpp

@@ -11,6 +11,7 @@
 #include "nsNSSCertificateDB.h"
 
 #include "CertVerifier.h"
+#include "ExtendedValidation.h"
 #include "nsNSSComponent.h"
 #include "mozilla/Base64.h"
 #include "nsCOMPtr.h"
@@ -1698,13 +1699,8 @@ nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
     return NS_ERROR_NOT_AVAILABLE;
   }
 
-  nsresult rv;
 #ifndef NSS_NO_LIBPKIX
-  nsCOMPtr<nsINSSComponent> inss = do_GetService(PSM_COMPONENT_CONTRACTID, &rv);
-  if (NS_FAILED(rv)) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-  inss->EnsureIdentityInfoLoaded();
+  EnsureIdentityInfoLoaded();
 #endif
 
   nsCOMPtr<nsIX509Cert2> x509Cert = do_QueryInterface(aCert);

security/manager/ssl/src/nsNSSComponent.cpp

@@ -10,6 +10,7 @@
 
 #include "nsNSSComponent.h"
 
+#include "ExtendedValidation.h"
 #include "mozilla/Telemetry.h"
 #include "nsCertVerificationThread.h"
 #include "nsAppDirectoryServiceDefs.h"
@@ -220,12 +221,6 @@ nsNSSComponent::nsNSSComponent()
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::ctor\n"));
   mObserversRegistered = false;
 
-#ifndef NSS_NO_LIBPKIX
-  // In order to keep startup time lower, we delay loading and
-  // registering all identity data until first needed.
-  memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
-#endif
-
   NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!");
   ++mInstanceCount;
   mShutdownObjectList = nsNSSShutDownList::construct();
@@ -904,12 +899,11 @@ setNonPkixOcspEnabled(int32_t ocspEnabled)
 {
   // Note: this preference is numeric vs boolean because previously we
   // supported more than two options.
+  CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
   if (!ocspEnabled) {
     CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
-    CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
   } else {
     CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
-    CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
   }
 }
 

security/manager/ssl/src/nsNSSComponent.h

@@ -107,10 +107,6 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports {
                            const nsAString& token) = 0;
 #endif
 
-#ifndef NSS_NO_LIBPKIX
-  NS_IMETHOD EnsureIdentityInfoLoaded() = 0;
-#endif
-
   NS_IMETHOD IsNSSInitialized(bool* initialized) = 0;
 
   virtual ::mozilla::TemporaryRef<mozilla::psm::SharedCertVerifier>
@@ -175,9 +171,6 @@ public:
                                  const nsAString& token);
 #endif
 
-#ifndef NSS_NO_LIBPKIX
-  NS_IMETHOD EnsureIdentityInfoLoaded();
-#endif
   NS_IMETHOD IsNSSInitialized(bool* initialized);
 
   ::mozilla::TemporaryRef<mozilla::psm::SharedCertVerifier>
@@ -189,7 +182,6 @@ private:
 
   void InstallLoadableRoots();
   void UnloadLoadableRoots();
-  void CleanupIdentityInfo();
   void setValidationOptions(bool isInitialSetting);
   nsresult setEnabledTLSVersions();
   nsresult InitializePIPNSSBundle();
@@ -226,7 +218,6 @@ private:
 
 
   static PRStatus IdentityInfoInit(void);
-  PRCallOnceType mIdentityInfoCallOnce;
 };
 
 class nsNSSErrors

security/manager/ssl/src/nsSSLStatus.cpp

@@ -7,6 +7,7 @@
 #include "nsSSLStatus.h"
 #include "plstr.h"
 #include "nsIClassInfoImpl.h"
+#include "nsIIdentityInfo.h"
 #include "nsIProgrammingLanguage.h"
 #include "nsIObjectOutputStream.h"
 #include "nsIObjectInputStream.h"
@@ -88,6 +89,39 @@ nsSSLStatus::GetIsUntrusted(bool* _result)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+nsSSLStatus::GetIsExtendedValidation(bool* aIsEV)
+{
+  NS_ENSURE_ARG_POINTER(aIsEV);
+  *aIsEV = false;
+
+#ifdef NSS_NO_LIBPKIX
+  return NS_OK;
+#else
+  nsCOMPtr<nsIX509Cert> cert = mServerCert;
+  nsresult rv;
+  nsCOMPtr<nsIIdentityInfo> idinfo = do_QueryInterface(cert, &rv);
+
+  // mServerCert should never be null when this method is called because
+  // nsSSLStatus objects always have mServerCert set right after they are
+  // constructed and before they are returned. GetIsExtendedValidation should
+  // only be called in the chrome process (in e10s), and mServerCert will always
+  // implement nsIIdentityInfo in the chrome process.
+  if (!idinfo) {
+    NS_ERROR("nsSSLStatus has null mServerCert or was called in the content "
+             "process");
+    return NS_ERROR_UNEXPECTED;
+  }
+
+  // Never allow bad certs for EV, regardless of overrides.
+  if (mHaveCertErrorBits) {
+    return NS_OK;
+  }
+
+  return idinfo->GetIsExtendedValidation(aIsEV);
+#endif
+}
+
 NS_IMETHODIMP
 nsSSLStatus::Read(nsIObjectInputStream* stream)
 {

toolkit/toolkit.mozbuild

@@ -20,6 +20,10 @@ if CONFIG['COMPILE_ENVIRONMENT']:
 if CONFIG['MOZ_CONTENT_SANDBOX']:
     add_tier_dir('sandbox', 'security/sandbox')
 
+# Depends on NSS and NSPR, and must be built after sandbox or else B2G emulator
+# builds fail.
+add_tier_dir('platform', 'security/certverifier')
+
 # the signing related bits of libmar depend on nss
 if CONFIG['MOZ_UPDATER']:
     add_tier_dir('platform', 'modules/libmar')