Bug 1508730 - Expose full X509Certificate in `SecurityInfo` object r=geckoview-reviewers,droeh,agi

Differential Revision: https://phabricator.services.mozilla.com/D58154 --HG-- extra : moz-landing-system : lando
2020-01-10 15:24:36 +00:00 · 2020-01-10 15:24:36 +00:00 · c1f7515ff8
--- a/mobile/android/chrome/geckoview/GeckoViewProgressChild.js
+++ b/mobile/android/chrome/geckoview/GeckoViewProgressChild.js
@ -110,12 +110,12 @@ class GeckoViewProgressChild extends GeckoViewChildModule {
 }

 const ProgressTracker = {
-  onInit: function(aModule) {
+  onInit(aModule) {
    this._module = aModule;
    this.clear();
  },

-  start: function(aUri) {
+  start(aUri) {
    debug`ProgressTracker start ${aUri}`;

    if (this._tracking) {
@ -152,7 +152,7 @@ const ProgressTracker = {
    this.updateProgress();
  },

-  changeLocation: function(aUri) {
+  changeLocation(aUri) {
    debug`ProgressTracker changeLocation ${aUri}`;

    let data = this._data;
@ -160,7 +160,7 @@ const ProgressTracker = {
    data.uri = aUri;
  },

-  stop: function() {
+  stop() {
    debug`ProgressTracker stop`;

    let data = this._data;
@ -196,7 +196,7 @@ const ProgressTracker = {
    return this._module.eventDispatcher;
  },

-  handleEvent: function(aEvent) {
+  handleEvent(aEvent) {
    let data = this._data;

    const target = aEvent.originalTarget;
@ -242,7 +242,7 @@ const ProgressTracker = {
    }
  },

-  clear: function() {
+  clear() {
    this._data = {
      prev: 0,
      uri: null,
@ -255,7 +255,7 @@ const ProgressTracker = {
    };
  },

-  _debugData: function() {
+  _debugData() {
    return {
      prev: this._data.prev,
      uri: this._data.uri,
@ -268,7 +268,7 @@ const ProgressTracker = {
    };
  },

-  updateProgress: function() {
+  updateProgress() {
    debug`ProgressTracker updateProgress`;

    let data = this._data;
--- a/mobile/android/geckoview/api.txt
+++ b/mobile/android/geckoview/api.txt
@ -52,6 +52,7 @@ import java.lang.Throwable;
 import java.lang.Void;
 import java.net.InetAddress;
 import java.nio.ByteBuffer;
+import java.security.cert.X509Certificate;
 import java.util.AbstractSequentialList;
 import java.util.Collection;
 import java.util.List;
@ -830,17 +831,14 @@ package org.mozilla.geckoview {
    field public static final int SECURITY_MODE_IDENTIFIED = 1;
    field public static final int SECURITY_MODE_UNKNOWN = 0;
    field public static final int SECURITY_MODE_VERIFIED = 2;
+    field @Nullable public final X509Certificate certificate;
    field @NonNull public final String host;
    field public final boolean isException;
    field public final boolean isSecure;
-    field @NonNull public final String issuerCommonName;
-    field @NonNull public final String issuerOrganization;
    field public final int mixedModeActive;
    field public final int mixedModePassive;
-    field @NonNull public final String organization;
    field @Nullable public final String origin;
    field public final int securityMode;
-    field @NonNull public final String subjectName;
  }

  public static interface GeckoSession.PromptDelegate {
--- a/mobile/android/geckoview/src/androidTest/java/org/mozilla/geckoview/test/ProgressDelegateTest.kt
+++ b/mobile/android/geckoview/src/androidTest/java/org/mozilla/geckoview/test/ProgressDelegateTest.kt
@ -191,18 +191,12 @@ class ProgressDelegateTest : BaseSessionTest() {
                assertThat("Host should match",
                           securityInfo.host,
                           equalTo("example.com"))
-                assertThat("Organization should match",
-                           securityInfo.organization,
-                           equalTo(""))
-                assertThat("Subject name should match",
-                           securityInfo.subjectName,
-                           equalTo("CN=example.com"))
-                assertThat("Issuer common name should match",
-                           securityInfo.issuerCommonName,
-                           equalTo("Temporary Certificate Authority"))
-                assertThat("Issuer organization should match",
-                           securityInfo.issuerOrganization,
-                           equalTo("Mozilla Testing"))
+                assertThat("Subject should match",
+                        securityInfo.certificate?.subjectX500Principal?.name,
+                        equalTo("CN=example.com"))
+                assertThat("Issuer should match",
+                        securityInfo.certificate?.issuerX500Principal?.name,
+                        equalTo("OU=Profile Guided Optimization,O=Mozilla Testing,CN=Temporary Certificate Authority"))
                assertThat("Security mode should match",
                           securityInfo.securityMode,
                           equalTo(GeckoSession.ProgressDelegate.SecurityInformation.SECURITY_MODE_IDENTIFIED))
@ -237,18 +231,12 @@ class ProgressDelegateTest : BaseSessionTest() {
                assertThat("Host should match",
                           securityInfo.host,
                           equalTo("mozilla-modern.badssl.com"))
-                assertThat("Organization should match",
-                           securityInfo.organization,
-                           equalTo("Lucas Garron"))
-                assertThat("Subject name should match",
-                           securityInfo.subjectName,
+                assertThat("Subject should match",
+                           securityInfo.certificate?.subjectX500Principal?.name,
                           equalTo("CN=*.badssl.com,O=Lucas Garron,L=Walnut Creek,ST=California,C=US"))
-                assertThat("Issuer common name should match",
-                           securityInfo.issuerCommonName,
-                           equalTo("DigiCert SHA2 Secure Server CA"))
-                assertThat("Issuer organization should match",
-                           securityInfo.issuerOrganization,
-                           equalTo("DigiCert Inc"))
+                assertThat("Issuer should match",
+                           securityInfo.certificate?.issuerX500Principal?.name,
+                           equalTo("CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"))
                assertThat("Security mode should match",
                           securityInfo.securityMode,
                           equalTo(GeckoSession.ProgressDelegate.SecurityInformation.SECURITY_MODE_IDENTIFIED))
--- a/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
+++ b/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
@ -6,10 +6,14 @@

 package org.mozilla.geckoview;

+import java.io.ByteArrayInputStream;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.ref.WeakReference;
 import java.nio.ByteBuffer;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.AbstractSequentialList;
 import java.util.ArrayList;
 import java.util.Arrays;
@ -2814,22 +2818,12 @@ public class GeckoSession implements Parcelable {
             * Contains the host associated with the certificate.
             */
            public final @NonNull String host;
+
            /**
-             * Contains the human-readable name of the certificate subject.
+             * The server certificate in use, if any.
             */
-            public final @NonNull String organization;
-            /**
-             * Contains the full name of the certificate subject, including location.
-             */
-            public final @NonNull String subjectName;
-            /**
-             * Contains the common name of the issuing authority.
-             */
-            public final @NonNull String issuerCommonName;
-            /**
-             * Contains the full/proper name of the issuing authority.
-             */
-            public final @NonNull String issuerOrganization;
+            public final @Nullable X509Certificate certificate;
+
            /**
             * Indicates the security level of the site; possible values are SECURITY_MODE_UNKNOWN,
             * SECURITY_MODE_IDENTIFIED, and SECURITY_MODE_VERIFIED. SECURITY_MODE_IDENTIFIED
@ -2859,10 +2853,20 @@ public class GeckoSession implements Parcelable {
                isException = identityData.getBoolean("securityException");
                origin = identityData.getString("origin");
                host = identityData.getString("host");
-                organization = identityData.getString("organization");
-                subjectName = identityData.getString("subjectName");
-                issuerCommonName = identityData.getString("issuerCommonName");
-                issuerOrganization = identityData.getString("issuerOrganization");
+
+                X509Certificate decodedCert = null;
+                try {
+                    final CertificateFactory factory = CertificateFactory.getInstance("X.509");
+                    final String certString = identityData.getString("certificate");
+                    if (certString != null) {
+                        final byte[] certBytes = Base64.decode(certString, Base64.NO_WRAP);
+                        decodedCert = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(certBytes));
+                    }
+                } catch (CertificateException e) {
+                    Log.e(LOGTAG, "Failed to decode certificate", e);
+                }
+
+                certificate = decodedCert;
            }

            /**
@ -2876,10 +2880,7 @@ public class GeckoSession implements Parcelable {
                isException = false;
                origin = "";
                host = "";
-                organization = "";
-                subjectName = "";
-                issuerCommonName = "";
-                issuerOrganization = "";
+                certificate = null;
            }
        }

--- a/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/doc-files/CHANGELOG.md
+++ b/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/doc-files/CHANGELOG.md
@ -17,9 +17,13 @@ exclude: true
 - Added [`WebExtensionController.enable`][74.1] and [`disable`][74.2] to
  enable and disable extensions.
  ([bug 1599585]({{bugzilla}}1599585))
+- ⚠️ Added ['GeckoSession.ProgressDelegate.SecurityInformation#certificate'][74.3], which is the
+  full server certificate in use, if any. The other certificate-related fields were removed.
+  ([bug 1508730]({{bugzilla}}1508730))

 [74.1]: {{javadoc_uri}}/WebExtensionController.html#enable-org.mozilla.geckoview.WebExtension-int-
 [74.2]: {{javadoc_uri}}/WebExtensionController.html#disable-org.mozilla.geckoview.WebExtension-int-
+[74.3]: {{javadoc_uri}}/GeckoSession.ProgressDelegate.SecurityInformation.html#certificate

 ## v73
 - Added [`WebExtensionController.install`][73.1] and [`uninstall`][73.2] to
@ -530,4 +534,4 @@ exclude: true
 [65.24]: {{javadoc_uri}}/CrashReporter.html#sendCrashReport-android.content.Context-android.os.Bundle-java.lang.String-
 [65.25]: {{javadoc_uri}}/GeckoResult.html

-[api-version]: 45f21fe6c3c30f903b65a573540901e8f45affca
+[api-version]: fd18bfe91225a81545309da7f798c9a8a6031889
--- a/mobile/android/modules/geckoview/GeckoViewProgress.jsm
+++ b/mobile/android/modules/geckoview/GeckoViewProgress.jsm
@ -146,10 +146,7 @@ var IdentityHandler = {

    const cert = aBrowser.securityUI.secInfo.serverCert;

-    result.organization = cert.organization;
-    result.subjectName = cert.subjectName;
-    result.issuerOrganization = cert.issuerOrganization;
-    result.issuerCommonName = cert.issuerCommonName;
+    result.certificate = aBrowser.securityUI.secInfo.serverCert.getBase64DERString();

    try {
      result.securityException = OverrideService.hasMatchingOverride(
@ -325,7 +322,7 @@ class GeckoViewProgress extends GeckoViewModule {

    const message = {
      type: "GeckoView:SecurityChanged",
-      identity: identity,
+      identity,
    };

    this.eventDispatcher.sendRequest(message);