Bug 1059216 - Verification of Trusted Hosted Apps manifest signature, part 2. r=sicking

dom/apps/TrustedHostedAppsUtils.jsm

@@ -40,8 +40,6 @@ let debug = Services.prefs.getBoolPref("dom.mozApps.debug") ?
 
 /**
  * Verification functions for Trusted Hosted Apps.
- * (Manifest signature verification is in Webapps.jsm as part of
- * regular signature verification.)
  */
 this.TrustedHostedAppsUtils = {
 
@@ -174,6 +172,7 @@ this.TrustedHostedAppsUtils = {
     aCertDb.verifySignedManifestAsync(
       root, aManifestStream, aSignatureStream,
       function(aRv, aCert) {
+        debug("Signature verification returned code, cert & root: " + aRv + " " + aCert + " " + root);
         if (Components.isSuccessCode(aRv)) {
           deferred.resolve(aCert);
         } else if (aRv == Cr.NS_ERROR_FILE_CORRUPTED ||
@@ -253,5 +252,21 @@ this.TrustedHostedAppsUtils = {
     }, deferred.reject);
 
     return deferred.promise;
+  },
+
+  verifyManifest: function(aData) {
+    return new Promise((resolve, reject) => {
+      // sanity check on manifest host's CA (proper CA check with
+      // pinning is done by regular networking code)
+      if (!this.isHostPinned(aData.app.manifestURL)) {
+        reject("TRUSTED_APPLICATION_HOST_CERTIFICATE_INVALID");
+        return;
+      }
+      if (!this.verifyCSPWhiteList(aData.app.manifest.csp)) {
+        reject("TRUSTED_APPLICATION_WHITELIST_VALIDATION_FAILED");
+        return;
+      }
+      this.verifySignedManifest(aData.app, aData.appId).then(resolve, reject);
+    });
   }
 };

dom/apps/Webapps.jsm

@@ -2292,24 +2292,16 @@ this.DOMApplicationRegistry = {
     // in which case we don't need to load it.
     if (app.manifest) {
       if (checkManifest()) {
-        if (this.kTrustedHosted == this.appKind(app, app.manifest)) {
-          // sanity check on manifest host's CA
-          // (proper CA check with pinning is done by regular networking code)
-          if (!TrustedHostedAppsUtils.isHostPinned(app.manifestURL)) {
-            sendError("TRUSTED_APPLICATION_HOST_CERTIFICATE_INVALID");
-            return;
-          }
-
-          // Signature of the manifest should be verified here.
-          // Bug 1059216.
-
-          if (!TrustedHostedAppsUtils.verifyCSPWhiteList(app.manifest.csp)) {
-            sendError("TRUSTED_APPLICATION_WHITELIST_VALIDATION_FAILED");
-            return;
-          }
+        debug("Installed manifest check OK");
+        if (this.kTrustedHosted !== this.appKind(app, app.manifest)) {
+          installApp();
+          return;
         }
-
-        installApp();
+        TrustedHostedAppsUtils.verifyManifest(aData)
+        	.then(installApp, sendError);
+      } else {
+        debug("Installed manifest check failed");
+        // checkManifest() sends error before return
       }
       return;
     }
@@ -2332,21 +2324,20 @@ this.DOMApplicationRegistry = {
 
         app.manifest = xhr.response;
         if (checkManifest()) {
+          debug("Downloaded manifest check OK");
           app.etag = xhr.getResponseHeader("Etag");
-          if (this.kTrustedHosted == this.appKind(app, app.manifest)) {
-            // checking trusted host for pinning is not needed here, since
-            // network code will have already done that
-
-            // Signature of the manifest should be verified here.
-            // Bug 1059216.
-
-            if (!TrustedHostedAppsUtils.verifyCSPWhiteList(app.manifest.csp)) {
-              sendError("TRUSTED_APPLICATION_WHITELIST_VALIDATION_FAILED");
-              return;
-            }
+          if (this.kTrustedHosted !== this.appKind(app, app.manifest)) {
+            installApp();
+            return;
           }
 
-          installApp();
+          debug("App kind: " + this.kTrustedHosted);
+          TrustedHostedAppsUtils.verifyManifest(aData)
+            .then(installApp, sendError);
+          return;
+        } else {
+          debug("Downloaded manifest check failed");
+          // checkManifest() sends error before return
         }
       } else {
         sendError("MANIFEST_URL_ERROR");