bug 386654, Implement notification for EV certs r=rrelyea, sr=bzbarsky, a=bzbarsky

security/manager/boot/src/nsSecureBrowserUIImpl.cpp

@@ -65,12 +65,14 @@
 #include "nsPIDOMWindow.h"
 #include "nsIContent.h"
 #include "nsIWebProgress.h"
+#include "nsIWebProgressListener.h"
 #include "nsIChannel.h"
 #include "nsIHttpChannel.h"
 #include "nsIFileChannel.h"
 #include "nsIWyciwygChannel.h"
 #include "nsIFTPChannel.h"
 #include "nsITransportSecurityInfo.h"
+#include "nsIIdentityInfo.h"
 #include "nsIURI.h"
 #include "nsISecurityEventSink.h"
 #include "nsIPrompt.h"
@@ -139,6 +141,7 @@ nsSecureBrowserUIImpl::nsSecureBrowserUIImpl()
 {
   mTransferringRequests.ops = nsnull;
   mNewToplevelSecurityState = STATE_IS_INSECURE;
+  mNewToplevelIsEV = PR_FALSE;
   mNewToplevelSecurityStateKnown = PR_TRUE;
   ResetStateTracking();
   
@@ -429,9 +432,10 @@ nsSecureBrowserUIImpl::EvaluateAndUpdateSecurityState(nsIRequest *aRequest)
 {
   nsCOMPtr<nsIChannel> channel(do_QueryInterface(aRequest));
 
-  if (!channel) {
-    mNewToplevelSecurityState = nsIWebProgressListener::STATE_IS_INSECURE;
-  } else {
+  mNewToplevelSecurityState = nsIWebProgressListener::STATE_IS_INSECURE;
+  mNewToplevelIsEV = PR_FALSE;
+
+  if (channel) {
     mNewToplevelSecurityState = GetSecurityStateFromChannel(channel);
 
     PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
@@ -452,6 +456,13 @@ nsSecureBrowserUIImpl::EvaluateAndUpdateSecurityState(nsIRequest *aRequest)
       if (secInfo) {
         secInfo->GetShortSecurityDescription(getter_Copies(mInfoTooltip));
       }
+
+      nsCOMPtr<nsIIdentityInfo> idinfo = do_QueryInterface(info);
+      if (idinfo) {
+        PRBool aTemp;
+        if (NS_SUCCEEDED(idinfo->GetIsExtendedValidation(&aTemp)))
+          mNewToplevelIsEV = aTemp;
+      }
     }
   }
 
@@ -1139,6 +1150,9 @@ nsresult nsSecureBrowserUIImpl::UpdateSecurityState(nsIRequest* aRequest)
            ("SecureUI:%p: UpdateSecurityState: calling OnSecurityChange\n", this
             ));
 
+    if (mNewToplevelIsEV)
+      newState |= nsIWebProgressListener::STATE_IDENTITY_EV_TOPLEVEL;
+
     mToplevelEventSink->OnSecurityChange(aRequest, newState);
   }
   else

security/manager/boot/src/nsSecureBrowserUIImpl.h

@@ -110,6 +110,7 @@ protected:
 
   void ResetStateTracking();
   PRUint32 mNewToplevelSecurityState;
+  PRPackedBool mNewToplevelIsEV;
   PRPackedBool mNewToplevelSecurityStateKnown;
   PRPackedBool mIsViewSource;
 

security/manager/ssl/public/Makefile.in

@@ -57,6 +57,7 @@ SDK_XPIDLSRCS = \
     nsIX509Cert.idl \
     nsIX509CertDB.idl \
     nsIX509CertValidity.idl \
+    nsIIdentityInfo.idl \
     $(NULL)
 
 XPIDLSRCS = \

security/manager/ssl/public/nsIIdentityInfo.idl

@@ -0,0 +1,44 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is Google Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2006
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Kai Engert <kengert@redhat.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+
+[scriptable, uuid(e72546a4-9b57-4766-a3aa-c05cbc7d8156)]
+interface nsIIdentityInfo : nsISupports
+{
+  readonly attribute boolean isExtendedValidation;
+};
+

security/manager/ssl/src/Makefile.in

@@ -95,6 +95,7 @@ CPPSRCS = 				\
   nsSmartCardEvent.cpp \
   nsStreamCipher.cpp \
   nsKeyModule.cpp \
+  nsIdentityChecking.cpp \
 	$(NULL)
 
 ifdef MOZ_XUL

security/manager/ssl/src/nsIdentityChecking.cpp

@@ -0,0 +1,11 @@
+#include "nsNSSIOLayer.h"
+
+NS_IMETHODIMP
+nsNSSSocketInfo::GetIsExtendedValidation(PRBool* aIsEV)
+{
+  NS_ENSURE_ARG(aIsEV);
+  *aIsEV = PR_FALSE;
+
+  return NS_OK;
+}
+

security/manager/ssl/src/nsNSSCallbacks.cpp

@@ -843,8 +843,13 @@ void PR_CALLBACK HandshakeCallback(PRFileDesc* fd, void* client_data) {
 
     CERTCertificate *serverCert = SSL_PeerCertificate(fd);
     if (serverCert) {
-      status->mServerCert = new nsNSSCertificate(serverCert);
+      nsRefPtr<nsNSSCertificate> nssc = new nsNSSCertificate(serverCert);
       CERT_DestroyCertificate(serverCert);
+      serverCert = nsnull;
+      infoObject->SetCert(nssc);
+      if (!status->mServerCert) {
+        status->mServerCert = nssc;
+      }
     }
 
     status->mKeyLength = keyLength;

security/manager/ssl/src/nsNSSIOLayer.cpp

@@ -231,11 +231,12 @@ void nsNSSSocketInfo::destructorSafeDestroyNSSReference()
   }
 }
 
-NS_IMPL_THREADSAFE_ISUPPORTS4(nsNSSSocketInfo,
+NS_IMPL_THREADSAFE_ISUPPORTS5(nsNSSSocketInfo,
                               nsITransportSecurityInfo,
                               nsISSLSocketControl,
                               nsIInterfaceRequestor,
-                              nsISSLStatusProvider)
+                              nsISSLStatusProvider,
+                              nsIIdentityInfo)
 
 nsresult
 nsNSSSocketInfo::GetHandshakePending(PRBool *aHandshakePending)
@@ -504,6 +505,23 @@ nsresult nsNSSSocketInfo::SetFileDescPtr(PRFileDesc* aFilePtr)
   return NS_OK;
 }
 
+nsresult nsNSSSocketInfo::GetCert(nsNSSCertificate** _result)
+{
+  NS_ENSURE_ARG_POINTER(_result);
+
+  *_result = mCert;
+  NS_IF_ADDREF(*_result);
+
+  return NS_OK;
+}
+
+nsresult nsNSSSocketInfo::SetCert(nsNSSCertificate *aCert)
+{
+  mCert = aCert;
+
+  return NS_OK;
+}
+
 nsresult nsNSSSocketInfo::GetSSLStatus(nsISupports** _result)
 {
   NS_ENSURE_ARG_POINTER(_result);

security/manager/ssl/src/nsNSSIOLayer.h

@@ -51,8 +51,11 @@
 #include "nsISSLSocketControl.h"
 #include "nsISSLStatus.h"
 #include "nsISSLStatusProvider.h"
+#include "nsIIdentityInfo.h"
 #include "nsXPIDLString.h"
 #include "nsNSSShutDown.h"
+#include "nsAutoPtr.h"
+#include "nsNSSCertificate.h"
 
 class nsIChannel;
 class nsSSLThread;
@@ -123,6 +126,7 @@ class nsNSSSocketInfo : public nsITransportSecurityInfo,
                         public nsISSLSocketControl,
                         public nsIInterfaceRequestor,
                         public nsISSLStatusProvider,
+                        public nsIIdentityInfo,
                         public nsNSSShutDownObject,
                         public nsOnPK11LogoutCancelObject
 {
@@ -135,6 +139,7 @@ public:
   NS_DECL_NSISSLSOCKETCONTROL
   NS_DECL_NSIINTERFACEREQUESTOR
   NS_DECL_NSISSLSTATUSPROVIDER
+  NS_DECL_NSIIDENTITYINFO
 
   nsresult SetSecurityState(PRUint32 aState);
   nsresult SetShortSecurityDescription(const PRUnichar *aText);
@@ -155,6 +160,9 @@ public:
   nsresult GetPort(PRInt32 *aPort);
   nsresult SetPort(PRInt32 aPort);
 
+  nsresult GetCert(nsNSSCertificate** _result);
+  nsresult SetCert(nsNSSCertificate *aCert);
+
   void SetCanceled(PRBool aCanceled);
   PRBool GetCanceled();
   
@@ -187,6 +195,7 @@ public:
 protected:
   nsCOMPtr<nsIInterfaceRequestor> mCallbacks;
   PRFileDesc* mFd;
+  nsRefPtr<nsNSSCertificate> mCert;
   enum { 
     blocking_state_unknown, is_nonblocking_socket, is_blocking_socket 
   } mBlockingState;