#if 0 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0/LGPL 2.1 * * The contents of this file are subject to the Mozilla Public License Version * 1.1 (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * http://www.mozilla.org/MPL/ * * Software distributed under the License is distributed on an "AS IS" basis, * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License * for the specific language governing rights and limitations under the * License. * * The Original Code is the Update Service. * * The Initial Developer of the Original Code is Ben Goodger. * Portions created by the Initial Developer are Copyright (C) 2004 * the Initial Developer. All Rights Reserved. * * Contributor(s): * Darin Fisher * Daniel Veditz * Jesper Kristensen * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), * in which case the provisions of the GPL or the LGPL are applicable instead * of those above. If you wish to allow use of your version of this file only * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ #endif EXPORTED_SYMBOLS = [ "BadCertHandler", "checkCert" ]; /** * Only allow built-in certs for HTTPS connections. See bug 340198. */ function checkCert(channel) { if (!channel.originalURI.schemeIs("https")) // bypass return; const Ci = Components.interfaces; var cert = channel.securityInfo.QueryInterface(Ci.nsISSLStatusProvider). SSLStatus.QueryInterface(Ci.nsISSLStatus).serverCert; var issuer = cert.issuer; while (issuer && !cert.equals(issuer)) { cert = issuer; issuer = cert.issuer; } var errorstring = "cert issuer is not built-in"; if (!issuer) throw errorstring; issuer = issuer.QueryInterface(Ci.nsIX509Cert3); var tokenNames = issuer.getAllTokenNames({}); if (!tokenNames.some(isBuiltinToken)) throw errorstring; } function isBuiltinToken(tokenName) { return tokenName == "Builtin Object Token"; } /** * This class implements nsIBadCertListener. Its job is to prevent "bad cert" * security dialogs from being shown to the user. It is better to simply fail * if the certificate is bad. See bug 304286. */ function BadCertHandler(aAllowNonBuiltInCerts) { this.allowNonBuiltInCerts = aAllowNonBuiltInCerts; } BadCertHandler.prototype = { // nsIChannelEventSink onChannelRedirect: function(oldChannel, newChannel, flags) { if (this.allowNonBuiltInCerts) return; // make sure the certificate of the old channel checks out before we follow // a redirect from it. See bug 340198. // Don't call checkCert for internal redirects. See bug 569648. if (!(flags & Components.interfaces.nsIChannelEventSink.REDIRECT_INTERNAL)) checkCert(oldChannel); }, // Suppress any certificate errors notifyCertProblem: function(socketInfo, status, targetSite) { return true; }, // Suppress any ssl errors notifySSLError: function(socketInfo, error, targetSite) { return true; }, // nsIInterfaceRequestor getInterface: function(iid) { return this.QueryInterface(iid); }, // nsISupports QueryInterface: function(iid) { if (!iid.equals(Components.interfaces.nsIChannelEventSink) && !iid.equals(Components.interfaces.nsIBadCertListener2) && !iid.equals(Components.interfaces.nsISSLErrorListener) && !iid.equals(Components.interfaces.nsIInterfaceRequestor) && !iid.equals(Components.interfaces.nsISupports)) throw Components.results.NS_ERROR_NO_INTERFACE; return this; } };