[tor-commits] [tor-browser/tor-browser-31.3.0esr-4.5-1] Bug 13379: Sign our MAR files (backport Mozilla patches).
brade at torproject.org
brade at torproject.org
Wed Dec 17 22:06:24 UTC 2014
commit 40b509e6d7408a73c5a81a3d971dfc6daf5f7510
Author: Kathy Brade <brade at pearlcrescent.com>
Date: Fri Nov 14 11:24:14 2014 -0500
Bug 13379: Sign our MAR files (backport Mozilla patches).
Backport reviewed patches from these two Mozilla bugs:
903135 - Link updater to NSS and enable MAR verification on Linux and OSX
903126 - Implement a platform independent way to determine which cert to use
for verifying mars
Configure browser build with --enable-signmar and --enable-verify-mar.
---
browser/confvars.sh | 5 +
configure.in | 6 +-
modules/libmar/moz.build | 6 +-
modules/libmar/src/mar.h | 30 ++++-
modules/libmar/src/mar_cmdline.h | 32 -----
modules/libmar/tool/mar.c | 109 +++++++++--------
modules/libmar/verify/cryptox.c | 32 ++---
modules/libmar/verify/cryptox.h | 29 ++---
modules/libmar/verify/mar_verify.c | 143 +++++++---------------
toolkit/mozapps/update/updater/Makefile.in | 12 +-
toolkit/mozapps/update/updater/archivereader.cpp | 29 +----
toolkit/mozapps/update/updater/updater.cpp | 19 +++
12 files changed, 197 insertions(+), 255 deletions(-)
diff --git a/browser/confvars.sh b/browser/confvars.sh
index 8914379..8e7cf7e 100644
--- a/browser/confvars.sh
+++ b/browser/confvars.sh
@@ -8,6 +8,11 @@ MOZ_APP_VENDOR=Mozilla
MOZ_UPDATER=1
MOZ_PHOENIX=1
+MOZ_VERIFY_MAR_SIGNATURE=1
+
+# Enable building ./signmar and running libmar signature tests
+MOZ_ENABLE_SIGNMAR=1
+
MOZ_CHROME_FILE_FORMAT=omni
MOZ_DISABLE_EXPORT_JS=1
MOZ_SAFE_BROWSING=1
diff --git a/configure.in b/configure.in
index b97a1e6..3093a3f 100644
--- a/configure.in
+++ b/configure.in
@@ -6351,11 +6351,7 @@ MOZ_ARG_ENABLE_BOOL(verify-mar,
MOZ_VERIFY_MAR_SIGNATURE= )
if test -n "$MOZ_VERIFY_MAR_SIGNATURE"; then
- if test "$OS_ARCH" = "WINNT"; then
- AC_DEFINE(MOZ_VERIFY_MAR_SIGNATURE)
- else
- AC_MSG_ERROR([Can only build with --enable-verify-mar with a Windows target])
- fi
+ AC_DEFINE(MOZ_VERIFY_MAR_SIGNATURE)
fi
dnl ========================================================
diff --git a/modules/libmar/moz.build b/modules/libmar/moz.build
index 44191c3..d9a8b34 100644
--- a/modules/libmar/moz.build
+++ b/modules/libmar/moz.build
@@ -9,11 +9,7 @@ DIRS += ['src']
if CONFIG['MOZ_ENABLE_SIGNMAR']:
DIRS += ['sign', 'verify']
TEST_DIRS += ['tests']
-elif CONFIG['OS_ARCH'] == 'WINNT':
- # On Windows we don't verify with NSS and updater needs to link to it
- DIRS += ['verify']
-elif CONFIG['OS_ARCH'] == 'Darwin':
- # On OSX we don't verify with NSS and updater needs to link to it.
+elif CONFIG['MOZ_VERIFY_MAR_SIGNATURE']:
DIRS += ['verify']
# If we are building ./sign and ./verify then ./tool must come after it
diff --git a/modules/libmar/src/mar.h b/modules/libmar/src/mar.h
index 4e53d2c..98b454d 100644
--- a/modules/libmar/src/mar.h
+++ b/modules/libmar/src/mar.h
@@ -134,6 +134,26 @@ int mar_create(const char *dest,
*/
int mar_extract(const char *path);
+#define MAR_MAX_CERT_SIZE (16*1024) // Way larger than necessary
+
+/* Read the entire file (not a MAR file) into a newly-allocated buffer.
+ * This function does not write to stderr. Instead, the caller should
+ * write whatever error messages it sees fit. The caller must free the returned
+ * buffer using free().
+ *
+ * @param filePath The path to the file that should be read.
+ * @param maxSize The maximum valid file size.
+ * @param data On success, *data will point to a newly-allocated buffer
+ * with the file's contents in it.
+ * @param size On success, *size will be the size of the created buffer.
+ *
+ * @return 0 on success, -1 on error
+ */
+int mar_read_entire_file(const char * filePath,
+ uint32_t maxSize,
+ /*out*/ const uint8_t * *data,
+ /*out*/ uint32_t *size);
+
/**
* Verifies a MAR file by verifying each signature with the corresponding
* certificate. That is, the first signature will be verified using the first
@@ -154,12 +174,10 @@ int mar_extract(const char *path);
* a negative number if there was an error
* a positive number if the signature does not verify
*/
-#ifdef XP_WIN
-int mar_verify_signaturesW(MarFile *mar,
- const uint8_t * const *certData,
- const uint32_t *certDataSizes,
- uint32_t certCount);
-#endif
+int mar_verify_signatures(MarFile *mar,
+ const uint8_t * const *certData,
+ const uint32_t *certDataSizes,
+ uint32_t certCount);
/**
* Reads the product info block from the MAR file's additional block section.
diff --git a/modules/libmar/src/mar_cmdline.h b/modules/libmar/src/mar_cmdline.h
index e8645ec..e2c9ed5 100644
--- a/modules/libmar/src/mar_cmdline.h
+++ b/modules/libmar/src/mar_cmdline.h
@@ -38,38 +38,6 @@ int get_mar_file_info(const char *path,
uint32_t *offsetAdditionalBlocks,
uint32_t *numAdditionalBlocks);
-/**
- * Verifies a MAR file by verifying each signature with the corresponding
- * certificate. That is, the first signature will be verified using the first
- * certificate given, the second signature will be verified using the second
- * certificate given, etc. The signature count must exactly match the number of
- * certificates given, and all signature verifications must succeed.
- * This is only used by the signmar program when used with arguments to verify
- * a MAR. This should not be used to verify a MAR that will be extracted in the
- * same operation by updater code. This function prints the error message if
- * verification fails.
- *
- * @param pathToMAR The path of the MAR file whose signature should be
- * checked
- * @param certData Pointer to the first element in an array of certificate
- * file data.
- * @param certDataSizes Pointer to the first element in an array for size of
- * the cert data.
- * @param certNames Pointer to the first element in an array of certificate
- * names.
- * Used only if compiled with NSS support
- * @param certCount The number of elements in certData, certDataSizes,
- * and certNames
- * @return 0 on success
- * a negative number if there was an error
- * a positive number if the signature does not verify
- */
-int mar_verify_signatures(const char *pathToMAR,
- const uint8_t * const *certData,
- const uint32_t *certDataSizes,
- const char * const *certNames,
- uint32_t certCount);
-
/**
* Reads the product info block from the MAR file's additional block section.
* The caller is responsible for freeing the fields in infoBlock
diff --git a/modules/libmar/tool/mar.c b/modules/libmar/tool/mar.c
index 8abbac7..821813c 100644
--- a/modules/libmar/tool/mar.c
+++ b/modules/libmar/tool/mar.c
@@ -19,6 +19,8 @@
#endif
#if !defined(NO_SIGN_VERIFY) && (!defined(XP_WIN) || defined(MAR_NSS))
+#include "cert.h"
+#include "pk11pub.h"
int NSSInitCryptoContext(const char *NSSConfigDir);
#endif
@@ -120,15 +122,13 @@ int main(int argc, char **argv) {
uint32_t certCount = 0;
int32_t sigIndex = -1;
-#if defined(XP_WIN) && !defined(MAR_NSS) && !defined(NO_SIGN_VERIFY)
- HANDLE certFile;
- uint8_t *certBuffers[MAX_SIGNATURES];
-#endif
-#if !defined(NO_SIGN_VERIFY) && ((!defined(MAR_NSS) && defined(XP_WIN)) || \
- defined(XP_MACOSX))
- char* DERFilePaths[MAX_SIGNATURES];
+#if !defined(NO_SIGN_VERIFY)
uint32_t fileSizes[MAX_SIGNATURES];
- uint32_t read;
+ uint8_t* certBuffers[MAX_SIGNATURES];
+ char* DERFilePaths[MAX_SIGNATURES];
+#if (!defined(XP_WIN) && !defined(XP_MACOSX)) || defined(MAR_NSS)
+ CERTCertificate* certs[MAX_SIGNATURES];
+#endif
#endif
memset(certNames, 0, sizeof(certNames));
@@ -319,43 +319,68 @@ int main(int argc, char **argv) {
return import_signature(argv[2], sigIndex, argv[3], argv[4]);
case 'v':
-
-#if defined(XP_WIN) && !defined(MAR_NSS)
if (certCount == 0) {
print_usage();
return -1;
}
+#if (!defined(XP_WIN) && !defined(XP_MACOSX)) || defined(MAR_NSS)
+ if (!NSSConfigDir || certCount == 0) {
+ print_usage();
+ return -1;
+ }
+
+ if (NSSInitCryptoContext(NSSConfigDir)) {
+ fprintf(stderr, "ERROR: Could not initialize crypto library.\n");
+ return -1;
+ }
+#endif
+
+ rv = 0;
for (k = 0; k < certCount; ++k) {
- /* If the mar program was built using CryptoAPI, then read in the buffer
- containing the cert from disk. */
- certFile = CreateFileA(DERFilePaths[k], GENERIC_READ,
- FILE_SHARE_READ |
- FILE_SHARE_WRITE |
- FILE_SHARE_DELETE,
- NULL,
- OPEN_EXISTING,
- 0, NULL);
- if (INVALID_HANDLE_VALUE == certFile) {
- return -1;
+#if (defined(XP_WIN) || defined(XP_MACOSX)) && !defined(MAR_NSS)
+ rv = mar_read_entire_file(DERFilePaths[k], MAR_MAX_CERT_SIZE,
+ &certBuffers[k], &fileSizes[k]);
+#else
+ /* It is somewhat circuitous to look up a CERTCertificate and then pass
+ * in its DER encoding just so we can later re-create that
+ * CERTCertificate to extract the public key out of it. However, by doing
+ * things this way, we maximize the reuse of the mar_verify_signatures
+ * function and also we keep the control flow as similar as possible
+ * between programs and operating systems, at least for the functions
+ * that are critically important to security.
+ */
+ certs[k] = PK11_FindCertFromNickname(certNames[k], NULL);
+ if (certs[k]) {
+ certBuffers[k] = certs[k]->derCert.data;
+ fileSizes[k] = certs[k]->derCert.len;
+ } else {
+ rv = -1;
}
- fileSizes[k] = GetFileSize(certFile, NULL);
- certBuffers[k] = malloc(fileSizes[k]);
- if (!ReadFile(certFile, certBuffers[k], fileSizes[k], &read, NULL) ||
- fileSizes[k] != read) {
- CloseHandle(certFile);
- for (i = 0; i <= k; i++) {
- free(certBuffers[i]);
- }
- return -1;
+#endif
+ if (rv) {
+ fprintf(stderr, "ERROR: could not read file %s", DERFilePaths[k]);
+ break;
}
- CloseHandle(certFile);
}
- rv = mar_verify_signatures(argv[2], certBuffers, fileSizes,
- NULL, certCount);
+ if (!rv) {
+ MarFile *mar = mar_open(argv[2]);
+ if (mar) {
+ rv = mar_verify_signatures(mar, certBuffers, fileSizes, certCount);
+ mar_close(mar);
+ } else {
+ fprintf(stderr, "ERROR: Could not open MAR file.\n");
+ rv = -1;
+ }
+ }
for (k = 0; k < certCount; ++k) {
+#if (defined(XP_WIN) || defined(XP_MACOSX)) && !defined(MAR_NSS)
free(certBuffers[k]);
+#else
+ /* certBuffers[k] is owned by certs[k] so don't free it */
+ CERT_DestroyCertificate(certs[k]);
+#endif
}
if (rv) {
/* Determine if the source MAR file has the new fields for signing */
@@ -369,26 +394,8 @@ int main(int argc, char **argv) {
}
return -1;
}
-
return 0;
-#elif defined(XP_MACOSX)
- return mar_verify_signatures(argv[2], (const uint8_t* const*)DERFilePaths,
- 0, NULL, certCount);
-#else
- if (!NSSConfigDir || certCount == 0) {
- print_usage();
- return -1;
- }
-
- if (NSSInitCryptoContext(NSSConfigDir)) {
- fprintf(stderr, "ERROR: Could not initialize crypto library.\n");
- return -1;
- }
-
- return mar_verify_signatures(argv[2], NULL, 0, certNames, certCount);
-
-#endif /* defined(XP_WIN) && !defined(MAR_NSS) */
case 's':
if (!NSSConfigDir || certCount == 0 || argc < 4) {
print_usage();
diff --git a/modules/libmar/verify/cryptox.c b/modules/libmar/verify/cryptox.c
index 48fbecd..af34210 100644
--- a/modules/libmar/verify/cryptox.c
+++ b/modules/libmar/verify/cryptox.c
@@ -16,29 +16,32 @@
/**
* Loads the public key for the specified cert name from the NSS store.
*
- * @param certName The cert name to find.
+ * @param certData The DER-encoded X509 certificate to extract the key from.
+ * @param certDataSize The size of certData.
* @param publicKey Out parameter for the public key to use.
- * @param cert Out parameter for the certificate to use.
* @return CryptoX_Success on success, CryptoX_Error on error.
*/
CryptoX_Result
-NSS_LoadPublicKey(const char *certNickname,
- SECKEYPublicKey **publicKey,
- CERTCertificate **cert)
+NSS_LoadPublicKey(const unsigned char *certData, unsigned int certDataSize,
+ SECKEYPublicKey **publicKey)
{
- secuPWData pwdata = { PW_NONE, 0 };
- if (!cert || !publicKey || !cert) {
+ CERTCertificate * cert;
+ SECItem certDataItem = { siBuffer, (unsigned char*) certData, certDataSize };
+
+ if (!certData || !publicKey) {
return CryptoX_Error;
}
+ cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDataItem, NULL,
+ PR_FALSE, PR_TRUE);
/* Get the cert and embedded public key out of the database */
- *cert = PK11_FindCertFromNickname(certNickname, &pwdata);
- if (!*cert) {
+ if (!cert) {
return CryptoX_Error;
}
- *publicKey = CERT_ExtractPublicKey(*cert);
+ *publicKey = CERT_ExtractPublicKey(cert);
+ CERT_DestroyCertificate(cert);
+
if (!*publicKey) {
- CERT_DestroyCertificate(*cert);
return CryptoX_Error;
}
return CryptoX_Success;
@@ -150,12 +153,11 @@ CryptoX_Result
CryptoAPI_LoadPublicKey(HCRYPTPROV provider,
BYTE *certData,
DWORD sizeOfCertData,
- HCRYPTKEY *publicKey,
- HCERTSTORE *certStore)
+ HCRYPTKEY *publicKey)
{
CRYPT_DATA_BLOB blob;
CERT_CONTEXT *context;
- if (!provider || !certData || !publicKey || !certStore) {
+ if (!provider || !certData || !publicKey) {
return CryptoX_Error;
}
@@ -165,7 +167,7 @@ CryptoAPI_LoadPublicKey(HCRYPTPROV provider,
CERT_QUERY_CONTENT_FLAG_CERT,
CERT_QUERY_FORMAT_FLAG_BINARY,
0, NULL, NULL, NULL,
- certStore, NULL, (const void **)&context)) {
+ NULL, NULL, (const void **)&context)) {
return CryptoX_Error;
}
diff --git a/modules/libmar/verify/cryptox.h b/modules/libmar/verify/cryptox.h
index 2dd93ef..ec8f5ac 100644
--- a/modules/libmar/verify/cryptox.h
+++ b/modules/libmar/verify/cryptox.h
@@ -15,7 +15,9 @@
#if defined(MAR_NSS)
-#include "nss_secutil.h"
+#include "cert.h"
+#include "keyhi.h"
+#include "cryptohi.h"
#define CryptoX_InvalidHandleValue NULL
#define CryptoX_ProviderHandle void*
@@ -26,9 +28,9 @@
#ifdef __cplusplus
extern "C" {
#endif
-CryptoX_Result NSS_LoadPublicKey(const char *certNickname,
- SECKEYPublicKey **publicKey,
- CERTCertificate **cert);
+CryptoX_Result NSS_LoadPublicKey(const unsigned char* certData,
+ unsigned int certDataSize,
+ SECKEYPublicKey** publicKey);
CryptoX_Result NSS_VerifyBegin(VFYContext **ctx,
SECKEYPublicKey * const *publicKey);
CryptoX_Result NSS_VerifySignature(VFYContext * const *ctx ,
@@ -46,9 +48,8 @@ CryptoX_Result NSS_VerifySignature(VFYContext * const *ctx ,
VFY_DestroyContext(*SignatureHandle, PR_TRUE)
#define CryptoX_VerifyUpdate(SignatureHandle, buf, len) \
VFY_Update(*SignatureHandle, (const unsigned char*)(buf), len)
-#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, \
- publicKey, certName, cert) \
- NSS_LoadPublicKey(certName, publicKey, cert)
+#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, publicKey) \
+ NSS_LoadPublicKey(certData, dataSize, publicKey)
#define CryptoX_VerifySignature(hash, publicKey, signedData, len) \
NSS_VerifySignature(hash, (const unsigned char *)(signedData), len)
#define CryptoX_FreePublicKey(key) \
@@ -91,7 +92,7 @@ void CryptoMac_FreePublicKey(CryptoX_PublicKey* aPublicKey);
#define CryptoX_VerifyUpdate(aInputData, aBuf, aLen) \
CryptoMac_VerifyUpdate(aInputData, aBuf, aLen)
#define CryptoX_LoadPublicKey(aProviderHandle, aCertData, aDataSize, \
- aPublicKey, aCertName, aCert) \
+ aPublicKey) \
CryptoMac_LoadPublicKey(aCertData, aPublicKey)
#define CryptoX_VerifySignature(aInputData, aPublicKey, aSignature, \
aSignatureLen) \
@@ -111,8 +112,7 @@ CryptoX_Result CryptoAPI_InitCryptoContext(HCRYPTPROV *provider);
CryptoX_Result CryptoAPI_LoadPublicKey(HCRYPTPROV hProv,
BYTE *certData,
DWORD sizeOfCertData,
- HCRYPTKEY *publicKey,
- HCERTSTORE *cert);
+ HCRYPTKEY *publicKey);
CryptoX_Result CryptoAPI_VerifyBegin(HCRYPTPROV provider, HCRYPTHASH* hash);
CryptoX_Result CryptoAPI_VerifyUpdate(HCRYPTHASH* hash,
BYTE *buf, DWORD len);
@@ -133,10 +133,8 @@ CryptoX_Result CyprtoAPI_VerifySignature(HCRYPTHASH *hash,
#define CryptoX_FreeSignatureHandle(SignatureHandle)
#define CryptoX_VerifyUpdate(SignatureHandle, buf, len) \
CryptoAPI_VerifyUpdate(SignatureHandle, (BYTE *)(buf), len)
-#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, \
- publicKey, certName, cert) \
- CryptoAPI_LoadPublicKey(CryptoHandle, (BYTE*)(certData), \
- dataSize, publicKey, cert)
+#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, publicKey) \
+ CryptoAPI_LoadPublicKey(CryptoHandle, (BYTE*)(certData), dataSize, publicKey)
#define CryptoX_VerifySignature(hash, publicKey, signedData, len) \
CyprtoAPI_VerifySignature(hash, publicKey, signedData, len)
#define CryptoX_FreePublicKey(key) \
@@ -163,8 +161,7 @@ CryptoX_Result CyprtoAPI_VerifySignature(HCRYPTHASH *hash,
CryptoX_Error
#define CryptoX_FreeSignatureHandle(SignatureHandle)
#define CryptoX_VerifyUpdate(SignatureHandle, buf, len) CryptoX_Error
-#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, \
- publicKey, certName, cert) \
+#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, publicKey) \
CryptoX_Error
#define CryptoX_VerifySignature(hash, publicKey, signedData, len) CryptoX_Error
#define CryptoX_FreePublicKey(key) CryptoX_Error
diff --git a/modules/libmar/verify/mar_verify.c b/modules/libmar/verify/mar_verify.c
index 7578b62..165a802 100644
--- a/modules/libmar/verify/mar_verify.c
+++ b/modules/libmar/verify/mar_verify.c
@@ -17,6 +17,46 @@
#include "mar.h"
#include "cryptox.h"
+int
+mar_read_entire_file(const char * filePath, uint32_t maxSize,
+ /*out*/ const uint8_t * *data,
+ /*out*/ uint32_t *size)
+{
+ int result;
+ FILE * f;
+
+ if (!filePath || !data || !size) {
+ return -1;
+ }
+
+ f = fopen(filePath, "rb");
+ if (!f) {
+ return -1;
+ }
+
+ result = -1;
+ if (!fseeko(f, 0, SEEK_END)) {
+ int64_t fileSize = ftello(f);
+ if (fileSize > 0 && fileSize <= maxSize && !fseeko(f, 0, SEEK_SET)) {
+ unsigned char * fileData;
+
+ *size = (unsigned int) fileSize;
+ fileData = malloc(*size);
+ if (fileData) {
+ if (fread(fileData, *size, 1, f) == 1) {
+ *data = fileData;
+ result = 0;
+ } else {
+ free(fileData);
+ }
+ }
+ }
+ fclose(f);
+ }
+
+ return result;
+}
+
int mar_extract_and_verify_signatures_fp(FILE *fp,
CryptoX_ProviderHandle provider,
CryptoX_PublicKey *keys,
@@ -81,92 +121,8 @@ ReadAndUpdateVerifyContext(FILE *fp,
* certificate given, the second signature will be verified using the second
* certificate given, etc. The signature count must exactly match the number of
* certificates given, and all signature verifications must succeed.
- * This is only used by the signmar program when used with arguments to verify
- * a MAR. This should not be used to verify a MAR that will be extracted in the
- * same operation by updater code. This function prints the error message if
- * verification fails.
*
- * @param pathToMARFile The path of the MAR file to verify.
- * @param certData Pointer to the first element in an array of certificate
- * file data.
- * @param certDataSizes Pointer to the first element in an array for size of the
- * cert data.
- * @param certNames Pointer to the first element in an array of certificate names.
- * Used only if compiled as NSS, specifies the certificate names
- * @param certCount The number of elements in certData, certDataSizes, and certNames
- * @return 0 on success
- * a negative number if there was an error
- * a positive number if the signature does not verify
- */
-int
-mar_verify_signatures(const char *pathToMARFile,
- const uint8_t * const *certData,
- const uint32_t *certDataSizes,
- const char * const *certNames,
- uint32_t certCount) {
- int rv;
- CryptoX_ProviderHandle provider = CryptoX_InvalidHandleValue;
- CryptoX_Certificate certs[MAX_SIGNATURES];
- CryptoX_PublicKey keys[MAX_SIGNATURES];
- FILE *fp;
- uint32_t k;
-
- memset(certs, 0, sizeof(certs));
- memset(keys, 0, sizeof(keys));
-
- if (!pathToMARFile || certCount == 0) {
- fprintf(stderr, "ERROR: Invalid parameter specified.\n");
- return CryptoX_Error;
- }
-
- fp = fopen(pathToMARFile, "rb");
- if (!fp) {
- fprintf(stderr, "ERROR: Could not open MAR file.\n");
- return CryptoX_Error;
- }
-
- if (CryptoX_Failed(CryptoX_InitCryptoProvider(&provider))) {
- fclose(fp);
- fprintf(stderr, "ERROR: Could not init crytpo library.\n");
- return CryptoX_Error;
- }
-
- /* Load the certs and keys */
- for (k = 0; k < certCount; k++) {
- if (CryptoX_Failed(CryptoX_LoadPublicKey(provider, certData[k], certDataSizes[k],
- &keys[k], certNames[k], &certs[k]))) {
- fclose(fp);
- fprintf(stderr, "ERROR: Could not load public key.\n");
- return CryptoX_Error;
- }
- }
-
- rv = mar_extract_and_verify_signatures_fp(fp, provider, keys, certCount);
- fclose(fp);
-
- /* Cleanup the allocated keys and certs */
- for (k = 0; k < certCount; k++) {
- if (keys[k]) {
- CryptoX_FreePublicKey(&keys[k]);
- }
-
- if (certs[k]) {
- CryptoX_FreeCertificate(&certs[k]);
- }
- }
- return rv;
-}
-
-#ifdef XP_WIN
-/**
- * Verifies a MAR file by verifying each signature with the corresponding
- * certificate. That is, the first signature will be verified using the first
- * certificate given, the second signature will be verified using the second
- * certificate given, etc. The signature count must exactly match the number of
- * certificates given, and all signature verifications must succeed.
- *
- * @param pathToMARFile The path of the MAR file who's signature
- * should be calculated
+ * @param mar The file who's signature should be calculated
* @param certData Pointer to the first element in an array of
* certificate data
* @param certDataSizes Pointer to the first element in an array for size of
@@ -175,17 +131,15 @@ mar_verify_signatures(const char *pathToMARFile,
* @return 0 on success
*/
int
-mar_verify_signaturesW(MarFile *mar,
- const uint8_t * const *certData,
- const uint32_t *certDataSizes,
- uint32_t certCount) {
+mar_verify_signatures(MarFile *mar,
+ const uint8_t * const *certData,
+ const uint32_t *certDataSizes,
+ uint32_t certCount) {
int rv = -1;
CryptoX_ProviderHandle provider = CryptoX_InvalidHandleValue;
- CryptoX_Certificate certs[MAX_SIGNATURES];
CryptoX_PublicKey keys[MAX_SIGNATURES];
uint32_t k;
- memset(certs, 0, sizeof(certs));
memset(keys, 0, sizeof(keys));
if (!mar || !certData || !certDataSizes || certCount == 0) {
@@ -205,7 +159,7 @@ mar_verify_signaturesW(MarFile *mar,
for (k = 0; k < certCount; ++k) {
if (CryptoX_Failed(CryptoX_LoadPublicKey(provider, certData[k], certDataSizes[k],
- &keys[k], "", &certs[k]))) {
+ &keys[k]))) {
fprintf(stderr, "ERROR: Could not load public key.\n");
goto failure;
}
@@ -219,15 +173,10 @@ failure:
if (keys[k]) {
CryptoX_FreePublicKey(&keys[k]);
}
-
- if (certs[k]) {
- CryptoX_FreeCertificate(&certs[k]);
- }
}
return rv;
}
-#endif
/**
* Extracts each signature from the specified MAR file,
diff --git a/toolkit/mozapps/update/updater/Makefile.in b/toolkit/mozapps/update/updater/Makefile.in
index bd6716b..52cdbeb 100644
--- a/toolkit/mozapps/update/updater/Makefile.in
+++ b/toolkit/mozapps/update/updater/Makefile.in
@@ -18,9 +18,14 @@ LIBS += \
$(MOZ_BZ2_LIBS) \
$(NULL)
-ifeq ($(OS_ARCH),WINNT)
+LIBS += $(call EXPAND_LIBNAME_PATH,signmar,$(DEPTH)/modules/libmar/sign)
LIBS += $(call EXPAND_LIBNAME_PATH,verifymar,$(DEPTH)/modules/libmar/verify)
+ifeq ($(OS_ARCH),WINNT)
OS_LIBS += $(call EXPAND_LIBNAME,comctl32 ws2_32 shell32 shlwapi)
+else
+LIBS += $(DIST)/lib/$(LIB_PREFIX)nss3.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
+ $(NSPR_LIBS)
endif
ifdef MOZ_WIDGET_GTK
@@ -51,14 +56,13 @@ else ifneq (,$(filter nightly aurora nightly-elm nightly-profiling nightly-oak n
PRIMARY_CERT = nightly_aurora_level3_primary.der
SECONDARY_CERT = nightly_aurora_level3_secondary.der
else
- PRIMARY_CERT = dep1.der
- SECONDARY_CERT = dep2.der
+ PRIMARY_CERT = xpcshellCertificate.der
+ SECONDARY_CERT = xpcshellCertificate.der
endif
export::
$(PYTHON) $(srcdir)/gen_cert_header.py primaryCertData $(srcdir)/$(PRIMARY_CERT) > primaryCert.h
$(PYTHON) $(srcdir)/gen_cert_header.py secondaryCertData $(srcdir)/$(SECONDARY_CERT) > secondaryCert.h
- $(PYTHON) $(srcdir)/gen_cert_header.py xpcshellCertData $(srcdir)/xpcshellCertificate.der > xpcshellCert.h
ifdef MOZ_WIDGET_GTK
libs:: updater.png
diff --git a/toolkit/mozapps/update/updater/archivereader.cpp b/toolkit/mozapps/update/updater/archivereader.cpp
index f0e6ea3..aa9ccc4 100644
--- a/toolkit/mozapps/update/updater/archivereader.cpp
+++ b/toolkit/mozapps/update/updater/archivereader.cpp
@@ -15,13 +15,10 @@
#include "updatehelper.h"
#endif
-#ifdef XP_WIN
// These are generated at compile time based on the DER file for the channel
// being used
#include "primaryCert.h"
#include "secondaryCert.h"
-#include "xpcshellCert.h"
-#endif
#define UPDATER_NO_STRING_GLUE_STL
#include "nsVersionComparator.cpp"
@@ -38,9 +35,6 @@ static int outbuf_size = 262144;
static char *inbuf = nullptr;
static char *outbuf = nullptr;
-#ifdef XP_WIN
-#include "resource.h"
-
/**
* Performs a verification on the opened MAR file with the passed in
* certificate name ID and type ID.
@@ -54,15 +48,13 @@ int
VerifyLoadedCert(MarFile *archive, const uint8_t (&certData)[SIZE])
{
const uint32_t size = SIZE;
- const uint8_t * const data = &certData[0];
- if (mar_verify_signaturesW(archive, &data, &size, 1)) {
+ const uint8_t* const data = &certData[0];
+ if (mar_verify_signatures(archive, &data, &size, 1)) {
return CERT_VERIFY_ERROR;
}
return OK;
}
-#endif
-
/**
* Performs a verification on the opened MAR file. Both the primary and backup
@@ -79,22 +71,11 @@ ArchiveReader::VerifySignature()
return ARCHIVE_NOT_OPEN;
}
-#ifdef XP_WIN
- // If the fallback key exists we're running an XPCShell test and we should
- // use the XPCShell specific cert for the signed MAR.
- int rv;
- if (DoesFallbackKeyExist()) {
- rv = VerifyLoadedCert(mArchive, xpcshellCertData);
- } else {
- rv = VerifyLoadedCert(mArchive, primaryCertData);
- if (rv != OK) {
- rv = VerifyLoadedCert(mArchive, secondaryCertData);
- }
+ int rv = VerifyLoadedCert(mArchive, primaryCertData);
+ if (rv != OK) {
+ rv = VerifyLoadedCert(mArchive, secondaryCertData);
}
return rv;
-#else
- return OK;
-#endif
}
/**
diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp
index 4cf24db..3a3968e 100644
--- a/toolkit/mozapps/update/updater/updater.cpp
+++ b/toolkit/mozapps/update/updater/updater.cpp
@@ -108,6 +108,11 @@ static bool sUseHardLinks = true;
# define MAYBE_USE_HARD_LINKS 0
#endif
+#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN)
+#include "nss.h"
+#include "prerror.h"
+#endif
+
#ifdef XP_WIN
#include "updatehelper.h"
@@ -2520,6 +2525,20 @@ int NS_main(int argc, NS_tchar **argv)
_exit(1);
}
#endif
+
+#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN)
+ // On Windows we rely on CyrptoAPI to do verifications so we don't need to
+ // initialize NSS at all there.
+ // Otherwise, minimize the amount of NSS we depend on by avoiding all the NSS
+ // databases.
+ if (NSS_NoDB_Init(NULL) != SECSuccess) {
+ PRErrorCode error = PR_GetError();
+ fprintf(stderr, "Could not initialize NSS: %s (%d)",
+ PR_ErrorToName(error), (int) error);
+ _exit(1);
+ }
+#endif
+
InitProgressUI(&argc, &argv);
// To process an update the updater command line must at a minimum have the
More information about the tor-commits
mailing list