# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

TEST_DIRS += ["tests"]

XPIDL_SOURCES += [
    "nsICertificateDialogs.idl",
    "nsICertOverrideService.idl",
    "nsICertStorage.idl",
    "nsICertTree.idl",
    "nsIClientAuthDialogService.idl",
    "nsIClientAuthRememberService.idl",
    "nsIContentSignatureVerifier.idl",
    "nsICryptoHash.idl",
    "nsIDataStorage.idl",
    "nsINSSComponent.idl",
    "nsINSSErrorsService.idl",
    "nsINSSVersion.idl",
    "nsIOSKeyStore.idl",
    "nsIOSReauthenticator.idl",
    "nsIPK11Token.idl",
    "nsIPK11TokenDB.idl",
    "nsIPKCS11Module.idl",
    "nsIPKCS11ModuleDB.idl",
    "nsIPKCS11Slot.idl",
    "nsIPublicKeyPinningService.idl",
    "nsISecretDecoderRing.idl",
    "nsISecurityUITelemetry.idl",
    "nsISiteSecurityService.idl",
    "nsITLSSocketControl.idl",
    "nsITokenPasswordDialogs.idl",
    "nsITransportSecurityInfo.idl",
    "nsIX509Cert.idl",
    "nsIX509CertDB.idl",
    "nsIX509CertValidity.idl",
]

XPIDL_MODULE = "pipnss"

XPCOM_MANIFESTS += [
    "components.conf",
]

EXTRA_JS_MODULES.psm += [
    "ClientAuthDialogService.sys.mjs",
    "DER.sys.mjs",
    "RemoteSecuritySettings.sys.mjs",
    "X509.sys.mjs",
]

EXPORTS += [
    "CommonSocketControl.h",
    "CryptoTask.h",
    "EnterpriseRoots.h",
    "nsClientAuthRemember.h",
    "nsNSSCallbacks.h",
    "nsNSSCertificate.h",
    "nsNSSComponent.h",
    "nsNSSHelper.h",
    "nsRandomGenerator.h",
    "nsSecureBrowserUI.h",
    "nsSecurityHeaderParser.h",
    "NSSErrorsService.h",
    "nsSSLSocketProvider.h",
    "nsTLSSocketProvider.h",
    "RootCertificateTelemetryUtils.h",
    "ScopedNSSTypes.h",
    "SharedCertVerifier.h",
    "SSLServerCertVerification.h",
    "TransportSecurityInfo.h",
]

EXPORTS.mozilla += [
    "crypto_hash/crypto_hash_sha2.h",
    "PublicSSL.h",
]

EXPORTS.mozilla.psm += [
    "IPCClientCertsChild.h",
    "IPCClientCertsParent.h",
    "SelectTLSClientAuthCertChild.h",
    "SelectTLSClientAuthCertParent.h",
    "TransportSecurityInfo.h",
    "VerifySSLServerCertChild.h",
    "VerifySSLServerCertParent.h",
]

UNIFIED_SOURCES += [
    "AppSignatureVerification.cpp",
    "AppTrustDomain.cpp",
    "CertStorageMemoryReporting.cpp",
    "CommonSocketControl.cpp",
    "ContentSignatureVerifier.cpp",
    "CryptoTask.cpp",
    "DataStorageManager.cpp",
    "EnterpriseRoots.cpp",
    "IPCClientCertsChild.cpp",
    "IPCClientCertsParent.cpp",
    "md4.c",
    "nsCertOverrideService.cpp",
    "nsCertTree.cpp",
    "nsClientAuthRemember.cpp",
    "nsNSSCallbacks.cpp",
    "nsNSSCertHelper.cpp",
    "nsNSSCertificate.cpp",
    "nsNSSCertificateDB.cpp",
    "nsNSSCertTrust.cpp",
    "nsNSSComponent.cpp",
    "nsNSSIOLayer.cpp",
    "nsNSSModule.cpp",
    "nsNSSVersion.cpp",
    "nsNTLMAuthModule.cpp",
    "nsPK11TokenDB.cpp",
    "nsPKCS11Slot.cpp",
    "nsPKCS12Blob.cpp",
    "nsRandomGenerator.cpp",
    "nsSecureBrowserUI.cpp",
    "nsSecurityHeaderParser.cpp",
    "NSSErrorsService.cpp",
    "nsSiteSecurityService.cpp",
    "NSSKeyStore.cpp",
    "nsSSLSocketProvider.cpp",
    "NSSSocketControl.cpp",
    "nsTLSSocketProvider.cpp",
    "OSKeyStore.cpp",
    "PKCS11ModuleDB.cpp",
    "PSMRunnable.cpp",
    "PublicKeyPinningService.cpp",
    "RootCertificateTelemetryUtils.cpp",
    "SecretDecoderRing.cpp",
    "SSLServerCertVerification.cpp",
    "TLSClientAuthCertSelection.cpp",
    "TransportSecurityInfo.cpp",
    "VerifySSLServerCertChild.cpp",
    "VerifySSLServerCertParent.cpp",
    "X509CertValidity.cpp",
]

if CONFIG["OS_ARCH"] == "WINNT":
    # On Windows this file includes ntsecapi.h, which contains definitions that
    # conflict with headers included in remaining source files. We compile this
    # one independently to prevent that interferance.
    SOURCES += [
        "OSReauthenticator.cpp",
    ]
else:
    UNIFIED_SOURCES += [
        "OSReauthenticator.cpp",
    ]

if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
    UNIFIED_SOURCES += [
        "LibSecret.cpp",
    ]
    CFLAGS += CONFIG["GLIB_CFLAGS"]
    CXXFLAGS += CONFIG["GLIB_CFLAGS"]
    CFLAGS += CONFIG["MOZ_GTK3_CFLAGS"]
    CXXFLAGS += CONFIG["MOZ_GTK3_CFLAGS"]

if CONFIG["TARGET_KERNEL"] == "Darwin":
    UNIFIED_SOURCES += [
        "KeychainSecret.cpp",
        "OSReauthenticatorDarwin.mm",
    ]
    OS_LIBS += [
        "-framework CoreFoundation",
        "-framework LocalAuthentication",
        "-framework Security",
    ]

IPDL_SOURCES += [
    "PIPCClientCerts.ipdl",
    "PSelectTLSClientAuthCert.ipdl",
    "PSMIPCTypes.ipdlh",
    "PVerifySSLServerCert.ipdl",
]

# Required by OSClientCerts, IPCClientCerts and CredentialManagerSecret.
if CONFIG["OS_ARCH"] == "WINNT":
    OS_LIBS += [
        "advapi32",
        "bcrypt",
        "credui",
        "crypt32",
        "kernel32",
        "ncrypt",
        "userenv",
        "ws2_32",
        "ntdll",
    ]

    UNIFIED_SOURCES += [
        "CredentialManagerSecret.cpp",
    ]
    # Version string comparison is generally wrong, but by the time it would
    # actually matter, either bug 1489995 would be fixed, or the build would
    # require version >= 1.78.
    if CONFIG["RUSTC_VERSION"] and CONFIG["RUSTC_VERSION"] >= "1.78.0":
        OS_LIBS += [
            "synchronization",
        ]

FINAL_LIBRARY = "xul"

LOCAL_INCLUDES += [
    "!/dist/public/nss",
    "/dom/base",
    "/dom/crypto",
    "/netwerk/base",
    "/security/certverifier",
    "/third_party/rust/cose-c/include",
    "/xpcom/build",
]

GeneratedFile(
    "nsSTSPreloadListGenerated.inc",
    script="../../../xpcom/ds/tools/make_dafsa.py",
    inputs=["nsSTSPreloadList.inc"],
)

DEFINES["SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES"] = "True"
DEFINES["NSS_ENABLE_ECC"] = "True"
if CONFIG["MOZ_SYSTEM_NSS"]:
    DEFINES["MOZ_SYSTEM_NSS"] = True

# mozpkix is linked statically from the in-tree sources independent of whether
# system NSS is used or not.
USE_LIBS += ["mozpkix"]

include("/ipc/chromium/chromium-config.mozbuild")

if CONFIG["CC_TYPE"] in ("clang", "gcc"):
    CXXFLAGS += [
        "-Wextra",
        # -Wextra enables this warning, but it's too noisy to be useful.
        "-Wno-missing-field-initializers",
    ]

    # Gecko headers aren't warning-free enough for us to enable these warnings.
    CXXFLAGS += [
        "-Wno-unused-parameter",
    ]

headers_arrays_certs = [
    (
        "xpcshell.inc",
        "xpcshellRoots",
        [
            "tests/unit/test_signed_apps/xpcshellTestRoot.pem",
            "tests/unit/test_signed_apps/xpcshellTestRoot2.pem",
        ],
    ),
    ("addons-public.inc", "addonsPublicRoots", ["addons-public.pem"]),
    (
        "addons-public-intermediate.inc",
        "addonsPublicIntermediates",
        [
            "addons-public-intermediate.pem",
            "addons-public-2018-intermediate.pem",
        ],
    ),
    ("addons-stage.inc", "addonsStageRoots", ["addons-stage.pem"]),
    (
        "addons-stage-intermediate.inc",
        "addonsStageIntermediates",
        ["addons-stage-intermediate.pem"],
    ),
    (
        "content-signature-prod.inc",
        "contentSignatureProdRoots",
        ["content-signature-prod.pem"],
    ),
    (
        "content-signature-stage.inc",
        "contentSignatureStageRoots",
        ["content-signature-stage.pem"],
    ),
    # The dev root is the same as the stage root.
    (
        "content-signature-dev.inc",
        "contentSignatureDevRoots",
        ["content-signature-stage.pem"],
    ),
    (
        "content-signature-local.inc",
        "contentSignatureLocalRoots",
        ["content-signature-local.pem"],
    ),
]

for header, array_name, certs in headers_arrays_certs:
    GeneratedFile(
        header,
        script="gen_cert_header.py",
        entry_point="generate",
        inputs=certs,
        flags=[array_name],
    )