# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Sub-directory holding this component's tests.
TEST_DIRS += ["tests"]

# XPIDL interface definitions for this directory; they are grouped into the
# module named by XPIDL_MODULE below.
# NOTE(review): every .idl added here widens the interface surface of a
# security component. Whether an interface is reachable from script is decided
# inside the .idl file itself, not in this list.
XPIDL_SOURCES += [
    "nsICertificateDialogs.idl",
    "nsICertOverrideService.idl",
    "nsICertStorage.idl",
    "nsICertTree.idl",
    "nsIClientAuthDialogService.idl",
    "nsIClientAuthRememberService.idl",
    "nsIContentSignatureVerifier.idl",
    "nsICryptoHash.idl",
    "nsIDataStorage.idl",
    "nsINSSComponent.idl",
    "nsINSSErrorsService.idl",
    "nsINSSVersion.idl",
    "nsIOSKeyStore.idl",
    "nsIOSReauthenticator.idl",
    "nsIPK11Token.idl",
    "nsIPK11TokenDB.idl",
    "nsIPKCS11Module.idl",
    "nsIPKCS11ModuleDB.idl",
    "nsIPKCS11Slot.idl",
    "nsIPublicKeyPinningService.idl",
    "nsISecretDecoderRing.idl",
    "nsISecurityUITelemetry.idl",
    "nsISiteSecurityService.idl",
    "nsITLSSocketControl.idl",
    "nsITokenPasswordDialogs.idl",
    "nsITransportSecurityInfo.idl",
    "nsIX509Cert.idl",
    "nsIX509CertDB.idl",
    "nsIX509CertValidity.idl",
]

# Name of the XPIDL module the interfaces above are built into.
XPIDL_MODULE = "pipnss"

# XPCOM component registration manifest for this directory.
XPCOM_MANIFESTS += [
    "components.conf",
]
# JavaScript modules shipped by this directory, registered under the "psm"
# sub-namespace of EXTRA_JS_MODULES.
EXTRA_JS_MODULES.psm += [
    "ClientAuthDialogService.sys.mjs",
    "DER.sys.mjs",
    "RemoteSecuritySettings.sys.mjs",
    "X509.sys.mjs",
]

# C++ headers exported to the rest of the tree at the top-level include path.
# NOTE(review): exporting a header makes its declarations usable by every
# other directory; keep helpers that must stay internal to this component out
# of these lists.
EXPORTS += [
    "CommonSocketControl.h",
    "CryptoTask.h",
    "EnterpriseRoots.h",
    "nsClientAuthRemember.h",
    "nsNSSCallbacks.h",
    "nsNSSCertificate.h",
    "nsNSSComponent.h",
    "nsNSSHelper.h",
    "nsRandomGenerator.h",
    "nsSecureBrowserUI.h",
    "nsSecurityHeaderParser.h",
    "NSSErrorsService.h",
    "nsSSLSocketProvider.h",
    "nsTLSSocketProvider.h",
    "RootCertificateTelemetryUtils.h",
    "ScopedNSSTypes.h",
    "SharedCertVerifier.h",
    "SSLServerCertVerification.h",
    "TransportSecurityInfo.h",
]

# Headers exported under the "mozilla/" include prefix.
EXPORTS.mozilla += [
    "crypto_hash/crypto_hash_sha2.h",
    "PublicSSL.h",
]

# Headers exported under the "mozilla/psm/" include prefix.
# TransportSecurityInfo.h also appears in EXPORTS above, so it is exported
# under both include paths.
EXPORTS.mozilla.psm += [
    "IPCClientCertsChild.h",
    "IPCClientCertsParent.h",
    "SelectTLSClientAuthCertChild.h",
    "SelectTLSClientAuthCertParent.h",
    "TransportSecurityInfo.h",
    "VerifySSLServerCertChild.h",
    "VerifySSLServerCertParent.h",
]
# Platform-independent sources of this component, compiled in unified mode
# (files that must be compiled on their own go into SOURCES instead).
UNIFIED_SOURCES += [
    "AppSignatureVerification.cpp",
    "AppTrustDomain.cpp",
    "CertStorageMemoryReporting.cpp",
    "CommonSocketControl.cpp",
    "ContentSignatureVerifier.cpp",
    "CryptoTask.cpp",
    "DataStorageManager.cpp",
    "EnterpriseRoots.cpp",
    "IPCClientCertsChild.cpp",
    "IPCClientCertsParent.cpp",
    # NOTE(review): MD4 is a broken hash function. Presumably md4.c is built
    # only for NTLM (see nsNTLMAuthModule.cpp below) — confirm that it has no
    # other callers before relying on that.
    "md4.c",
    "nsCertOverrideService.cpp",
    "nsCertTree.cpp",
    "nsClientAuthRemember.cpp",
    "nsNSSCallbacks.cpp",
    "nsNSSCertHelper.cpp",
    "nsNSSCertificate.cpp",
    "nsNSSCertificateDB.cpp",
    "nsNSSCertTrust.cpp",
    "nsNSSComponent.cpp",
    "nsNSSIOLayer.cpp",
    "nsNSSModule.cpp",
    "nsNSSVersion.cpp",
    "nsNTLMAuthModule.cpp",
    "nsPK11TokenDB.cpp",
    "nsPKCS11Slot.cpp",
    "nsPKCS12Blob.cpp",
    "nsRandomGenerator.cpp",
    "nsSecureBrowserUI.cpp",
    "nsSecurityHeaderParser.cpp",
    "NSSErrorsService.cpp",
    "nsSiteSecurityService.cpp",
    "NSSKeyStore.cpp",
    "nsSSLSocketProvider.cpp",
    "NSSSocketControl.cpp",
    "nsTLSSocketProvider.cpp",
    "OSKeyStore.cpp",
    "PKCS11ModuleDB.cpp",
    "PSMRunnable.cpp",
    "PublicKeyPinningService.cpp",
    "RootCertificateTelemetryUtils.cpp",
    "SecretDecoderRing.cpp",
    "SSLServerCertVerification.cpp",
    "TLSClientAuthCertSelection.cpp",
    "TransportSecurityInfo.cpp",
    "VerifySSLServerCertChild.cpp",
    "VerifySSLServerCertParent.cpp",
    "X509CertValidity.cpp",
]
# OSReauthenticator.cpp is built on every platform; only the way it is
# compiled differs between Windows and everything else.
if CONFIG["OS_ARCH"] != "WINNT":
    UNIFIED_SOURCES += ["OSReauthenticator.cpp"]
else:
    # The Windows build of this file includes ntsecapi.h, whose definitions
    # conflict with headers included by the remaining source files, so it is
    # compiled independently instead of as part of a unified build unit.
    SOURCES += ["OSReauthenticator.cpp"]

# GTK builds add LibSecret.cpp together with the GLib and GTK3 compiler flags,
# applied to both C and C++ compilation.
if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
    UNIFIED_SOURCES += ["LibSecret.cpp"]
    CFLAGS += CONFIG["GLIB_CFLAGS"]
    CXXFLAGS += CONFIG["GLIB_CFLAGS"]
    CFLAGS += CONFIG["MOZ_GTK3_CFLAGS"]
    CXXFLAGS += CONFIG["MOZ_GTK3_CFLAGS"]

# Darwin kernels add the Keychain-backed source and the Objective-C++
# reauthenticator, and link the system frameworks listed below.
if CONFIG["TARGET_KERNEL"] == "Darwin":
    UNIFIED_SOURCES += ["KeychainSecret.cpp", "OSReauthenticatorDarwin.mm"]
    OS_LIBS += [
        "-framework CoreFoundation",
        "-framework LocalAuthentication",
        "-framework Security",
    ]
# IPDL protocol and shared-type definitions used by this component.
# NOTE(review): judging by the names, these cover client-certificate access,
# TLS client-auth certificate selection and server-certificate verification.
# Messages on these protocols presumably cross a process boundary, so the
# assumptions made about the sending side belong in the .ipdl files and their
# *Parent.cpp handlers — confirm there, this list only registers the files.
IPDL_SOURCES += [
    "PIPCClientCerts.ipdl",
    "PSelectTLSClientAuthCert.ipdl",
    "PSMIPCTypes.ipdlh",
    "PVerifySSLServerCert.ipdl",
]
# Required by OSClientCerts, IPCClientCerts and CredentialManagerSecret.
if CONFIG["OS_ARCH"] == "WINNT":
    # Windows system libraries this component links against.
    OS_LIBS += [
        "advapi32",
        "bcrypt",
        "credui",
        "crypt32",
        "kernel32",
        "ncrypt",
        "userenv",
        "ws2_32",
        "ntdll",
    ]

    # Windows-only source, built together with the unified sources.
    UNIFIED_SOURCES += [
        "CredentialManagerSecret.cpp",
    ]
    # Version string comparison is generally wrong, but by the time it would
    # actually matter, either bug 1489995 would be fixed, or the build would
    # require version >= 1.78.
    # NOTE(review): the comparison below is lexicographic, not numeric. A
    # version string such as "1.100.0" compares lower than "1.78.0", in which
    # case "synchronization" would silently not be linked. Revisit this before
    # rustc minor versions reach three digits.
    if CONFIG["RUSTC_VERSION"] and CONFIG["RUSTC_VERSION"] >= "1.78.0":
        OS_LIBS += [
            "synchronization",
        ]
# Objects built from this directory are linked into the library named "xul".
FINAL_LIBRARY = "xul"

# Additional include search paths. Entries starting with "/" are relative to
# the top of the source tree; the entry starting with "!" refers to the build
# output (object) directory instead.
LOCAL_INCLUDES += [
    "!/dist/public/nss",
    "/dom/base",
    "/dom/crypto",
    "/netwerk/base",
    "/security/certverifier",
    "/third_party/rust/cose-c/include",
    "/xpcom/build",
]

# Generate nsSTSPreloadListGenerated.inc at build time by running
# make_dafsa.py over nsSTSPreloadList.inc.
# NOTE(review): presumably this is the preloaded Strict-Transport-Security
# host list. The input file and the generator script both determine what is
# compiled in, so changes to either deserve the same review as code.
GeneratedFile(
    "nsSTSPreloadListGenerated.inc",
    script="../../../xpcom/ds/tools/make_dafsa.py",
    inputs=["nsSTSPreloadList.inc"],
)
# Preprocessor defines applied to this directory's sources.
# NOTE(review): the first two values are the string "True", while
# MOZ_SYSTEM_NSS below is the boolean True. The two forms are not necessarily
# passed to the compiler in the same way — confirm the difference is intended.
DEFINES["SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES"] = "True"
DEFINES["NSS_ENABLE_ECC"] = "True"
# Only defined when the build is configured to use the system's NSS.
if CONFIG["MOZ_SYSTEM_NSS"]:
    DEFINES["MOZ_SYSTEM_NSS"] = True

# mozpkix is linked statically from the in-tree sources independent of whether
# system NSS is used or not.
USE_LIBS += ["mozpkix"]

# Pull in the shared settings from the chromium IPC build configuration file.
include("/ipc/chromium/chromium-config.mozbuild")
# Extra C++ warning configuration, applied only when compiling with clang or
# gcc.
if CONFIG["CC_TYPE"] in ("clang", "gcc"):
    CXXFLAGS += [
        "-Wextra",
        # -Wextra enables this warning, but it's too noisy to be useful.
        "-Wno-missing-field-initializers",
    ]

    # Gecko headers aren't warning-free enough for us to enable these warnings.
    CXXFLAGS += [
        "-Wno-unused-parameter",
    ]
# Table driving the generated certificate headers. Each entry is
# (generated header file, C array name, list of input PEM files).
# NOTE(review): judging by the array names, these PEM files become the
# compiled-in roots and intermediates for add-on signing and content-signature
# verification. A change to any listed .pem file, or to this table, therefore
# changes a trust anchor and deserves the same review as code. "xpcshell.inc"
# is built from test roots under tests/; which of these arrays a given build
# actually trusts is decided by the consuming C++ code, not here — confirm.
headers_arrays_certs = [
    (
        "xpcshell.inc",
        "xpcshellRoots",
        [
            "tests/unit/test_signed_apps/xpcshellTestRoot.pem",
            "tests/unit/test_signed_apps/xpcshellTestRoot2.pem",
        ],
    ),
    ("addons-public.inc", "addonsPublicRoots", ["addons-public.pem"]),
    (
        "addons-public-intermediate.inc",
        "addonsPublicIntermediates",
        ["addons-public-intermediate.pem", "addons-public-2018-intermediate.pem"],
    ),
    ("addons-stage.inc", "addonsStageRoots", ["addons-stage.pem"]),
    (
        "addons-stage-intermediate.inc",
        "addonsStageIntermediates",
        ["addons-stage-intermediate.pem"],
    ),
    (
        "content-signature-prod.inc",
        "contentSignatureProdRoots",
        ["content-signature-prod.pem"],
    ),
    (
        "content-signature-stage.inc",
        "contentSignatureStageRoots",
        ["content-signature-stage.pem"],
    ),
    # The dev entry deliberately reuses the stage PEM: the dev root is the
    # same as the stage root.
    (
        "content-signature-dev.inc",
        "contentSignatureDevRoots",
        ["content-signature-stage.pem"],
    ),
    (
        "content-signature-local.inc",
        "contentSignatureLocalRoots",
        ["content-signature-local.pem"],
    ),
]

# Register one generated header per table entry: gen_cert_header.py's
# "generate" entry point receives the PEM files as inputs and the C array
# name as its only flag.
for out_header, c_array, pem_inputs in headers_arrays_certs:
    GeneratedFile(
        out_header,
        script="gen_cert_header.py",
        entry_point="generate",
        inputs=pem_inputs,
        flags=[c_array],
    )