summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/AppSignatureVerification.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/AppSignatureVerification.cpp')
-rw-r--r--security/manager/ssl/AppSignatureVerification.cpp103
1 files changed, 71 insertions, 32 deletions
diff --git a/security/manager/ssl/AppSignatureVerification.cpp b/security/manager/ssl/AppSignatureVerification.cpp
index 399516dd9c..991006e1c1 100644
--- a/security/manager/ssl/AppSignatureVerification.cpp
+++ b/security/manager/ssl/AppSignatureVerification.cpp
@@ -1165,7 +1165,8 @@ nsresult VerifyPK7Signature(
AppTrustedRoot aTrustedRoot, nsIZipReader* aZip, SignaturePolicy& aPolicy,
/* out */ nsTHashtable<nsCStringHashKey>& aIgnoredFiles,
/* out */ bool& aVerified,
- /* out */ nsTArray<uint8_t>& aSignerCert) {
+ /* out */ nsTArray<uint8_t>& aSignerCert,
+ /* out */ SECOidTag& aHashAlgorithm) {
NS_ENSURE_ARG_POINTER(aZip);
bool required = aPolicy.PK7Required();
aVerified = false;
@@ -1255,22 +1256,50 @@ nsresult VerifyPK7Signature(
}
aVerified = true;
+ aHashAlgorithm = digestToUse;
return NS_OK;
}
-nsresult OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
- SignaturePolicy aPolicy,
- /* out, optional */ nsIZipReader** aZipReader,
- /* out, optional */ nsIX509Cert** aSignerCert) {
+class AppSignatureInfo final : public nsIAppSignatureInfo {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+
+ AppSignatureInfo(RefPtr<nsIX509Cert>&& signerCert,
+ nsIAppSignatureInfo::SignatureAlgorithm signatureAlgorithm)
+ : mSignerCert(std::move(signerCert)),
+ mSignatureAlgorithm(signatureAlgorithm) {}
+
+ NS_IMETHODIMP GetSignerCert(nsIX509Cert** signerCert) override {
+ *signerCert = do_AddRef(mSignerCert).take();
+ return NS_OK;
+ }
+
+ NS_IMETHODIMP GetSignatureAlgorithm(
+ nsIAppSignatureInfo::SignatureAlgorithm* signatureAlgorithm) override {
+ *signatureAlgorithm = mSignatureAlgorithm;
+ return NS_OK;
+ }
+
+ private:
+ ~AppSignatureInfo() = default;
+
+ RefPtr<nsIX509Cert> mSignerCert;
+ nsIAppSignatureInfo::SignatureAlgorithm mSignatureAlgorithm;
+};
+
+NS_IMPL_ISUPPORTS(AppSignatureInfo, nsIAppSignatureInfo)
+
+nsresult OpenSignedAppFile(
+ AppTrustedRoot aTrustedRoot, nsIFile* aJarFile, SignaturePolicy aPolicy,
+ /* out */ nsIZipReader** aZipReader,
+ /* out */ nsTArray<RefPtr<nsIAppSignatureInfo>>& aSignatureInfos) {
NS_ENSURE_ARG_POINTER(aJarFile);
if (aZipReader) {
*aZipReader = nullptr;
}
- if (aSignerCert) {
- *aSignerCert = nullptr;
- }
+ aSignatureInfos.Clear();
nsresult rv;
@@ -1281,10 +1310,11 @@ nsresult OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
rv = zip->Open(aJarFile);
NS_ENSURE_SUCCESS(rv, rv);
- bool pk7Verified = false;
- bool coseVerified = false;
nsTHashtable<nsCStringHashKey> ignoredFiles;
+ bool pk7Verified = false;
nsTArray<uint8_t> pkcs7CertDER;
+ SECOidTag pkcs7HashAlgorithm = SEC_OID_UNKNOWN;
+ bool coseVerified = false;
nsTArray<uint8_t> coseCertDER;
// First we have to verify the PKCS#7 signature if there is one.
@@ -1294,7 +1324,7 @@ nsresult OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
// signature verification.
if (aPolicy.ProcessPK7()) {
rv = VerifyPK7Signature(aTrustedRoot, zip, aPolicy, ignoredFiles,
- pk7Verified, pkcs7CertDER);
+ pk7Verified, pkcs7CertDER, pkcs7HashAlgorithm);
if (NS_FAILED(rv)) {
return rv;
}
@@ -1334,24 +1364,34 @@ nsresult OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
zip.forget(aZipReader);
}
- // Return the signer's certificate to the reader if they want it.
- if (aSignerCert) {
- // The COSE certificate is authoritative.
- if (aPolicy.COSERequired() || !coseCertDER.IsEmpty()) {
- if (coseCertDER.IsEmpty()) {
- return NS_ERROR_FAILURE;
- }
- nsCOMPtr<nsIX509Cert> signerCert(
- new nsNSSCertificate(std::move(coseCertDER)));
- signerCert.forget(aSignerCert);
- } else {
- if (pkcs7CertDER.IsEmpty()) {
+ // Return the signature information (a list of signing certificate and
+ // algorithm pairs). If present, the COSE signature will be first, followed
+ // by any PKCS7 signatures.
+ if (coseVerified && !coseCertDER.IsEmpty()) {
+ RefPtr<nsIX509Cert> signerCert(
+ new nsNSSCertificate(std::move(coseCertDER)));
+ aSignatureInfos.AppendElement(new AppSignatureInfo(
+ std::move(signerCert),
+ nsIAppSignatureInfo::SignatureAlgorithm::COSE_WITH_SHA256));
+ }
+ if (pk7Verified && !pkcs7CertDER.IsEmpty()) {
+ RefPtr<nsIX509Cert> signerCert(
+ new nsNSSCertificate(std::move(pkcs7CertDER)));
+ nsIAppSignatureInfo::SignatureAlgorithm signatureAlgorithm;
+ switch (pkcs7HashAlgorithm) {
+ case SEC_OID_SHA1:
+ signatureAlgorithm =
+ nsIAppSignatureInfo::SignatureAlgorithm::PKCS7_WITH_SHA1;
+ break;
+ case SEC_OID_SHA256:
+ signatureAlgorithm =
+ nsIAppSignatureInfo::SignatureAlgorithm::PKCS7_WITH_SHA256;
+ break;
+ default:
return NS_ERROR_FAILURE;
- }
- nsCOMPtr<nsIX509Cert> signerCert(
- new nsNSSCertificate(std::move(pkcs7CertDER)));
- signerCert.forget(aSignerCert);
}
+ aSignatureInfos.AppendElement(
+ new AppSignatureInfo(std::move(signerCert), signatureAlgorithm));
}
return NS_OK;
@@ -1371,20 +1411,19 @@ class OpenSignedAppFileTask final : public CryptoTask {
private:
virtual nsresult CalculateResult() override {
return OpenSignedAppFile(mTrustedRoot, mJarFile, mPolicy,
- getter_AddRefs(mZipReader),
- getter_AddRefs(mSignerCert));
+ getter_AddRefs(mZipReader), mSignatureInfos);
}
virtual void CallCallback(nsresult rv) override {
- (void)mCallback->OpenSignedAppFileFinished(rv, mZipReader, mSignerCert);
+ (void)mCallback->OpenSignedAppFileFinished(rv, mZipReader, mSignatureInfos);
}
const AppTrustedRoot mTrustedRoot;
const nsCOMPtr<nsIFile> mJarFile;
const SignaturePolicy mPolicy;
nsMainThreadPtrHandle<nsIOpenSignedAppFileCallback> mCallback;
- nsCOMPtr<nsIZipReader> mZipReader; // out
- nsCOMPtr<nsIX509Cert> mSignerCert; // out
+ nsCOMPtr<nsIZipReader> mZipReader; // out
+ nsTArray<RefPtr<nsIAppSignatureInfo>> mSignatureInfos; // out
};
static const int32_t sDefaultSignaturePolicy = 0b10;
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 02:49:49 +0000