1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs";
const lazy = {};
XPCOMUtils.defineLazyServiceGetters(lazy, {
gCertDB: ["@mozilla.org/security/x509certdb;1", "nsIX509CertDB"],
});
/**
* Tools for verifying internal files in Mozilla products.
*/
export const Corroborate = {
async init() {},
/**
* Verify signed state of arbitrary JAR file. Currently only JAR files signed
* with Mozilla-internal keys are supported.
*
* @argument file - an nsIFile pointing to the JAR to verify.
*
* @returns {Promise} - resolves true if file exists and is valid, false otherwise.
* Never rejects.
*/
verifyJar(file) {
let root = Ci.nsIX509CertDB.AddonsPublicRoot;
let expectedOrganizationalUnit = "Mozilla Components";
return new Promise(resolve => {
lazy.gCertDB.openSignedAppFileAsync(
root,
file,
(rv, _zipReader, signatureInfos) => {
// aSignatureInfos is an array of nsIAppSignatureInfo.
// This implementation could be modified to iterate through the array to
// determine if one or all of the verified signatures used a satisfactory
// algorithm and signing certificate.
// For now, though, it maintains existing behavior by inspecting the
// first signing certificate encountered.
resolve(
Components.isSuccessCode(rv) &&
signatureInfos.length &&
signatureInfos[0].signerCert.organizationalUnit ==
expectedOrganizationalUnit
);
}
);
});
},
};
|