Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

9 files changed, 99 insertions, 0 deletions

diff --git a/toolkit/components/corroborator/Corroborate.sys.mjs b/toolkit/components/corroborator/Corroborate.sys.mjs
new file mode 100644
index 0000000000..1f06ce8412
--- /dev/null
+++ b/toolkit/components/corroborator/Corroborate.sys.mjs
@@ -0,0 +1,45 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs";
+
+const lazy = {};
+
+XPCOMUtils.defineLazyServiceGetters(lazy, {
+  gCertDB: ["@mozilla.org/security/x509certdb;1", "nsIX509CertDB"],
+});
+
+/**
+ * Tools for verifying internal files in Mozilla products.
+ */
+export const Corroborate = {
+  async init() {},
+
+  /**
+   * Verify signed state of arbitrary JAR file. Currently only JAR files signed
+   * with Mozilla-internal keys are supported.
+   *
+   * @argument file - an nsIFile pointing to the JAR to verify.
+   *
+   * @returns {Promise} - resolves true if file exists and is valid, false otherwise.
+   *                      Never rejects.
+   */
+  verifyJar(file) {
+    let root = Ci.nsIX509CertDB.AddonsPublicRoot;
+    let expectedOrganizationalUnit = "Mozilla Components";
+
+    return new Promise(resolve => {
+      lazy.gCertDB.openSignedAppFileAsync(
+        root,
+        file,
+        (rv, _zipReader, cert) => {
+          resolve(
+            Components.isSuccessCode(rv) &&
+              cert.organizationalUnit === expectedOrganizationalUnit
+          );
+        }
+      );
+    });
+  },
+};
diff --git a/toolkit/components/corroborator/moz.build b/toolkit/components/corroborator/moz.build
new file mode 100644
index 0000000000..62101434d1
--- /dev/null
+++ b/toolkit/components/corroborator/moz.build
@@ -0,0 +1,17 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+with Files("**"):
+    BUG_COMPONENT = ("Toolkit", "General")
+
+EXTRA_JS_MODULES += [
+    "Corroborate.sys.mjs",
+]
+
+XPCSHELL_TESTS_MANIFESTS += [
+    "test/xpcshell/xpcshell.ini",
+]
diff --git a/toolkit/components/corroborator/test/xpcshell/data/privileged.xpi b/toolkit/components/corroborator/test/xpcshell/data/privileged.xpi
new file mode 100644
index 0000000000..c22acaacd2
--- /dev/null
+++ b/toolkit/components/corroborator/test/xpcshell/data/privileged.xpi
diff --git a/toolkit/components/corroborator/test/xpcshell/data/signed-amo.xpi b/toolkit/components/corroborator/test/xpcshell/data/signed-amo.xpi
new file mode 100644
index 0000000000..e2ba7d6fd8
--- /dev/null
+++ b/toolkit/components/corroborator/test/xpcshell/data/signed-amo.xpi
diff --git a/toolkit/components/corroborator/test/xpcshell/data/signed-components.xpi b/toolkit/components/corroborator/test/xpcshell/data/signed-components.xpi
new file mode 100644
index 0000000000..f27ac1fb73
--- /dev/null
+++ b/toolkit/components/corroborator/test/xpcshell/data/signed-components.xpi
diff --git a/toolkit/components/corroborator/test/xpcshell/data/signed-privileged.xpi b/toolkit/components/corroborator/test/xpcshell/data/signed-privileged.xpi
new file mode 100644
index 0000000000..c22acaacd2
--- /dev/null
+++ b/toolkit/components/corroborator/test/xpcshell/data/signed-privileged.xpi
diff --git a/toolkit/components/corroborator/test/xpcshell/data/unsigned.xpi b/toolkit/components/corroborator/test/xpcshell/data/unsigned.xpi
new file mode 100644
index 0000000000..9e10be5db3
--- /dev/null
+++ b/toolkit/components/corroborator/test/xpcshell/data/unsigned.xpi
diff --git a/toolkit/components/corroborator/test/xpcshell/test_verify_jar.js b/toolkit/components/corroborator/test/xpcshell/test_verify_jar.js
new file mode 100644
index 0000000000..c1c98f4485
--- /dev/null
+++ b/toolkit/components/corroborator/test/xpcshell/test_verify_jar.js
@@ -0,0 +1,31 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set sts=2 sw=2 et tw=80: */
+"use strict";
+
+const { Corroborate } = ChromeUtils.importESModule(
+  "resource://gre/modules/Corroborate.sys.mjs"
+);
+
+add_task(async function test_various_jars() {
+  let result = await Corroborate.verifyJar(do_get_file("data/unsigned.xpi"));
+  equal(result, false, "unsigned files do not verify");
+
+  result = await Corroborate.verifyJar(do_get_file("data/signed-amo.xpi"));
+  equal(result, false, "AMO signed files do not verify");
+
+  result = await Corroborate.verifyJar(
+    do_get_file("data/signed-privileged.xpi")
+  );
+  equal(result, false, "Privileged signed files do not verify");
+
+  let missingFile = do_get_file("data");
+  missingFile.append("missing.xpi");
+
+  result = await Corroborate.verifyJar(missingFile);
+  equal(result, false, "Missing (but expected) files do not verify");
+
+  result = await Corroborate.verifyJar(
+    do_get_file("data/signed-components.xpi")
+  );
+  equal(result, true, "Components signed files do verify");
+});
diff --git a/toolkit/components/corroborator/test/xpcshell/xpcshell.ini b/toolkit/components/corroborator/test/xpcshell/xpcshell.ini
new file mode 100644
index 0000000000..17d0b031b5
--- /dev/null
+++ b/toolkit/components/corroborator/test/xpcshell/xpcshell.ini
@@ -0,0 +1,6 @@
+[DEFAULT]
+tags = corroborator
+support-files =
+  data/**
+
+[test_verify_jar.js]