1 files changed, 277 insertions, 0 deletions

diff --git a/security/manager/ssl/moz.build b/security/manager/ssl/moz.build
new file mode 100644
index 0000000000..2df4b2f365
--- /dev/null
+++ b/security/manager/ssl/moz.build
@@ -0,0 +1,277 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# osclientcerts is currently only implemented for Windows
+# osclientcerts transitively depends on winapi 0.2.8, which doesn't work with
+# AArch64
+if (CONFIG["OS_ARCH"] == "WINNT" and CONFIG["CPU_ARCH"] != "aarch64") or CONFIG[
+    "OS_ARCH"
+] == "Darwin":
+    DIRS += ["osclientcerts"]
+
+DIRS += ["ipcclientcerts"]
+DIRS += ["builtins"]
+
+TEST_DIRS += ["tests"]
+
+XPIDL_SOURCES += [
+    "nsICertificateDialogs.idl",
+    "nsICertOverrideService.idl",
+    "nsICertStorage.idl",
+    "nsICertTree.idl",
+    "nsIClientAuthDialogs.idl",
+    "nsIClientAuthRememberService.idl",
+    "nsIContentSignatureVerifier.idl",
+    "nsICryptoHash.idl",
+    "nsINSSComponent.idl",
+    "nsINSSErrorsService.idl",
+    "nsINSSVersion.idl",
+    "nsIOSKeyStore.idl",
+    "nsIOSReauthenticator.idl",
+    "nsIPK11Token.idl",
+    "nsIPK11TokenDB.idl",
+    "nsIPKCS11Module.idl",
+    "nsIPKCS11ModuleDB.idl",
+    "nsIPKCS11Slot.idl",
+    "nsIPublicKeyPinningService.idl",
+    "nsISecretDecoderRing.idl",
+    "nsISecurityUITelemetry.idl",
+    "nsISiteSecurityService.idl",
+    "nsITLSSocketControl.idl",
+    "nsITokenPasswordDialogs.idl",
+    "nsITransportSecurityInfo.idl",
+    "nsIX509Cert.idl",
+    "nsIX509CertDB.idl",
+    "nsIX509CertValidity.idl",
+]
+
+XPIDL_MODULE = "pipnss"
+
+XPCOM_MANIFESTS += [
+    "components.conf",
+]
+
+EXTRA_JS_MODULES.psm += [
+    "DER.sys.mjs",
+    "RemoteSecuritySettings.sys.mjs",
+    "X509.sys.mjs",
+]
+
+EXPORTS += [
+    "CommonSocketControl.h",
+    "CryptoTask.h",
+    "EnterpriseRoots.h",
+    "nsClientAuthRemember.h",
+    "nsNSSCallbacks.h",
+    "nsNSSCertificate.h",
+    "nsNSSComponent.h",
+    "nsNSSHelper.h",
+    "nsRandomGenerator.h",
+    "nsSecureBrowserUI.h",
+    "nsSecurityHeaderParser.h",
+    "NSSErrorsService.h",
+    "nsSSLSocketProvider.h",
+    "nsTLSSocketProvider.h",
+    "RootCertificateTelemetryUtils.h",
+    "ScopedNSSTypes.h",
+    "SharedCertVerifier.h",
+    "SSLServerCertVerification.h",
+    "TransportSecurityInfo.h",
+]
+
+EXPORTS.mozilla += [
+    "DataStorage.h",
+    "DataStorageList.h",
+    "PublicSSL.h",
+]
+
+EXPORTS.mozilla.psm += [
+    "IPCClientCertsChild.h",
+    "IPCClientCertsParent.h",
+    "SelectTLSClientAuthCertChild.h",
+    "SelectTLSClientAuthCertParent.h",
+    "TransportSecurityInfo.h",
+    "VerifySSLServerCertChild.h",
+    "VerifySSLServerCertParent.h",
+]
+
+EXPORTS.ipc += [
+    "DataStorageIPCUtils.h",
+]
+
+UNIFIED_SOURCES += [
+    "AppSignatureVerification.cpp",
+    "AppTrustDomain.cpp",
+    "CertStorageMemoryReporting.cpp",
+    "CommonSocketControl.cpp",
+    "ContentSignatureVerifier.cpp",
+    "CryptoTask.cpp",
+    "DataStorage.cpp",
+    "EnterpriseRoots.cpp",
+    "IPCClientCertsChild.cpp",
+    "IPCClientCertsParent.cpp",
+    "md4.c",
+    "nsCertOverrideService.cpp",
+    "nsCertTree.cpp",
+    "nsClientAuthRemember.cpp",
+    "nsNSSCallbacks.cpp",
+    "nsNSSCertHelper.cpp",
+    "nsNSSCertificate.cpp",
+    "nsNSSCertificateDB.cpp",
+    "nsNSSCertTrust.cpp",
+    "nsNSSComponent.cpp",
+    "nsNSSIOLayer.cpp",
+    "nsNSSModule.cpp",
+    "nsNSSVersion.cpp",
+    "nsNTLMAuthModule.cpp",
+    "nsPK11TokenDB.cpp",
+    "nsPKCS11Slot.cpp",
+    "nsPKCS12Blob.cpp",
+    "nsRandomGenerator.cpp",
+    "nsSecureBrowserUI.cpp",
+    "nsSecurityHeaderParser.cpp",
+    "NSSErrorsService.cpp",
+    "nsSiteSecurityService.cpp",
+    "NSSKeyStore.cpp",
+    "nsSSLSocketProvider.cpp",
+    "NSSSocketControl.cpp",
+    "nsTLSSocketProvider.cpp",
+    "OSKeyStore.cpp",
+    "PKCS11ModuleDB.cpp",
+    "PSMRunnable.cpp",
+    "PublicKeyPinningService.cpp",
+    "RootCertificateTelemetryUtils.cpp",
+    "SecretDecoderRing.cpp",
+    "SharedSSLState.cpp",
+    "SSLServerCertVerification.cpp",
+    "TLSClientAuthCertSelection.cpp",
+    "TransportSecurityInfo.cpp",
+    "VerifySSLServerCertChild.cpp",
+    "VerifySSLServerCertParent.cpp",
+    "X509CertValidity.cpp",
+]
+
+if CONFIG["OS_ARCH"] == "WINNT":
+    # On Windows this file includes ntsecapi.h, which contains definitions that
+    # conflict with headers included in remaining source files. We compile this
+    # one independently to prevent that interferance.
+    SOURCES += [
+        "OSReauthenticator.cpp",
+    ]
+else:
+    UNIFIED_SOURCES += [
+        "OSReauthenticator.cpp",
+    ]
+
+if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
+    UNIFIED_SOURCES += [
+        "LibSecret.cpp",
+    ]
+    CFLAGS += CONFIG["GLIB_CFLAGS"]
+    CXXFLAGS += CONFIG["GLIB_CFLAGS"]
+
+if CONFIG["OS_ARCH"] == "Darwin":
+    UNIFIED_SOURCES += [
+        "KeychainSecret.cpp",
+        "OSReauthenticatorDarwin.mm",
+    ]
+    OS_LIBS += [
+        "-framework LocalAuthentication",
+        "-framework Security",
+    ]
+
+if CONFIG["OS_ARCH"] == "WINNT":
+    OS_LIBS += ["credui"]
+    UNIFIED_SOURCES += [
+        "CredentialManagerSecret.cpp",
+    ]
+
+IPDL_SOURCES += [
+    "PIPCClientCerts.ipdl",
+    "PSelectTLSClientAuthCert.ipdl",
+    "PSMIPCTypes.ipdlh",
+    "PVerifySSLServerCert.ipdl",
+]
+
+FINAL_LIBRARY = "xul"
+
+LOCAL_INCLUDES += [
+    "!/dist/public/nss",
+    "/dom/base",
+    "/dom/crypto",
+    "/netwerk/base",
+    "/security/certverifier",
+    "/third_party/rust/cose-c/include",
+    "/xpcom/build",
+]
+
+GeneratedFile(
+    "nsSTSPreloadListGenerated.inc",
+    script="../../../xpcom/ds/tools/make_dafsa.py",
+    inputs=["nsSTSPreloadList.inc"],
+)
+
+DEFINES["SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES"] = "True"
+DEFINES["NSS_ENABLE_ECC"] = "True"
+
+# mozpkix is linked statically from the in-tree sources independent of whether
+# system NSS is used or not.
+USE_LIBS += ["mozpkix"]
+
+include("/ipc/chromium/chromium-config.mozbuild")
+
+if CONFIG["CC_TYPE"] in ("clang", "gcc"):
+    CXXFLAGS += [
+        "-Wextra",
+        # -Wextra enables this warning, but it's too noisy to be useful.
+        "-Wno-missing-field-initializers",
+    ]
+
+    # Gecko headers aren't warning-free enough for us to enable these warnings.
+    CXXFLAGS += [
+        "-Wno-unused-parameter",
+    ]
+
+headers_arrays_certs = [
+    (
+        "xpcshell.inc",
+        "xpcshellRoot",
+        "tests/unit/test_signed_apps/xpcshellTestRoot.der",
+    ),
+    ("addons-public.inc", "addonsPublicRoot", "addons-public.crt"),
+    (
+        "addons-public-intermediate.inc",
+        "addonsPublicIntermediate",
+        "addons-public-intermediate.crt",
+    ),
+    ("addons-stage.inc", "addonsStageRoot", "addons-stage.crt"),
+    (
+        "content-signature-prod.inc",
+        "contentSignatureProdRoot",
+        "content-signature-prod.crt",
+    ),
+    (
+        "content-signature-stage.inc",
+        "contentSignatureStageRoot",
+        "content-signature-stage.crt",
+    ),
+    # The dev root is the same as the stage root.
+    (
+        "content-signature-dev.inc",
+        "contentSignatureDevRoot",
+        "content-signature-stage.crt",
+    ),
+    (
+        "content-signature-local.inc",
+        "contentSignatureLocalRoot",
+        "content-signature-local.crt",
+    ),
+]
+
+for header, array_name, cert in headers_arrays_certs:
+    GeneratedFile(
+        header, script="gen_cert_header.py", entry_point=array_name, inputs=[cert]
+    )