Feodor2/Mypal68
1
Fork 0
mirror of https://github.com/Feodor2/Mypal68.git synced 2025-06-18 06:45:44 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

68.14.8 - security

Browse Source
This commit is contained in:
Fedor 2025-04-19 19:15:10 +03:00
parent 21ec99e86e
commit 0841e6d37b
243 changed files with 3704 additions and 4203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1367
security/apps/AppSignatureVerification.cpp
View File

File diff suppressed because it is too large Load Diff

327
security/apps/AppTrustDomain.cpp
View File

@ -1,327 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "AppTrustDomain.h"
#include "MainThreadUtils.h"
#include "certdb.h"
#include "mozilla/ArrayUtils.h"
#include "mozilla/Casting.h"
#include "mozilla/Preferences.h"
#include "nsComponentManagerUtils.h"
#include "nsIFile.h"
#include "nsIFileStreams.h"
#include "nsIX509CertDB.h"
#include "nsNSSCertificate.h"
#include "nsNetUtil.h"
#include "mozpkix/pkixnss.h"
#include "prerror.h"
// Generated by gen_cert_header.py, which gets called by the build system.
#include "xpcshell.inc"
// Add-on signing Certificates
#include "addons-public.inc"
#include "addons-public-intermediate.inc"
#include "addons-stage.inc"
// Privileged Package Certificates
#include "privileged-package-root.inc"
using namespace mozilla::pkix;
extern mozilla::LazyLogModule gPIPNSSLog;
static char kDevImportedDER[] = "network.http.signed-packages.developer-root";
namespace mozilla {
namespace psm {
StaticMutex AppTrustDomain::sMutex;
UniquePtr<unsigned char[]> AppTrustDomain::sDevImportedDERData;
unsigned int AppTrustDomain::sDevImportedDERLen = 0;
AppTrustDomain::AppTrustDomain(UniqueCERTCertList& certChain, void* pinArg)
: mCertChain(certChain), mPinArg(pinArg) {}
nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) {
SECItem trustedDER;
// Load the trusted certificate into the in-memory NSS database so that
// CERT_CreateSubjectCertList can find it.
switch (trustedRoot) {
case nsIX509CertDB::AppXPCShellRoot:
trustedDER.data = const_cast<uint8_t*>(xpcshellRoot);
trustedDER.len = mozilla::ArrayLength(xpcshellRoot);
break;
case nsIX509CertDB::AddonsPublicRoot:
trustedDER.data = const_cast<uint8_t*>(addonsPublicRoot);
trustedDER.len = mozilla::ArrayLength(addonsPublicRoot);
break;
case nsIX509CertDB::AddonsStageRoot:
trustedDER.data = const_cast<uint8_t*>(addonsStageRoot);
trustedDER.len = mozilla::ArrayLength(addonsStageRoot);
break;
case nsIX509CertDB::PrivilegedPackageRoot:
trustedDER.data = const_cast<uint8_t*>(privilegedPackageRoot);
trustedDER.len = mozilla::ArrayLength(privilegedPackageRoot);
break;
case nsIX509CertDB::DeveloperImportedRoot: {
StaticMutexAutoLock lock(sMutex);
if (!sDevImportedDERData) {
MOZ_ASSERT(!NS_IsMainThread());
nsCOMPtr<nsIFile> file(do_CreateInstance("@mozilla.org/file/local;1"));
if (!file) {
return NS_ERROR_FAILURE;
}
nsAutoCString path;
Preferences::GetCString(kDevImportedDER, path);
nsresult rv = file->InitWithNativePath(path);
if (NS_FAILED(rv)) {
return rv;
}
nsCOMPtr<nsIInputStream> inputStream;
rv = NS_NewLocalFileInputStream(getter_AddRefs(inputStream), file, -1,
-1, nsIFileInputStream::CLOSE_ON_EOF);
if (NS_FAILED(rv)) {
return rv;
}
uint64_t length;
rv = inputStream->Available(&length);
if (NS_FAILED(rv)) {
return rv;
}
auto data = MakeUnique<char[]>(length);
rv = inputStream->Read(data.get(), length, &sDevImportedDERLen);
if (NS_FAILED(rv)) {
return rv;
}
MOZ_ASSERT(length == sDevImportedDERLen);
sDevImportedDERData.reset(
BitwiseCast<unsigned char*, char*>(data.release()));
}
trustedDER.data = sDevImportedDERData.get();
trustedDER.len = sDevImportedDERLen;
break;
}
default:
return NS_ERROR_INVALID_ARG;
}
mTrustedRoot.reset(CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &trustedDER, nullptr, false, true));
if (!mTrustedRoot) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
// If we're verifying add-ons signed by our production root, we want to make
// sure a valid intermediate certificate is available for path building.
// Merely holding this alive in memory makes it available for NSS to find in
// AppTrustDomain::FindIssuer.
if (trustedRoot == nsIX509CertDB::AddonsPublicRoot) {
SECItem intermediateDER = {
siBuffer,
const_cast<uint8_t*>(addonsPublicIntermediate),
static_cast<unsigned int>(
mozilla::ArrayLength(addonsPublicIntermediate)),
};
mAddonsIntermediate.reset(CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &intermediateDER, nullptr, false, true));
if (!mAddonsIntermediate) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
}
return NS_OK;
}
Result AppTrustDomain::FindIssuer(Input encodedIssuerName,
IssuerChecker& checker, Time)
{
MOZ_ASSERT(mTrustedRoot);
if (!mTrustedRoot) {
return Result::FATAL_ERROR_INVALID_STATE;
}
// TODO(bug 1035418): If/when mozilla::pkix relaxes the restriction that
// FindIssuer must only pass certificates with a matching subject name to
// checker.Check, we can stop using CERT_CreateSubjectCertList and instead
// use logic like this:
//
// 1. First, try the trusted trust anchor.
// 2. Secondly, iterate through the certificates that were stored in the CMS
// message, passing each one to checker.Check.
SECItem encodedIssuerNameSECItem = UnsafeMapInputToSECItem(encodedIssuerName);
UniqueCERTCertList candidates(CERT_CreateSubjectCertList(
nullptr, CERT_GetDefaultCertDB(), &encodedIssuerNameSECItem, 0, false));
if (candidates) {
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
Input certDER;
Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
if (rv != Success) {
continue; // probably too big
}
bool keepGoing;
rv = checker.Check(certDER, nullptr /*additionalNameConstraints*/,
keepGoing);
if (rv != Success) {
return rv;
}
if (!keepGoing) {
break;
}
}
}
return Success;
}
Result AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
const CertPolicyId& policy,
Input candidateCertDER,
/*out*/ TrustLevel& trustLevel) {
MOZ_ASSERT(policy.IsAnyPolicy());
MOZ_ASSERT(mTrustedRoot);
if (!policy.IsAnyPolicy()) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
if (!mTrustedRoot) {
return Result::FATAL_ERROR_INVALID_STATE;
}
// Handle active distrust of the certificate.
// XXX: This would be cleaner and more efficient if we could get the trust
// information without constructing a CERTCertificate here, but NSS doesn't
// expose it in any other easy-to-use fashion.
SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER);
UniqueCERTCertificate candidateCert(CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &candidateCertDERSECItem, nullptr, false, true));
if (!candidateCert) {
return MapPRErrorCodeToResult(PR_GetError());
}
CERTCertTrust trust;
if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) {
uint32_t flags = SEC_GET_TRUST_FLAGS(&trust, trustObjectSigning);
// For DISTRUST, we use the CERTDB_TRUSTED or CERTDB_TRUSTED_CA bit,
// because we can have active distrust for either type of cert. Note that
// CERTDB_TERMINAL_RECORD means "stop trying to inherit trust" so if the
// relevant trust bit isn't set then that means the cert must be considered
// distrusted.
uint32_t relevantTrustBit = endEntityOrCA == EndEntityOrCA::MustBeCA
? CERTDB_TRUSTED_CA
: CERTDB_TRUSTED;
if (((flags & (relevantTrustBit | CERTDB_TERMINAL_RECORD))) ==
CERTDB_TERMINAL_RECORD) {
trustLevel = TrustLevel::ActivelyDistrusted;
return Success;
}
}
// mTrustedRoot is the only trust anchor for this validation.
if (CERT_CompareCerts(mTrustedRoot.get(), candidateCert.get())) {
trustLevel = TrustLevel::TrustAnchor;
return Success;
}
trustLevel = TrustLevel::InheritsTrust;
return Success;
}
Result AppTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf,
size_t digestBufLen) {
return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
}
Result AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time,
Duration,
/*optional*/ const Input*,
/*optional*/ const Input*) {
// We don't currently do revocation checking. If we need to distrust an Apps
// certificate, we will use the active distrust mechanism.
return Success;
}
Result AppTrustDomain::IsChainValid(const DERArray& certChain, Time time,
const CertPolicyId& requiredPolicy) {
MOZ_ASSERT(requiredPolicy.IsAnyPolicy());
SECStatus srv =
ConstructCERTCertListFromReversedDERArray(certChain, mCertChain);
if (srv != SECSuccess) {
return MapPRErrorCodeToResult(PR_GetError());
}
return Success;
}
Result AppTrustDomain::CheckSignatureDigestAlgorithm(DigestAlgorithm,
EndEntityOrCA, Time) {
// TODO: We should restrict signatures to SHA-256 or better.
return Success;
}
Result AppTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits) {
if (modulusSizeInBits < 2048u) {
return Result::ERROR_INADEQUATE_KEY_SIZE;
}
return Success;
}
Result AppTrustDomain::VerifyRSAPKCS1SignedDigest(
const SignedDigest& signedDigest, Input subjectPublicKeyInfo) {
// TODO: We should restrict signatures to SHA-256 or better.
return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo,
mPinArg);
}
Result AppTrustDomain::CheckECDSACurveIsAcceptable(
EndEntityOrCA /*endEntityOrCA*/, NamedCurve curve) {
switch (curve) {
case NamedCurve::secp256r1: // fall through
case NamedCurve::secp384r1: // fall through
case NamedCurve::secp521r1:
return Success;
}
return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
}
Result AppTrustDomain::VerifyECDSASignedDigest(const SignedDigest& signedDigest,
Input subjectPublicKeyInfo) {
return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
mPinArg);
}
Result AppTrustDomain::CheckValidityIsAcceptable(
Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
KeyPurposeId /*keyPurpose*/) {
return Success;
}
Result AppTrustDomain::NetscapeStepUpMatchesServerAuth(Time /*notBefore*/,
/*out*/ bool& matches) {
matches = false;
return Success;
}
void AppTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension /*extension*/,
Input /*extensionData*/) {}
} // namespace psm
} // namespace mozilla

87
security/apps/AppTrustDomain.h
View File

@ -1,87 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef AppTrustDomain_h
#define AppTrustDomain_h
#include "mozpkix/pkixtypes.h"
#include "mozilla/StaticMutex.h"
#include "mozilla/UniquePtr.h"
#include "nsDebug.h"
#include "ScopedNSSTypes.h"
namespace mozilla {
namespace psm {
class AppTrustDomain final : public mozilla::pkix::TrustDomain {
public:
typedef mozilla::pkix::Result Result;
AppTrustDomain(UniqueCERTCertList& certChain, void* pinArg);
nsresult SetTrustedRoot(AppTrustedRoot trustedRoot);
virtual Result GetCertTrust(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
const mozilla::pkix::CertPolicyId& policy,
mozilla::pkix::Input candidateCertDER,
/*out*/ mozilla::pkix::TrustLevel& trustLevel) override;
virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
IssuerChecker& checker,
mozilla::pkix::Time time) override;
virtual Result CheckRevocation(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
mozilla::pkix::Duration validityDuration,
/*optional*/ const mozilla::pkix::Input* stapledOCSPresponse,
/*optional*/ const mozilla::pkix::Input* aiaExtension) override;
virtual Result IsChainValid(
const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
const mozilla::pkix::CertPolicyId& requiredPolicy) override;
virtual Result CheckSignatureDigestAlgorithm(
mozilla::pkix::DigestAlgorithm digestAlg,
mozilla::pkix::EndEntityOrCA endEntityOrCA,
mozilla::pkix::Time notBefore) override;
virtual Result CheckRSAPublicKeyModulusSizeInBits(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
unsigned int modulusSizeInBits) override;
virtual Result VerifyRSAPKCS1SignedDigest(
const mozilla::pkix::SignedDigest& signedDigest,
mozilla::pkix::Input subjectPublicKeyInfo) override;
virtual Result CheckECDSACurveIsAcceptable(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
mozilla::pkix::NamedCurve curve) override;
virtual Result VerifyECDSASignedDigest(
const mozilla::pkix::SignedDigest& signedDigest,
mozilla::pkix::Input subjectPublicKeyInfo) override;
virtual Result CheckValidityIsAcceptable(
mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,
mozilla::pkix::EndEntityOrCA endEntityOrCA,
mozilla::pkix::KeyPurposeId keyPurpose) override;
virtual Result NetscapeStepUpMatchesServerAuth(
mozilla::pkix::Time notBefore,
/*out*/ bool& matches) override;
virtual void NoteAuxiliaryExtension(
mozilla::pkix::AuxiliaryExtension extension,
mozilla::pkix::Input extensionData) override;
virtual Result DigestBuf(mozilla::pkix::Input item,
mozilla::pkix::DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf,
size_t digestBufLen) override;
private:
/*out*/ UniqueCERTCertList& mCertChain;
void* mPinArg; // non-owning!
UniqueCERTCertificate mTrustedRoot;
UniqueCERTCertificate mAddonsIntermediate;
static StaticMutex sMutex;
static UniquePtr<unsigned char[]> sDevImportedDERData;
static unsigned int sDevImportedDERLen;
};
} // namespace psm
} // namespace mozilla
#endif // AppTrustDomain_h

BIN
security/apps/addons-public-intermediate.crt
View File

Binary file not shown.

BIN
security/apps/addons-public.crt
View File

Binary file not shown.

BIN
security/apps/addons-stage.crt
View File

Binary file not shown.

43
security/apps/gen_cert_header.py
View File

@ -1,43 +0,0 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
import binascii
def _file_byte_generator(filename):
with open(filename, "rb") as f:
contents = f.read()
# Treat empty files the same as a file containing a lone 0;
# a single-element array will fail cert verifcation just as an
# empty array would.
if not contents:
return ['\0']
return contents
def _create_header(array_name, cert_bytes):
hexified = ["0x" + binascii.hexlify(byte) for byte in cert_bytes]
substs = {'array_name': array_name, 'bytes': ', '.join(hexified)}
return "const uint8_t %(array_name)s[] = {\n%(bytes)s\n};\n" % substs
# Create functions named the same as the data arrays that we're going to
# write to the headers, so we don't have to duplicate the names like so:
#
# def arrayName(header, cert_filename):
# header.write(_create_header("arrayName", cert_filename))
array_names = [
'xpcshellRoot',
'addonsPublicRoot',
'addonsPublicIntermediate',
'addonsStageRoot',
'privilegedPackageRoot',
]
for n in array_names:
# Make sure the lambda captures the right string.
globals()[n] = lambda header, cert_filename, name=n: header.write(
_create_header(name, _file_byte_generator(cert_filename)))

49
security/apps/moz.build
View File

@ -1,49 +0,0 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
with Files("**"):
BUG_COMPONENT = ("Core", "Security: PSM")
UNIFIED_SOURCES += [
'AppSignatureVerification.cpp',
'AppTrustDomain.cpp',
]
include('/ipc/chromium/chromium-config.mozbuild')
FINAL_LIBRARY = 'xul'
LOCAL_INCLUDES += [
'/security/certverifier',
'/security/manager/ssl',
'/third_party/rust/cose-c/include',
]
DEFINES['NSS_ENABLE_ECC'] = 'True'
for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
DEFINES[var] = '"%s"' % CONFIG[var]
if CONFIG['CC_TYPE'] in ('clang', 'gcc'):
CXXFLAGS += [
'-Wextra',
]
# Gecko headers aren't warning-free enough for us to enable these warnings.
CXXFLAGS += [
'-Wno-unused-parameter',
]
test_ssl_path = '/security/manager/ssl/tests/unit'
headers_arrays_certs = [
('xpcshell.inc', 'xpcshellRoot', test_ssl_path + '/test_signed_apps/xpcshellTestRoot.der'),
('addons-public.inc', 'addonsPublicRoot', 'addons-public.crt'),
('addons-public-intermediate.inc', 'addonsPublicIntermediate', 'addons-public-intermediate.crt'),
('addons-stage.inc', 'addonsStageRoot', 'addons-stage.crt'),
('privileged-package-root.inc', 'privilegedPackageRoot', 'privileged-package-root.der'),
]
for header, array_name, cert in headers_arrays_certs:
GeneratedFile(header, script='gen_cert_header.py',
entry_point=array_name, inputs=[cert])

BIN
security/apps/privileged-package-root.der
View File

Binary file not shown.

2
security/certverifier/NSSCertDBTrustDomain.cpp
View File

@ -568,7 +568,7 @@ static Result GetOCSPAuthorityInfoAccessLocation(const UniquePLArenaPool& arena,
Result NSSCertDBTrustDomain::CheckRevocation(
EndEntityOrCA endEntityOrCA, const CertID& certID, Time time,
Duration validityDuration,
Time validityPeriodBeginning, Duration validityDuration,
/*optional*/ const Input* stapledOCSPResponse,
/*optional*/ const Input* aiaExtension) {
// Actively distrusted certificates will have already been blocked by

1
security/certverifier/NSSCertDBTrustDomain.h
View File

@ -204,6 +204,7 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
virtual Result CheckRevocation(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
mozilla::pkix::Time validityPeriodBeginning,
mozilla::pkix::Duration validityDuration,
/*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
/*optional*/ const mozilla::pkix::Input* aiaExtension) override;

2
security/certverifier/OCSPVerificationTrustDomain.cpp
View File

@ -34,7 +34,7 @@ Result OCSPVerificationTrustDomain::IsChainValid(const DERArray&, Time,
}
Result OCSPVerificationTrustDomain::CheckRevocation(EndEntityOrCA,
const CertID&, Time,
const CertID&, Time, Time,
Duration, const Input*,
const Input*) {
// We do not expect this to be called for OCSP signers

1
security/certverifier/OCSPVerificationTrustDomain.h
View File

@ -65,6 +65,7 @@ class OCSPVerificationTrustDomain : public mozilla::pkix::TrustDomain {
virtual Result CheckRevocation(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
mozilla::pkix::Time validityPeriodBeginning,
mozilla::pkix::Duration validityDuration,
/*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
/*optional*/ const mozilla::pkix::Input* aiaExtension) override;

2
security/ct/CTLogVerifier.cpp
View File

@ -36,7 +36,7 @@ class SignatureParamsTrustDomain final : public TrustDomain {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
const Input*, const Input*) override {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}

4
security/ct/tests/gtest/CTTestUtils.cpp
View File

@ -673,8 +673,8 @@ class OCSPExtensionTrustDomain : public TrustDomain {
return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}
pkix::Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
const Input*, const Input*) override {
pkix::Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time,
Duration, const Input*, const Input*) override {
ADD_FAILURE();
return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}

4
security/manager/locales/en-US/chrome/pippki/pippki.dtd
View File

@ -2,7 +2,7 @@
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
<!-- Values for changepassword.xul -->
<!-- Values for changepassword.xhtml -->
<!ENTITY setPassword.title "Change Master Password">
<!ENTITY setPassword.tokenName.label "Security Device">
<!ENTITY setPassword.oldPassword.label "Current password:">
@ -10,7 +10,7 @@
<!ENTITY setPassword.reenterPassword.label "New password (again):">
<!ENTITY setPassword.meter.label "Password quality meter">
<!-- Values for resetpassword.xul -->
<!-- Values for resetpassword.xhtml -->
<!ENTITY resetPasswordButtonLabel "Reset">
<!ENTITY resetPassword.title "Reset Master Password">
<!ENTITY resetPassword.text "If you reset your master password, all your stored web and e-mail passwords, form data, personal certificates, and private keys will be forgotten. Are you sure you want to reset your master password?">

1
security/manager/locales/en-US/chrome/pippki/pippki.properties
View File

@ -80,7 +80,6 @@ pw_not_wanted=Warning! You have decided not to use a Master Password.
pw_empty_warning=Your stored web and email passwords, form data, and private keys will not be protected.
pw_change2empty_in_fips_mode=You are currently in FIPS mode. FIPS requires a non-empty Master Password.
enable_fips=Enable FIPS
disable_fips=Disable FIPS
resetPasswordConfirmationTitle=Reset Master Password
resetPasswordConfirmationMessage=Your password has been reset.

10
security/manager/pki/nsNSSDialogs.cpp
View File

@ -77,7 +77,7 @@ nsNSSDialogs::SetPassword(nsIInterfaceRequestor* ctx, nsIPK11Token* token,
}
rv = nsNSSDialogHelper::openDialog(
parent, "chrome://pippki/content/changepassword.xul", block);
parent, "chrome://pippki/content/changepassword.xhtml", block);
if (NS_FAILED(rv)) return rv;
@ -120,7 +120,7 @@ nsNSSDialogs::ConfirmDownloadCACert(nsIInterfaceRequestor* ctx,
// Get the parent window for the dialog
nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx);
rv = nsNSSDialogHelper::openDialog(
parent, "chrome://pippki/content/downloadcert.xul", argArray);
parent, "chrome://pippki/content/downloadcert.xhtml", argArray);
if (NS_FAILED(rv)) {
return rv;
}
@ -227,7 +227,7 @@ nsNSSDialogs::ChooseCertificate(const nsACString& hostname, int32_t port,
}
rv = nsNSSDialogHelper::openDialog(
nullptr, "chrome://pippki/content/clientauthask.xul", argArray);
nullptr, "chrome://pippki/content/clientauthask.xhtml", argArray);
if (NS_FAILED(rv)) {
return rv;
}
@ -265,7 +265,7 @@ nsNSSDialogs::SetPKCS12FilePassword(nsIInterfaceRequestor* ctx,
nsCOMPtr<mozIDOMWindowProxy> parent = do_GetInterface(ctx);
nsCOMPtr<nsIWritablePropertyBag2> retVals = new nsHashPropertyBag();
nsresult rv = nsNSSDialogHelper::openDialog(
parent, "chrome://pippki/content/setp12password.xul", retVals);
parent, "chrome://pippki/content/setp12password.xhtml", retVals);
if (NS_FAILED(rv)) {
return rv;
}
@ -342,7 +342,7 @@ nsNSSDialogs::DisplayProtectedAuth(nsIInterfaceRequestor* aCtx,
nsCOMPtr<mozIDOMWindowProxy> newWindow;
rv = windowWatcher->OpenWindow(
parent, "chrome://pippki/content/protectedAuth.xul", "_blank",
parent, "chrome://pippki/content/protectedAuth.xhtml", "_blank",
"centerscreen,chrome,modal,titlebar,close=no", runnable,
getter_AddRefs(newWindow));

6
security/manager/pki/resources/content/certManager.js
View File

@ -333,7 +333,7 @@ function editCerts() {
for (let cert of selected_certs) {
window.openDialog(
"chrome://pippki/content/editcacert.xul",
"chrome://pippki/content/editcacert.xhtml",
"",
"chrome,centerscreen,modal",
cert
@ -461,7 +461,7 @@ function deleteCerts() {
deleteConfirmed: false,
};
window.openDialog(
"chrome://pippki/content/deletecert.xul",
"chrome://pippki/content/deletecert.xhtml",
"",
"chrome,centerscreen,modal",
selTabID,
@ -534,7 +534,7 @@ async function addEmailCert() {
function addException() {
window.openDialog(
"chrome://pippki/content/exceptionDialog.xul",
"chrome://pippki/content/exceptionDialog.xhtml",
"",
"chrome,centerscreen,modal"
);

40
security/manager/pki/resources/content/certManager.xul → security/manager/pki/resources/content/certManager.xhtml
View File

@ -5,17 +5,17 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<!DOCTYPE dialog>
<!DOCTYPE window>
<dialog id="certmanager"
windowtype="mozilla:certmanager"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
<window windowtype="mozilla:certmanager"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
data-l10n-id="certmgr-title"
onload="LoadCerts();"
buttons="accept"
style="width: 40em; height: 32em;"
persist="screenX screenY width height">
<dialog id="certmanager"
buttons="accept">
<linkset>
<html:link rel="localization" href="security/certificates/certManager.ftl"/>
@ -39,6 +39,15 @@
<tree id="user-tree" flex="1" enableColumnDrag="true"
onselect="mine_enableButtons()">
<treecols>
<!--
The below code may suggest that 'ordinal' is still a supported XUL
XUL attribute. It is not. This is a crutch so that we can
continue persisting the CSS -moz-box-ordinal-group attribute,
which is the appropriate replacement for the ordinal attribute
but cannot yet be easily persisted. The code that synchronizes
the attribute with the CSS lives in
toolkit/content/widget/tree.js and is specific to tree elements.
-->
<treecol id="certcol" data-l10n-id="certmgr-cert-name" primary="true"
persist="hidden width ordinal" flex="1"/>
<splitter class="tree-splitter"/>
@ -118,6 +127,15 @@
<tree id="server-tree" flex="1" enableColumnDrag="true"
onselect="websites_enableButtons()">
<treecols>
<!--
The below code may suggest that 'ordinal' is still a supported XUL
XUL attribute. It is not. This is a crutch so that we can
continue persisting the CSS -moz-box-ordinal-group attribute,
which is the appropriate replacement for the ordinal attribute
but cannot yet be easily persisted. The code that synchronizes
the attribute with the CSS lives in
toolkit/content/widget/tree.js and is specific to tree elements.
-->
<treecol id="certcol" data-l10n-id="certmgr-cert-name" primary="true"
persist="hidden width ordinal" flex="1"/>
<splitter class="tree-splitter"/>
@ -156,6 +174,15 @@
<tree id="ca-tree" flex="1" enableColumnDrag="true"
onselect="ca_enableButtons()">
<treecols>
<!--
The below code may suggest that 'ordinal' is still a supported XUL
XUL attribute. It is not. This is a crutch so that we can
continue persisting the CSS -moz-box-ordinal-group attribute,
which is the appropriate replacement for the ordinal attribute
but cannot yet be easily persisted. The code that synchronizes
the attribute with the CSS lives in
toolkit/content/widget/tree.js and is specific to tree elements.
-->
<treecol id="certcol" data-l10n-id="certmgr-cert-name" primary="true"
persist="hidden width ordinal" flex="1"/>
<splitter class="tree-splitter"/>
@ -191,3 +218,4 @@
</vbox>
</dialog>
</window>

6
security/manager/pki/resources/content/certViewer.js
View File

@ -6,7 +6,7 @@
"use strict";
/**
* @file Implements functionality for certViewer.xul and its general and details
* @file Implements functionality for certViewer.xhtml and its general and details
* tabs.
* @argument {nsISupports} window.arguments[0]
* The cert to view, queryable to nsIX509Cert.
@ -46,11 +46,11 @@ function AddCertChain(node, chain) {
*/
function AddUsage(l10nId) {
let verifyInfoBox = document.getElementById("verify_info_box");
let text = document.createXULElement("textbox");
let text = document.createElementNS("http://www.w3.org/1999/xhtml", "input");
document.l10n.setAttributes(text, l10nId);
text.setAttribute("data-l10n-attrs", "value");
text.setAttribute("style", "margin: 2px 5px");
text.setAttribute("readonly", "true");
text.setAttribute("readonly", "readonly");
text.setAttribute("class", "scrollfield");
verifyInfoBox.appendChild(text);
}

50
security/manager/pki/resources/content/certViewer.xul → security/manager/pki/resources/content/certViewer.xhtml
View File

@ -5,16 +5,19 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<!DOCTYPE dialog>
<!DOCTYPE window>
<dialog id="certDetails"
data-l10n-id="certmgr-cert-detail"
data-l10n-attrs="buttonlabelaccept, buttonaccesskeyaccept"
<window
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
buttons="accept"
data-l10n-id="certmgr-cert-detail"
data-l10n-attrs="title"
onload="setWindowName();">
<dialog id="certDetails"
data-l10n-id="certmgr-cert-detail"
data-l10n-attrs="buttonlabelaccept, buttonaccesskeyaccept"
buttons="accept">
<linkset>
@ -29,16 +32,24 @@
table {
border-spacing: 0.5ch 2px;
}
td > textbox {
td > input {
width: 100%;
}
th {
vertical-align: top;
vertical-align: middle;
text-align: start;
}
th[scope="row"] {
font-weight: normal;
}
input:-moz-read-only,
textarea:-moz-read-only {
background: none;
border: none;
width: 100%;
padding-block: 0;
margin-inline: 0;
}
</html:style>
<tabbox flex="1">
@ -59,19 +70,19 @@
</tr>
<tr>
<th scope="row" data-l10n-id="certmgr-cert-detail-commonname"></th>
<td><xul:textbox id="commonname" class="plain" readonly="true"/></td>
<td><input id="commonname" readonly="readonly"/></td>
</tr>
<tr>
<th scope="row" data-l10n-id="certmgr-cert-detail-org"></th>
<td><xul:textbox id="organization" class="plain" readonly="true"/></td>
<td><input id="organization" readonly="readonly"/></td>
</tr>
<tr>
<th scope="row" data-l10n-id="certmgr-cert-detail-orgunit"></th>
<td><xul:textbox id="orgunit" class="plain" readonly="true"/></td>
<td><input id="orgunit" readonly="readonly"/></td>
</tr>
<tr>
<th scope="row" data-l10n-id="certmgr-cert-detail-serial-number"></th>
<td><xul:textbox id="serialnumber" class="plain" readonly="true"/></td>
<td><input id="serialnumber" readonly="readonly"/></td>
</tr>
<tr>
<td colspan="2"><xul:separator class="thin"/></td>
@ -81,15 +92,15 @@
</tr>
<tr>
<th scope="row" data-l10n-id="certmgr-cert-detail-commonname"></th>
<td><xul:textbox id="issuercommonname" class="plain" readonly="true"/></td>
<td><input id="issuercommonname" readonly="readonly"/></td>
</tr>
<tr>
<th scope="row" data-l10n-id="certmgr-cert-detail-org"></th>
<td><xul:textbox id="issuerorganization" class="plain" readonly="true"/></td>
<td><input id="issuerorganization" readonly="readonly"/></td>
</tr>
<tr>
<th scope="row" data-l10n-id="certmgr-cert-detail-orgunit"></th>
<td><xul:textbox id="issuerorgunit" class="plain" readonly="true"/></td>
<td><input id="issuerorgunit" readonly="readonly"/></td>
</tr>
<tr>
<td colspan="2"><xul:separator class="thin"/></td>
@ -99,11 +110,11 @@
</tr>
<tr>
<th scope="row" data-l10n-id="certmgr-begins-on"></th>
<td><xul:textbox id="validitystart" class="plain" readonly="true"/></td>
<td><input id="validitystart" readonly="readonly"/></td>
</tr>
<tr>
<th scope="row" data-l10n-id="certmgr-expires-on"></th>
<td><xul:textbox id="validityend" class="plain" readonly="true"/></td>
<td><input id="validityend" readonly="readonly"/></td>
</tr>
<tr>
<td colspan="2"><xul:separator class="thin"/></td>
@ -114,13 +125,13 @@
<tr>
<th scope="row" data-l10n-id="certmgr-cert-detail-sha-256-fingerprint"></th>
<td>
<textarea id="sha256fingerprint" class="plain" readonly="readonly"
style="height: 6ex; width: 48ch; font-family: monospace; background: none;"/>
<textarea id="sha256fingerprint" readonly="readonly"
style="height: 6ex; width: 48ch; font-family: monospace;"/>
</td>
</tr>
<tr>
<th scope="row" data-l10n-id="certmgr-cert-detail-sha-1-fingerprint"></th>
<td><xul:textbox id="sha1fingerprint" class="plain" readonly="true" style="min-width:34em;"/></td>
<td><input id="sha1fingerprint" readonly="readonly" style="min-width:34em;"/></td>
</tr>
</table>
</vbox>
@ -155,3 +166,4 @@
</tabbox>
</dialog>
</window>

17
security/manager/pki/resources/content/changepassword.js
View File

@ -14,7 +14,7 @@ function doPrompt(msg) {
}
function onLoad() {
document.documentElement.getButton("accept").disabled = true;
document.getElementById("set_password").getButton("accept").disabled = true;
document.addEventListener("dialogaccept", setPassword);
pw1 = document.getElementById("pw1");
@ -33,9 +33,9 @@ function process() {
// If the token is unitialized, don't use the old password box.
// Otherwise, do.
if ((token.needsLogin() && token.needsUserInit) || !token.needsLogin()) {
oldpwbox.setAttribute("hidden", "true");
oldpwbox.hidden = true;
msgBox.setAttribute("value", bundle.getString("password_not_set"));
msgBox.setAttribute("hidden", "false");
msgBox.hidden = false;
if (!token.needsLogin()) {
oldpwbox.setAttribute("inited", "empty");
@ -47,8 +47,8 @@ function process() {
document.getElementById("pw1").focus();
} else {
// Select old password field
oldpwbox.setAttribute("hidden", "false");
msgBox.setAttribute("hidden", "true");
oldpwbox.hidden = false;
msgBox.hidden = true;
oldpwbox.setAttribute("inited", "false");
oldpwbox.focus();
}
@ -197,10 +197,13 @@ function checkPasswords() {
// was called with the intention to change the password.
// The token currently uses an empty password.
// We will not allow changing the password from empty to empty.
document.documentElement.getButton("accept").disabled = true;
document
.getElementById("set_password")
.getButton("accept").disabled = true;
return;
}
}
document.documentElement.getButton("accept").disabled = pw1 != pw2;
document.getElementById("set_password").getButton("accept").disabled =
pw1 != pw2;
}

27
security/manager/pki/resources/content/changepassword.xul → security/manager/pki/resources/content/changepassword.xhtml
View File

@ -5,16 +5,20 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<!DOCTYPE dialog SYSTEM "chrome://pippki/locale/pippki.dtd">
<!DOCTYPE window SYSTEM "chrome://pippki/locale/pippki.dtd">
<dialog id="set_password" title="&setPassword.title;"
<window title="&setPassword.title;"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
buttons="accept,cancel"
onload="onLoad();">
<dialog id="set_password"
buttons="accept,cancel">
<stringbundle id="pippki_bundle" src="chrome://pippki/locale/pippki.properties"/>
<script src="chrome://global/content/globalOverlay.js"/>
<script src="chrome://global/content/editMenuOverlay.js"/>
<script src="chrome://pippki/content/changepassword.js"/>
<hbox align="center">
@ -25,9 +29,9 @@
<separator/>
<vbox>
<hbox>
<hbox class="input-row">
<label flex="1" value="&setPassword.oldPassword.label;"/>
<textbox id="oldpw" type="password"/>
<html:input id="oldpw" type="password"/>
<!-- This textbox is inserted as a workaround to the fact that making the 'type'
& 'disabled' property of the 'oldpw' textbox toggle between ['password' &
'false'] and ['text' & 'true'] - as would be necessary if the menu has more
@ -35,16 +39,16 @@
either the textbox 'oldpw' or the textbox 'message' would be displayed,
depending on the state of the token selected
-->
<textbox id="message" disabled="true" />
<html:input id="message" disabled="true" />
</hbox>
<hbox>
<hbox class="input-row">
<label flex="1" value="&setPassword.newPassword.label;"/>
<textbox id="pw1" type="password"
oninput="setPasswordStrength(); checkPasswords();"/>
<html:input id="pw1" type="password"
oninput="setPasswordStrength(); checkPasswords();"/>
</hbox>
<hbox>
<hbox class="input-row">
<label flex="1" value="&setPassword.reenterPassword.label;"/>
<textbox id="pw2" type="password" oninput="checkPasswords();"/>
<html:input id="pw2" type="password" oninput="checkPasswords();"/>
</hbox>
</vbox>
@ -54,3 +58,4 @@
</vbox>
</dialog>
</window>

2
security/manager/pki/resources/content/clientauthask.js
View File

@ -5,7 +5,7 @@
"use strict";
/**
* @file Implements the functionality of clientauthask.xul: a dialog that allows
* @file Implements the functionality of clientauthask.xhtml: a dialog that allows
* a user pick a client certificate for TLS client authentication.
* @argument {String} window.arguments[0]
* The hostname of the server requesting client authentication.

8
security/manager/pki/resources/content/clientauthask.xul → security/manager/pki/resources/content/clientauthask.xhtml
View File

@ -5,17 +5,18 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<!DOCTYPE dialog [
<!DOCTYPE window [
<!ENTITY % pippkiDTD SYSTEM "chrome://pippki/locale/pippki.dtd" >
%pippkiDTD;
]>
<dialog id="certAuthAsk" title="&clientAuthAsk.title;"
<window title="&clientAuthAsk.title;"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
buttons="accept,cancel"
onload="onLoad();">
<dialog id="certAuthAsk"
buttons="accept,cancel">
<stringbundleset id="stringbundleset">
<stringbundle id="pippki_bundle" src="chrome://pippki/locale/pippki.properties"/>
@ -43,3 +44,4 @@
<checkbox id="rememberBox" checked="true"/>
</dialog>
</window>

4
security/manager/pki/resources/content/deletecert.js
View File

@ -5,10 +5,10 @@
"use strict";
/**
* @file Implements the functionality of deletecert.xul: a dialog that allows a
* @file Implements the functionality of deletecert.xhtml: a dialog that allows a
* user to confirm whether to delete certain certificates.
* @argument {String} window.arguments[0]
* One of the tab IDs listed in certManager.xul.
* One of the tab IDs listed in certManager.xhtml.
* @argument {nsICertTreeItem[]} window.arguments[1]
* An array of cert tree items representing the certs to delete.
* @argument {DeleteCertReturnValues} window.arguments[2]

9
security/manager/pki/resources/content/deletecert.xul → security/manager/pki/resources/content/deletecert.xhtml
View File

@ -5,14 +5,14 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<!DOCTYPE dialog>
<!DOCTYPE window>
<dialog id="deleteCertificate"
data-l10n-id="certmgr-delete-cert"
<window data-l10n-id="certmgr-delete-cert"
data-l10n-attrs="style"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
onload="onLoad();"
onload="onLoad();">
<dialog id="deleteCertificate"
buttons="accept,cancel">
<linkset>
@ -28,3 +28,4 @@
<description id="impact" style="width: 400px;"/>
</dialog>
</window>

4
security/manager/pki/resources/content/device_manager.js
View File

@ -326,7 +326,7 @@ function doLogout() {
// load a new device
function doLoad() {
window.open("load_device.xul", "loaddevice", "chrome,centerscreen,modal");
window.open("load_device.xhtml", "loaddevice", "chrome,centerscreen,modal");
ClearDeviceList();
RefreshDeviceList();
}
@ -362,7 +362,7 @@ function changePassword() {
objects.appendElement(selected_slot.getToken());
params.objects = objects;
window.openDialog(
"changepassword.xul",
"changepassword.xhtml",
"",
"chrome,centerscreen,modal",
params

7
security/manager/pki/resources/content/device_manager.xul → security/manager/pki/resources/content/device_manager.xhtml
View File

@ -7,14 +7,14 @@
<!DOCTYPE dialog>
<dialog id="devicemanager"
windowtype="mozilla:devicemanager"
<window windowtype="mozilla:devicemanager"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
data-l10n-id="devmgr"
data-l10n-attrs="style"
persist="screenX screenY width height"
onload="LoadModules();"
onload="LoadModules();">
<dialog id="devicemanager"
buttons="accept">
<linkset>
@ -67,3 +67,4 @@
</hbox>
</dialog>
</window>

2
security/manager/pki/resources/content/downloadcert.js
View File

@ -5,7 +5,7 @@
"use strict";
/**
* @file Implements the functionality of downloadcert.xul: a dialog that allows
* @file Implements the functionality of downloadcert.xhtml: a dialog that allows
* a user to confirm whether to import a certificate, and if so what trust
* to give it.
* @argument {nsISupports} window.arguments[0]

9
security/manager/pki/resources/content/downloadcert.xul → security/manager/pki/resources/content/downloadcert.xhtml
View File

@ -5,14 +5,14 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<!DOCTYPE dialog SYSTEM "chrome://pippki/locale/pippki.dtd">
<!DOCTYPE window SYSTEM "chrome://pippki/locale/pippki.dtd">
<dialog id="download_cert"
title="&downloadCert.title;"
<window title="&downloadCert.title;"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
style="width: 46em;"
buttons="accept,cancel"
onload="onLoad();">
<dialog id="download_cert"
buttons="accept,cancel">
<stringbundle id="pippki_bundle" src="chrome://pippki/locale/pippki.properties"/>
@ -54,3 +54,4 @@
</vbox>
</dialog>
</window>

9
security/manager/pki/resources/content/editcacert.xul → security/manager/pki/resources/content/editcacert.xhtml
View File

@ -5,15 +5,15 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<!DOCTYPE dialog>
<!DOCTYPE window>
<dialog id="editCaCert"
data-l10n-id="certmgr-edit-ca-cert"
<window data-l10n-id="certmgr-edit-ca-cert"
data-l10n-attrs="style"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
buttons="accept,cancel"
onload="onLoad();">
<dialog id="editCaCert"
buttons="accept,cancel">
<linkset>
<html:link rel="localization" href="security/certificates/certManager.ftl"/>
@ -33,3 +33,4 @@
</vbox>
</dialog>
</window>

4
security/manager/pki/resources/content/exceptionDialog.css
View File

@ -32,3 +32,7 @@
.longDescription:empty {
display: none;
}
#locationTextBox {
-moz-box-flex: 1;
}

2
security/manager/pki/resources/content/exceptionDialog.js
View File

@ -18,7 +18,7 @@ const { PrivateBrowsingUtils } = ChromeUtils.import(
function initExceptionDialog() {
gNeedReset = false;
gDialog = document.documentElement;
gDialog = document.getElementById("exceptiondialog");
gSecHistogram = Services.telemetry.getHistogramById("SECURITY_UI");
let warningText = document.getElementById("warningText");
document.l10n.setAttributes(warningText, "add-exception-branded-warning");

21
security/manager/pki/resources/content/exceptionDialog.xul → security/manager/pki/resources/content/exceptionDialog.xhtml
View File

@ -6,16 +6,16 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<?xml-stylesheet href="chrome://pippki/content/exceptionDialog.css" type="text/css"?>
<!DOCTYPE dialog>
<!DOCTYPE window>
<dialog id="exceptiondialog"
windowtype="mozilla:exceptiondialog"
<window windowtype="mozilla:exceptiondialog"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
data-l10n-id="exception-mgr"
onload="initExceptionDialog();">
<dialog id="exceptiondialog"
buttonidextra1="exception-mgr-extra-button"
buttons="cancel,extra1,extra2"
onload="initExceptionDialog();"
defaultButton="extra2">
<linkset>
@ -23,6 +23,9 @@
<html:link rel="localization" href="security/certificates/certManager.ftl"/>
</linkset>
<script src="chrome://global/content/globalOverlay.js"/>
<script src="chrome://global/content/editMenuOverlay.js"/>
<script src="chrome://pippki/content/pippki.js"/>
<script src="chrome://pippki/content/exceptionDialog.js"/>
@ -48,11 +51,10 @@
<label control="locationTextBox"
id="certLocationLabel"
data-l10n-id="exception-mgr-cert-location-url"/>
<textbox id="locationTextBox"
flex="1"
oninput="handleTextChange();"
value="https://"
class="uri-element"/>
<html:input id="locationTextBox"
oninput="handleTextChange();"
value="https://"
class="uri-element"/>
<button id="checkCertButton"
disabled="true"
dlgtype="extra2"
@ -83,3 +85,4 @@
disabled="true"
data-l10n-id="exception-mgr-permanent"/>
</dialog>
</window>

2
security/manager/pki/resources/content/load_device.js
View File

@ -7,7 +7,7 @@
document.addEventListener("dialogaccept", onDialogAccept);
/**
* @file Implements the functionality of load_device.xul: a dialog that allows
* @file Implements the functionality of load_device.xhtml: a dialog that allows
* a PKCS #11 module to be loaded into Firefox.
*/

29
security/manager/pki/resources/content/load_device.xul → security/manager/pki/resources/content/load_device.xhtml
View File

@ -5,34 +5,44 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<!DOCTYPE dialog>
<!DOCTYPE window>
<dialog id="loaddevice"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
data-l10n-id="load-device"
data-l10n-id="load-device">
<dialog id="loaddevice"
buttons="accept,cancel">
<linkset>
<html:link rel="localization" href="security/certificates/deviceManager.ftl"/>
</linkset>
<script src="chrome://global/content/globalOverlay.js"/>
<script src="chrome://global/content/editMenuOverlay.js"/>
<script src="chrome://pippki/content/pippki.js"/>
<script src="chrome://pippki/content/load_device.js"/>
<html:style>
#device_name,
#device_path {
-moz-box-flex: 1;
}
</html:style>
<description data-l10n-id="load-device-info"></description>
<hbox align="center">
<label data-l10n-id="load-device-modname"
control="device_name"/>
<textbox id="device_name" flex="1"
data-l10n-id="load-device-modname-default"
data-l10n-attrs="value"
onchange="validateModuleName();"/>
<html:input id="device_name"
data-l10n-id="load-device-modname-default"
data-l10n-attrs="value"
onchange="validateModuleName();"/>
</hbox>
<hbox align="center">
<label data-l10n-id="load-device-filename"
control="device_path"/>
<textbox id="device_path" flex="1"/>
<html:input id="device_path" />
<button id="browse" flex="1"
data-l10n-id="load-device-browse"
oncommand="onBrowseBtnPress();"/>
@ -40,3 +50,4 @@
<label id="helpText" value=""/>
</dialog>
</window>

22
security/manager/pki/resources/content/pippki.js
View File

@ -30,18 +30,23 @@ function viewCertHelper(parent, cert) {
Services.ww.openWindow(
parent,
"chrome://pippki/content/certViewer.xul",
"chrome://pippki/content/certViewer.xhtml",
"_blank",
"centerscreen,chrome",
cert
);
}
function getPKCS7String(certArray) {
function getPKCS7Array(certArray) {
let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
return certdb.asPKCS7Blob(certArray);
let pkcs7String = certdb.asPKCS7Blob(certArray);
let pkcs7Array = new Uint8Array(pkcs7String.length);
for (let i = 0; i < pkcs7Array.length; i++) {
pkcs7Array[i] = pkcs7String.charCodeAt(i);
}
return pkcs7Array;
}
function getPEMString(cert) {
@ -146,13 +151,18 @@ async function exportToFile(parent, cert) {
}
break;
case 2:
content = cert.getRawDER();
// OS.File.writeAtomic requires a utf-8 string or a typed array.
// nsIX509Cert.getRawDER() returns an array (not a typed array), so we
// convert it here.
content = Uint8Array.from(cert.getRawDER());
break;
case 3:
content = getPKCS7String([cert]);
// getPKCS7Array returns a typed array already, so no conversion is
// necessary.
content = getPKCS7Array([cert]);
break;
case 4:
content = getPKCS7String(chain);
content = getPKCS7Array(chain);
break;
case 0:
default:

0
security/manager/pki/resources/content/protectedAuth.xul → security/manager/pki/resources/content/protectedAuth.xhtml
View File

10
security/manager/pki/resources/content/resetpassword.xul → security/manager/pki/resources/content/resetpassword.xhtml
View File

@ -5,14 +5,15 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<!DOCTYPE dialog SYSTEM "chrome://pippki/locale/pippki.dtd">
<!DOCTYPE window SYSTEM "chrome://pippki/locale/pippki.dtd">
<dialog id="reset_password" title="&resetPassword.title;"
<window title="&resetPassword.title;"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
style="width: 40em;">
<dialog id="reset_password"
buttons="accept,cancel"
buttonlabelaccept="&resetPasswordButtonLabel;"
defaultButton="cancel"
style="width: 40em;">
defaultButton="cancel">
<stringbundle id="pippki_bundle" src="chrome://pippki/locale/pippki.properties"/>
@ -32,3 +33,4 @@
</vbox>
</hbox>
</dialog>
</window>

5
security/manager/pki/resources/content/setp12password.js
View File

@ -4,7 +4,7 @@
"use strict";
/**
* @file Implements the functionality of setp12password.xul: a dialog that lets
* @file Implements the functionality of setp12password.xhtml: a dialog that lets
* the user confirm the password to set on a PKCS #12 file.
* @argument {nsISupports} window.arguments[0]
* Object to set the return values of calling the dialog on, queryable
@ -122,5 +122,6 @@ function onPasswordInput(recalculatePasswordStrength) {
// Disable the accept button if the two passwords don't match, and enable it
// if the passwords do match.
let pw2 = document.getElementById("pw2").value;
document.documentElement.getButton("accept").disabled = pw1 != pw2;
document.getElementById("setp12password").getButton("accept").disabled =
pw1 != pw2;
}

20
security/manager/pki/resources/content/setp12password.xul → security/manager/pki/resources/content/setp12password.xhtml
View File

@ -5,28 +5,31 @@
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<!DOCTYPE dialog SYSTEM "chrome://pippki/locale/pippki.dtd">
<!DOCTYPE window SYSTEM "chrome://pippki/locale/pippki.dtd">
<dialog id="setp12password"
title="&pkcs12.setpassword.title;"
<window title="&pkcs12.setpassword.title;"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
style="width: 48em;"
buttons="accept,cancel"
onload="onLoad();">
<dialog id="setp12password"
buttons="accept,cancel">
<script src="chrome://global/content/globalOverlay.js"/>
<script src="chrome://global/content/editMenuOverlay.js"/>
<script src="chrome://pippki/content/setp12password.js"/>
<description>&pkcs12.setpassword.message;</description>
<separator />
<vbox>
<hbox>
<hbox class="input-row">
<label flex="1" value="&pkcs12.setpassword.label1;"/>
<textbox id="pw1" type="password" oninput="onPasswordInput(true);"/>
<html:input id="pw1" type="password" oninput="onPasswordInput(true);"/>
</hbox>
<hbox>
<hbox class="input-row">
<label flex="1" value="&pkcs12.setpassword.label2;"/>
<textbox id="pw2" type="password" oninput="onPasswordInput(false);"/>
<html:input id="pw2" type="password" oninput="onPasswordInput(false);"/>
</hbox>
</vbox>
<separator/>
@ -38,3 +41,4 @@
<html:progress id="pwmeter" value="0" max="100"/>
</vbox>
</dialog>
</window>

26
security/manager/pki/resources/jar.mn
View File

@ -5,30 +5,30 @@
pippki.jar:
% content pippki %content/pippki/
content/pippki/certManager.js (content/certManager.js)
content/pippki/certManager.xul (content/certManager.xul)
content/pippki/certManager.xhtml (content/certManager.xhtml)
content/pippki/certViewer.js (content/certViewer.js)
content/pippki/certViewer.xul (content/certViewer.xul)
content/pippki/certViewer.xhtml (content/certViewer.xhtml)
content/pippki/changepassword.js (content/changepassword.js)
content/pippki/changepassword.xul (content/changepassword.xul)
content/pippki/changepassword.xhtml (content/changepassword.xhtml)
content/pippki/clientauthask.js (content/clientauthask.js)
content/pippki/clientauthask.xul (content/clientauthask.xul)
content/pippki/clientauthask.xhtml (content/clientauthask.xhtml)
content/pippki/deletecert.js (content/deletecert.js)
content/pippki/deletecert.xul (content/deletecert.xul)
content/pippki/deletecert.xhtml (content/deletecert.xhtml)
content/pippki/device_manager.js (content/device_manager.js)
content/pippki/device_manager.xul (content/device_manager.xul)
content/pippki/device_manager.xhtml (content/device_manager.xhtml)
content/pippki/downloadcert.js (content/downloadcert.js)
content/pippki/downloadcert.xul (content/downloadcert.xul)
content/pippki/downloadcert.xhtml (content/downloadcert.xhtml)
content/pippki/editcacert.js (content/editcacert.js)
content/pippki/editcacert.xul (content/editcacert.xul)
content/pippki/editcacert.xhtml (content/editcacert.xhtml)
content/pippki/exceptionDialog.css (content/exceptionDialog.css)
content/pippki/exceptionDialog.js (content/exceptionDialog.js)
* content/pippki/exceptionDialog.xul (content/exceptionDialog.xul)
* content/pippki/exceptionDialog.xhtml (content/exceptionDialog.xhtml)
content/pippki/load_device.js (content/load_device.js)
content/pippki/load_device.xul (content/load_device.xul)
content/pippki/load_device.xhtml (content/load_device.xhtml)
content/pippki/pippki.js (content/pippki.js)
content/pippki/protectedAuth.js (content/protectedAuth.js)
content/pippki/protectedAuth.xul (content/protectedAuth.xul)
content/pippki/protectedAuth.xhtml (content/protectedAuth.xhtml)
content/pippki/resetpassword.js (content/resetpassword.js)
content/pippki/resetpassword.xul (content/resetpassword.xul)
content/pippki/resetpassword.xhtml (content/resetpassword.xhtml)
content/pippki/setp12password.js (content/setp12password.js)
content/pippki/setp12password.xul (content/setp12password.xul)
content/pippki/setp12password.xhtml (content/setp12password.xhtml)

2
security/manager/ssl/CSTrustDomain.cpp
View File

@ -158,7 +158,7 @@ Result CSTrustDomain::FindIssuer(Input encodedIssuerName,
Result CSTrustDomain::CheckRevocation(
EndEntityOrCA endEntityOrCA, const CertID& certID, Time time,
Duration validityDuration,
Time validityPeriodBeginning, Duration validityDuration,
/*optional*/ const Input* stapledOCSPresponse,
/*optional*/ const Input* aiaExtension) {
// We're relying solely on the CertBlocklist for revocation - and we're

1
security/manager/ssl/CSTrustDomain.h
View File

@ -36,6 +36,7 @@ class CSTrustDomain final : public mozilla::pkix::TrustDomain {
virtual Result CheckRevocation(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
mozilla::pkix::Time validityPeriodBeginning,
mozilla::pkix::Duration validityDuration,
/*optional*/ const mozilla::pkix::Input* stapledOCSPresponse,
/*optional*/ const mozilla::pkix::Input* aiaExtension) override;

6
security/manager/ssl/RootHashes.inc
View File

@ -1101,6 +1101,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
0x2C, 0x44, 0x1F, 0x0F, 0xA8, 0xBC, 0x77, 0xF0, 0x34, 0xB1, 0x9E, 0x5D, 0xB2, 0x58, 0x01, 0x5D },
135 /* Bin Number */
},
{
/* Entrust_Root_Certification_Authority___G4 */
{ 0xDB, 0x35, 0x17, 0xD1, 0xF6, 0x73, 0x2A, 0x2D, 0x5A, 0xB9, 0x7C, 0x53, 0x3E, 0xC7, 0x07, 0x79,
0xEE, 0x32, 0x70, 0xA6, 0x2F, 0xB4, 0xAC, 0x42, 0x38, 0x37, 0x24, 0x60, 0xE6, 0xF0, 0x1E, 0x88 },
211 /* Bin Number */
},
{
/* TeliaSonera_Root_CA_v1 */
{ 0xDD, 0x69, 0x36, 0xFE, 0x21, 0xF8, 0xF0, 0x77, 0xC1, 0x23, 0xA1, 0xA5, 0x21, 0xC1, 0x22, 0x24,

38
security/manager/ssl/nsIX509CertDB.idl
View File

@ -223,44 +223,6 @@ interface nsIX509CertDB : nsISupports {
[must_use]
nsIX509Cert constructX509(in Array<uint8_t> certDER);
/**
* Verifies the signature on the given JAR file to verify that it has a
* valid signature. To be considered valid, there must be exactly one
* signature on the JAR file and that signature must have signed every
* entry. Further, the signature must come from a certificate that
* is trusted for code signing.
*
* On success, NS_OK, a nsIZipReader, and the trusted certificate that
* signed the JAR are returned.
*
* On failure, an error code is returned.
*
* This method returns a nsIZipReader, instead of taking an nsIZipReader
* as input, to encourage users of the API to verify the signature as the
* first step in opening the JAR.
*/
// 1 used to be AppMarketplaceProdPublicRoot.
// 2 used to be AppMarketplaceProdReviewersRoot.
// 3 used to be AppMarketplaceDevPublicRoot.
// 4 used to be AppMarketplaceDevReviewersRoot.
// 5 used to be AppMarketplaceStageRoot.
const AppTrustedRoot AppXPCShellRoot = 6;
const AppTrustedRoot AddonsPublicRoot = 7;
const AppTrustedRoot AddonsStageRoot = 8;
const AppTrustedRoot PrivilegedPackageRoot = 9;
/*
* If DeveloperImportedRoot is set as trusted root, a CA from local file
* system will be imported. Only used when preference
* "network.http.packaged-apps-developer-mode" is set.
* The path of the CA is specified by preference
* "network.http.packaged-apps-developer-trusted-root".
*/
const AppTrustedRoot DeveloperImportedRoot = 10;
[must_use]
void openSignedAppFileAsync(in AppTrustedRoot trustedRoot,
in nsIFile aJarFile,
in nsIOpenSignedAppFileCallback callback);
/*
* Add a cert to a cert DB from a binary string.
*

6
security/manager/ssl/nsNSSCallbacks.cpp
View File

@ -994,6 +994,12 @@ static void AccumulateCipherSuite(Telemetry::HistogramID probe,
case TLS_RSA_WITH_SEED_CBC_SHA:
value = 67;
break;
case TLS_RSA_WITH_AES_128_GCM_SHA256:
value = 68;
break;
case TLS_RSA_WITH_AES_256_GCM_SHA384:
value = 69;
break;
// TLS 1.3 PSK resumption
case TLS_AES_128_GCM_SHA256:
value = 70;

8
security/manager/ssl/nsNSSComponent.cpp
View File

@ -923,16 +923,20 @@ static const CipherPref sCipherPrefs[] = {
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, true},
{"security.ssl3.dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
true},
false},
{"security.ssl3.dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
true},
false},
{"security.tls13.aes_128_gcm_sha256", TLS_AES_128_GCM_SHA256, true},
{"security.tls13.chacha20_poly1305_sha256", TLS_CHACHA20_POLY1305_SHA256,
true},
{"security.tls13.aes_256_gcm_sha384", TLS_AES_256_GCM_SHA384, true},
{"security.ssl3.rsa_aes_128_gcm_sha256", TLS_RSA_WITH_AES_128_GCM_SHA256,
true}, // deprecated (RSA key exchange)
{"security.ssl3.rsa_aes_256_gcm_sha384", TLS_RSA_WITH_AES_256_GCM_SHA384,
true}, // deprecated (RSA key exchange)
{"security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA,
true}, // deprecated (RSA key exchange)
{"security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA,

2
security/manager/ssl/nsNTLMAuthModule.cpp
View File

@ -567,7 +567,7 @@ static nsresult GenerateType3Msg(const nsString& domain,
}
if (unicode) {
ucsHostBuf = NS_ConvertUTF8toUTF16(hostBuf);
CopyUTF8toUTF16(hostBuf, ucsHostBuf);
hostPtr = ucsHostBuf.get();
hostLen = ucsHostBuf.Length() * 2;
#ifdef IS_BIG_ENDIAN

27
security/manager/ssl/nsSecureBrowserUIImpl.cpp
View File

@ -12,6 +12,7 @@
#include "nsIChannel.h"
#include "nsDocShell.h"
#include "nsIDocShellTreeItem.h"
#include "nsGlobalWindow.h"
#include "nsIInterfaceRequestorUtils.h"
#include "nsITransportSecurityInfo.h"
#include "nsIWebProgress.h"
@ -20,7 +21,8 @@ using namespace mozilla;
LazyLogModule gSecureBrowserUILog("nsSecureBrowserUI");
nsSecureBrowserUIImpl::nsSecureBrowserUIImpl() : mState(0), mEvent(0) {
nsSecureBrowserUIImpl::nsSecureBrowserUIImpl()
: mState(0), mEvent(0), mIsSecureContext(false) {
MOZ_ASSERT(NS_IsMainThread());
}
@ -72,6 +74,15 @@ nsSecureBrowserUIImpl::GetState(uint32_t* aState) {
return NS_OK;
}
NS_IMETHODIMP
nsSecureBrowserUIImpl::GetIsSecureContext(bool* aIsSecureContext) {
MOZ_ASSERT(NS_IsMainThread());
NS_ENSURE_ARG(aIsSecureContext);
*aIsSecureContext = mIsSecureContext;
return NS_OK;
}
NS_IMETHODIMP
nsSecureBrowserUIImpl::GetContentBlockingEvent(uint32_t* aEvent) {
MOZ_ASSERT(NS_IsMainThread());
@ -371,6 +382,7 @@ nsSecureBrowserUIImpl::OnLocationChange(nsIWebProgress* aWebProgress,
mState = 0;
mEvent = 0;
mIsSecureContext = false;
mTopLevelSecurityInfo = nullptr;
if (aFlags & LOCATION_CHANGE_ERROR_PAGE) {
@ -394,6 +406,19 @@ nsSecureBrowserUIImpl::OnLocationChange(nsIWebProgress* aWebProgress,
mTopLevelSecurityInfo = nullptr;
}
}
nsCOMPtr<mozIDOMWindowProxy> domWindow;
aWebProgress->GetDOMWindow(getter_AddRefs(domWindow));
if (domWindow) {
nsPIDOMWindowOuter* outerWindow = nsPIDOMWindowOuter::From(domWindow);
if (outerWindow) {
nsGlobalWindowInner* innerWindow =
nsGlobalWindowInner::Cast(outerWindow->GetCurrentInnerWindow());
if (innerWindow) {
mIsSecureContext = innerWindow->IsSecureContext();
}
}
}
}
nsCOMPtr<nsIDocShell> docShell = do_QueryReferent(mDocShell);

1
security/manager/ssl/nsSecureBrowserUIImpl.h
View File

@ -51,6 +51,7 @@ class nsSecureBrowserUIImpl : public nsISecureBrowserUI,
uint32_t mState;
uint32_t mEvent;
bool mIsSecureContext;
nsWeakPtr mDocShell;
nsWeakPtr mWebProgress;
nsCOMPtr<nsITransportSecurityInfo> mTopLevelSecurityInfo;

2
security/manager/ssl/tests/mochitest/browser/browser.ini
View File

@ -7,7 +7,7 @@ support-files =
[browser_bug627234_perwindowpb.js]
[browser_certificateManagerLeak.js]
[browser_certViewer.js]
skip-if = (verify && debug)
skip-if = verify
[browser_clientAuth_connection.js]
[browser_clientAuth_ui.js]
[browser_deleteCert_ui.js]

2
security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
View File

@ -185,7 +185,7 @@ add_task(async function testLongOID() {
*/
function displayCertificate(certificate) {
let win = window.openDialog(
"chrome://pippki/content/certViewer.xul",
"chrome://pippki/content/certViewer.xhtml",
"",
"",
certificate

2
security/manager/ssl/tests/mochitest/browser/browser_certificateManagerLeak.js
View File

@ -30,6 +30,6 @@ function test() {
"Each test requires at least one pass, fail or todo so here is a pass."
);
gBugWindow = window.openDialog("chrome://pippki/content/certManager.xul");
gBugWindow = window.openDialog("chrome://pippki/content/certManager.xhtml");
gBugWindow.addEventListener("load", onLoad);
}

2
security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js
View File

@ -37,7 +37,7 @@ function openClientAuthDialog(cert) {
Ci.nsIWritablePropertyBag2
);
let win = window.openDialog(
"chrome://pippki/content/clientauthask.xul",
"chrome://pippki/content/clientauthask.xhtml",
"",
"",
TEST_HOSTNAME,

2
security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js
View File

@ -82,7 +82,7 @@ function openDeleteCertConfirmDialog(tabID) {
deleteConfirmed: false,
};
let win = window.openDialog(
"chrome://pippki/content/deletecert.xul",
"chrome://pippki/content/deletecert.xhtml",
"",
"",
tabID,

2
security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js
View File

@ -49,7 +49,7 @@ function openCertDownloadDialog(cert) {
Ci.nsIWritablePropertyBag2
);
let win = window.openDialog(
"chrome://pippki/content/downloadcert.xul",
"chrome://pippki/content/downloadcert.xhtml",
"",
"",
cert,

2
security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js
View File

@ -25,7 +25,7 @@ var gCert;
*/
function openEditCertTrustDialog() {
let win = window.openDialog(
"chrome://pippki/content/editcacert.xul",
"chrome://pippki/content/editcacert.xhtml",
"",
"",
gCert

7
security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js
View File

@ -67,7 +67,7 @@ function openSetP12PasswordDialog() {
Ci.nsIWritablePropertyBag2
);
let win = window.openDialog(
"chrome://pippki/content/setp12password.xul",
"chrome://pippki/content/setp12password.xhtml",
"",
"",
returnVals
@ -89,7 +89,7 @@ add_task(async function testFocus() {
let [win] = await openSetP12PasswordDialog();
Assert.equal(
win.document.activeElement,
win.document.getElementById("pw1").inputField,
win.document.getElementById("pw1"),
"First password textbox should have focus"
);
await BrowserTestUtils.closeWindow(win);
@ -112,7 +112,8 @@ add_task(async function testPasswordStrengthAndEquality() {
password2Textbox.oninput();
Assert.equal(
win.document.documentElement.getButton("accept").disabled,
win.document.getElementById("setp12password").getButton("accept")
.disabled,
password1Textbox.value != password2Textbox.value,
"Actual and expected accept button disable state should " +
`match for ${testCase.name}`

2
security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js
View File

@ -127,7 +127,7 @@ function resetCallCounts() {
*/
function openLoadModuleDialog() {
let win = window.openDialog(
"chrome://pippki/content/load_device.xul",
"chrome://pippki/content/load_device.xhtml",
"",
""
);

331
security/manager/ssl/tests/unit/sign_app.py
View File

@ -1,331 +0,0 @@
#!/usr/bin/env python
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
"""
Given a directory of files, packages them up and signs the
resulting zip file. Mainly for creating test inputs to the
nsIX509CertDB.openSignedAppFileAsync API.
"""
from base64 import b64encode
from cbor2 import dumps
from cbor2.types import CBORTag
from hashlib import sha1, sha256
import StringIO
import argparse
import os
import pycert
import pycms
import pykey
import re
import zipfile
ES256 = -7
ES384 = -35
ES512 = -36
KID = 4
ALG = 1
COSE_Sign = 98
def coseAlgorithmToPykeyHash(algorithm):
"""Helper function that takes one of (ES256, ES384, ES512)
and returns the corresponding pykey.HASH_* identifier."""
if algorithm == ES256:
return pykey.HASH_SHA256
elif algorithm == ES384:
return pykey.HASH_SHA384
elif algorithm == ES512:
return pykey.HASH_SHA512
else:
raise UnknownCOSEAlgorithmError(algorithm)
# COSE_Signature = [
# protected : serialized_map,
# unprotected : {},
# signature : bstr
# ]
def coseSignature(payload, algorithm, signingKey, signingCertificate,
bodyProtected):
"""Returns a COSE_Signature structure.
payload is a string representing the data to be signed
algorithm is one of (ES256, ES384, ES512)
signingKey is a pykey.ECKey to sign the data with
signingCertificate is a byte string
bodyProtected is the serialized byte string of the protected body header
"""
protected = {ALG: algorithm, KID: signingCertificate}
protectedEncoded = dumps(protected)
# Sig_structure = [
# context : "Signature"
# body_protected : bodyProtected
# sign_protected : protectedEncoded
# external_aad : nil
# payload : bstr
# ]
sigStructure = [u'Signature', bodyProtected, protectedEncoded, None,
payload]
sigStructureEncoded = dumps(sigStructure)
pykeyHash = coseAlgorithmToPykeyHash(algorithm)
signature = signingKey.signRaw(sigStructureEncoded, pykeyHash)
return [protectedEncoded, {}, signature]
# COSE_Sign = [
# protected : serialized_map,
# unprotected : {},
# payload : nil,
# signatures : [+ COSE_Signature]
# ]
def coseSig(payload, intermediates, signatures):
"""Returns the entire (tagged) COSE_Sign structure.
payload is a string representing the data to be signed
intermediates is an array of byte strings
signatures is an array of (algorithm, signingKey,
signingCertificate) triplets to be passed to
coseSignature
"""
protected = {KID: intermediates}
protectedEncoded = dumps(protected)
coseSignatures = []
for (algorithm, signingKey, signingCertificate) in signatures:
coseSignatures.append(coseSignature(payload, algorithm, signingKey,
signingCertificate,
protectedEncoded))
tagged = CBORTag(COSE_Sign, [protectedEncoded, {}, None, coseSignatures])
return dumps(tagged)
def walkDirectory(directory):
"""Given a relative path to a directory, enumerates the
files in the tree rooted at that location. Returns a list
of pairs of paths to those files. The first in each pair
is the full path to the file. The second in each pair is
the path to the file relative to the directory itself."""
paths = []
for path, dirs, files in os.walk(directory):
for f in files:
fullPath = os.path.join(path, f)
internalPath = re.sub(r'^/', '', fullPath.replace(directory, ''))
paths.append((fullPath, internalPath))
return paths
def addManifestEntry(filename, hashes, contents, entries):
"""Helper function to fill out a manifest entry.
Takes the filename, a list of (hash function, hash function name)
pairs to use, the contents of the file, and the current list
of manifest entries."""
entry = 'Name: %s\n' % filename
for (hashFunc, name) in hashes:
base64hash = b64encode(hashFunc(contents).digest())
entry += '%s-Digest: %s\n' % (name, base64hash)
entries.append(entry)
def getCert(subject, keyName, issuerName, ee, issuerKey=""):
"""Helper function to create an X509 cert from a specification.
Takes the subject, the subject key name to use, the issuer name,
a bool whether this is an EE cert or not, and optionally an issuer key
name."""
certSpecification = 'issuer:%s\n' % issuerName + \
'subject:' + subject + '\n' + \
'subjectKey:%s\n' % keyName
if ee:
certSpecification += 'extension:keyUsage:digitalSignature'
else:
certSpecification += 'extension:basicConstraints:cA,\n' + \
'extension:keyUsage:cRLSign,keyCertSign'
if issuerKey:
certSpecification += '\nissuerKey:%s' % issuerKey
certSpecificationStream = StringIO.StringIO()
print >>certSpecificationStream, certSpecification
certSpecificationStream.seek(0)
return pycert.Certificate(certSpecificationStream)
def coseAlgorithmToSignatureParams(coseAlgorithm, issuerName):
"""Given a COSE algorithm ('ES256', 'ES384', 'ES512') and an issuer
name, returns a (algorithm id, pykey.ECCKey, encoded certificate)
triplet for use with coseSig.
"""
if coseAlgorithm == 'ES256':
keyName = 'secp256r1'
algId = ES256
elif coseAlgorithm == 'ES384':
keyName = 'secp384r1'
algId = ES384
elif coseAlgorithm == 'ES512':
keyName = 'secp521r1' # COSE uses the hash algorithm; this is the curve
algId = ES512
else:
raise UnknownCOSEAlgorithmError(coseAlgorithm)
key = pykey.ECCKey(keyName)
# The subject must differ to avoid errors when importing into NSS later.
ee = getCert('xpcshell signed app test signer ' + keyName,
keyName, issuerName, True, 'default')
return (algId, key, ee.toDER())
def signZip(appDirectory, outputFile, issuerName, rootName, manifestHashes,
signatureHashes, pkcs7Hashes, coseAlgorithms, emptySignerInfos,
headerPaddingFactor):
"""Given a directory containing the files to package up,
an output filename to write to, the name of the issuer of
the signing certificate, the name of trust anchor, a list of hash algorithms
to use in the manifest file, a similar list for the signature file,
a similar list for the pkcs#7 signature, a list of COSE signature algorithms
to include, whether the pkcs#7 signer info should be kept empty, and how
many MB to pad the manifests by (to test handling large manifest files),
packages up the files in the directory and creates the output as
appropriate."""
# The header of each manifest starts with the magic string
# 'Manifest-Version: 1.0' and ends with a blank line. There can be
# essentially anything after the first line before the blank line.
mfEntries = ['Manifest-Version: 1.0']
if headerPaddingFactor > 0:
# In this format, each line can only be 72 bytes long. We make
# our padding 50 bytes per line (49 of content and one newline)
# so the math is easy.
singleLinePadding = 'a' * 49
# 1000000 / 50 = 20000
allPadding = [singleLinePadding] * (headerPaddingFactor * 20000)
mfEntries.extend(allPadding)
# Append the blank line.
mfEntries.append('')
with zipfile.ZipFile(outputFile, 'w', zipfile.ZIP_DEFLATED) as outZip:
for (fullPath, internalPath) in walkDirectory(appDirectory):
with open(fullPath) as inputFile:
contents = inputFile.read()
outZip.writestr(internalPath, contents)
# Add the entry to the manifest we're building
addManifestEntry(internalPath, manifestHashes, contents, mfEntries)
if len(coseAlgorithms) > 0:
coseManifest = '\n'.join(mfEntries)
outZip.writestr('META-INF/cose.manifest', coseManifest)
addManifestEntry('META-INF/cose.manifest', manifestHashes,
coseManifest, mfEntries)
intermediates = []
coseIssuerName = issuerName
if rootName:
coseIssuerName = 'xpcshell signed app test issuer'
intermediate = getCert(coseIssuerName, 'default', rootName, False)
intermediate = intermediate.toDER()
intermediates.append(intermediate)
signatures = map(lambda coseAlgorithm:
coseAlgorithmToSignatureParams(coseAlgorithm, coseIssuerName),
coseAlgorithms)
coseSignatureBytes = coseSig(coseManifest, intermediates, signatures)
outZip.writestr('META-INF/cose.sig', coseSignatureBytes)
addManifestEntry('META-INF/cose.sig', manifestHashes,
coseSignatureBytes, mfEntries)
if len(pkcs7Hashes) != 0 or emptySignerInfos:
mfContents = '\n'.join(mfEntries)
sfContents = 'Signature-Version: 1.0\n'
for (hashFunc, name) in signatureHashes:
base64hash = b64encode(hashFunc(mfContents).digest())
sfContents += '%s-Digest-Manifest: %s\n' % (name, base64hash)
cmsSpecification = ''
for name in pkcs7Hashes:
hashFunc, _ = hashNameToFunctionAndIdentifier(name)
cmsSpecification += '%s:%s\n' % (name,
hashFunc(sfContents).hexdigest())
cmsSpecification += 'signer:\n' + \
'issuer:%s\n' % issuerName + \
'subject:xpcshell signed app test signer\n' + \
'extension:keyUsage:digitalSignature'
cmsSpecificationStream = StringIO.StringIO()
print >>cmsSpecificationStream, cmsSpecification
cmsSpecificationStream.seek(0)
cms = pycms.CMS(cmsSpecificationStream)
p7 = cms.toDER()
outZip.writestr('META-INF/A.RSA', p7)
outZip.writestr('META-INF/A.SF', sfContents)
outZip.writestr('META-INF/MANIFEST.MF', mfContents)
class Error(Exception):
"""Base class for exceptions in this module."""
pass
class UnknownHashAlgorithmError(Error):
"""Helper exception type to handle unknown hash algorithms."""
def __init__(self, name):
super(UnknownHashAlgorithmError, self).__init__()
self.name = name
def __str__(self):
return 'Unknown hash algorithm %s' % repr(self.name)
class UnknownCOSEAlgorithmError(Error):
"""Helper exception type to handle unknown COSE algorithms."""
def __init__(self, name):
super(UnknownCOSEAlgorithmError, self).__init__()
self.name = name
def __str__(self):
return 'Unknown COSE algorithm %s' % repr(self.name)
def hashNameToFunctionAndIdentifier(name):
if name == 'sha1':
return (sha1, 'SHA1')
if name == 'sha256':
return (sha256, 'SHA256')
raise UnknownHashAlgorithmError(name)
def main(outputFile, appPath, *args):
"""Main entrypoint. Given an already-opened file-like
object, a path to the app directory to sign, and some
optional arguments, signs the contents of the directory and
writes the resulting package to the 'file'."""
parser = argparse.ArgumentParser(description='Sign an app.')
parser.add_argument('-i', '--issuer', action='store', help='Issuer name',
default='xpcshell signed apps test root')
parser.add_argument('-r', '--root', action='store', help='Root name',
default='')
parser.add_argument('-m', '--manifest-hash', action='append',
help='Hash algorithms to use in manifest',
default=[])
parser.add_argument('-s', '--signature-hash', action='append',
help='Hash algorithms to use in signature file',
default=[])
parser.add_argument('-c', '--cose-sign', action='append',
help='Append a COSE signature with the given ' +
'algorithms (out of ES256, ES384, and ES512)',
default=[])
parser.add_argument('-z', '--pad-headers', action='store', default=0,
help='Pad the header sections of the manifests ' +
'with X MB of repetitive data')
group = parser.add_mutually_exclusive_group()
group.add_argument('-p', '--pkcs7-hash', action='append',
help='Hash algorithms to use in PKCS#7 signature',
default=[])
group.add_argument('-e', '--empty-signerInfos', action='store_true',
help='Emit pkcs#7 SignedData with empty signerInfos')
parsed = parser.parse_args(args)
if len(parsed.manifest_hash) == 0:
parsed.manifest_hash.append('sha256')
if len(parsed.signature_hash) == 0:
parsed.signature_hash.append('sha256')
signZip(appPath, outputFile, parsed.issuer, parsed.root,
map(hashNameToFunctionAndIdentifier, parsed.manifest_hash),
map(hashNameToFunctionAndIdentifier, parsed.signature_hash),
parsed.pkcs7_hash, parsed.cose_sign, parsed.empty_signerInfos,
int(parsed.pad_headers))

47
security/manager/ssl/tests/unit/test_nss_shutdown.js
View File

@ -1,47 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";
// This test attempts to ensure that PSM doesn't deadlock or crash when shutting
// down NSS while a background thread is attempting to use NSS.
// Uses test_signed_apps/app_mf-1_sf-1_p7-1.zip from test_signed_apps.js.
function startAsyncNSSOperation(certdb, appFile) {
return new Promise((resolve, reject) => {
certdb.openSignedAppFileAsync(
Ci.nsIX509CertDB.AppXPCShellRoot,
appFile,
function(rv, aZipReader, aSignerCert) {
// rv will either indicate success (if NSS hasn't been shut down yet) or
// it will be some error code that varies depending on when NSS got shut
// down. As such, there's nothing really to check here. Just resolve the
// promise to continue execution.
resolve();
}
);
});
}
add_task(async function() {
do_get_profile();
let psm = Cc["@mozilla.org/psm;1"]
.getService(Ci.nsISupports)
.QueryInterface(Ci.nsIObserver);
let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
let appFile = do_get_file("test_signed_apps/app_mf-1_sf-1_p7-1.zip");
let promises = [];
for (let i = 0; i < 25; i++) {
promises.push(startAsyncNSSOperation(certdb, appFile));
}
// Trick PSM into thinking it should shut down NSS. If this test doesn't
// hang or crash, we're good.
psm.observe(null, "profile-before-change", null);
for (let i = 0; i < 25; i++) {
promises.push(startAsyncNSSOperation(certdb, appFile));
}
await Promise.all(promises);
});

1012
security/manager/ssl/tests/unit/test_signed_apps.js
View File

File diff suppressed because it is too large Load Diff

1
security/manager/ssl/tests/unit/test_signed_apps/app/README
View File

@ -1 +0,0 @@
This is the readme for the test extension.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 534 B

5
security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json
View File

@ -1,5 +0,0 @@
{
"manifest_version": 2,
"name": "Test Extension",
"version": "0.0.1"
}

10
security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest
View File

@ -1,10 +0,0 @@
Manifest-Version: 1.0
Name: README
SHA256-Digest: bY0l9xqGJYCpqYeJ0K6q4DWUQqu0mNBFM4H4emhjiJg=
Name: manifest.json
SHA256-Digest: BTnCpT154N26RZm8bhdD43WXd0tj5bg6ofM19NLI0OE=
Name: data/image.png
SHA256-Digest: EPjkNZwya9X+pruLlxG+FACLwGC48XU4S9oZOA0lVVQ=

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig
View File

Binary file not shown.

2
security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README
View File

@ -1,2 +0,0 @@
This is the readme for the test extension.
This app was created by unzipping only_cose_signed.zip and adding this line (thus invalidating the COSE signature).

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 534 B

5
security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json
View File

@ -1,5 +0,0 @@
{
"manifest_version": 2,
"name": "Test Extension",
"version": "0.0.1"
}

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip
View File

Binary file not shown.

Some files were not shown because too many files have changed in this diff Show More