The Tor Browser: security/apps/AppSignatureVerification.cpp@6474c204b198 (annotated)

security/apps/AppSignatureVerification.cpp@6474c204b198 (annotated)

security/apps/AppSignatureVerification.cpp

Wed, 31 Dec 2014 06:09:35 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:09:35 +0100
changeset 0: 6474c204b198
permissions: -rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #ifdef MOZ_LOGGING
 #define FORCE_PR_LOG 1
 #endif
 #include "nsNSSCertificateDB.h"
 #include "pkix/pkix.h"
 #include "mozilla/RefPtr.h"
 #include "CryptoTask.h"
 #include "AppTrustDomain.h"
 #include "nsComponentManagerUtils.h"
 #include "nsCOMPtr.h"
 #include "nsHashKeys.h"
 #include "nsIFile.h"
 #include "nsIInputStream.h"
 #include "nsIStringEnumerator.h"
 #include "nsIZipReader.h"
 #include "nsNSSCertificate.h"
 #include "nsProxyRelease.h"
 #include "nsString.h"
 #include "nsTHashtable.h"
 #include "ScopedNSSTypes.h"
 #include "base64.h"
 #include "certdb.h"
 #include "secmime.h"
 #include "plstr.h"
 #include "prlog.h"
 using namespace mozilla::pkix;
 using namespace mozilla;
 using namespace mozilla::psm;
 #ifdef PR_LOGGING
 extern PRLogModuleInfo* gPIPNSSLog;
 #endif
 namespace {
 // Finds exactly one (signature metadata) entry that matches the given
 // search pattern, and then load it. Fails if there are no matches or if
 // there is more than one match. If bugDigest is not null then on success
 // bufDigest will contain the SHA-1 digeset of the entry.
 nsresult
 FindAndLoadOneEntry(nsIZipReader * zip,
                     const nsACString & searchPattern,
                     /*out*/ nsACString & filename,
                     /*out*/ SECItem & buf,
                     /*optional, out*/ Digest * bufDigest)
 {
   nsCOMPtr<nsIUTF8StringEnumerator> files;
   nsresult rv = zip->FindEntries(searchPattern, getter_AddRefs(files));
   if (NS_FAILED(rv) || !files) {
     return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
   }
   bool more;
   rv = files->HasMore(&more);
   NS_ENSURE_SUCCESS(rv, rv);
   if (!more) {
     return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
   }
   rv = files->GetNext(filename);
   NS_ENSURE_SUCCESS(rv, rv);
   // Check if there is more than one match, if so then error!
   rv = files->HasMore(&more);
   NS_ENSURE_SUCCESS(rv, rv);
   if (more) {
     return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
   }
   nsCOMPtr<nsIInputStream> stream;
   rv = zip->GetInputStream(filename, getter_AddRefs(stream));
   NS_ENSURE_SUCCESS(rv, rv);
   // The size returned by Available() might be inaccurate so we need to check
   // that Available() matches up with the actual length of the file.
   uint64_t len64;
   rv = stream->Available(&len64);
   NS_ENSURE_SUCCESS(rv, rv);
   // Cap the maximum accepted size of signature-related files at 1MB (which is
   // still crazily huge) to avoid OOM. The uncompressed length of an entry can be
   // hundreds of times larger than the compressed version, especially if
   // someone has speifically crafted the entry to cause OOM or to consume
   // massive amounts of disk space.
   //
   // Also, keep in mind bug 164695 and that we must leave room for
   // null-terminating the buffer.
   static const uint32_t MAX_LENGTH = 1024 * 1024;
   static_assert(MAX_LENGTH < UINT32_MAX, "MAX_LENGTH < UINT32_MAX");
   NS_ENSURE_TRUE(len64 < MAX_LENGTH, NS_ERROR_FILE_CORRUPTED);
   NS_ENSURE_TRUE(len64 < UINT32_MAX, NS_ERROR_FILE_CORRUPTED); // bug 164695
   SECITEM_AllocItem(buf, static_cast<uint32_t>(len64 + 1));
   // buf.len == len64 + 1. We attempt to read len64 + 1 bytes instead of len64,
   // so that we can check whether the metadata in the ZIP for the entry is
   // incorrect.
   uint32_t bytesRead;
   rv = stream->Read(char_ptr_cast(buf.data), buf.len, &bytesRead);
   NS_ENSURE_SUCCESS(rv, rv);
   if (bytesRead != len64) {
     return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
   }
   buf.data[buf.len - 1] = 0; // null-terminate
   if (bufDigest) {
     rv = bufDigest->DigestBuf(SEC_OID_SHA1, buf.data, buf.len - 1);
     NS_ENSURE_SUCCESS(rv, rv);
   }
   return NS_OK;
 }
 // Verify the digest of an entry. We avoid loading the entire entry into memory
 // at once, which would require memory in proportion to the size of the largest
 // entry. Instead, we require only a small, fixed amount of memory.
 //
 // @param digestFromManifest The digest that we're supposed to check the file's
 //                           contents against, from the manifest
 // @param buf A scratch buffer that we use for doing the I/O, which must have
 //            already been allocated. The size of this buffer is the unit
 //            size of our I/O.
 nsresult
 VerifyEntryContentDigest(nsIZipReader * zip, const nsACString & aFilename,
                          const SECItem & digestFromManifest, SECItem & buf)
 {
   MOZ_ASSERT(buf.len > 0);
   if (digestFromManifest.len != SHA1_LENGTH)
     return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
   nsresult rv;
   nsCOMPtr<nsIInputStream> stream;
   rv = zip->GetInputStream(aFilename, getter_AddRefs(stream));
   if (NS_FAILED(rv)) {
     return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
   }
   uint64_t len64;
   rv = stream->Available(&len64);
   NS_ENSURE_SUCCESS(rv, rv);
   if (len64 > UINT32_MAX) {
     return NS_ERROR_SIGNED_JAR_ENTRY_TOO_LARGE;
   }
   ScopedPK11Context digestContext(PK11_CreateDigestContext(SEC_OID_SHA1));
   if (!digestContext) {
     return PRErrorCode_to_nsresult(PR_GetError());
   }
   rv = MapSECStatus(PK11_DigestBegin(digestContext));
   NS_ENSURE_SUCCESS(rv, rv);
   uint64_t totalBytesRead = 0;
   for (;;) {
     uint32_t bytesRead;
     rv = stream->Read(char_ptr_cast(buf.data), buf.len, &bytesRead);
     NS_ENSURE_SUCCESS(rv, rv);
     if (bytesRead == 0) {
       break; // EOF
     }
     totalBytesRead += bytesRead;
     if (totalBytesRead >= UINT32_MAX) {
       return NS_ERROR_SIGNED_JAR_ENTRY_TOO_LARGE;
     }
     rv = MapSECStatus(PK11_DigestOp(digestContext, buf.data, bytesRead));
     NS_ENSURE_SUCCESS(rv, rv);
   }
   if (totalBytesRead != len64) {
     // The metadata we used for Available() doesn't match the actual size of
     // the entry.
     return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
   }
   // Verify that the digests match.
   Digest digest;
   rv = digest.End(SEC_OID_SHA1, digestContext);
   NS_ENSURE_SUCCESS(rv, rv);
   if (SECITEM_CompareItem(&digestFromManifest, &digest.get()) != SECEqual) {
     return NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY;
   }
   return NS_OK;
 }
 // On input, nextLineStart is the start of the current line. On output,
 // nextLineStart is the start of the next line.
 nsresult
 ReadLine(/*in/out*/ const char* & nextLineStart, /*out*/ nsCString & line,
          bool allowContinuations = true)
 {
   line.Truncate();
   size_t previousLength = 0;
   size_t currentLength = 0;
   for (;;) {
     const char* eol = PL_strpbrk(nextLineStart, "\r\n");
     if (!eol) { // Reached end of file before newline
       eol = nextLineStart + strlen(nextLineStart);
     }
     previousLength = currentLength;
     line.Append(nextLineStart, eol - nextLineStart);
     currentLength = line.Length();
     // The spec says "No line may be longer than 72 bytes (not characters)"
     // in its UTF8-encoded form.
     static const size_t lineLimit = 72;
     if (currentLength - previousLength > lineLimit) {
       return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
     }
     // The spec says: "Implementations should support 65535-byte
     // (not character) header values..."
     if (currentLength > 65535) {
       return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
     }
     if (*eol == '\r') {
       ++eol;
     }
     if (*eol == '\n') {
       ++eol;
     }
     nextLineStart = eol;
     if (*eol != ' ') {
       // not a continuation
       return NS_OK;
     }
     // continuation
     if (!allowContinuations) {
       return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
     }
     ++nextLineStart; // skip space and keep appending
   }
 }
 // The header strings are defined in the JAR specification.
 #define JAR_MF_SEARCH_STRING "(M|/M)ETA-INF/(M|m)(ANIFEST|anifest).(MF|mf)$"
 #define JAR_SF_SEARCH_STRING "(M|/M)ETA-INF/*.(SF|sf)$"
 #define JAR_RSA_SEARCH_STRING "(M|/M)ETA-INF/*.(RSA|rsa)$"
 #define JAR_MF_HEADER "Manifest-Version: 1.0"
 #define JAR_SF_HEADER "Signature-Version: 1.0"
 nsresult
 ParseAttribute(const nsAutoCString & curLine,
                /*out*/ nsAutoCString & attrName,
                /*out*/ nsAutoCString & attrValue)
 {
   // Find the colon that separates the name from the value.
   int32_t colonPos = curLine.FindChar(':');
   if (colonPos == kNotFound) {
     return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
   }
   // set attrName to the name, skipping spaces between the name and colon
   int32_t nameEnd = colonPos;
   for (;;) {
     if (nameEnd == 0) {
       return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; // colon with no name
     }
     if (curLine[nameEnd - 1] != ' ')
       break;
     --nameEnd;
   }
   curLine.Left(attrName, nameEnd);
   // Set attrValue to the value, skipping spaces between the colon and the
   // value. The value may be empty.
   int32_t valueStart = colonPos + 1;
   int32_t curLineLength = curLine.Length();
   while (valueStart != curLineLength && curLine[valueStart] == ' ') {
     ++valueStart;
   }
   curLine.Right(attrValue, curLineLength - valueStart);
   return NS_OK;
 }
 // Parses the version line of the MF or SF header.
 nsresult
 CheckManifestVersion(const char* & nextLineStart,
                      const nsACString & expectedHeader)
 {
   // The JAR spec says: "Manifest-Version and Signature-Version must be first,
   // and in exactly that case (so that they can be recognized easily as magic
   // strings)."
   nsAutoCString curLine;
   nsresult rv = ReadLine(nextLineStart, curLine, false);
   if (NS_FAILED(rv)) {
     return rv;
   }
   if (!curLine.Equals(expectedHeader)) {
     return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
   }
   return NS_OK;
 }
 // Parses a signature file (SF) as defined in the JDK 8 JAR Specification.
 //
 // The SF file *must* contain exactly one SHA1-Digest-Manifest attribute in
 // the main section. All other sections are ignored. This means that this will
 // NOT parse old-style signature files that have separate digests per entry.
 // The JDK8 x-Digest-Manifest variant is better because:
 //
 //   (1) It allows us to follow the principle that we should minimize the
 //       processing of data that we do before we verify its signature. In
 //       particular, with the x-Digest-Manifest style, we can verify the digest
 //       of MANIFEST.MF before we parse it, which prevents malicious JARs
 //       exploiting our MANIFEST.MF parser.
 //   (2) It is more time-efficient and space-efficient to have one
 //       x-Digest-Manifest instead of multiple x-Digest values.
 //
 // In order to get benefit (1), we do NOT implement the fallback to the older
 // mechanism as the spec requires/suggests. Also, for simplity's sake, we only
 // support exactly one SHA1-Digest-Manifest attribute, and no other
 // algorithms.
 //
 // filebuf must be null-terminated. On output, mfDigest will contain the
 // decoded value of SHA1-Digest-Manifest.
 nsresult
 ParseSF(const char* filebuf, /*out*/ SECItem & mfDigest)
 {
   nsresult rv;
   const char* nextLineStart = filebuf;
   rv = CheckManifestVersion(nextLineStart, NS_LITERAL_CSTRING(JAR_SF_HEADER));
   if (NS_FAILED(rv))
     return rv;
   // Find SHA1-Digest-Manifest
   for (;;) {
     nsAutoCString curLine;
     rv = ReadLine(nextLineStart, curLine);
     if (NS_FAILED(rv)) {
       return rv;
     }
     if (curLine.Length() == 0) {
       // End of main section (blank line or end-of-file), and no
       // SHA1-Digest-Manifest found.
       return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
     }
     nsAutoCString attrName;
     nsAutoCString attrValue;
     rv = ParseAttribute(curLine, attrName, attrValue);
     if (NS_FAILED(rv)) {
       return rv;
     }
     if (attrName.LowerCaseEqualsLiteral("sha1-digest-manifest")) {
       rv = MapSECStatus(ATOB_ConvertAsciiToItem(&mfDigest, attrValue.get()));
       if (NS_FAILED(rv)) {
         return rv;
       }
       // There could be multiple SHA1-Digest-Manifest attributes, which
       // would be an error, but it's better to just skip any erroneous
       // duplicate entries rather than trying to detect them, because:
       //
       //   (1) It's simpler, and simpler generally means more secure
       //   (2) An attacker can't make us accept a JAR we would otherwise
       //       reject just by adding additional SHA1-Digest-Manifest
       //       attributes.
       break;
     }
     // ignore unrecognized attributes
   }
   return NS_OK;
 }
 // Parses MANIFEST.MF. The filenames of all entries will be returned in
 // mfItems. buf must be a pre-allocated scratch buffer that is used for doing
 // I/O.
 nsresult
 ParseMF(const char* filebuf, nsIZipReader * zip,
         /*out*/ nsTHashtable<nsCStringHashKey> & mfItems,
         ScopedAutoSECItem & buf)
 {
   nsresult rv;
   const char* nextLineStart = filebuf;
   rv = CheckManifestVersion(nextLineStart, NS_LITERAL_CSTRING(JAR_MF_HEADER));
   if (NS_FAILED(rv)) {
     return rv;
   }
   // Skip the rest of the header section, which ends with a blank line.
   {
     nsAutoCString line;
     do {
       rv = ReadLine(nextLineStart, line);
       if (NS_FAILED(rv)) {
         return rv;
       }
     } while (line.Length() > 0);
     // Manifest containing no file entries is OK, though useless.
     if (*nextLineStart == '\0') {
       return NS_OK;
     }
   }
   nsAutoCString curItemName;
   ScopedAutoSECItem digest;
   for (;;) {
     nsAutoCString curLine;
     rv = ReadLine(nextLineStart, curLine);
     NS_ENSURE_SUCCESS(rv, rv);
     if (curLine.Length() == 0) {
       // end of section (blank line or end-of-file)
       if (curItemName.Length() == 0) {
         // '...Each section must start with an attribute with the name as
         // "Name",...', so every section must have a Name attribute.
         return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
       }
       if (digest.len == 0) {
         // We require every entry to have a digest, since we require every
         // entry to be signed and we don't allow duplicate entries.
         return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
       }
       if (mfItems.Contains(curItemName)) {
         // Duplicate entry
         return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
       }
       // Verify that the entry's content digest matches the digest from this
       // MF section.
       rv = VerifyEntryContentDigest(zip, curItemName, digest, buf);
       if (NS_FAILED(rv))
         return rv;
       mfItems.PutEntry(curItemName);
       if (*nextLineStart == '\0') // end-of-file
         break;
       // reset so we know we haven't encountered either of these for the next
       // item yet.
       curItemName.Truncate();
       digest.reset();
       continue; // skip the rest of the loop below
     }
     nsAutoCString attrName;
     nsAutoCString attrValue;
     rv = ParseAttribute(curLine, attrName, attrValue);
     if (NS_FAILED(rv)) {
       return rv;
     }
     // Lines to look for:
     // (1) Digest:
     if (attrName.LowerCaseEqualsLiteral("sha1-digest"))
     {
       if (digest.len > 0) // multiple SHA1 digests in section
         return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
       rv = MapSECStatus(ATOB_ConvertAsciiToItem(&digest, attrValue.get()));
       if (NS_FAILED(rv))
         return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
       continue;
     }
     // (2) Name: associates this manifest section with a file in the jar.
     if (attrName.LowerCaseEqualsLiteral("name"))
     {
       if (MOZ_UNLIKELY(curItemName.Length() > 0)) // multiple names in section
         return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
       if (MOZ_UNLIKELY(attrValue.Length() == 0))
         return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
       curItemName = attrValue;
       continue;
     }
     // (3) Magic: the only other must-understand attribute
     if (attrName.LowerCaseEqualsLiteral("magic")) {
       // We don't understand any magic, so we can't verify an entry that
       // requires magic. Since we require every entry to have a valid
       // signature, we have no choice but to reject the entry.
       return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
     }
     // unrecognized attributes must be ignored
   }
   return NS_OK;
 }
 nsresult
 VerifySignature(AppTrustedRoot trustedRoot,
                 const SECItem& buffer, const SECItem& detachedDigest,
         /*out*/ mozilla::pkix::ScopedCERTCertList& builtChain)
 {
   mozilla::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy>
     cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr,
                                         nullptr, nullptr, nullptr, nullptr,
                                         nullptr));
   if (!cmsMsg) {
     return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
   }
   if (!NSS_CMSMessage_IsSigned(cmsMsg.get())) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("CMS message isn't signed"));
     return NS_ERROR_CMS_VERIFY_NOT_SIGNED;
   }
   NSSCMSContentInfo* cinfo = NSS_CMSMessage_ContentLevel(cmsMsg.get(), 0);
   if (!cinfo) {
     return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
   }
   // signedData is non-owning
   NSSCMSSignedData* signedData =
     reinterpret_cast<NSSCMSSignedData*>(NSS_CMSContentInfo_GetContent(cinfo));
   if (!signedData) {
     return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
   }
   // Set digest value.
   if (NSS_CMSSignedData_SetDigestValue(signedData, SEC_OID_SHA1,
                                        const_cast<SECItem*>(&detachedDigest))) {
     return NS_ERROR_CMS_VERIFY_BAD_DIGEST;
   }
   // Parse the certificates into CERTCertificate objects held in memory, so that
   // AppTrustDomain will be able to find them during path building.
   mozilla::pkix::ScopedCERTCertList certs(CERT_NewCertList());
   if (!certs) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
   if (signedData->rawCerts) {
     for (size_t i = 0; signedData->rawCerts[i]; ++i) {
       mozilla::pkix::ScopedCERTCertificate
         cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                      signedData->rawCerts[i], nullptr, false,
                                      true));
       // Skip certificates that fail to parse
       if (cert) {
         if (CERT_AddCertToListTail(certs.get(), cert.get()) == SECSuccess) {
           cert.release(); // ownership transfered
         } else {
           return NS_ERROR_OUT_OF_MEMORY;
         }
       }
     }
   }
   // Get the end-entity certificate.
   int numSigners = NSS_CMSSignedData_SignerInfoCount(signedData);
   if (NS_WARN_IF(numSigners != 1)) {
     return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
   }
   // signer is non-owning.
   NSSCMSSignerInfo* signer = NSS_CMSSignedData_GetSignerInfo(signedData, 0);
   if (NS_WARN_IF(!signer)) {
     return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
   }
   // cert is signerCert
   CERTCertificate* signerCert =
     NSS_CMSSignerInfo_GetSigningCertificate(signer, CERT_GetDefaultCertDB());
   if (!signerCert) {
     return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
   }
   // Verify certificate.
   AppTrustDomain trustDomain(nullptr); // TODO: null pinArg
   if (trustDomain.SetTrustedRoot(trustedRoot) != SECSuccess) {
     return MapSECStatus(SECFailure);
   }
   if (BuildCertChain(trustDomain, signerCert, PR_Now(), MustBeEndEntity,
                      KeyUsage::digitalSignature,
                      SEC_OID_EXT_KEY_USAGE_CODE_SIGN,
                      SEC_OID_X509_ANY_POLICY, nullptr, builtChain)
         != SECSuccess) {
     return MapSECStatus(SECFailure);
   }
   // See NSS_CMSContentInfo_GetContentTypeOID, which isn't exported from NSS.
   SECOidData* contentTypeOidData =
     SECOID_FindOID(&signedData->contentInfo.contentType);
   if (!contentTypeOidData) {
     return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
   }
   return MapSECStatus(NSS_CMSSignerInfo_Verify(signer,
                          const_cast<SECItem*>(&detachedDigest),
                          &contentTypeOidData->oid));
 }
 NS_IMETHODIMP
 OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
                   /*out, optional */ nsIZipReader** aZipReader,
                   /*out, optional */ nsIX509Cert3** aSignerCert)
 {
   NS_ENSURE_ARG_POINTER(aJarFile);
   if (aZipReader) {
     *aZipReader = nullptr;
   }
   if (aSignerCert) {
     *aSignerCert = nullptr;
   }
   nsresult rv;
   static NS_DEFINE_CID(kZipReaderCID, NS_ZIPREADER_CID);
   nsCOMPtr<nsIZipReader> zip = do_CreateInstance(kZipReaderCID, &rv);
   NS_ENSURE_SUCCESS(rv, rv);
   rv = zip->Open(aJarFile);
   NS_ENSURE_SUCCESS(rv, rv);
   // Signature (RSA) file
   nsAutoCString sigFilename;
   ScopedAutoSECItem sigBuffer;
   rv = FindAndLoadOneEntry(zip, nsLiteralCString(JAR_RSA_SEARCH_STRING),
                            sigFilename, sigBuffer, nullptr);
   if (NS_FAILED(rv)) {
     return NS_ERROR_SIGNED_JAR_NOT_SIGNED;
   }
   // Signature (SF) file
   nsAutoCString sfFilename;
   ScopedAutoSECItem sfBuffer;
   Digest sfCalculatedDigest;
   rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_SF_SEARCH_STRING),
                            sfFilename, sfBuffer, &sfCalculatedDigest);
   if (NS_FAILED(rv)) {
     return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
   }
   sigBuffer.type = siBuffer;
   mozilla::pkix::ScopedCERTCertList builtChain;
   rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedDigest.get(),
                        builtChain);
   if (NS_FAILED(rv)) {
     return rv;
   }
   ScopedAutoSECItem mfDigest;
   rv = ParseSF(char_ptr_cast(sfBuffer.data), mfDigest);
   if (NS_FAILED(rv)) {
     return rv;
   }
   // Manifest (MF) file
   nsAutoCString mfFilename;
   ScopedAutoSECItem manifestBuffer;
   Digest mfCalculatedDigest;
   rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_MF_SEARCH_STRING),
                            mfFilename, manifestBuffer, &mfCalculatedDigest);
   if (NS_FAILED(rv)) {
     return rv;
   }
   if (SECITEM_CompareItem(&mfDigest, &mfCalculatedDigest.get()) != SECEqual) {
     return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
   }
   // Allocate the I/O buffer only once per JAR, instead of once per entry, in
   // order to minimize malloc/free calls and in order to avoid fragmenting
   // memory.
   ScopedAutoSECItem buf(128 * 1024);
   nsTHashtable<nsCStringHashKey> items;
   rv = ParseMF(char_ptr_cast(manifestBuffer.data), zip, items, buf);
   if (NS_FAILED(rv)) {
     return rv;
   }
   // Verify every entry in the file.
   nsCOMPtr<nsIUTF8StringEnumerator> entries;
   rv = zip->FindEntries(EmptyCString(), getter_AddRefs(entries));
   if (NS_SUCCEEDED(rv) && !entries) {
     rv = NS_ERROR_UNEXPECTED;
   }
   if (NS_FAILED(rv)) {
     return rv;
   }
   for (;;) {
     bool hasMore;
     rv = entries->HasMore(&hasMore);
     NS_ENSURE_SUCCESS(rv, rv);
     if (!hasMore) {
       break;
     }
     nsAutoCString entryFilename;
     rv = entries->GetNext(entryFilename);
     NS_ENSURE_SUCCESS(rv, rv);
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Verifying digests for %s",
            entryFilename.get()));
     // The files that comprise the signature mechanism are not covered by the
     // signature.
     //
     // XXX: This is OK for a single signature, but doesn't work for
     // multiple signatures, because the metadata for the other signatures
     // is not signed either.
     if (entryFilename == mfFilename ||
         entryFilename == sfFilename ||
         entryFilename == sigFilename) {
       continue;
     }
     if (entryFilename.Length() == 0) {
       return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
     }
     // Entries with names that end in "/" are directory entries, which are not
     // signed.
     //
     // XXX: As long as we don't unpack the JAR into the filesystem, the "/"
     // entries are harmless. But, it is not clear what the security
     // implications of directory entries are if/when we were to unpackage the
     // JAR into the filesystem.
     if (entryFilename[entryFilename.Length() - 1] == '/') {
       continue;
     }
     nsCStringHashKey * item = items.GetEntry(entryFilename);
     if (!item) {
       return NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY;
     }
     // Remove the item so we can check for leftover items later
     items.RemoveEntry(entryFilename);
   }
   // We verified that every entry that we require to be signed is signed. But,
   // were there any missing entries--that is, entries that are mentioned in the
   // manifest but missing from the archive?
   if (items.Count() != 0) {
     return NS_ERROR_SIGNED_JAR_ENTRY_MISSING;
   }
   // Return the reader to the caller if they want it
   if (aZipReader) {
     zip.forget(aZipReader);
   }
   // Return the signer's certificate to the reader if they want it.
   // XXX: We should return an nsIX509CertList with the whole validated chain,
   //      but we can't do that until we switch to libpkix.
   if (aSignerCert) {
     MOZ_ASSERT(CERT_LIST_HEAD(builtChain));
     nsCOMPtr<nsIX509Cert3> signerCert =
       nsNSSCertificate::Create(CERT_LIST_HEAD(builtChain)->cert);
     NS_ENSURE_TRUE(signerCert, NS_ERROR_OUT_OF_MEMORY);
     signerCert.forget(aSignerCert);
   }
   return NS_OK;
 }
 class OpenSignedAppFileTask MOZ_FINAL : public CryptoTask
 {
 public:
   OpenSignedAppFileTask(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
                         nsIOpenSignedAppFileCallback* aCallback)
     : mTrustedRoot(aTrustedRoot)
     , mJarFile(aJarFile)
     , mCallback(new nsMainThreadPtrHolder<nsIOpenSignedAppFileCallback>(aCallback))
   {
   }
 private:
   virtual nsresult CalculateResult() MOZ_OVERRIDE
   {
     return OpenSignedAppFile(mTrustedRoot, mJarFile,
                              getter_AddRefs(mZipReader),
                              getter_AddRefs(mSignerCert));
   }
   // nsNSSCertificate implements nsNSSShutdownObject, so there's nothing that
   // needs to be released
   virtual void ReleaseNSSResources() { }
   virtual void CallCallback(nsresult rv)
   {
     (void) mCallback->OpenSignedAppFileFinished(rv, mZipReader, mSignerCert);
   }
   const AppTrustedRoot mTrustedRoot;
   const nsCOMPtr<nsIFile> mJarFile;
   nsMainThreadPtrHandle<nsIOpenSignedAppFileCallback> mCallback;
   nsCOMPtr<nsIZipReader> mZipReader; // out
   nsCOMPtr<nsIX509Cert3> mSignerCert; // out
 };
 } // unnamed namespace
 NS_IMETHODIMP
 nsNSSCertificateDB::OpenSignedAppFileAsync(
   AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
   nsIOpenSignedAppFileCallback* aCallback)
 {
   NS_ENSURE_ARG_POINTER(aJarFile);
   NS_ENSURE_ARG_POINTER(aCallback);
   RefPtr<OpenSignedAppFileTask> task(new OpenSignedAppFileTask(aTrustedRoot,
                                                                aJarFile,
                                                                aCallback));
   return task->Dispatch("SignedJAR");
 }

The Tor Browser / annotate

security/apps/AppSignatureVerification.cpp@6474c204b198 (annotated)

security/apps/AppSignatureVerification.cpp