Bug 1178518 - Add an AppTrustedRoot for signed packaged app. r=keeler
authorJonathan Hao <jhao@mozilla.com>
Mon, 07 Sep 2015 15:28:21 +0800
changeset 296148 e014457c7890c578d1fa4b79004092e20e8ad38d
parent 296147 98c837a33821e4c2e508cd61d0a9c3a629c9877d
child 296149 9abe817972b19cb0fb5cc77cc5d6a7671bdc1265
push id5783
push usermartin.thomson@gmail.com
push dateThu, 24 Sep 2015 22:44:38 +0000
reviewerskeeler
bugs1178518
milestone44.0a1
Bug 1178518 - Add an AppTrustedRoot for signed packaged app. r=keeler
dom/apps/StoreTrustAnchor.jsm
security/apps/AppTrustDomain.cpp
security/apps/gen_cert_header.py
security/apps/moz.build
security/apps/privileged-package-root.der
security/manager/ssl/nsIX509CertDB.idl
--- a/dom/apps/StoreTrustAnchor.jsm
+++ b/dom/apps/StoreTrustAnchor.jsm
@@ -11,16 +11,17 @@ this.EXPORTED_SYMBOLS = [
   "TrustedRootCertificate"
 ];
 
 const APP_TRUSTED_ROOTS= ["AppMarketplaceProdPublicRoot",
                           "AppMarketplaceProdReviewersRoot",
                           "AppMarketplaceDevPublicRoot",
                           "AppMarketplaceDevReviewersRoot",
                           "AppMarketplaceStageRoot",
+                          "PrivilegedPackageRoot",
                           "AppXPCShellRoot"];
 
 this.TrustedRootCertificate = {
   _index: Ci.nsIX509CertDB.AppMarketplaceProdPublicRoot,
   get index() {
     return this._index;
   },
   set index(aIndex) {
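Review bot: Adding `"PrivilegedPackageRoot"` to `APP_TRUSTED_ROOTS` looks like it widens the set of roots the store trust anchor can be switched to, and the hunk does not say whether that is intended. The `index` setter begins on the last line of the hunk and its body is outside it, so this is inferred from the list's name and from the add-on roots declared in nsIX509CertDB.idl being absent from the list. If the list is the setter's allow-list, a comment above it would help, e.g. `// Roots that TrustedRootCertificate.index may be set to; names must match nsIX509CertDB.AppTrustedRoot constants.` The new entry should also be confirmed as needed for the store anchor, rather than only for signed-package verification.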
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@@ -21,16 +21,18 @@
 #include "marketplace-stage.inc"
 #include "xpcshell.inc"
 // Trusted Hosted Apps Certificates
 #include "manifest-signing-root.inc"
 #include "manifest-signing-test-root.inc"
 // Add-on signing Certificates
 #include "addons-public.inc"
 #include "addons-stage.inc"
+// Privileged Package Certificates
+#include "privileged-package-root.inc"
 
 using namespace mozilla::pkix;
 
 extern PRLogModuleInfo* gPIPNSSLog;
 
 static const unsigned int DEFAULT_MIN_RSA_BITS = 2048;
 
 namespace mozilla { namespace psm {
@@ -89,16 +91,21 @@ AppTrustDomain::SetTrustedRoot(AppTruste
       trustedDER.len = mozilla::ArrayLength(addonsPublicRoot);
       break;
 
     case nsIX509CertDB::AddonsStageRoot:
       trustedDER.data = const_cast<uint8_t*>(addonsStageRoot);
       trustedDER.len = mozilla::ArrayLength(addonsStageRoot);
       break;
 
+    case nsIX509CertDB::PrivilegedPackageRoot:
+      trustedDER.data = const_cast<uint8_t*>(privilegedPackageRoot);
+      trustedDER.len = mozilla::ArrayLength(privilegedPackageRoot);
+      break;
+
     default:
       PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
       return SECFailure;
   }
 
   mTrustedRoot = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                          &trustedDER, nullptr, false, true);
   if (!mTrustedRoot) {
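Review bot: The new `case nsIX509CertDB::PrivilegedPackageRoot:` arm turns the bytes of `privilegedPackageRoot` into a compiled-in trust anchor, but nothing in the change records what that certificate is. It arrives as a binary patch (privileged-package-root.der), so a reader cannot tell its subject, its validity period, or whether it is a production or a test root. I would add a comment at the `#include "privileged-package-root.inc"` line in the earlier hunk, such as `// Root for signed packaged apps (bug 1178518). Subject: <subject>, SHA-256: <fingerprint>.`, with the real values filled in. The changeset's file list also contains no test file, so an xpcshell case that accepts a package signed under this root and rejects one signed under a different root would be worth adding. SetTrustedRoot begins and ends outside this hunk.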
--- a/security/apps/gen_cert_header.py
+++ b/security/apps/gen_cert_header.py
@@ -32,13 +32,14 @@ array_names = [
   'marketplaceDevPublicRoot',
   'marketplaceDevReviewersRoot',
   'marketplaceStageRoot',
   'trustedAppPublicRoot',
   'trustedAppTestRoot',
   'xpcshellRoot',
   'addonsPublicRoot',
   'addonsStageRoot',
+  'privilegedPackageRoot',
 ]
 
 for n in array_names:
   # Make sure the lambda captures the right string.
   globals()[n] = lambda header, cert_filename, name=n: header.write(_create_header(name, _file_byte_generator(cert_filename)))
--- a/security/apps/moz.build
+++ b/security/apps/moz.build
@@ -29,15 +29,16 @@ headers_arrays_certs = [
     ('marketplace-dev-public.inc', 'marketplaceDevPublicRoot', 'marketplace-dev-public.crt'),
     ('marketplace-dev-reviewers.inc', 'marketplaceDevReviewersRoot', 'marketplace-dev-reviewers.crt'),
     ('marketplace-stage.inc', 'marketplaceStageRoot', 'marketplace-stage.crt'),
     ('manifest-signing-root.inc', 'trustedAppPublicRoot', 'trusted-app-public.der'),
     ('manifest-signing-test-root.inc', 'trustedAppTestRoot', test_ssl_path + '/test_signed_manifest/trusted_ca1.der'),
     ('xpcshell.inc', 'xpcshellRoot', test_ssl_path + '/test_signed_apps/trusted_ca1.der'),
     ('addons-public.inc', 'addonsPublicRoot', 'addons-public.crt'),
     ('addons-stage.inc', 'addonsStageRoot', 'addons-stage.crt'),
+    ('privileged-package-root.inc', 'privilegedPackageRoot', 'privileged-package-root.der'),
 ]
 
 for header, array_name, cert in headers_arrays_certs:
     GENERATED_FILES += [header]
     h = GENERATED_FILES[header]
     h.script = 'gen_cert_header.py:' + array_name
     h.inputs = [cert]
new file mode 100644
index 0000000000000000000000000000000000000000..9f15847bfccb5bfc22cbefd770b543b23ea01df3
GIT binary patch
literal 930
zc$_n6VxDKv#MHKcnTe5!iILHOmyJ`a&7<u*FC!y2D}zC?A-4f18*?ZNn=n&oFpR??
z%;fB7C}to6;;;+z`sSDBl_X~7DTHOFmK&-VD1pSegr!|85_1c3QWZjqN{dTUQxu%@
ziwg3K5=%1k^9&^o#6hZ<g#}=;VTn1JKsAmA3gWzmrUsUV1_l-eCdMXF68uI6rpN*V
z<E$n|CFI~?WMyD(V&rE4igPhFF)}ioyV{?(Z|9V~D+Ai=mnAXHyd!e%WW%<Oite6u
zuL^SS%>K`*`(bDG$|C6?ro*oN>k7X9HvRN}<I$Hn+n*X1?rRXc*LzCuWNk%*)(`)k
ztd}Ni=w=D;I>Y_)$HH|tc7A^ur+WHNVPWeMcK+)fyO)?ZpE&1~@s;(ujm7=N(RL1{
z1+V39TsR`?bfM7afuYYWHw%#kj;Z|%^9$2EQm@~dU9x2(r<>nVhSXWCvz||xuXOuz
zuF>a-MkT4G+J1a)jiJ+G%ck$WrKoQ|y^~X;%Ho)$s;Y+Yf>l#YL;CKN3(u&YdNttn
z3HcfNuU<y0y~~W*lk0q1ZN*A;@wCNvt9hy;{r85{e`I22WMEuuZD47@4-7(CVMfOP
zEUX61K*~T2B%lfs;4$E0<IrYfWMyS%W;WmhiSvWRS(uraSkO`*GbmKcm3}9vhR4lZ
z=)iW~c*pNj+1`E*t`66AH4_hZ?K|^gTl*Bdeb0TjH@x>$?>_7KVNyt2d4Pj#mkYmE
za)N&?*N5_F7ZrTsS_}<lSN(LZIJuTX;B|iIiF~yQHI0oLt}gNJu21vK9tH24yRPkt
z!}9qTX4}PQwsvoL)*LtSRB4$-@Nb)~EX8eBoBvF8Oify5R6Eh(bE#at?W8=0NxO2A
zy&fCaziSJQIVjA&*~9o3_uE^h9@TusRfSq}4f!9Y-^*vLIG6BLtg7lc$GN<X(vlPR
zdOhClx?zQ>-+3E_8;!A^Q_t+)>YqCM^~(4ME4DkI6usMNQ28lod2bWDp3Hgk#hJ4J
Dha6Q2
--- a/security/manager/ssl/nsIX509CertDB.idl
+++ b/security/manager/ssl/nsIX509CertDB.idl
@@ -41,17 +41,17 @@ interface nsIVerifySignedManifestCallbac
   void verifySignedManifestFinished(in nsresult rv,
                                     in nsIX509Cert aSignerCert);
 };
 
 /**
  * This represents a service to access and manipulate
  * X.509 certificates stored in a database.
  */
-[scriptable, uuid(3fe3702b-766b-47dd-8f77-c08c3a339a74)]
+[scriptable, uuid(0a47571d-602c-4b21-9f52-c3d0e681d83a)]
 interface nsIX509CertDB : nsISupports {
 
   /**
    *  Constants that define which usages a certificate
    *  is trusted for.
    */
   const unsigned long UNTRUSTED       =      0;
   const unsigned long TRUSTED_SSL     = 1 << 0;
@@ -313,16 +313,17 @@ interface nsIX509CertDB : nsISupports {
   const AppTrustedRoot AppMarketplaceProdPublicRoot = 1;
   const AppTrustedRoot AppMarketplaceProdReviewersRoot = 2;
   const AppTrustedRoot AppMarketplaceDevPublicRoot = 3;
   const AppTrustedRoot AppMarketplaceDevReviewersRoot = 4;
   const AppTrustedRoot AppMarketplaceStageRoot = 5;
   const AppTrustedRoot AppXPCShellRoot = 6;
   const AppTrustedRoot AddonsPublicRoot = 7;
   const AppTrustedRoot AddonsStageRoot = 8;
+  const AppTrustedRoot PrivilegedPackageRoot = 9;
   void openSignedAppFileAsync(in AppTrustedRoot trustedRoot,
                               in nsIFile aJarFile,
                               in nsIOpenSignedAppFileCallback callback);
 
   /**
    *  Verifies the signature on a directory representing an unpacked signed
    *  JAR file. To be considered valid, there must be exactly one signature
    *  on the directory structure and that signature must have signed every