[tbb-commits] [tor-browser/tor-browser-31.3.0esr-4.5-1] Bug 13379: Sign our MAR files (backport Mozilla patches).

brade at torproject.org brade at torproject.org
Wed Dec 17 22:06:24 UTC 2014


commit 40b509e6d7408a73c5a81a3d971dfc6daf5f7510
Author: Kathy Brade <brade at pearlcrescent.com>
Date:   Fri Nov 14 11:24:14 2014 -0500

    Bug 13379: Sign our MAR files (backport Mozilla patches).
    
    Backport reviewed patches from these two Mozilla bugs:
    903135 - Link updater to NSS and enable MAR verification on Linux and OSX
    903126 - Implement a platform independent way to determine which cert to use
    	   for verifying mars
    Configure browser build with --enable-signmar and --enable-verify-mar.
---
 browser/confvars.sh                              |    5 +
 configure.in                                     |    6 +-
 modules/libmar/moz.build                         |    6 +-
 modules/libmar/src/mar.h                         |   30 ++++-
 modules/libmar/src/mar_cmdline.h                 |   32 -----
 modules/libmar/tool/mar.c                        |  109 +++++++++--------
 modules/libmar/verify/cryptox.c                  |   32 ++---
 modules/libmar/verify/cryptox.h                  |   29 ++---
 modules/libmar/verify/mar_verify.c               |  143 +++++++---------------
 toolkit/mozapps/update/updater/Makefile.in       |   12 +-
 toolkit/mozapps/update/updater/archivereader.cpp |   29 +----
 toolkit/mozapps/update/updater/updater.cpp       |   19 +++
 12 files changed, 197 insertions(+), 255 deletions(-)

diff --git a/browser/confvars.sh b/browser/confvars.sh
index 8914379..8e7cf7e 100644
--- a/browser/confvars.sh
+++ b/browser/confvars.sh
@@ -8,6 +8,11 @@ MOZ_APP_VENDOR=Mozilla
 MOZ_UPDATER=1
 MOZ_PHOENIX=1
 
+MOZ_VERIFY_MAR_SIGNATURE=1
+
+# Enable building ./signmar and running libmar signature tests
+MOZ_ENABLE_SIGNMAR=1
+
 MOZ_CHROME_FILE_FORMAT=omni
 MOZ_DISABLE_EXPORT_JS=1
 MOZ_SAFE_BROWSING=1
diff --git a/configure.in b/configure.in
index b97a1e6..3093a3f 100644
--- a/configure.in
+++ b/configure.in
@@ -6351,11 +6351,7 @@ MOZ_ARG_ENABLE_BOOL(verify-mar,
     MOZ_VERIFY_MAR_SIGNATURE= )
 
 if test -n "$MOZ_VERIFY_MAR_SIGNATURE"; then
-  if test "$OS_ARCH" = "WINNT"; then
-    AC_DEFINE(MOZ_VERIFY_MAR_SIGNATURE)
-  else
-    AC_MSG_ERROR([Can only build with --enable-verify-mar with a Windows target])
-  fi
+  AC_DEFINE(MOZ_VERIFY_MAR_SIGNATURE)
 fi
 
 dnl ========================================================
diff --git a/modules/libmar/moz.build b/modules/libmar/moz.build
index 44191c3..d9a8b34 100644
--- a/modules/libmar/moz.build
+++ b/modules/libmar/moz.build
@@ -9,11 +9,7 @@ DIRS += ['src']
 if CONFIG['MOZ_ENABLE_SIGNMAR']:
     DIRS += ['sign', 'verify']
     TEST_DIRS += ['tests']
-elif CONFIG['OS_ARCH'] == 'WINNT':
-    # On Windows we don't verify with NSS and updater needs to link to it
-    DIRS += ['verify']
-elif CONFIG['OS_ARCH'] == 'Darwin':
-    # On OSX we don't verify with NSS and updater needs to link to it.
+elif CONFIG['MOZ_VERIFY_MAR_SIGNATURE']:
     DIRS += ['verify']
 
 # If we are building ./sign and ./verify then ./tool must come after it
diff --git a/modules/libmar/src/mar.h b/modules/libmar/src/mar.h
index 4e53d2c..98b454d 100644
--- a/modules/libmar/src/mar.h
+++ b/modules/libmar/src/mar.h
@@ -134,6 +134,26 @@ int mar_create(const char *dest,
  */
 int mar_extract(const char *path);
 
+#define MAR_MAX_CERT_SIZE (16*1024) // Way larger than necessary
+
+/* Read the entire file (not a MAR file) into a newly-allocated buffer.
+ * This function does not write to stderr. Instead, the caller should
+ * write whatever error messages it sees fit. The caller must free the returned
+ * buffer using free().
+ *
+ * @param filePath The path to the file that should be read.
+ * @param maxSize  The maximum valid file size.
+ * @param data     On success, *data will point to a newly-allocated buffer
+ *                 with the file's contents in it.
+ * @param size     On success, *size will be the size of the created buffer.
+ * 
+ * @return 0 on success, -1 on error
+ */
+int mar_read_entire_file(const char * filePath,
+                         uint32_t maxSize,
+                         /*out*/ const uint8_t * *data,
+                         /*out*/ uint32_t *size);
+
 /**
  * Verifies a MAR file by verifying each signature with the corresponding
  * certificate. That is, the first signature will be verified using the first
@@ -154,12 +174,10 @@ int mar_extract(const char *path);
  *         a negative number if there was an error
  *         a positive number if the signature does not verify
  */
-#ifdef XP_WIN
-int mar_verify_signaturesW(MarFile *mar,
-                           const uint8_t * const *certData,
-                           const uint32_t *certDataSizes,
-                           uint32_t certCount);
-#endif
+int mar_verify_signatures(MarFile *mar,
+                          const uint8_t * const *certData,
+                          const uint32_t *certDataSizes,
+                          uint32_t certCount);
 
 /** 
  * Reads the product info block from the MAR file's additional block section.
diff --git a/modules/libmar/src/mar_cmdline.h b/modules/libmar/src/mar_cmdline.h
index e8645ec..e2c9ed5 100644
--- a/modules/libmar/src/mar_cmdline.h
+++ b/modules/libmar/src/mar_cmdline.h
@@ -38,38 +38,6 @@ int get_mar_file_info(const char *path,
                       uint32_t *offsetAdditionalBlocks,
                       uint32_t *numAdditionalBlocks);
 
-/**
- * Verifies a MAR file by verifying each signature with the corresponding
- * certificate. That is, the first signature will be verified using the first
- * certificate given, the second signature will be verified using the second
- * certificate given, etc. The signature count must exactly match the number of
- * certificates given, and all signature verifications must succeed.
- * This is only used by the signmar program when used with arguments to verify 
- * a MAR. This should not be used to verify a MAR that will be extracted in the 
- * same operation by updater code. This function prints the error message if 
- * verification fails.
- * 
- * @param pathToMAR     The path of the MAR file whose signature should be
- *                      checked
- * @param certData      Pointer to the first element in an array of certificate
- *                      file data.
- * @param certDataSizes Pointer to the first element in an array for size of
- *                      the cert data.
- * @param certNames     Pointer to the first element in an array of certificate
- *                      names.
- *                      Used only if compiled with NSS support
- * @param certCount     The number of elements in certData, certDataSizes,
- *                      and certNames
- * @return 0 on success
- *         a negative number if there was an error
- *         a positive number if the signature does not verify
- */
-int mar_verify_signatures(const char *pathToMAR,
-                          const uint8_t * const *certData,
-                          const uint32_t *certDataSizes,
-                          const char * const *certNames,
-                          uint32_t certCount);
-
 /** 
  * Reads the product info block from the MAR file's additional block section.
  * The caller is responsible for freeing the fields in infoBlock
diff --git a/modules/libmar/tool/mar.c b/modules/libmar/tool/mar.c
index 8abbac7..821813c 100644
--- a/modules/libmar/tool/mar.c
+++ b/modules/libmar/tool/mar.c
@@ -19,6 +19,8 @@
 #endif
 
 #if !defined(NO_SIGN_VERIFY) && (!defined(XP_WIN) || defined(MAR_NSS))
+#include "cert.h"
+#include "pk11pub.h"
 int NSSInitCryptoContext(const char *NSSConfigDir);
 #endif
 
@@ -120,15 +122,13 @@ int main(int argc, char **argv) {
   uint32_t certCount = 0;
   int32_t sigIndex = -1;
 
-#if defined(XP_WIN) && !defined(MAR_NSS) && !defined(NO_SIGN_VERIFY)
-  HANDLE certFile;
-  uint8_t *certBuffers[MAX_SIGNATURES];
-#endif
-#if !defined(NO_SIGN_VERIFY) && ((!defined(MAR_NSS) && defined(XP_WIN)) || \
-                                 defined(XP_MACOSX))
-  char* DERFilePaths[MAX_SIGNATURES];
+#if !defined(NO_SIGN_VERIFY)
   uint32_t fileSizes[MAX_SIGNATURES];
-  uint32_t read;
+  uint8_t* certBuffers[MAX_SIGNATURES];
+  char* DERFilePaths[MAX_SIGNATURES];
+#if (!defined(XP_WIN) && !defined(XP_MACOSX)) || defined(MAR_NSS)
+  CERTCertificate* certs[MAX_SIGNATURES];
+#endif
 #endif
 
   memset(certNames, 0, sizeof(certNames));
@@ -319,43 +319,68 @@ int main(int argc, char **argv) {
     return import_signature(argv[2], sigIndex, argv[3], argv[4]);
 
   case 'v':
-
-#if defined(XP_WIN) && !defined(MAR_NSS)
     if (certCount == 0) {
       print_usage();
       return -1;
     }
 
+#if (!defined(XP_WIN) && !defined(XP_MACOSX)) || defined(MAR_NSS)
+    if (!NSSConfigDir || certCount == 0) {
+      print_usage();
+      return -1;
+    }
+
+    if (NSSInitCryptoContext(NSSConfigDir)) {
+      fprintf(stderr, "ERROR: Could not initialize crypto library.\n");
+      return -1;
+    }
+#endif
+
+    rv = 0;
     for (k = 0; k < certCount; ++k) {
-      /* If the mar program was built using CryptoAPI, then read in the buffer
-        containing the cert from disk. */
-      certFile = CreateFileA(DERFilePaths[k], GENERIC_READ,
-                             FILE_SHARE_READ |
-                             FILE_SHARE_WRITE |
-                             FILE_SHARE_DELETE,
-                             NULL,
-                             OPEN_EXISTING,
-                             0, NULL);
-      if (INVALID_HANDLE_VALUE == certFile) {
-        return -1;
+#if (defined(XP_WIN) || defined(XP_MACOSX)) && !defined(MAR_NSS)
+      rv = mar_read_entire_file(DERFilePaths[k], MAR_MAX_CERT_SIZE,
+                                &certBuffers[k], &fileSizes[k]);
+#else
+      /* It is somewhat circuitous to look up a CERTCertificate and then pass
+       * in its DER encoding just so we can later re-create that
+       * CERTCertificate to extract the public key out of it. However, by doing
+       * things this way, we maximize the reuse of the mar_verify_signatures
+       * function and also we keep the control flow as similar as possible
+       * between programs and operating systems, at least for the functions
+       * that are critically important to security.
+       */
+      certs[k] = PK11_FindCertFromNickname(certNames[k], NULL);
+      if (certs[k]) {
+        certBuffers[k] = certs[k]->derCert.data;
+        fileSizes[k] = certs[k]->derCert.len;
+      } else {
+        rv = -1;
       }
-      fileSizes[k] = GetFileSize(certFile, NULL);
-      certBuffers[k] = malloc(fileSizes[k]);
-      if (!ReadFile(certFile, certBuffers[k], fileSizes[k], &read, NULL) ||
-          fileSizes[k] != read) {
-        CloseHandle(certFile);
-        for (i = 0; i <= k; i++) {
-          free(certBuffers[i]);
-        }
-        return -1;
+#endif
+      if (rv) {
+        fprintf(stderr, "ERROR: could not read file %s", DERFilePaths[k]);
+        break;
       }
-      CloseHandle(certFile);
     }
 
-    rv = mar_verify_signatures(argv[2], certBuffers, fileSizes,
-                               NULL, certCount);
+    if (!rv) {
+      MarFile *mar = mar_open(argv[2]);
+      if (mar) {
+        rv = mar_verify_signatures(mar, certBuffers, fileSizes, certCount);
+        mar_close(mar);
+      } else {
+        fprintf(stderr, "ERROR: Could not open MAR file.\n");
+        rv = -1;
+      }
+    }
     for (k = 0; k < certCount; ++k) {
+#if (defined(XP_WIN) || defined(XP_MACOSX)) && !defined(MAR_NSS)
       free(certBuffers[k]);
+#else
+      /* certBuffers[k] is owned by certs[k] so don't free it */
+      CERT_DestroyCertificate(certs[k]);
+#endif
     }
     if (rv) {
       /* Determine if the source MAR file has the new fields for signing */
@@ -369,26 +394,8 @@ int main(int argc, char **argv) {
       }
       return -1;
     }
-
     return 0;
 
-#elif defined(XP_MACOSX)
-    return mar_verify_signatures(argv[2], (const uint8_t* const*)DERFilePaths,
-                                 0, NULL, certCount);
-#else
-    if (!NSSConfigDir || certCount == 0) {
-      print_usage();
-      return -1;
-    }
-
-    if (NSSInitCryptoContext(NSSConfigDir)) {
-      fprintf(stderr, "ERROR: Could not initialize crypto library.\n");
-      return -1;
-    }
-
-    return mar_verify_signatures(argv[2], NULL, 0, certNames, certCount);
-
-#endif /* defined(XP_WIN) && !defined(MAR_NSS) */
   case 's':
     if (!NSSConfigDir || certCount == 0 || argc < 4) {
       print_usage();
diff --git a/modules/libmar/verify/cryptox.c b/modules/libmar/verify/cryptox.c
index 48fbecd..af34210 100644
--- a/modules/libmar/verify/cryptox.c
+++ b/modules/libmar/verify/cryptox.c
@@ -16,29 +16,32 @@
 /** 
  * Loads the public key for the specified cert name from the NSS store.
  * 
- * @param certName The cert name to find.
+ * @param certData  The DER-encoded X509 certificate to extract the key from.
+ * @param certDataSize The size of certData.
  * @param publicKey Out parameter for the public key to use.
- * @param cert      Out parameter for the certificate to use.
  * @return CryptoX_Success on success, CryptoX_Error on error.
 */
 CryptoX_Result
-NSS_LoadPublicKey(const char *certNickname, 
-                  SECKEYPublicKey **publicKey, 
-                  CERTCertificate **cert)
+NSS_LoadPublicKey(const unsigned char *certData, unsigned int certDataSize,
+                  SECKEYPublicKey **publicKey)
 {
-  secuPWData pwdata = { PW_NONE, 0 };
-  if (!cert || !publicKey || !cert) {
+  CERTCertificate * cert;
+  SECItem certDataItem = { siBuffer, (unsigned char*) certData, certDataSize };
+
+  if (!certData || !publicKey) {
     return CryptoX_Error;
   }
 
+  cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDataItem, NULL,
+                                 PR_FALSE, PR_TRUE);
   /* Get the cert and embedded public key out of the database */
-  *cert = PK11_FindCertFromNickname(certNickname, &pwdata);
-  if (!*cert) {
+  if (!cert) {
     return CryptoX_Error;
   }
-  *publicKey = CERT_ExtractPublicKey(*cert);
+  *publicKey = CERT_ExtractPublicKey(cert);
+  CERT_DestroyCertificate(cert);
+
   if (!*publicKey) {
-    CERT_DestroyCertificate(*cert);
     return CryptoX_Error;
   }
   return CryptoX_Success;
@@ -150,12 +153,11 @@ CryptoX_Result
 CryptoAPI_LoadPublicKey(HCRYPTPROV provider, 
                         BYTE *certData,
                         DWORD sizeOfCertData,
-                        HCRYPTKEY *publicKey,
-                        HCERTSTORE *certStore)
+                        HCRYPTKEY *publicKey)
 {
   CRYPT_DATA_BLOB blob;
   CERT_CONTEXT *context;
-  if (!provider || !certData || !publicKey || !certStore) {
+  if (!provider || !certData || !publicKey) {
     return CryptoX_Error;
   }
 
@@ -165,7 +167,7 @@ CryptoAPI_LoadPublicKey(HCRYPTPROV provider,
                         CERT_QUERY_CONTENT_FLAG_CERT, 
                         CERT_QUERY_FORMAT_FLAG_BINARY, 
                         0, NULL, NULL, NULL, 
-                        certStore, NULL, (const void **)&context)) {
+                        NULL, NULL, (const void **)&context)) {
     return CryptoX_Error;
   }
 
diff --git a/modules/libmar/verify/cryptox.h b/modules/libmar/verify/cryptox.h
index 2dd93ef..ec8f5ac 100644
--- a/modules/libmar/verify/cryptox.h
+++ b/modules/libmar/verify/cryptox.h
@@ -15,7 +15,9 @@
 
 #if defined(MAR_NSS)
 
-#include "nss_secutil.h"
+#include "cert.h"
+#include "keyhi.h"
+#include "cryptohi.h"
 
 #define CryptoX_InvalidHandleValue NULL
 #define CryptoX_ProviderHandle void*
@@ -26,9 +28,9 @@
 #ifdef __cplusplus
 extern "C" {
 #endif
-CryptoX_Result NSS_LoadPublicKey(const char *certNickname,
-                                 SECKEYPublicKey **publicKey,
-                                 CERTCertificate **cert);
+CryptoX_Result NSS_LoadPublicKey(const unsigned char* certData,
+                                 unsigned int certDataSize,
+                                 SECKEYPublicKey** publicKey);
 CryptoX_Result NSS_VerifyBegin(VFYContext **ctx,
                                SECKEYPublicKey * const *publicKey);
 CryptoX_Result NSS_VerifySignature(VFYContext * const *ctx ,
@@ -46,9 +48,8 @@ CryptoX_Result NSS_VerifySignature(VFYContext * const *ctx ,
   VFY_DestroyContext(*SignatureHandle, PR_TRUE)
 #define CryptoX_VerifyUpdate(SignatureHandle, buf, len) \
   VFY_Update(*SignatureHandle, (const unsigned char*)(buf), len)
-#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, \
-                              publicKey, certName, cert) \
-  NSS_LoadPublicKey(certName, publicKey, cert)
+#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, publicKey) \
+  NSS_LoadPublicKey(certData, dataSize, publicKey)
 #define CryptoX_VerifySignature(hash, publicKey, signedData, len) \
   NSS_VerifySignature(hash, (const unsigned char *)(signedData), len)
 #define CryptoX_FreePublicKey(key) \
@@ -91,7 +92,7 @@ void CryptoMac_FreePublicKey(CryptoX_PublicKey* aPublicKey);
 #define CryptoX_VerifyUpdate(aInputData, aBuf, aLen) \
   CryptoMac_VerifyUpdate(aInputData, aBuf, aLen)
 #define CryptoX_LoadPublicKey(aProviderHandle, aCertData, aDataSize, \
-                              aPublicKey, aCertName, aCert) \
+                              aPublicKey) \
   CryptoMac_LoadPublicKey(aCertData, aPublicKey)
 #define CryptoX_VerifySignature(aInputData, aPublicKey, aSignature, \
                                 aSignatureLen) \
@@ -111,8 +112,7 @@ CryptoX_Result CryptoAPI_InitCryptoContext(HCRYPTPROV *provider);
 CryptoX_Result CryptoAPI_LoadPublicKey(HCRYPTPROV hProv, 
                                        BYTE *certData,
                                        DWORD sizeOfCertData,
-                                       HCRYPTKEY *publicKey,
-                                       HCERTSTORE *cert);
+                                       HCRYPTKEY *publicKey);
 CryptoX_Result CryptoAPI_VerifyBegin(HCRYPTPROV provider, HCRYPTHASH* hash);
 CryptoX_Result CryptoAPI_VerifyUpdate(HCRYPTHASH* hash, 
                                       BYTE *buf, DWORD len);
@@ -133,10 +133,8 @@ CryptoX_Result CyprtoAPI_VerifySignature(HCRYPTHASH *hash,
 #define CryptoX_FreeSignatureHandle(SignatureHandle)
 #define CryptoX_VerifyUpdate(SignatureHandle, buf, len) \
   CryptoAPI_VerifyUpdate(SignatureHandle, (BYTE *)(buf), len)
-#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, \
-                              publicKey, certName, cert) \
-  CryptoAPI_LoadPublicKey(CryptoHandle, (BYTE*)(certData), \
-                          dataSize, publicKey, cert)
+#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, publicKey) \
+  CryptoAPI_LoadPublicKey(CryptoHandle, (BYTE*)(certData), dataSize, publicKey)
 #define CryptoX_VerifySignature(hash, publicKey, signedData, len) \
   CyprtoAPI_VerifySignature(hash, publicKey, signedData, len)
 #define CryptoX_FreePublicKey(key) \
@@ -163,8 +161,7 @@ CryptoX_Result CyprtoAPI_VerifySignature(HCRYPTHASH *hash,
   CryptoX_Error
 #define CryptoX_FreeSignatureHandle(SignatureHandle)
 #define CryptoX_VerifyUpdate(SignatureHandle, buf, len) CryptoX_Error
-#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, \
-                              publicKey, certName, cert) \
+#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, publicKey) \
   CryptoX_Error
 #define CryptoX_VerifySignature(hash, publicKey, signedData, len) CryptoX_Error
 #define CryptoX_FreePublicKey(key) CryptoX_Error
diff --git a/modules/libmar/verify/mar_verify.c b/modules/libmar/verify/mar_verify.c
index 7578b62..165a802 100644
--- a/modules/libmar/verify/mar_verify.c
+++ b/modules/libmar/verify/mar_verify.c
@@ -17,6 +17,46 @@
 #include "mar.h"
 #include "cryptox.h"
 
+int
+mar_read_entire_file(const char * filePath, uint32_t maxSize,
+                     /*out*/ const uint8_t * *data,
+                     /*out*/ uint32_t *size)
+{
+  int result;
+  FILE * f;
+
+  if (!filePath || !data || !size) {
+    return -1;
+  }
+
+  f = fopen(filePath, "rb");
+  if (!f) {
+    return -1;
+  }
+
+  result = -1;
+  if (!fseeko(f, 0, SEEK_END)) {
+    int64_t fileSize = ftello(f);
+    if (fileSize > 0 && fileSize <= maxSize && !fseeko(f, 0, SEEK_SET)) {
+      unsigned char * fileData;
+
+      *size = (unsigned int) fileSize;
+      fileData = malloc(*size);
+      if (fileData) {
+        if (fread(fileData, *size, 1, f) == 1) {
+          *data = fileData;
+          result = 0;
+        } else {
+          free(fileData);
+        }
+      }
+    }
+    fclose(f);
+  }
+
+  return result;
+}
+
 int mar_extract_and_verify_signatures_fp(FILE *fp,
                                          CryptoX_ProviderHandle provider,
                                          CryptoX_PublicKey *keys,
@@ -81,92 +121,8 @@ ReadAndUpdateVerifyContext(FILE *fp,
  * certificate given, the second signature will be verified using the second
  * certificate given, etc. The signature count must exactly match the number of
  * certificates given, and all signature verifications must succeed.
- * This is only used by the signmar program when used with arguments to verify 
- * a MAR. This should not be used to verify a MAR that will be extracted in the 
- * same operation by updater code. This function prints the error message if 
- * verification fails.
  * 
- * @param pathToMARFile The path of the MAR file to verify.
- * @param certData      Pointer to the first element in an array of certificate
- *                      file data.
- * @param certDataSizes Pointer to the first element in an array for size of the
- *                      cert data.
- * @param certNames     Pointer to the first element in an array of certificate names.
- *                      Used only if compiled as NSS, specifies the certificate names
- * @param certCount     The number of elements in certData, certDataSizes, and certNames
- * @return 0 on success
- *         a negative number if there was an error
- *         a positive number if the signature does not verify
- */
-int
-mar_verify_signatures(const char *pathToMARFile,
-                      const uint8_t * const *certData,
-                      const uint32_t *certDataSizes,
-                      const char * const *certNames,
-                      uint32_t certCount) {
-  int rv;
-  CryptoX_ProviderHandle provider = CryptoX_InvalidHandleValue;
-  CryptoX_Certificate certs[MAX_SIGNATURES];
-  CryptoX_PublicKey keys[MAX_SIGNATURES];
-  FILE *fp;
-  uint32_t k;
-  
-  memset(certs, 0, sizeof(certs));
-  memset(keys, 0, sizeof(keys));
-
-  if (!pathToMARFile || certCount == 0) {
-    fprintf(stderr, "ERROR: Invalid parameter specified.\n");
-    return CryptoX_Error;
-  }
-
-  fp = fopen(pathToMARFile, "rb");
-  if (!fp) {
-    fprintf(stderr, "ERROR: Could not open MAR file.\n");
-    return CryptoX_Error;
-  }
-
-  if (CryptoX_Failed(CryptoX_InitCryptoProvider(&provider))) {
-    fclose(fp);
-    fprintf(stderr, "ERROR: Could not init crytpo library.\n");
-    return CryptoX_Error;
-  }
-
-  /* Load the certs and keys */
-  for (k = 0; k < certCount; k++) {
-    if (CryptoX_Failed(CryptoX_LoadPublicKey(provider, certData[k], certDataSizes[k],
-                                             &keys[k], certNames[k], &certs[k]))) {
-      fclose(fp);
-      fprintf(stderr, "ERROR: Could not load public key.\n");
-      return CryptoX_Error;
-    }
-  }
-
-  rv = mar_extract_and_verify_signatures_fp(fp, provider, keys, certCount);
-  fclose(fp);
-
-  /* Cleanup the allocated keys and certs */
-  for (k = 0; k < certCount; k++) {
-    if (keys[k]) {
-      CryptoX_FreePublicKey(&keys[k]);
-    }
-
-    if (certs[k]) {
-      CryptoX_FreeCertificate(&certs[k]);
-    }
-  }
-  return rv;
-}
-
-#ifdef XP_WIN
-/**
- * Verifies a MAR file by verifying each signature with the corresponding
- * certificate. That is, the first signature will be verified using the first
- * certificate given, the second signature will be verified using the second
- * certificate given, etc. The signature count must exactly match the number of
- * certificates given, and all signature verifications must succeed.
- * 
- * @param  pathToMARFile  The path of the MAR file who's signature
- *                        should be calculated
+ * @param  mar            The file who's signature should be calculated
  * @param  certData       Pointer to the first element in an array of
  *                        certificate data
  * @param  certDataSizes  Pointer to the first element in an array for size of
@@ -175,17 +131,15 @@ mar_verify_signatures(const char *pathToMARFile,
  * @return 0 on success
 */
 int
-mar_verify_signaturesW(MarFile *mar,
-                       const uint8_t * const *certData,
-                       const uint32_t *certDataSizes,
-                       uint32_t certCount) {
+mar_verify_signatures(MarFile *mar,
+                      const uint8_t * const *certData,
+                      const uint32_t *certDataSizes,
+                      uint32_t certCount) {
   int rv = -1;
   CryptoX_ProviderHandle provider = CryptoX_InvalidHandleValue;
-  CryptoX_Certificate certs[MAX_SIGNATURES];
   CryptoX_PublicKey keys[MAX_SIGNATURES];
   uint32_t k;
   
-  memset(certs, 0, sizeof(certs));
   memset(keys, 0, sizeof(keys));
 
   if (!mar || !certData || !certDataSizes || certCount == 0) {
@@ -205,7 +159,7 @@ mar_verify_signaturesW(MarFile *mar,
 
   for (k = 0; k < certCount; ++k) {
     if (CryptoX_Failed(CryptoX_LoadPublicKey(provider, certData[k], certDataSizes[k],
-                                             &keys[k], "", &certs[k]))) {
+                                             &keys[k]))) {
       fprintf(stderr, "ERROR: Could not load public key.\n");
       goto failure;
     }
@@ -219,15 +173,10 @@ failure:
     if (keys[k]) {
       CryptoX_FreePublicKey(&keys[k]);
     }
-
-    if (certs[k]) {
-      CryptoX_FreeCertificate(&certs[k]);
-    }
   }
 
   return rv;
 }
-#endif
 
 /**
  * Extracts each signature from the specified MAR file,
diff --git a/toolkit/mozapps/update/updater/Makefile.in b/toolkit/mozapps/update/updater/Makefile.in
index bd6716b..52cdbeb 100644
--- a/toolkit/mozapps/update/updater/Makefile.in
+++ b/toolkit/mozapps/update/updater/Makefile.in
@@ -18,9 +18,14 @@ LIBS += \
   $(MOZ_BZ2_LIBS) \
   $(NULL)
 
-ifeq ($(OS_ARCH),WINNT)
+LIBS += $(call EXPAND_LIBNAME_PATH,signmar,$(DEPTH)/modules/libmar/sign)
 LIBS += $(call EXPAND_LIBNAME_PATH,verifymar,$(DEPTH)/modules/libmar/verify)
+ifeq ($(OS_ARCH),WINNT)
 OS_LIBS += $(call EXPAND_LIBNAME,comctl32 ws2_32 shell32 shlwapi)
+else
+LIBS += $(DIST)/lib/$(LIB_PREFIX)nss3.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
+	$(NSPR_LIBS)
 endif
 
 ifdef MOZ_WIDGET_GTK
@@ -51,14 +56,13 @@ else ifneq (,$(filter nightly aurora nightly-elm nightly-profiling nightly-oak n
 	PRIMARY_CERT = nightly_aurora_level3_primary.der
 	SECONDARY_CERT = nightly_aurora_level3_secondary.der
 else
-	PRIMARY_CERT = dep1.der
-	SECONDARY_CERT = dep2.der
+	PRIMARY_CERT = xpcshellCertificate.der
+	SECONDARY_CERT = xpcshellCertificate.der
 endif
 
 export::
 	$(PYTHON) $(srcdir)/gen_cert_header.py primaryCertData $(srcdir)/$(PRIMARY_CERT) > primaryCert.h
 	$(PYTHON) $(srcdir)/gen_cert_header.py secondaryCertData $(srcdir)/$(SECONDARY_CERT) > secondaryCert.h
-	$(PYTHON) $(srcdir)/gen_cert_header.py xpcshellCertData $(srcdir)/xpcshellCertificate.der > xpcshellCert.h
 
 ifdef MOZ_WIDGET_GTK
 libs:: updater.png
diff --git a/toolkit/mozapps/update/updater/archivereader.cpp b/toolkit/mozapps/update/updater/archivereader.cpp
index f0e6ea3..aa9ccc4 100644
--- a/toolkit/mozapps/update/updater/archivereader.cpp
+++ b/toolkit/mozapps/update/updater/archivereader.cpp
@@ -15,13 +15,10 @@
 #include "updatehelper.h"
 #endif
 
-#ifdef XP_WIN
 // These are generated at compile time based on the DER file for the channel
 // being used
 #include "primaryCert.h"
 #include "secondaryCert.h"
-#include "xpcshellCert.h"
-#endif
 
 #define UPDATER_NO_STRING_GLUE_STL
 #include "nsVersionComparator.cpp"
@@ -38,9 +35,6 @@ static int outbuf_size = 262144;
 static char *inbuf  = nullptr;
 static char *outbuf = nullptr;
 
-#ifdef XP_WIN
-#include "resource.h"
-
 /**
  * Performs a verification on the opened MAR file with the passed in
  * certificate name ID and type ID.
@@ -54,15 +48,13 @@ int
 VerifyLoadedCert(MarFile *archive, const uint8_t (&certData)[SIZE])
 {
   const uint32_t size = SIZE;
-  const uint8_t * const data = &certData[0];
-  if (mar_verify_signaturesW(archive, &data, &size, 1)) {
+  const uint8_t* const data = &certData[0];
+  if (mar_verify_signatures(archive, &data, &size, 1)) {
     return CERT_VERIFY_ERROR;
   }
 
   return OK;
 }
-#endif
-
 
 /**
  * Performs a verification on the opened MAR file.  Both the primary and backup 
@@ -79,22 +71,11 @@ ArchiveReader::VerifySignature()
     return ARCHIVE_NOT_OPEN;
   }
 
-#ifdef XP_WIN
-  // If the fallback key exists we're running an XPCShell test and we should
-  // use the XPCShell specific cert for the signed MAR.
-  int rv;
-  if (DoesFallbackKeyExist()) {
-    rv = VerifyLoadedCert(mArchive, xpcshellCertData);
-  } else {
-    rv = VerifyLoadedCert(mArchive, primaryCertData);
-    if (rv != OK) {
-      rv = VerifyLoadedCert(mArchive, secondaryCertData);
-    }
+  int rv = VerifyLoadedCert(mArchive, primaryCertData);
+  if (rv != OK) {
+    rv = VerifyLoadedCert(mArchive, secondaryCertData);
   }
   return rv;
-#else
-  return OK;
-#endif
 }
 
 /**
diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp
index 4cf24db..3a3968e 100644
--- a/toolkit/mozapps/update/updater/updater.cpp
+++ b/toolkit/mozapps/update/updater/updater.cpp
@@ -108,6 +108,11 @@ static bool sUseHardLinks = true;
 # define MAYBE_USE_HARD_LINKS 0
 #endif
 
+#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN)
+#include "nss.h"
+#include "prerror.h"
+#endif
+
 #ifdef XP_WIN
 #include "updatehelper.h"
 
@@ -2520,6 +2525,20 @@ int NS_main(int argc, NS_tchar **argv)
     _exit(1);
   }
 #endif
+
+#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN)
+  // On Windows we rely on CyrptoAPI to do verifications so we don't need to
+  // initialize NSS at all there.
+  // Otherwise, minimize the amount of NSS we depend on by avoiding all the NSS
+  // databases.
+  if (NSS_NoDB_Init(NULL) != SECSuccess) {
+   PRErrorCode error = PR_GetError();
+   fprintf(stderr, "Could not initialize NSS: %s (%d)",
+           PR_ErrorToName(error), (int) error);
+    _exit(1);
+  }
+#endif
+
   InitProgressUI(&argc, &argv);
 
   // To process an update the updater command line must at a minimum have the





More information about the tbb-commits mailing list