| blob | f3cb49771d1cdfd6e285b003677068866cb46a99 |
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
3 * You can obtain one at http://mozilla.org/MPL/2.0/. */
5 "use strict";
7 const { Preferences } = ChromeUtils.import(
8 "resource://gre/modules/Preferences.jsm"
9 );
10 const { XPCOMUtils } = ChromeUtils.import(
11 "resource://gre/modules/XPCOMUtils.jsm"
12 );
14 this.EXPORTED_SYMBOLS = [
15 "CertificateOverrideManager",
16 "InsecureSweepingOverride",
17 ];
19 const registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
20 const sss = Cc["@mozilla.org/ssservice;1"].getService(
21 Ci.nsISiteSecurityService
22 );
24 const CERT_PINNING_ENFORCEMENT_PREF = "security.cert_pinning.enforcement_level";
25 const CID = Components.ID("{4b67cce0-a51c-11e6-9598-0800200c9a66}");
26 const CONTRACT_ID = "@mozilla.org/security/certoverride;1";
27 const DESC = "All-encompassing cert service that matches on a bitflag";
28 const HSTS_PRELOAD_LIST_PREF = "network.stricttransportsecurity.preloadlist";
30 const Error = {
31 Untrusted: 1,
32 Mismatch: 2,
33 Time: 4,
34 };
36 let currentOverride = null;
38 /** TLS certificate service override management for Marionette. */
39 class CertificateOverrideManager {
40 /**
41 * Installs a TLS certificate service override.
42 *
43 * The provided `service` must implement the `register` and `unregister`
44 * functions that causes a new `nsICertOverrideService` interface
45 * implementation to be registered with the `nsIComponentRegistrar`.
46 *
47 * After `service` is registered, `nsICertOverrideService` is
48 * reinitialised to cause all Gecko components to pick up the
49 * new service.
50 *
51 * If an override is already installed this functions acts as a no-op.
52 *
53 * @param {cert.Override} service
54 * Service generator that registers and unregisters the XPCOM service.
55 *
56 * @throws {Components.Exception}
57 * If unable to register or initialise `service`.
58 */
59 static install(service) {
60 if (currentOverride) {
61 return;
62 }
64 service.register();
65 currentOverride = service;
66 }
68 /**
69 * Uninstall a TLS certificate service override.
70 *
71 * If there is no current override installed this function acts
72 * as a no-op.
73 */
74 static uninstall() {
75 if (!currentOverride) {
76 return;
77 }
78 currentOverride.unregister();
79 currentOverride = null;
80 }
81 }
82 this.CertificateOverrideManager = CertificateOverrideManager;
84 /**
85 * Certificate override service that acts in an all-inclusive manner
86 * on TLS certificates.
87 *
88 * @throws {Components.Exception}
89 * If there are any problems registering the service.
90 */
91 function InsecureSweepingOverride() {
92 // This needs to be an old-style class with a function constructor
93 // and prototype assignment because... XPCOM. Any attempt at
94 // modernisation will be met with cryptic error messages which will
95 // make your life miserable.
96 let service = function() {};
97 service.prototype = {
98 hasMatchingOverride(aHostName, aPort, aCert, aOverrideBits, aIsTemporary) {
99 aIsTemporary.value = false;
100 aOverrideBits.value = Error.Untrusted | Error.Mismatch | Error.Time;
102 return true;
103 },
105 QueryInterface: ChromeUtils.generateQI([Ci.nsICertOverrideService]),
106 };
107 let factory = XPCOMUtils.generateSingletonFactory(service);
109 return {
110 register() {
111 // make it possible to register certificate overrides for domains
112 // that use HSTS or HPKP
113 Preferences.set(HSTS_PRELOAD_LIST_PREF, false);
114 Preferences.set(CERT_PINNING_ENFORCEMENT_PREF, 0);
116 registrar.registerFactory(CID, DESC, CONTRACT_ID, factory);
117 },
119 unregister() {
120 registrar.unregisterFactory(CID, factory);
122 Preferences.reset(HSTS_PRELOAD_LIST_PREF);
123 Preferences.reset(CERT_PINNING_ENFORCEMENT_PREF);
125 // clear collected HSTS and HPKP state
126 // through the site security service
127 sss.clearAll();
128 sss.clearPreloads();
129 },
130 };
131 }
132 this.InsecureSweepingOverride = InsecureSweepingOverride;