| blob | c11e5506cd1573891e8f2fa193b28efae193b849 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
42 #ifdef PR_LOGGING
44 #endif
48 // Reads a maximum of 1MB from a stream into the supplied buffer.
49 // The reason for the 1MB limit is because this function is used to read
50 // signature-related files and we want to avoid OOM. The uncompressed length of
51 // an entry can be hundreds of times larger than the compressed version,
52 // especially if someone has specifically crafted the entry to cause OOM or to
53 // consume massive amounts of disk space.
54 //
55 // @param stream The input stream to read from.
56 // @param buf The buffer that we read the stream into, which must have
57 // already been allocated.
58 nsresult
60 {
61 // The size returned by Available() might be inaccurate so we need
62 // to check that Available() matches up with the actual length of
63 // the file.
68 }
70 // Cap the maximum accepted size of signature-related files at 1MB (which is
71 // still crazily huge) to avoid OOM. The uncompressed length of an entry can be
72 // hundreds of times larger than the compressed version, especially if
73 // someone has speifically crafted the entry to cause OOM or to consume
74 // massive amounts of disk space.
78 }
80 // With bug 164695 in mind we +1 to leave room for null-terminating
81 // the buffer.
84 // buf.len == length + 1. We attempt to read length + 1 bytes
85 // instead of length, so that we can check whether the metadata for
86 // the entry is incorrect.
91 }
94 }
99 }
101 // Finds exactly one (signature metadata) entry that matches the given
102 // search pattern, and then load it. Fails if there are no matches or if
103 // there is more than one match. If bugDigest is not null then on success
104 // bufDigest will contain the SHA-1 digeset of the entry.
105 nsresult
111 {
116 }
123 }
128 // Check if there is more than one match, if so then error!
133 }
142 }
147 }
150 }
152 // Verify the digest of an entry. We avoid loading the entire entry into memory
153 // at once, which would require memory in proportion to the size of the largest
154 // entry. Instead, we require only a small, fixed amount of memory.
155 //
156 // @param digestFromManifest The digest that we're supposed to check the file's
157 // contents against, from the manifest
158 // @param buf A scratch buffer that we use for doing the I/O, which must have
159 // already been allocated. The size of this buffer is the unit
160 // size of our I/O.
161 nsresult
164 {
169 nsresult rv;
175 }
182 }
187 }
200 }
205 }
209 }
212 // The metadata we used for Available() doesn't match the actual size of
213 // the entry.
215 }
217 // Verify that the digests match.
218 Digest digest;
224 }
227 }
229 // On input, nextLineStart is the start of the current line. On output,
230 // nextLineStart is the start of the next line.
231 nsresult
234 {
243 }
249 // The spec says "No line may be longer than 72 bytes (not characters)"
250 // in its UTF8-encoded form.
254 }
256 // The spec says: "Implementations should support 65535-byte
257 // (not character) header values..."
260 }
264 }
267 }
272 // not a continuation
274 }
276 // continuation
279 }
282 }
283 }
285 // The header strings are defined in the JAR specification.
292 nsresult
296 {
297 // Find the colon that separates the name from the value.
301 }
303 // set attrName to the name, skipping spaces between the name and colon
308 }
312 }
315 // Set attrValue to the value, skipping spaces between the colon and the
316 // value. The value may be empty.
321 }
325 }
327 // Parses the version line of the MF or SF header.
328 nsresult
331 {
332 // The JAR spec says: "Manifest-Version and Signature-Version must be first,
333 // and in exactly that case (so that they can be recognized easily as magic
334 // strings)."
335 nsAutoCString curLine;
339 }
342 }
344 }
346 // Parses a signature file (SF) as defined in the JDK 8 JAR Specification.
347 //
348 // The SF file *must* contain exactly one SHA1-Digest-Manifest attribute in
349 // the main section. All other sections are ignored. This means that this will
350 // NOT parse old-style signature files that have separate digests per entry.
351 // The JDK8 x-Digest-Manifest variant is better because:
352 //
353 // (1) It allows us to follow the principle that we should minimize the
354 // processing of data that we do before we verify its signature. In
355 // particular, with the x-Digest-Manifest style, we can verify the digest
356 // of MANIFEST.MF before we parse it, which prevents malicious JARs
357 // exploiting our MANIFEST.MF parser.
358 // (2) It is more time-efficient and space-efficient to have one
359 // x-Digest-Manifest instead of multiple x-Digest values.
360 //
361 // In order to get benefit (1), we do NOT implement the fallback to the older
362 // mechanism as the spec requires/suggests. Also, for simplity's sake, we only
363 // support exactly one SHA1-Digest-Manifest attribute, and no other
364 // algorithms.
365 //
366 // filebuf must be null-terminated. On output, mfDigest will contain the
367 // decoded value of SHA1-Digest-Manifest.
368 nsresult
370 {
371 nsresult rv;
378 // Find SHA1-Digest-Manifest
380 nsAutoCString curLine;
384 }
387 // End of main section (blank line or end-of-file), and no
388 // SHA1-Digest-Manifest found.
390 }
392 nsAutoCString attrName;
393 nsAutoCString attrValue;
397 }
403 }
405 // There could be multiple SHA1-Digest-Manifest attributes, which
406 // would be an error, but it's better to just skip any erroneous
407 // duplicate entries rather than trying to detect them, because:
408 //
409 // (1) It's simpler, and simpler generally means more secure
410 // (2) An attacker can't make us accept a JAR we would otherwise
411 // reject just by adding additional SHA1-Digest-Manifest
412 // attributes.
414 }
416 // ignore unrecognized attributes
417 }
420 }
422 // Parses MANIFEST.MF. The filenames of all entries will be returned in
423 // mfItems. buf must be a pre-allocated scratch buffer that is used for doing
424 // I/O.
425 nsresult
429 {
430 nsresult rv;
437 }
439 // Skip the rest of the header section, which ends with a blank line.
440 {
441 nsAutoCString line;
446 }
449 // Manifest containing no file entries is OK, though useless.
452 }
453 }
455 nsAutoCString curItemName;
456 ScopedAutoSECItem digest;
459 nsAutoCString curLine;
464 // end of section (blank line or end-of-file)
467 // '...Each section must start with an attribute with the name as
468 // "Name",...', so every section must have a Name attribute.
470 }
473 // We require every entry to have a digest, since we require every
474 // entry to be signed and we don't allow duplicate entries.
476 }
479 // Duplicate entry
481 }
483 // Verify that the entry's content digest matches the digest from this
484 // MF section.
494 // reset so we know we haven't encountered either of these for the next
495 // item yet.
500 }
502 nsAutoCString attrName;
503 nsAutoCString attrValue;
507 }
509 // Lines to look for:
511 // (1) Digest:
513 {
522 }
524 // (2) Name: associates this manifest section with a file in the jar.
526 {
536 }
538 // (3) Magic: the only other must-understand attribute
540 // We don't understand any magic, so we can't verify an entry that
541 // requires magic. Since we require every entry to have a valid
542 // signature, we have no choice but to reject the entry.
544 }
546 // unrecognized attributes must be ignored
547 }
550 }
553 AppTrustedRoot trustedRoot;
555 };
557 nsresult
559 {
560 // TODO: null pinArg is tolerated.
563 }
570 }
571 Input certDER;
575 }
585 }
588 }
590 nsresult
594 {
596 // XXX: missing pinArg
598 VerifyCertificate,
600 }
602 NS_IMETHODIMP
606 {
611 }
615 }
617 nsresult rv;
626 // Signature (RSA) file
627 nsAutoCString sigFilename;
628 ScopedAutoSECItem sigBuffer;
633 }
635 // Signature (SF) file
636 nsAutoCString sfFilename;
637 ScopedAutoSECItem sfBuffer;
638 Digest sfCalculatedDigest;
643 }
646 ScopedCERTCertList builtChain;
648 builtChain);
651 }
653 ScopedAutoSECItem mfDigest;
657 }
659 // Manifest (MF) file
660 nsAutoCString mfFilename;
661 ScopedAutoSECItem manifestBuffer;
662 Digest mfCalculatedDigest;
667 }
671 }
673 // Allocate the I/O buffer only once per JAR, instead of once per entry, in
674 // order to minimize malloc/free calls and in order to avoid fragmenting
675 // memory.
683 }
685 // Verify every entry in the file.
690 }
693 }
702 }
704 nsAutoCString entryFilename;
711 // The files that comprise the signature mechanism are not covered by the
712 // signature.
713 //
714 // XXX: This is OK for a single signature, but doesn't work for
715 // multiple signatures, because the metadata for the other signatures
716 // is not signed either.
721 }
725 }
727 // Entries with names that end in "/" are directory entries, which are not
728 // signed.
729 //
730 // XXX: As long as we don't unpack the JAR into the filesystem, the "/"
731 // entries are harmless. But, it is not clear what the security
732 // implications of directory entries are if/when we were to unpackage the
733 // JAR into the filesystem.
736 }
741 }
743 // Remove the item so we can check for leftover items later
745 }
747 // We verified that every entry that we require to be signed is signed. But,
748 // were there any missing entries--that is, entries that are mentioned in the
749 // manifest but missing from the archive?
752 }
754 // Return the reader to the caller if they want it
757 }
759 // Return the signer's certificate to the reader if they want it.
760 // XXX: We should return an nsIX509CertList with the whole validated chain.
767 }
770 }
772 nsresult
777 {
783 }
785 // Load signature file in buffer
786 ScopedAutoSECItem signatureBuffer;
790 }
793 // Load manifest file in buffer
794 ScopedAutoSECItem manifestBuffer;
798 }
800 // Calculate SHA1 digest of the manifest buffer
801 Digest manifestCalculatedDigest;
807 }
809 // Get base64 encoded string from manifest buffer digest
814 }
816 // Calculate SHA1 digest of the base64 encoded string
817 Digest doubleDigest;
823 }
825 // Verify the manifest signature (signed digest of the base64 encoded string)
826 ScopedCERTCertList builtChain;
831 }
833 // Return the signer's certificate to the reader if they want it.
840 }
843 }
846 }
849 {
856 {
857 }
861 {
865 }
867 // nsNSSCertificate implements nsNSSShutdownObject, so there's nothing that
868 // needs to be released
872 {
874 }
881 };
884 {
895 {
896 }
900 {
903 }
905 // nsNSSCertificate implements nsNSSShutdownObject, so there's nothing that
906 // needs to be released
910 {
912 }
919 };
923 NS_IMETHODIMP
927 {
931 aJarFile,
932 aCallback));
934 }
936 NS_IMETHODIMP
940 {
949 }