bool Sekrit::IsKeyValid() const
{
if(!m_impl->keyHasBeenSet)
return false;
Plaintext plaintext = DoDecrypt();
bool IsValid = VerifyHash(plaintext, m_impl->header.iv);
return IsValid;
}
/* static */ nsresult
SRICheck::VerifyIntegrity(const SRIMetadata& aMetadata,
nsIURI* aRequestURI,
const CORSMode aCORSMode,
uint32_t aStringLen,
const uint8_t* aString,
const nsIDocument* aDocument)
{
if (MOZ_LOG_TEST(GetSriLog(), mozilla::LogLevel::Debug)) {
nsAutoCString requestURL;
aRequestURI->GetAsciiSpec(requestURL);
// requestURL will be empty if GetAsciiSpec fails
SRILOG(("SRICheck::VerifyIntegrity, url=%s (length=%u)",
requestURL.get(), aStringLen));
}
MOZ_ASSERT(!aMetadata.IsEmpty()); // should be checked by caller
// IntegrityMetadata() checks this and returns "no metadata" if
// it's disabled so we should never make it this far
MOZ_ASSERT(Preferences::GetBool("security.sri.enable", false));
if (NS_FAILED(IsEligible(aRequestURI, aCORSMode, aDocument))) {
return NS_OK; // ignore non-CORS resources for forward-compatibility
}
if (!aMetadata.IsValid()) {
nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
NS_LITERAL_CSTRING("Sub-resource Integrity"),
aDocument,
nsContentUtils::eSECURITY_PROPERTIES,
"NoValidMetadata");
return NS_OK; // ignore invalid metadata for forward-compatibility
}
for (uint32_t i = 0; i < aMetadata.HashCount(); i++) {
if (NS_SUCCEEDED(VerifyHash(aMetadata, i, aStringLen,
aString, aDocument))) {
return NS_OK; // stop at the first valid hash
}
}
nsAutoCString alg;
aMetadata.GetAlgorithm(&alg);
NS_ConvertUTF8toUTF16 algUTF16(alg);
const char16_t* params[] = { algUTF16.get() };
nsContentUtils::ReportToConsole(nsIScriptError::errorFlag,
NS_LITERAL_CSTRING("Sub-resource Integrity"),
aDocument,
nsContentUtils::eSECURITY_PROPERTIES,
"IntegrityMismatch",
params, ArrayLength(params));
return NS_ERROR_SRI_CORRUPT;
}
nsresult
SRICheckDataVerifier::Verify(const SRIMetadata& aMetadata,
nsIChannel* aChannel,
const nsACString& aSourceFileURI,
nsIConsoleReportCollector* aReporter)
{
NS_ENSURE_ARG_POINTER(aReporter);
if (MOZ_LOG_TEST(SRILogHelper::GetSriLog(), mozilla::LogLevel::Debug)) {
nsAutoCString requestURL;
nsCOMPtr<nsIRequest> request = aChannel;
request->GetName(requestURL);
SRILOG(("SRICheckDataVerifier::Verify, url=%s (length=%zu)",
requestURL.get(), mBytesHashed));
}
nsresult rv = Finish();
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();
NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE);
LoadTainting tainting = loadInfo->GetTainting();
if (NS_FAILED(IsEligible(aChannel, tainting, aSourceFileURI, aReporter))) {
return NS_ERROR_SRI_NOT_ELIGIBLE;
}
if (mInvalidMetadata) {
return NS_OK; // ignore invalid metadata for forward-compatibility
}
for (uint32_t i = 0; i < aMetadata.HashCount(); i++) {
if (NS_SUCCEEDED(VerifyHash(aMetadata, i, aSourceFileURI, aReporter))) {
return NS_OK; // stop at the first valid hash
}
}
nsAutoCString alg;
aMetadata.GetAlgorithm(&alg);
NS_ConvertUTF8toUTF16 algUTF16(alg);
nsTArray<nsString> params;
params.AppendElement(algUTF16);
aReporter->AddConsoleReport(nsIScriptError::errorFlag,
NS_LITERAL_CSTRING("Sub-resource Integrity"),
nsContentUtils::eSECURITY_PROPERTIES,
aSourceFileURI, 0, 0,
NS_LITERAL_CSTRING("IntegrityMismatch"),
const_cast<const nsTArray<nsString>&>(params));
return NS_ERROR_SRI_CORRUPT;
}
nsresult
SRICheckDataVerifier::Verify(const SRIMetadata& aMetadata,
nsIChannel* aChannel,
const CORSMode aCORSMode,
const nsIDocument* aDocument)
{
NS_ENSURE_ARG_POINTER(aDocument);
if (MOZ_LOG_TEST(SRILogHelper::GetSriLog(), mozilla::LogLevel::Debug)) {
nsAutoCString requestURL;
nsCOMPtr<nsIRequest> request;
request = do_QueryInterface(aChannel);
request->GetName(requestURL);
SRILOG(("SRICheckDataVerifier::Verify, url=%s (length=%lu)",
requestURL.get(), mBytesHashed));
}
nsresult rv = Finish();
NS_ENSURE_SUCCESS(rv, rv);
if (NS_FAILED(IsEligible(aChannel, aCORSMode, aDocument))) {
return NS_ERROR_SRI_NOT_ELIGIBLE;
}
if (mInvalidMetadata) {
return NS_OK; // ignore invalid metadata for forward-compatibility
}
for (uint32_t i = 0; i < aMetadata.HashCount(); i++) {
if (NS_SUCCEEDED(VerifyHash(aMetadata, i, aDocument))) {
return NS_OK; // stop at the first valid hash
}
}
nsAutoCString alg;
aMetadata.GetAlgorithm(&alg);
NS_ConvertUTF8toUTF16 algUTF16(alg);
const char16_t* params[] = { algUTF16.get() };
nsContentUtils::ReportToConsole(nsIScriptError::errorFlag,
NS_LITERAL_CSTRING("Sub-resource Integrity"),
aDocument,
nsContentUtils::eSECURITY_PROPERTIES,
"IntegrityMismatch",
params, ArrayLength(params));
return NS_ERROR_SRI_CORRUPT;
}
nsresult nsXPInstallManager::InstallItems()
{
nsresult rv;
nsCOMPtr<nsIZipReader> hZip = do_CreateInstance(kZipReaderCID, &rv);
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIExtensionManager> em = do_GetService("@mozilla.org/extensions/manager;1", &rv);
NS_ENSURE_SUCCESS(rv, rv);
// can't cancel from here on cause we can't undo installs in a multitrigger
for (PRUint32 i = 0; i < mTriggers->Size(); ++i)
{
mItem = (nsXPITriggerItem*)mTriggers->Get(i);
if ( !mItem || !mItem->mFile )
{
// notification for these errors already handled
continue;
}
// If there was hash info in the trigger, but
// there wasn't a hash object created, then the
// algorithm used isn't known.
if (mItem->mHashFound && !mItem->mHasher)
{
// report failure
mTriggers->SendStatus( mItem->mURL.get(), nsInstall::INVALID_HASH_TYPE );
if (mDlg)
mDlg->OnStateChange( i, nsIXPIProgressDialog::INSTALL_DONE,
nsInstall::INVALID_HASH_TYPE );
continue;
}
// Don't install if we can't verify the hash (if specified)
if (mItem->mHasher && !VerifyHash(mItem))
{
// report failure
mTriggers->SendStatus( mItem->mURL.get(), nsInstall::INVALID_HASH );
if (mDlg)
mDlg->OnStateChange( i, nsIXPIProgressDialog::INSTALL_DONE,
nsInstall::INVALID_HASH );
continue;
}
if (mDlg)
mDlg->OnStateChange( i, nsIXPIProgressDialog::INSTALL_START, 0 );
PRInt32 finalStatus = OpenAndValidateArchive( hZip,
mItem->mFile,
mItem->mPrincipal);
hZip->Close();
if (finalStatus == nsInstall::SUCCESS)
{
rv = em->InstallItemFromFile( mItem->mFile,
NS_INSTALL_LOCATION_APPPROFILE);
if (NS_FAILED(rv))
finalStatus = nsInstall::EXECUTION_ERROR;
}
mTriggers->SendStatus( mItem->mURL.get(), finalStatus );
if (mDlg)
mDlg->OnStateChange( i, nsIXPIProgressDialog::INSTALL_DONE,
finalStatus );
}
return NS_OK;
}
