forked from mirrors/gecko-dev
658b880816
Before this patch, the content signature verifier (nsIContentSignatureVerifier/ContentSignatureVerifier) would identify the root it trusted based on the value of a preference. This patch changes the implementation to require a specified hard-coded root to trust as with add-on signature verification. Depends on D146644 Differential Revision: https://phabricator.services.mozilla.com/D146645
46 lines
1.5 KiB
Python
46 lines
1.5 KiB
Python
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
|
|
def _file_byte_generator(filename):
|
|
with open(filename, "rb") as f:
|
|
contents = f.read()
|
|
|
|
# Treat empty files the same as a file containing a lone 0;
|
|
# a single-element array will fail cert verifcation just as an
|
|
# empty array would.
|
|
if not contents:
|
|
return ["\0"]
|
|
|
|
return contents
|
|
|
|
|
|
def _create_header(array_name, cert_bytes):
|
|
hexified = ["0x%02x" % byte for byte in cert_bytes]
|
|
|
|
substs = {"array_name": array_name, "bytes": ", ".join(hexified)}
|
|
return "const uint8_t %(array_name)s[] = {\n%(bytes)s\n};\n" % substs
|
|
|
|
|
|
# Create functions named the same as the data arrays that we're going to
|
|
# write to the headers, so we don't have to duplicate the names like so:
|
|
#
|
|
# def arrayName(header, cert_filename):
|
|
# header.write(_create_header("arrayName", cert_filename))
|
|
array_names = [
|
|
"addonsPublicIntermediate",
|
|
"addonsPublicRoot",
|
|
"addonsStageRoot",
|
|
"contentSignatureDevRoot",
|
|
"contentSignatureLocalRoot",
|
|
"contentSignatureProdRoot",
|
|
"contentSignatureStageRoot",
|
|
"xpcshellRoot",
|
|
]
|
|
|
|
for n in array_names:
|
|
# Make sure the lambda captures the right string.
|
|
globals()[n] = lambda header, cert_filename, name=n: header.write(
|
|
_create_header(name, _file_byte_generator(cert_filename))
|
|
)
|