summaryrefslogtreecommitdiff
path: root/testing/marionette/cert.js
blob: c0b24d23bfd095a501130a7dc53182b42a24167c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

"use strict";

const {classes: Cc, interfaces: Ci, utils: Cu, results: Cr} = Components;

Cu.import("resource://gre/modules/Preferences.jsm");
Cu.import("resource://gre/modules/XPCOMUtils.jsm");

this.EXPORTED_SYMBOLS = ["cert"];

const registrar =
    Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
const sss = Cc["@mozilla.org/ssservice;1"]
    .getService(Ci.nsISiteSecurityService);

const CONTRACT_ID = "@mozilla.org/security/certoverride;1";
const CERT_PINNING_ENFORCEMENT_PREF =
    "security.cert_pinning.enforcement_level";
const HSTS_PRELOAD_LIST_PREF =
    "network.stricttransportsecurity.preloadlist";

/** TLS certificate service override management for Marionette. */
this.cert = {
  Error: {
    Untrusted: 1,
    Mismatch: 2,
    Time: 4,
  },

  currentOverride: null,
};

/**
 * Installs a TLS certificate service override.
 *
 * The provided |service| must implement the |register| and |unregister|
 * functions that causes a new |nsICertOverrideService| interface
 * implementation to be registered with the |nsIComponentRegistrar|.
 *
 * After |service| is registered and made the |cert.currentOverride|,
 * |nsICertOverrideService| is reinitialised to cause all Gecko components
 * to pick up the new service.
 *
 * If an override is already installed, i.e. when |cert.currentOverride|
 * is not null, this functions acts as a NOOP.
 *
 * @param {cert.Override} service
 *     Service generator that registers and unregisters the XPCOM service.
 *
 * @throws {Components.Exception}
 *     If unable to register or initialise |service|.
 */
cert.installOverride = function (service) {
  if (this.currentOverride) {
    return;
  }

  service.register();
  cert.currentOverride = service;
};

/**
 * Uninstall a TLS certificate service override.
 *
 * After the service has been unregistered, |cert.currentOverride|
 * is reset to null.
 *
 * If there no current override installed, i.e. if |cert.currentOverride|
 * is null, this function acts as a NOOP.
 */
cert.uninstallOverride = function() {
  if (!cert.currentOverride) {
    return;
  }
  cert.currentOverride.unregister();
  this.currentOverride = null;
};

/**
 * Certificate override service that acts in an all-inclusive manner
 * on TLS certificates.
 *
 * When an invalid certificate is encountered, it is overriden
 * with the |matching| bit level, which is typically a combination of
 * |cert.Error.Untrusted|, |cert.Error.Mismatch|, and |cert.Error.Time|.
 *
 * @type cert.Override
 *
 * @throws {Components.Exception}
 *     If there are any problems registering the service.
 */
cert.InsecureSweepingOverride = function() {
  const CID = Components.ID("{4b67cce0-a51c-11e6-9598-0800200c9a66}");
  const DESC = "All-encompassing cert service that matches on a bitflag";

  // This needs to be an old-style class with a function constructor
  // and prototype assignment because... XPCOM.  Any attempt at
  // modernisation will be met with cryptic error messages which will
  // make your life miserable.
  let service = function() {};
  service.prototype = {
    hasMatchingOverride: function (
        aHostName, aPort, aCert, aOverrideBits, aIsTemporary) {
      aIsTemporary.value = false;
      aOverrideBits.value =
          cert.Error.Untrusted | cert.Error.Mismatch | cert.Error.Time;

      return true;
    },

    QueryInterface: XPCOMUtils.generateQI([Ci.nsICertOverrideService]),
  };
  let factory = XPCOMUtils.generateSingletonFactory(service);

  return {
    register: function() {
      // make it possible to register certificate overrides for domains
      // that use HSTS or HPKP
      Preferences.set(HSTS_PRELOAD_LIST_PREF, false);
      Preferences.set(CERT_PINNING_ENFORCEMENT_PREF, 0);

      registrar.registerFactory(CID, DESC, CONTRACT_ID, factory);
    },

    unregister: function() {
      registrar.unregisterFactory(CID, factory);

      Preferences.reset(HSTS_PRELOAD_LIST_PREF);
      Preferences.reset(CERT_PINNING_ENFORCEMENT_PREF);

      // clear collected HSTS and HPKP state
      // through the site security service
      sss.clearAll();
      sss.clearPreloads();
    },
  };
};