--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -699,33 +699,26 @@ ParseMF(const char* filebuf, nsIZipReade
}
// unrecognized attributes must be ignored
}
return NS_OK;
}
-struct VerifyCertificateContext {
- AppTrustedRoot trustedRoot;
- UniqueCERTCertList& builtChain;
-};
-
nsresult
-VerifyCertificate(CERTCertificate* signerCert, void* voidContext, void* pinArg)
+VerifyCertificate(CERTCertificate* signerCert, AppTrustedRoot trustedRoot,
+ /*out*/ UniqueCERTCertList& builtChain)
{
- // TODO: null pinArg is tolerated.
- if (NS_WARN_IF(!signerCert) || NS_WARN_IF(!voidContext)) {
+ if (NS_WARN_IF(!signerCert)) {
return NS_ERROR_INVALID_ARG;
}
- const VerifyCertificateContext& context =
- *static_cast<const VerifyCertificateContext*>(voidContext);
-
- AppTrustDomain trustDomain(context.builtChain, pinArg);
- nsresult rv = trustDomain.SetTrustedRoot(context.trustedRoot);
+ // TODO: pinArg is null.
+ AppTrustDomain trustDomain(builtChain, nullptr);
+ nsresult rv = trustDomain.SetTrustedRoot(trustedRoot);
if (NS_FAILED(rv)) {
return rv;
}
Input certDER;
mozilla::pkix::Result result = certDER.Init(signerCert->derCert.data,
signerCert->derCert.len);
if (result != Success) {
return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result));
@@ -761,28 +754,25 @@ VerifyCertificate(CERTCertificate* signe
if (result != Success) {
return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result));
}
return NS_OK;
}
nsresult
-VerifyCMSDetachedSignatureIncludingCertificate(
- const SECItem& buffer, const SECItem& detachedDigest,
- nsresult (*verifyCertificate)(CERTCertificate* cert, void* context,
- void* pinArg),
- void* verifyCertificateContext, void* pinArg,
- const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+VerifySignature(AppTrustedRoot trustedRoot, const SECItem& buffer,
+ const SECItem& detachedDigest,
+ /*out*/ UniqueCERTCertList& builtChain)
{
- // XXX: missing pinArg is tolerated.
+ // Currently, this function is only called within the CalculateResult() method
+ // of CryptoTasks. As such, NSS should not be shut down at this point and the
+ // CryptoTask implementation should already hold a nsNSSShutDownPreventionLock.
if (NS_WARN_IF(!buffer.data && buffer.len > 0) ||
- NS_WARN_IF(!detachedDigest.data && detachedDigest.len > 0) ||
- (!verifyCertificate) ||
- NS_WARN_IF(!verifyCertificateContext)) {
+ NS_WARN_IF(!detachedDigest.data && detachedDigest.len > 0)) {
return NS_ERROR_INVALID_ARG;
}
UniqueNSSCMSMessage
cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr,
nullptr, nullptr, nullptr, nullptr,
nullptr));
if (!cmsMsg) {
@@ -853,17 +843,17 @@ VerifyCMSDetachedSignatureIncludingCerti
return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
}
CERTCertificate* signerCert =
NSS_CMSSignerInfo_GetSigningCertificate(signer, CERT_GetDefaultCertDB());
if (!signerCert) {
return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
}
- nsresult rv = verifyCertificate(signerCert, verifyCertificateContext, pinArg);
+ nsresult rv = VerifyCertificate(signerCert, trustedRoot, builtChain);
if (NS_WARN_IF(NS_FAILED(rv))) {
return rv;
}
// See NSS_CMSContentInfo_GetContentTypeOID, which isn't exported from NSS.
SECOidData* contentTypeOidData =
SECOID_FindOID(&signedData->contentInfo.contentType);
if (!contentTypeOidData) {
@@ -871,35 +861,16 @@ VerifyCMSDetachedSignatureIncludingCerti
}
return MapSECStatus(NSS_CMSSignerInfo_Verify(signer,
const_cast<SECItem*>(&detachedDigest),
&contentTypeOidData->oid));
}
nsresult
-VerifySignature(AppTrustedRoot trustedRoot, const SECItem& buffer,
- const SECItem& detachedDigest,
- /*out*/ UniqueCERTCertList& builtChain)
-{
- // Currently, this function is only called within the CalculateResult() method
- // of CryptoTasks. As such, NSS should not be shut down at this point and the
- // CryptoTask implementation should already hold a nsNSSShutDownPreventionLock.
- // We acquire a nsNSSShutDownPreventionLock here solely to prove we did to
- // VerifyCMSDetachedSignatureIncludingCertificate().
- nsNSSShutDownPreventionLock locker;
- VerifyCertificateContext context = { trustedRoot, builtChain };
- // XXX: missing pinArg
- return VerifyCMSDetachedSignatureIncludingCertificate(buffer, detachedDigest,
- VerifyCertificate,
- &context, nullptr,
- locker);
-}
-
-nsresult
OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
/*out, optional */ nsIZipReader** aZipReader,
/*out, optional */ nsIX509Cert** aSignerCert)
{
NS_ENSURE_ARG_POINTER(aJarFile);
if (aZipReader) {
*aZipReader = nullptr;