Overriding CertOverrideService in xulrunner 10+

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Overriding CertOverrideService in xulrunner 10+

Yuriy Cherepko-2
Hi All.
I use xulrunner for embedding a mozilla-functionality in my app.
For my app I need some way to accept the site's security certificate
unconditionally without any certificate-error report dialogs.
For this reason I wrote my own implementation of the
nsICertOverrideService and was planning use it for temporary
certificates acception but
some logic in the CertErrorRunnable::CheckCertOverrides
(xulrunner-12.0b.6, security/manager/ssl/src/
SSLServerCertVerification.cpp) makes that impossible

Here is a part of code from SSLServerCertVerification.cpp ...

SSLServerCertVerificationResult *
CertErrorRunnable::CheckCertOverrides()
{
        ....

        PRUint32 remaining_display_errors = mCollectedErrors;

    ....

    if (!strictTransportSecurityEnabled) {
    nsCOMPtr<nsICertOverrideService> overrideService =
      do_GetService(NS_CERTOVERRIDE_CONTRACTID);
    // it is fine to continue without the nsICertOverrideService

    PRUint32 overrideBits = 0;

    if (overrideService)
    {
      bool haveOverride;
      bool isTemporaryOverride; // we don't care
      nsCString hostString(mInfoObject->GetHostName());
      nsrv = overrideService->HasMatchingOverride(hostString, port,
                                                  mCert,
                                                  &overrideBits,
 
&isTemporaryOverride,
                                                  &haveOverride);
      if (NS_SUCCEEDED(nsrv) && haveOverride)
      {
       // remove the errors that are already overriden
        remaining_display_errors -= overrideBits;
/*
Here it would be nice to have a chance to accept the certificate
unconditionally, but
because of the "-=" operation, it is impossible

During a call of the HasMatchingOverride the remaining_display_errors
is not passed to the service and if the call returns "true" and it
sets all possible override bits to "1" then we have the next...

              remaining_display_errors  is 1 // untrusted certificate
              overrideBits is 7 // in the service we don't know what
happend and override all possible errors

              remaining_display_errors -= overrideBits
              if (! remaining_display_errors) { // FALSE !!!

              But if...

              remaining_display_errors &= (~overrideBits);
              if (! remaining_display_errors) { // it's OK
*/
      }
    }

    if (!remaining_display_errors) {
      // all errors are covered by override rules, so let's accept the
cert
      PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
             ("[%p][%p] All errors covered by override rules\n",
             mFdForLogging, this));
      return new SSLServerCertVerificationResult(*mInfoObject, 0);
    }
  } else {

    ....
}

Is there some other way to accept site's certificate during first
connection attempt ?

_______________________________________________
dev-embedding mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-embedding