
package xpi

import "go.mozilla.org/autograph/signer/xpi"

Index

Package Files

cose.go jar.go recommendation.go x509.go xpi.go

Constants

const (
    // Type of this signer is "xpi"; it is the value matched against
    // a signer.Configuration to select this package.
    Type = "xpi"

    // ModeAddOn represents a signer that issues signatures for
    // regular firefox add-ons and web extensions developed by anyone
    ModeAddOn = "add-on"

    // ModeAddOnWithRecommendation represents a signer that issues
    // signatures for regular firefox add-ons and web extensions
    // developed by anyone including a recommendation file
    // (see Recommendation and Options.Recommendations)
    ModeAddOnWithRecommendation = "add-on-with-recommendation"

    // ModeExtension represents a signer that issues signatures for
    // internal extensions developed by Mozilla
    ModeExtension = "extension"

    // ModeSystemAddOn represents a signer that issues signatures for
    // System Add-Ons developed by Mozilla
    ModeSystemAddOn = "system add-on"

    // ModeHotFix represents a signer that issues signatures for
    // Firefox HotFixes. Hotfix signers pin the end-entity CN via
    // XPISigner.EndEntityCN rather than taking it from the request.
    ModeHotFix = "hotfix"
)

func VerifySignedFile Uses

func VerifySignedFile(signedFile signer.SignedFile, truststore *x509.CertPool, opts Options) error

VerifySignedFile verifies the XPI's PKCS7 signature, and its COSE signatures if any are present, using the certificates in truststore as the trust anchors (see Signature.VerifyWithChain). Callers must pass a pool containing only the roots they intend to trust, since that pool alone decides which signing chains are accepted.

type Metafile Uses

type Metafile struct {
    // Name is the path inside the JAR at which Body is packed.
    // IsNameValid requires it to be non-empty and to begin with
    // "META-INF/"; callers must validate it before reading or
    // writing the entry, since the name comes from the caller.
    Name string

    // Body is the raw content written to the JAR entry at Name.
    Body []byte
}

Metafile is a file to pack into a JAR at .Name with contents .Body

func (*Metafile) IsNameValid Uses

func (m *Metafile) IsNameValid() bool

IsNameValid checks whether a Metafile.Name is non-empty and begins with "META-INF/". Functions taking Metafile arguments should validate names with it before reading them from, or writing them to, JARs.

type Options Uses

type Options struct {
    // ID is the add-on ID which is stored in the end-entity subject CN.
    // It is supplied by the requester of the signature (see
    // XPISigner.EndEntityCN), so it is untrusted input; Options.CN
    // is the point where it is turned into a certificate subject.
    ID  string `json:"id"`

    // COSEAlgorithms is an optional list of strings referring to IANA
    // algorithms to use for COSE signatures. Options.Algorithms
    // validates the list before it is used.
    COSEAlgorithms []string `json:"cose_algorithms"`

    // PKCS7Digest is a string required for /sign/file referring to the
    // algorithm to use for the PKCS7 signature digest. Options.PK7Digest
    // validates it and maps it to an ASN.1 OID.
    PKCS7Digest string `json:"pkcs7_digest"`

    // Recommendations is an optional list of strings referring to
    // recommended states to add to the recommendations file
    // for signers in ModeAddOnWithRecommendation. Only states in the
    // signer's allowed set pass Options.RecommendationStates.
    Recommendations []string `json:"recommendations"`
}

Options contains specific parameters used to sign XPIs

func GetOptions Uses

func GetOptions(input interface{}) (options Options, err error)

GetOptions takes an input interface and reflects it into an Options struct, returning an error when the input cannot be mapped onto the Options fields.

func (*Options) Algorithms Uses

func (o *Options) Algorithms() (algs []*cose.Algorithm, err error)

Algorithms validates o.COSEAlgorithms and returns the corresponding COSE algorithms, or an error when validation fails.

func (*Options) CN Uses

func (o *Options) CN(s *XPISigner) (cn string, err error)

CN returns the common name to place in the end-entity certificate subject, derived from the request's Options.ID and the signer s (see XPISigner.EndEntityCN for the case where the signer pins the value).

func (*Options) PK7Digest Uses

func (o *Options) PK7Digest() (asn1.ObjectIdentifier, error)

PK7Digest validates o.PKCS7Digest and returns the ASN.1 OID of the PKCS7 digest algorithm, or an error if the name is not an accepted digest.

func (*Options) RecommendationStates Uses

func (o *Options) RecommendationStates(allowedRecommendationStates map[string]bool) (states []string, err error)

RecommendationStates validates the recommendation states in the request against allowedRecommendationStates and returns the accepted states, or an error when a requested state is not allowed.

type Recommendation Uses

type Recommendation struct {
    // AddOnID is the ID of the extension this recommendation is
    // for. Must match the ID in the extension’s manifest.json
    AddOnID string `json:"addon_id"`

    // States is a list of strings for each state of an addon that
    // firefox understands. Validate checks each one against the
    // signer's allowed set.
    States []string `json:"states"`

    // Validity is a pair of timestamps to expire a recommendation
    // after an appropriate amount of time, since the
    // recommendation is for a given version of the addon and it
    // will need to be reissued for new versions.
    // Populated by Recommend from its notBefore/notAfter arguments;
    // the exact map keys are not shown in this documentation.
    Validity map[string]time.Time `json:"validity"`

    // SchemaVersion is a uint to allow gradual upgrades of the
    // recommendation file
    SchemaVersion int `json:"schema_version"`
}

Recommendation represents an Addon Recommendation file

func Recommend Uses

func Recommend(addonID string, states []string, notBefore, notAfter time.Time) *Recommendation

Recommend returns a Recommendation for addonID with the given states, valid from notBefore until notAfter.

func UnmarshalRecommendation Uses

func UnmarshalRecommendation(input []byte) (r *Recommendation, err error)

UnmarshalRecommendation parses a recommendation file from JSON

func (*Recommendation) Marshal Uses

func (r *Recommendation) Marshal() ([]byte, error)

Marshal serializes a Recommendation to JSON

func (*Recommendation) Validate Uses

func (r *Recommendation) Validate(allowedRecommendationStates map[string]bool) error

Validate checks a Recommendation's validity fields and that every state is in allowedRecommendationStates, returning an error otherwise. Run it on any recommendation file read from an XPI before trusting its contents.

type Signature Uses

type Signature struct {
    // Data holds the encoded signature; presumably the detached PKCS7
    // or CBOR-encoded COSE SignMessage bytes that Marshal base64-encodes.
    Data     []byte
    // Finished — NOTE(review): its meaning is not documented on this page; confirm against the source.
    Finished bool
    // contains filtered or unexported fields
}

Signature is a detached PKCS7 signature or COSE SignMessage

func Unmarshal Uses

func Unmarshal(signature string, content []byte) (sig *Signature, err error)

Unmarshal parses a Signature from the base64 representation of either a detached PKCS7 signature (together with the content of the signed data) or a CBOR-encoded COSE Sign Message. Parsing alone does not verify anything; call VerifyWithChain afterwards.

func (*Signature) Marshal Uses

func (sig *Signature) Marshal() (string, error)

Marshal returns the base64 representation of a detached PKCS7 signature or COSE Sign Message

func (*Signature) String Uses

func (sig *Signature) String() string

String returns a PEM encoded PKCS7 block

func (*Signature) VerifyWithChain Uses

func (sig *Signature) VerifyWithChain(truststore *x509.CertPool) error

VerifyWithChain verifies an xpi signature, chaining its certificates to the provided truststore; only roots present in truststore are treated as trusted.

type XPISigner Uses

type XPISigner struct {
    signer.Configuration

    // OU is the organizational unit of the end-entity certificate
    // generated for each operation performed by this signer
    OU  string

    // EndEntityCN is the subject CN of the end-entity certificate generated
    // for each operation performed by this signer. Most of the time
    // the ID will be left blank and provided by the requester of the
    // signature, but for hotfix signers, it is set to a specific value.
    // When set, it presumably takes precedence over the request's
    // Options.ID (see Options.CN) — confirm against the source.
    EndEntityCN string
    // contains filtered or unexported fields
}

An XPISigner is configured to issue detached PKCS7 and COSE signatures for Firefox Add-ons of various types.

func New Uses

func New(conf signer.Configuration, stats *signer.StatsClient) (s *XPISigner, err error)

New initializes an XPI signer using a configuration

func (*XPISigner) Config Uses

func (s *XPISigner) Config() signer.Configuration

Config returns the configuration of the current signer

func (*XPISigner) GetDefaultOptions Uses

func (s *XPISigner) GetDefaultOptions() interface{}

GetDefaultOptions returns default options of the signer

func (*XPISigner) MakeEndEntity Uses

func (s *XPISigner) MakeEndEntity(cn string, coseAlg *cose.Algorithm) (eeCert *x509.Certificate, eeKey crypto.PrivateKey, err error)

MakeEndEntity generates a private key and certificate ready to sign a given XPI.

The subject CN of the certificate is taken from the `cn` string argument.

The key type is identical to the key type of the signer that issues the certificate when the optional `coseAlg` argument is nil. For example, if the signer uses an RSA 2048 key, so will the end-entity. When `coseAlg` is not nil, a key of the type required by that COSE algorithm is generated instead.

The expiration date of the end-entity certificate is copied over from the issuer, so it can never outlive the issuing certificate.

The signed x509 certificate and private key are returned. A fresh key is generated per operation; callers should use it only for that one signature and not retain it afterwards.

func (*XPISigner) ReadAndVerifyRecommendationFile Uses

func (s *XPISigner) ReadAndVerifyRecommendationFile(signedXPI []byte) (recFileBytes []byte, err error)

ReadAndVerifyRecommendationFile reads the recommendation file from signedXPI and verifies it against the signer's configuration, returning the file bytes; the error is non-nil when the file is missing or fails verification.

func (*XPISigner) SignData Uses

func (s *XPISigner) SignData(sigfile []byte, options interface{}) (signer.Signature, error)

SignData takes an input signature file and returns a PKCS7 or COSE detached signature

func (*XPISigner) SignFile Uses

func (s *XPISigner) SignFile(input []byte, options interface{}) (signedFile signer.SignedFile, err error)

SignFile takes an unsigned zipped XPI file and returns a signed XPI file
