Bug 13379: Allow using NSS to sign and verify MAR signatures

# Bug 13379: Sign our MAR files.

ac_add_options --enable-verify-mar

ac_add_options --enable-nss-mar

ac_add_options --enable-bundled-fonts

    "MOZ_VERIFY_MAR_SIGNATURE", depends_if("--enable-verify-mar")(lambda _: True)

)

# Use NSS for MAR signatures even on platforms where system libraries are

# supported (currently Windows and macOS).

# ==============================================================

option("--enable-nss-mar", help="Always use NSS for MAR signatures")

set_config("MOZ_USE_NSS_FOR_MAR", True, when="--enable-nss-mar")

# Maintenance service (Windows only)

# ==============================================================

      "signed_input_archive.mar base_64_encoded_signature_file "

      "changed_signed_output.mar\n");

  printf("(i) is the index of the certificate to extract\n");

#  if defined(XP_MACOSX) || (defined(XP_WIN) && !defined(MAR_NSS))

#  if (defined(XP_MACOSX) || defined(XP_WIN)) && !defined(MAR_NSS)

  printf("Verify a MAR file:\n");

  printf("  mar [-C workingDir] -D DERFilePath -v signed_archive.mar\n");

  printf(

  memset((void*)certBuffers, 0, sizeof(certBuffers));

#endif

#if !defined(NO_SIGN_VERIFY) && \

    ((!defined(MAR_NSS) && defined(XP_WIN)) || defined(XP_MACOSX))

    (!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX)))

  memset(DERFilePaths, 0, sizeof(DERFilePaths));

  memset(fileSizes, 0, sizeof(fileSizes));

#endif

      argc -= 2;

    }

#if !defined(NO_SIGN_VERIFY)

#  if (!defined(MAR_NSS) && defined(XP_WIN)) || defined(XP_MACOSX)

#  if (!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX)))

    /* -D DERFilePath, also matches -D[index] DERFilePath

       We allow an index for verifying to be symmetric

       with the import and export command line arguments. */

        "verifymar",

    ]

    if CONFIG["MOZ_USE_NSS_FOR_MAR"]:

        DEFINES["MAR_NSS"] = True

    if CONFIG["OS_ARCH"] == "WINNT":

        USE_STATIC_LIBS = True

        OS_LIBS += [

            "ws2_32",

        ]

        if not CONFIG["MOZ_USE_NSS_FOR_MAR"]:

            OS_LIBS += [

                "crypt32",

                "advapi32",

            ]

    elif CONFIG["OS_ARCH"] == "Darwin":

    elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["MOZ_USE_NSS_FOR_MAR"]:

        OS_LIBS += [

            "-framework CoreFoundation",

            "-framework Security",

if CONFIG["OS_ARCH"] == "WINNT":

    USE_STATIC_LIBS = True

elif CONFIG["OS_ARCH"] == "Darwin":

    use_nss = CONFIG["MOZ_USE_NSS_FOR_MAR"]

elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["MOZ_USE_NSS_FOR_MAR"]:

    UNIFIED_SOURCES += [

        "MacVerifyCrypto.cpp",

    ]

    OS_LIBS += [

        "-framework Security",

    ]

    use_nss = False

else:

    DEFINES["MAR_NSS"] = True

    LOCAL_INCLUDES += ["../sign"]

    USE_LIBS += [

        "nspr",

        "nss",

        "signmar",

    ]

    if CONFIG["OS_ARCH"] != "Darwin":

        # Ideally, this would be '-Wl,-rpath=$ORIGIN', but the build system

        # doesn't do the right escaping yet. Even more ideally, this would

    # be LDFLAGS, but the build system doesn't propagate those like USE_LIBS

    # and OS_LIBS. Bug #1041943.

        # be LDFLAGS, but the build system doesn't propagate those like

        # USE_LIBS and OS_LIBS. Bug #1041943.

        OS_LIBS += [

            "-Wl,-rpath=\\$$ORIGIN",

        ]

    use_nss = True

LOCAL_INCLUDES += [

    "../src",

]

if use_nss:

    LOCAL_INCLUDES += ["../sign"]

    DEFINES["MAR_NSS"] = True

# C11 for static_assert

c11_flags = ["-std=gnu11"]

if CONFIG["CC_TYPE"] == "clang-cl":