Bug 1712837 - introduce ipcclientcerts to allow client certificates to work with the socket process r=rmf,kershaw,necko-reviewers,ipc-reviewers,nika,jschanck

This patch introduces ipcclientcerts, a PKCS#11 module that the socket process can load to get access to client certificates and keys managed by the parent process. This enables client certificate authentication to work with the socket process (particularly for keys stored outside of NSS, as with osclientcerts or third-party PKCS#11 modules). Differential Revision: https://phabricator.services.mozilla.com/D122392
2021-12-01 18:10:34 +00:00
parent 70fc0203ca
commit a13bccff29
40 changed files with 2454 additions and 300 deletions
--- a/netwerk/ipc/SocketProcessChild.cpp
+++ b/netwerk/ipc/SocketProcessChild.cpp
@@ -165,7 +165,15 @@ bool SocketProcessChild::Init(base::ProcessId aParentPid,
  // Initialize DNS Service here, since it needs to be done in main thread.
  nsCOMPtr<nsIDNSService> dns =
      do_GetService("@mozilla.org/network/dns-service;1", &rv);
-  return NS_SUCCEEDED(rv);
+  if (NS_FAILED(rv)) {
+    return false;
+  }
+
+  if (!EnsureNSSInitializedChromeOrContent()) {
+    return false;
+  }
+
+  return true;
 }

 void SocketProcessChild::ActorDestroy(ActorDestroyReason aWhy) {
@@ -214,6 +222,7 @@ mozilla::ipc::IPCResult SocketProcessChild::RecvInit(
  if (aAttributes.mInitSandbox()) {
    Unused << RecvInitLinuxSandbox(aAttributes.mSandboxBroker());
  }
+
  return IPC_OK();
 }

@@ -472,9 +481,7 @@ SocketProcessChild::GetAndRemoveDataBridge(uint64_t aChannelId) {
 }

 mozilla::ipc::IPCResult SocketProcessChild::RecvClearSessionCache() {
-  if (EnsureNSSInitializedChromeOrContent()) {
-    nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
-  }
+  nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
  return IPC_OK();
 }