Add xpcshell script and warning

components/net/Cargo.toml

@@ -23,9 +23,7 @@ git = "https://github.com/servo/rust-png"
 [dependencies.stb_image]
 git = "https://github.com/servo/rust-stb-image"
 
-[dependencies.openssl]
-git = "https://github.com/sfackler/rust-openssl"
-
 [dependencies]
 url = "0.2.16"
 time = "0.1.12"
+openssl="*"

components/net/http_loader.rs

@@ -7,16 +7,19 @@ use resource_task::ProgressMsg::{Payload, Done};
 
 use log;
 use std::collections::HashSet;
+use file_loader;
 use hyper::client::Request;
 use hyper::header::common::{ContentLength, ContentType, Host, Location};
+use hyper::HttpError;
 use hyper::method::Method;
 use hyper::net::HttpConnector;
 use hyper::status::StatusClass;
 use std::error::Error;
 use openssl::ssl::{SslContext, SslVerifyMode};
-use std::io::Reader;
+use std::io::{IoError, IoErrorKind, Reader};
 use std::sync::mpsc::Sender;
 use util::task::spawn_named;
+use util::resource_files::resources_dir_path;
 use url::{Url, UrlParser};
 
 use std::borrow::ToOwned;
@@ -77,14 +80,29 @@ fn load(load_data: LoadData, start_chan: Sender<TargetedLoadResponse>) {
 
         info!("requesting {}", url.serialize());
 
-        fn verifier<'a>(ssl: &mut SslContext) {
+        fn verifier(ssl: &mut SslContext) {
             ssl.set_verify(SslVerifyMode::SslVerifyPeer, None);
-            ssl.set_CA_file(&Path::new("/home/manishearth/sand/equifax"));
-        }
+            let mut certs = resources_dir_path();
+            certs.push("certs");
+            ssl.set_CA_file(&certs);
+        };
 
-        let mut req = match Request::with_connector(load_data.method.clone(), url.clone(), &mut HttpConnector(Some(verifier))) {
+        let ssl_err_string = "[UnknownError { library: \"SSL routines\", function: \"SSL3_GET_SERVER_CERTIFICATE\",\
+                               reason: \"certificate verify failed\" }]";
+        let mut req = match Request::with_connector(load_data.method.clone(), url.clone(),
+                                                    &mut HttpConnector(Some(box verifier as Box<FnMut(&mut SslContext)>))) {
             Ok(req) => req,
+            Err(HttpError::HttpIoError(IoError {kind: IoErrorKind::OtherIoError,
+                                                desc: "Error in OpenSSL",
+                                                detail: Some(ref det)})) if det.as_slice() == ssl_err_string => {
+                let mut image = resources_dir_path();
+                image.push("badcert.html");
+                let load_data = LoadData::new(Url::from_file_path(&image).unwrap(), senders.eventual_consumer);
+                file_loader::factory(load_data, senders.immediate_consumer);
+                return;
+            },
             Err(e) => {
+                println!("{:?}", e);
                 send_error(url, e.description().to_string(), senders);
                 return;
             }

etc/cert_generator.js

@@ -0,0 +1,73 @@
+// XPCShell script for generating a single file containing all certificates in PEM
+// format. You may run this in the browser toolbox's console
+// (Firefox -> devtools -> settings -> enable remote/chrome debugging,
+// followed by settings -> devtools menu -> browser toolbox) or the 
+// xpcshell runner that comes with a built Firefox (./run-mozilla.sh ./xpcshell).
+// The variable `certstring` contains the final pem file. You can use `save(path)` to
+// save it to a file. `certlist` contains an array with the PEM certs as well as their names if you
+// want to filter them.
+
+
+// http://mxr.mozilla.org/mozilla-central/source/security/manager/pki/resources/content/pippki.js
+function getDERString(cert)
+{
+  var length = {};
+  var derArray = cert.getRawDER(length);
+  var derString = '';
+  for (var i = 0; i < derArray.length; i++) {
+    derString += String.fromCharCode(derArray[i]);
+  }
+  return derString;
+}
+
+// http://mxr.mozilla.org/mozilla-central/source/security/manager/pki/resources/content/pippki.js
+function getPEMString(cert)
+{
+  var derb64 = btoa(getDERString(cert));
+  // Wrap the Base64 string into lines of 64 characters, 
+  // with CRLF line breaks (as specified in RFC 1421).
+  var wrapped = derb64.replace(/(\S{64}(?!$))/g, "$1\r\n");
+  return "-----BEGIN CERTIFICATE-----\r\n"
+         + wrapped
+         + "\r\n-----END CERTIFICATE-----\r\n";
+}
+
+let certcache = Components.classes["@mozilla.org/security/nsscertcache;1"].createInstance(Ci.nsINSSCertCache);
+certcache.cacheAllCerts();
+let enumerator = certcache.getX509CachedCerts().getEnumerator();
+let certlist = [];
+let certstring="";
+while(enumerator.hasMoreElements()){
+  let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
+  let pem = getPEMString(cert);
+  certlist.push({name: cert.commonName, pem: pem});
+  certstring+=pem;
+}
+
+function save(path) {
+  // https://developer.mozilla.org/en-US/Add-ons/Code_snippets/File_I_O
+  Components.utils.import("resource://gre/modules/FileUtils.jsm");
+  var file = new FileUtils.File(path);
+  Components.utils.import("resource://gre/modules/NetUtil.jsm");
+
+  // file is nsIFile, data is a string
+
+  // You can also optionally pass a flags parameter here. It defaults to
+  // FileUtils.MODE_WRONLY | FileUtils.MODE_CREATE | FileUtils.MODE_TRUNCATE;
+  var ostream = FileUtils.openSafeFileOutputStream(file);
+
+  var converter = Components.classes["@mozilla.org/intl/scriptableunicodeconverter"].
+                  createInstance(Components.interfaces.nsIScriptableUnicodeConverter);
+  converter.charset = "UTF-8";
+  var istream = converter.convertToInputStream(certstring);
+
+  // The last argument (the callback) is optional.
+  NetUtil.asyncCopy(istream, ostream, function(status) {
+    if (!Components.isSuccessCode(status)) {
+      // Handle error!
+      return;
+    }
+
+    // Data has been written to the file.
+  });
+}