Attachment #390386 for bug #530834

View | Details | Raw Unified | Return to bug 530834
Collapse All | Expand All




  switch (NSPRCode) {
    case SEC_ERROR_UNKNOWN_ISSUER:
    case SEC_ERROR_UNTRUSTED_ISSUER:
    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
    case SEC_ERROR_UNTRUSTED_CERT:
    case SSL_ERROR_BAD_CERT_DOMAIN:
    case SEC_ERROR_EXPIRED_CERTIFICATE:
    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
    case SEC_ERROR_CA_CERT_INVALID:
    case MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
      return Ci.nsINSSErrorsService.ERROR_CLASS_BAD_CERT;
    default:
      return Ci.nsINSSErrorsService.ERROR_CLASS_SSL_PROTOCOL;
  }

  return null;
}




    // Overridable errors.
    case SEC_ERROR_UNKNOWN_ISSUER:
    case SEC_ERROR_UNTRUSTED_ISSUER:
    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
    case SEC_ERROR_UNTRUSTED_CERT:
    case SSL_ERROR_BAD_CERT_DOMAIN:
    case SEC_ERROR_EXPIRED_CERTIFICATE:
    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
    case SEC_ERROR_CA_CERT_INVALID:
    case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
      *aErrorClass = ERROR_CLASS_BAD_CERT;
      break;
    // Non-overridable errors.
    default:
      *aErrorClass = ERROR_CLASS_SSL_PROTOCOL;
      break;
  }





// A probe value of 1 means "no error".
uint32_t
MapCertErrorToProbeValue(PRErrorCode errorCode)
{
  switch (errorCode)
  {
    case SEC_ERROR_UNKNOWN_ISSUER:                     return  2;
    case SEC_ERROR_CA_CERT_INVALID:                    return  3;
    case SEC_ERROR_UNTRUSTED_ISSUER:                   return  4;
    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:         return  5;
    case SEC_ERROR_UNTRUSTED_CERT:                     return  6;
    case SEC_ERROR_INADEQUATE_KEY_USAGE:               return  7;
    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:  return  8;
    case SSL_ERROR_BAD_CERT_DOMAIN:                    return  9;
    case SEC_ERROR_EXPIRED_CERTIFICATE:                return 10;
    case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: return 11;

  MOZ_ASSERT(errorCodeMismatch == 0);
  MOZ_ASSERT(errorCodeExpired == 0);

  // Assumes the error prioritization described in mozilla::pkix's
  // BuildForward function. Also assumes that CERT_VerifyCertName was only
  // called if CertVerifier::VerifyCert succeeded.
  switch (defaultErrorCodeToReport) {
    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
    case SEC_ERROR_CA_CERT_INVALID:
    case SEC_ERROR_UNKNOWN_ISSUER:
    case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
    {
      collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
      errorCodeTrust = defaultErrorCodeToReport;

      SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert, now, false);
      if (validity == secCertTimeUndetermined) {

Return to bug 530834

Lines 136-151 NSSErrorsService::GetErrorClass(nsresult Link Here

(-)a/security/manager/ssl/src/NSSErrorsService.cpp (+1 lines)
136	// Overridable errors.	136	// Overridable errors.
137	case SEC_ERROR_UNKNOWN_ISSUER:	137	case SEC_ERROR_UNKNOWN_ISSUER:
138	case SEC_ERROR_UNTRUSTED_ISSUER:	138	case SEC_ERROR_UNTRUSTED_ISSUER:
139	case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:	139	case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
140	case SEC_ERROR_UNTRUSTED_CERT:	140	case SEC_ERROR_UNTRUSTED_CERT:
141	case SSL_ERROR_BAD_CERT_DOMAIN:	141	case SSL_ERROR_BAD_CERT_DOMAIN:
142	case SEC_ERROR_EXPIRED_CERTIFICATE:	142	case SEC_ERROR_EXPIRED_CERTIFICATE:
143	case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:	143	case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
		144	case SEC_ERROR_CA_CERT_INVALID:
144	case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:	145	case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
145	*aErrorClass = ERROR_CLASS_BAD_CERT;	146	*aErrorClass = ERROR_CLASS_BAD_CERT;
146	break;	147	break;
147	// Non-overridable errors.	148	// Non-overridable errors.
148	default:	149	default:
149	*aErrorClass = ERROR_CLASS_SSL_PROTOCOL;	150	*aErrorClass = ERROR_CLASS_SSL_PROTOCOL;
150	break;	151	break;
151	}	152	}

Lines 90-105 function getErrorClass(errorCode) { Link Here

(-)a/dom/browser-element/BrowserElementChildPreload.js (+1 lines)
90	switch (NSPRCode) {	90	switch (NSPRCode) {
91	case SEC_ERROR_UNKNOWN_ISSUER:	91	case SEC_ERROR_UNKNOWN_ISSUER:
92	case SEC_ERROR_UNTRUSTED_ISSUER:	92	case SEC_ERROR_UNTRUSTED_ISSUER:
93	case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:	93	case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
94	case SEC_ERROR_UNTRUSTED_CERT:	94	case SEC_ERROR_UNTRUSTED_CERT:
95	case SSL_ERROR_BAD_CERT_DOMAIN:	95	case SSL_ERROR_BAD_CERT_DOMAIN:
96	case SEC_ERROR_EXPIRED_CERTIFICATE:	96	case SEC_ERROR_EXPIRED_CERTIFICATE:
97	case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:	97	case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
		98	case SEC_ERROR_CA_CERT_INVALID:
98	case MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:	99	case MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
99	return Ci.nsINSSErrorsService.ERROR_CLASS_BAD_CERT;	100	return Ci.nsINSSErrorsService.ERROR_CLASS_BAD_CERT;
100	default:	101	default:
101	return Ci.nsINSSErrorsService.ERROR_CLASS_SSL_PROTOCOL;	102	return Ci.nsINSSErrorsService.ERROR_CLASS_SSL_PROTOCOL;
102	}	103	}
103		104
104	return null;	105	return null;
105	}	106	}

Lines 287-302 private: Link Here

(-)a/security/manager/ssl/src/SSLServerCertVerification.cpp (+2 lines)
287		287
288	// A probe value of 1 means "no error".	288	// A probe value of 1 means "no error".
289	uint32_t	289	uint32_t
290	MapCertErrorToProbeValue(PRErrorCode errorCode)	290	MapCertErrorToProbeValue(PRErrorCode errorCode)
291	{	291	{
292	switch (errorCode)	292	switch (errorCode)
293	{	293	{
294	case SEC_ERROR_UNKNOWN_ISSUER: return 2;	294	case SEC_ERROR_UNKNOWN_ISSUER: return 2;
		295	case SEC_ERROR_CA_CERT_INVALID: return 3;
295	case SEC_ERROR_UNTRUSTED_ISSUER: return 4;	296	case SEC_ERROR_UNTRUSTED_ISSUER: return 4;
296	case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: return 5;	297	case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: return 5;
297	case SEC_ERROR_UNTRUSTED_CERT: return 6;	298	case SEC_ERROR_UNTRUSTED_CERT: return 6;
298	case SEC_ERROR_INADEQUATE_KEY_USAGE: return 7;	299	case SEC_ERROR_INADEQUATE_KEY_USAGE: return 7;
299	case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: return 8;	300	case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: return 8;
300	case SSL_ERROR_BAD_CERT_DOMAIN: return 9;	301	case SSL_ERROR_BAD_CERT_DOMAIN: return 9;
301	case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;	302	case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;
302	case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: return 11;	303	case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: return 11;
Lines 321-336 DetermineCertOverrideErrors(CERTCertific Link Here
321	MOZ_ASSERT(errorCodeMismatch == 0);	322	MOZ_ASSERT(errorCodeMismatch == 0);
322	MOZ_ASSERT(errorCodeExpired == 0);	323	MOZ_ASSERT(errorCodeExpired == 0);
323		324
324	// Assumes the error prioritization described in mozilla::pkix's	325	// Assumes the error prioritization described in mozilla::pkix's
325	// BuildForward function. Also assumes that CERT_VerifyCertName was only	326	// BuildForward function. Also assumes that CERT_VerifyCertName was only
326	// called if CertVerifier::VerifyCert succeeded.	327	// called if CertVerifier::VerifyCert succeeded.
327	switch (defaultErrorCodeToReport) {	328	switch (defaultErrorCodeToReport) {
328	case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:	329	case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
		330	case SEC_ERROR_CA_CERT_INVALID:
329	case SEC_ERROR_UNKNOWN_ISSUER:	331	case SEC_ERROR_UNKNOWN_ISSUER:
330	case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:	332	case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
331	{	333	{
332	collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;	334	collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
333	errorCodeTrust = defaultErrorCodeToReport;	335	errorCodeTrust = defaultErrorCodeToReport;
334		336
335	SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert, now, false);	337	SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert, now, false);
336	if (validity == secCertTimeUndetermined) {	338	if (validity == secCertTimeUndetermined) {