bug 1042889 - use a separate error for untrusted x509v1 certificates used as CAs r=briansmith

security/manager/locales/en-US/chrome/pipnss/nsserrors.properties

@@ -314,3 +314,4 @@ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a s
 MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE=The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden.
 MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY=The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case.
 MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE=The server presented a certificate with a key size that is too small to establish a secure connection.
+MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA=An X.509 version 1 certificate that is not a trust anchor was used to issue the server's certificate. X.509 version 1 certificates are deprecated and should not be used to sign other certificates.

security/pkix/include/pkix/Result.h

@@ -124,6 +124,8 @@ static const unsigned int FATAL_ERROR_FLAG = 0x800;
                      MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
     MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_SIZE, 40, \
                      MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE) \
+    MOZILLA_PKIX_MAP(ERROR_V1_CERT_USED_AS_CA, 41, \
+                     MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA) \
     MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1, \
                      SEC_ERROR_INVALID_ARGS) \
     MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2, \

security/pkix/include/pkix/pkixnss.h

@@ -69,7 +69,8 @@ static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
 enum ErrorCode {
   MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
   MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
-  MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2
+  MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
+  MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
 };
 
 void RegisterErrorTable();

security/pkix/lib/pkixcheck.cpp

@@ -348,10 +348,18 @@ CheckBasicConstraints(EndEntityOrCA endEntityOrCA,
     // For compatibility, we must accept v1 trust anchors without basic
     // constraints as CAs.
     //
+    // There are devices with v1 certificates that are unlikely to be trust
+    // anchors. In order to allow applications to treat this case differently
+    // from other basic constraints violations (e.g. allowing certificate error
+    // overrides for only this case), we return a different error code.
+    //
     // TODO: add check for self-signedness?
-    if (endEntityOrCA == EndEntityOrCA::MustBeCA &&
-        trustLevel == TrustLevel::TrustAnchor && version == der::Version::v1) {
-      isCA = true;
+    if (endEntityOrCA == EndEntityOrCA::MustBeCA && version == der::Version::v1) {
+      if (trustLevel == TrustLevel::TrustAnchor) {
+        isCA = true;
+      } else {
+        return Result::ERROR_V1_CERT_USED_AS_CA;
+      }
     }
   }
 

security/pkix/lib/pkixnss.cpp

@@ -242,7 +242,11 @@ RegisterErrorTable()
       "certificate, this should not be the case." },
     { "MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE",
       "The server presented a certificate with a key size that is too small "
-      "to establish a secure connection." }
+      "to establish a secure connection." },
+    { "MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA",
+      "An X.509 version 1 certificate that is not a trust anchor was used to "
+      "issue the server's certificate. X.509 version 1 certificates are "
+      "deprecated and should not be used to sign other certificates." },
   };
   // Note that these error strings are not localizable.
   // When these strings change, update the localization information too.