Bug 1052257 - Add and use error code specific to inadequate key sizes. r=keeler
This commit is contained in:
parent
fec0e6e81c
commit
60bbf0d3c1
@ -299,3 +299,4 @@ SEC_ERROR_LOCKED_PASSWORD=The password is locked.
SEC_ERROR_UNKNOWN_PKCS11_ERROR=Unknown PKCS #11 error.
SEC_ERROR_BAD_CRL_DP_URL=Invalid or unsupported URL in CRL distribution point name.
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a signature algorithm that is disabled because it is not secure.
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE=The server presented a certificate with a key size that is too small to establish a secure connection.
@ -150,6 +150,7 @@ nsUsageArrayHelper::verifyFailed(uint32_t *_verified, int err)
case SEC_ERROR_INADEQUATE_CERT_TYPE:
case SEC_ERROR_CA_CERT_INVALID:
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
*_verified = nsNSSCertificate::USAGE_NOT_ALLOWED; break;
/* These are the cases that have individual error messages */
case SEC_ERROR_REVOKED_CERTIFICATE:
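Review bot: The new `case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:` folds the key-size failure into `USAGE_NOT_ALLOWED`, so this path reports a generic usage problem rather than the dedicated message the commit adds to pipnss.properties. That matches the neighbouring CA_CERT_USED_AS_END_ENTITY case, but nothing in the hunk says why these mozilla::pkix policy codes are grouped here instead of with the "individual error messages" cases below. A one-line comment above the group would make the grouping deliberate, e.g. `// Policy failures from mozilla::pkix (CA cert used as end entity, inadequate key size) are reported as a usage problem here.` The start of the switch and verifyFailed's signature are outside the hunk, so an existing comment covering this group may simply not be visible.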
@ -60,6 +60,7 @@ const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12;
const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2; // -16382
// Supported Certificate Usages
const certificateUsageSSLClient = 0x0001;
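Review bot: The trailing `// -16382` on the new `MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE` constant is a hand-computed value that will silently go stale if MOZILLA_PKIX_ERROR_BASE or the offset ever changes, and the neighbouring `MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE` line carries no such annotation, so the two lines are styled inconsistently. Either drop the number or say what the comment is for, e.g. `// ERROR_BASE + 2; keep offsets in sync with ErrorCode in pkixnss.h`. Whether a `+ 1` constant for CA_CERT_USED_AS_END_ENTITY exists in this file is not visible in the hunk.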
@ -44,12 +44,12 @@ function check_ok_ca(cert) {
}
function check_fail(cert) {
return check_cert_err(cert, SEC_ERROR_INVALID_KEY);
return check_cert_err(cert, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
}
function check_fail_ca(cert) {
return check_cert_err_generic(cert,
SEC_ERROR_INVALID_KEY,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE,
certificateUsageSSLCA);
}
@ -141,7 +141,8 @@ function add_tests(certDB, otherTestCA) {
// Check that OCSP responder certificates with key sizes below 1024 bits are
// rejected, even when the main certificate chain keys are at least 1024 bits.
add_ocsp_test("keysize-ocsp-delegated.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_INVALID_KEY), true);
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE),
true);
}
function check_ocsp_stapling_telemetry() {
@ -78,6 +78,7 @@ MOZILLA_PKIX_ENUM_CLASS Result
ERROR_UNSUPPORTED_KEYALG = 37,
ERROR_EXPIRED_ISSUER_CERTIFICATE = 38,
ERROR_CA_CERT_USED_AS_END_ENTITY = 39,
ERROR_INADEQUATE_KEY_SIZE = 40,
// Keep this in sync with MAP_LIST in pkixnss.cpp
@ -72,7 +72,8 @@ static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
enum ErrorCode {
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1
MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2
};
void RegisterErrorTable();
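Review bot: The offsets in `enum ErrorCode` (`ERROR_BASE + 0`, `+ 1`, and the new `+ 2`) have to line up with the position of the matching entries in the message array that RegisterErrorTable hands to `ErrorTable` (see the hunk at RegisterErrorTable later in this commit), because NSPR resolves an error's text by its offset from the table base; the new entry is inserted in the right place, but nothing in either hunk says that the order is load-bearing. The `Result` enum in pkixtypes.h already carries a "Keep this in sync with MAP_LIST" note; the same is missing here. Suggest a comment above the enum: `// Values are offsets into the message table in RegisterErrorTable (pkixnss.cpp); keep the order in sync, and mirror new codes in head_psm.js.`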
@ -64,8 +64,7 @@ CheckPublicKeySize(Input subjectPublicKeyInfo,
case rsaKey:
// TODO(bug 622859): Enforce a minimum of 2048 bits for EV certs.
if (SECKEY_PublicKeyStrengthInBits(publicKey.get()) < MINIMUM_NON_ECC_BITS) {
// TODO(bug 1031946): Create a new error code.
return Result::ERROR_INVALID_KEY;
return Result::ERROR_INADEQUATE_KEY_SIZE;
}
break;
case nullKey:
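Review bot: The rsaKey branch now returns `Result::ERROR_INADEQUATE_KEY_SIZE`, but with the old TODO removed nothing records why a well-formed key below the threshold is reported differently from a malformed one, which is the whole reason for the new code. A short comment on the check would carry that intent, e.g. `// A well-formed key below MINIMUM_NON_ECC_BITS is a policy failure, not a malformed key, so report it with its own code.` The switch continues outside the hunk, so it is not visible whether any other key-type branch also enforces a minimum size; if one does, it presumably still returns ERROR_INVALID_KEY and should be brought in line. CheckPublicKeySize's signature and the rest of its body are outside the hunk.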
@ -232,6 +231,7 @@ DigestBuf(Input item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
MAP(Result::ERROR_UNSUPPORTED_KEYALG, SEC_ERROR_UNSUPPORTED_KEYALG) \
MAP(Result::ERROR_EXPIRED_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
MAP(Result::ERROR_CA_CERT_USED_AS_END_ENTITY, MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
MAP(Result::ERROR_INADEQUATE_KEY_SIZE, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE) \
MAP(Result::FATAL_ERROR_INVALID_ARGS, SEC_ERROR_INVALID_ARGS) \
MAP(Result::FATAL_ERROR_INVALID_STATE, PR_INVALID_STATE_ERROR) \
MAP(Result::FATAL_ERROR_LIBRARY_FAILURE, SEC_ERROR_LIBRARY_FAILURE) \
@ -302,7 +302,10 @@ RegisterErrorTable()
{ "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY",
"The server uses a certificate with a basic constraints extension "
"identifying it as a certificate authority. For a properly-issued "
"certificate, this should not be the case." }
"certificate, this should not be the case." },
{ "MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE",
"The server presented a certificate with a key size that is too small "
"to establish a secure connection." }
};
static const struct PRErrorTable ErrorTable = {