Bug 1052257 - Add and use error code specific to inadequate key sizes. r=keeler

security/manager/locales/en-US/chrome/pipnss/nsserrors.properties

@@ -299,3 +299,4 @@ SEC_ERROR_LOCKED_PASSWORD=The password is locked.
 SEC_ERROR_UNKNOWN_PKCS11_ERROR=Unknown PKCS #11 error.
 SEC_ERROR_BAD_CRL_DP_URL=Invalid or unsupported URL in CRL distribution point name.
 SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a signature algorithm that is disabled because it is not secure.
+MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE=The server presented a certificate with a key size that is too small to establish a secure connection.

security/manager/ssl/src/nsUsageArrayHelper.cpp

@@ -150,6 +150,7 @@ nsUsageArrayHelper::verifyFailed(uint32_t *_verified, int err)
   case SEC_ERROR_INADEQUATE_CERT_TYPE:
   case SEC_ERROR_CA_CERT_INVALID:
   case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
+  case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
     *_verified = nsNSSCertificate::USAGE_NOT_ALLOWED; break;
   /* These are the cases that have individual error messages */
   case SEC_ERROR_REVOKED_CERTIFICATE:

security/manager/ssl/tests/unit/head_psm.js

@@ -60,6 +60,7 @@ const SSL_ERROR_BAD_CERT_DOMAIN                         = SSL_ERROR_BASE +  12;
 const SSL_ERROR_BAD_CERT_ALERT                          = SSL_ERROR_BASE +  17;
 
 const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE            = MOZILLA_PKIX_ERROR_BASE +   0;
+const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE            = MOZILLA_PKIX_ERROR_BASE +   2; // -16382
 
 // Supported Certificate Usages
 const certificateUsageSSLClient              = 0x0001;

security/manager/ssl/tests/unit/test_keysize.js

@@ -44,12 +44,12 @@ function check_ok_ca(cert) {
 }
 
 function check_fail(cert) {
-  return check_cert_err(cert, SEC_ERROR_INVALID_KEY);
+  return check_cert_err(cert, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 }
 
 function check_fail_ca(cert) {
   return check_cert_err_generic(cert,
-                                SEC_ERROR_INVALID_KEY,
+                                MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE,
                                 certificateUsageSSLCA);
 }
 

security/manager/ssl/tests/unit/test_ocsp_stapling.js

@@ -141,7 +141,8 @@ function add_tests(certDB, otherTestCA) {
   // Check that OCSP responder certificates with key sizes below 1024 bits are
   // rejected, even when the main certificate chain keys are at least 1024 bits.
   add_ocsp_test("keysize-ocsp-delegated.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_INVALID_KEY), true);
+                getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE),
+                true);
 }
 
 function check_ocsp_stapling_telemetry() {

security/pkix/include/pkix/Result.h

@@ -78,6 +78,7 @@ MOZILLA_PKIX_ENUM_CLASS Result
   ERROR_UNSUPPORTED_KEYALG = 37,
   ERROR_EXPIRED_ISSUER_CERTIFICATE = 38,
   ERROR_CA_CERT_USED_AS_END_ENTITY = 39,
+  ERROR_INADEQUATE_KEY_SIZE = 40,
 
   // Keep this in sync with MAP_LIST in pkixnss.cpp
 

security/pkix/include/pkix/pkixnss.h

@@ -72,7 +72,8 @@ static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
 
 enum ErrorCode {
   MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
-  MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1
+  MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
+  MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2
 };
 
 void RegisterErrorTable();

security/pkix/lib/pkixnss.cpp

@@ -64,8 +64,7 @@ CheckPublicKeySize(Input subjectPublicKeyInfo,
     case rsaKey:
       // TODO(bug 622859): Enforce a minimum of 2048 bits for EV certs.
       if (SECKEY_PublicKeyStrengthInBits(publicKey.get()) < MINIMUM_NON_ECC_BITS) {
-        // TODO(bug 1031946): Create a new error code.
-        return Result::ERROR_INVALID_KEY;
+        return Result::ERROR_INADEQUATE_KEY_SIZE;
       }
       break;
     case nullKey:
@@ -232,6 +231,7 @@ DigestBuf(Input item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
     MAP(Result::ERROR_UNSUPPORTED_KEYALG, SEC_ERROR_UNSUPPORTED_KEYALG) \
     MAP(Result::ERROR_EXPIRED_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
     MAP(Result::ERROR_CA_CERT_USED_AS_END_ENTITY, MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
+    MAP(Result::ERROR_INADEQUATE_KEY_SIZE, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE) \
     MAP(Result::FATAL_ERROR_INVALID_ARGS, SEC_ERROR_INVALID_ARGS) \
     MAP(Result::FATAL_ERROR_INVALID_STATE, PR_INVALID_STATE_ERROR) \
     MAP(Result::FATAL_ERROR_LIBRARY_FAILURE, SEC_ERROR_LIBRARY_FAILURE) \
@@ -302,7 +302,10 @@ RegisterErrorTable()
     { "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY",
       "The server uses a certificate with a basic constraints extension "
       "identifying it as a certificate authority. For a properly-issued "
-      "certificate, this should not be the case." }
+      "certificate, this should not be the case." },
+    { "MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE",
+      "The server presented a certificate with a key size that is too small "
+      "to establish a secure connection." }
   };
 
   static const struct PRErrorTable ErrorTable = {