diff --git a/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties index 188222a2c63..4567761d82f 100644 --- a/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties +++ b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties @@ -299,3 +299,4 @@ SEC_ERROR_LOCKED_PASSWORD=The password is locked. SEC_ERROR_UNKNOWN_PKCS11_ERROR=Unknown PKCS #11 error. SEC_ERROR_BAD_CRL_DP_URL=Invalid or unsupported URL in CRL distribution point name. SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a signature algorithm that is disabled because it is not secure. +MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE=The server presented a certificate with a key size that is too small to establish a secure connection. diff --git a/security/manager/ssl/src/nsUsageArrayHelper.cpp b/security/manager/ssl/src/nsUsageArrayHelper.cpp index e5a89537719..5777a4e6d68 100644 --- a/security/manager/ssl/src/nsUsageArrayHelper.cpp +++ b/security/manager/ssl/src/nsUsageArrayHelper.cpp @@ -150,6 +150,7 @@ nsUsageArrayHelper::verifyFailed(uint32_t *_verified, int err) case SEC_ERROR_INADEQUATE_CERT_TYPE: case SEC_ERROR_CA_CERT_INVALID: case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: + case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE: *_verified = nsNSSCertificate::USAGE_NOT_ALLOWED; break; /* These are the cases that have individual error messages */ case SEC_ERROR_REVOKED_CERTIFICATE: diff --git a/security/manager/ssl/tests/unit/head_psm.js b/security/manager/ssl/tests/unit/head_psm.js index c62073572a4..9741ea82090 100644 --- a/security/manager/ssl/tests/unit/head_psm.js +++ b/security/manager/ssl/tests/unit/head_psm.js 
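Review bot: In nsUsageArrayHelper.cpp, the new `case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:` joins the group that sets `USAGE_NOT_ALLOWED`, which sits before the comment marking the cases that have individual error messages. A certificate rejected for a weak key would therefore be reported the same way as one with the wrong certificate type, even though this commit adds a dedicated string for the new code. If that is intended, a short comment on the group would record it, for example `/* Key too small: reported as "usage not allowed", no individual message */`. verifyFailed starts and ends outside this hunk, so the rest of the switch could not be checked.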
@@ -60,6 +60,7 @@ const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12; const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17; const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0; +const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2; // -16382 // Supported Certificate Usages const certificateUsageSSLClient = 0x0001; diff --git a/security/manager/ssl/tests/unit/test_keysize.js b/security/manager/ssl/tests/unit/test_keysize.js index 4333194dbe9..0006d9fcf3f 100644 --- a/security/manager/ssl/tests/unit/test_keysize.js +++ b/security/manager/ssl/tests/unit/test_keysize.js @@ -44,12 +44,12 @@ function check_ok_ca(cert) { } function check_fail(cert) { - return check_cert_err(cert, SEC_ERROR_INVALID_KEY); + return check_cert_err(cert, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE); } function check_fail_ca(cert) { return check_cert_err_generic(cert, - SEC_ERROR_INVALID_KEY, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE, certificateUsageSSLCA); } diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling.js b/security/manager/ssl/tests/unit/test_ocsp_stapling.js index 5591560602c..0f843b730df 100644 --- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js @@ -141,7 +141,8 @@ function add_tests(certDB, otherTestCA) { // Check that OCSP responder certificates with key sizes below 1024 bits are // rejected, even when the main certificate chain keys are at least 1024 bits. add_ocsp_test("keysize-ocsp-delegated.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_INVALID_KEY), true); + getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE), + true); } function check_ocsp_stapling_telemetry() { diff --git a/security/pkix/include/pkix/Result.h b/security/pkix/include/pkix/Result.h index 1fff4c64569..19dca5cfc15 100644 --- a/security/pkix/include/pkix/Result.h +++ b/security/pkix/include/pkix/Result.h 
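Review bot: In head_psm.js, `MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2` is a hand-copied mirror of the `ErrorCode` enum in pkixnss.h, and nothing visible ties the two together. The message entry appended in RegisterErrorTable in pkixnss.cpp appears to depend on the same ordering. If the offsets drift, test_keysize.js and test_ocsp_stapling.js would compare against the wrong error code rather than fail to load. I would add `// Keep in sync with enum ErrorCode in security/pkix/include/pkix/pkixnss.h` above these constants, and a matching comment on the enum and the message table.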
@@ -78,6 +78,7 @@ MOZILLA_PKIX_ENUM_CLASS Result ERROR_UNSUPPORTED_KEYALG = 37, ERROR_EXPIRED_ISSUER_CERTIFICATE = 38, ERROR_CA_CERT_USED_AS_END_ENTITY = 39, + ERROR_INADEQUATE_KEY_SIZE = 40, // Keep this in sync with MAP_LIST in pkixnss.cpp diff --git a/security/pkix/include/pkix/pkixnss.h b/security/pkix/include/pkix/pkixnss.h index 721e7f04834..7dfef1175fa 100644 --- a/security/pkix/include/pkix/pkixnss.h +++ b/security/pkix/include/pkix/pkixnss.h @@ -72,7 +72,8 @@ static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000; enum ErrorCode { MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0, - MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1 + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2 }; void RegisterErrorTable(); diff --git a/security/pkix/lib/pkixnss.cpp b/security/pkix/lib/pkixnss.cpp index 8b66902f734..477c75f91ee 100644 --- a/security/pkix/lib/pkixnss.cpp +++ b/security/pkix/lib/pkixnss.cpp @@ -64,8 +64,7 @@ CheckPublicKeySize(Input subjectPublicKeyInfo, case rsaKey: // TODO(bug 622859): Enforce a minimum of 2048 bits for EV certs. if (SECKEY_PublicKeyStrengthInBits(publicKey.get()) < MINIMUM_NON_ECC_BITS) { - // TODO(bug 1031946): Create a new error code. - return Result::ERROR_INVALID_KEY; + return Result::ERROR_INADEQUATE_KEY_SIZE; } break; case nullKey: 
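Review bot: In CheckPublicKeySize in pkixnss.cpp, returning `Result::ERROR_INADEQUATE_KEY_SIZE` instead of `Result::ERROR_INVALID_KEY` changes the code seen by every consumer that previously matched `SEC_ERROR_INVALID_KEY`, and this diff updates only verifyFailed in nsUsageArrayHelper.cpp. Code that classifies certificate errors (override eligibility, telemetry buckets) is not visible here. It should be checked so that a key below `MINIMUM_NON_ECC_BITS` cannot fall into a default branch with weaker handling than before. A comment at the return would record the distinction, for example `// Key parsed correctly but is below MINIMUM_NON_ECC_BITS; distinct from ERROR_INVALID_KEY.` The function body extends beyond this hunk on both sides.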
@@ -232,6 +231,7 @@ DigestBuf(Input item, /*out*/ uint8_t* digestBuf, size_t digestBufLen) MAP(Result::ERROR_UNSUPPORTED_KEYALG, SEC_ERROR_UNSUPPORTED_KEYALG) \ MAP(Result::ERROR_EXPIRED_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \ MAP(Result::ERROR_CA_CERT_USED_AS_END_ENTITY, MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \ + MAP(Result::ERROR_INADEQUATE_KEY_SIZE, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE) \ MAP(Result::FATAL_ERROR_INVALID_ARGS, SEC_ERROR_INVALID_ARGS) \ MAP(Result::FATAL_ERROR_INVALID_STATE, PR_INVALID_STATE_ERROR) \ MAP(Result::FATAL_ERROR_LIBRARY_FAILURE, SEC_ERROR_LIBRARY_FAILURE) \ @@ -302,7 +302,10 @@ RegisterErrorTable() { "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY", "The server uses a certificate with a basic constraints extension " "identifying it as a certificate authority. For a properly-issued " - "certificate, this should not be the case." } + "certificate, this should not be the case." }, + { "MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE", + "The server presented a certificate with a key size that is too small " + "to establish a secure connection." } }; static const struct PRErrorTable ErrorTable = {
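Review bot: The message added in RegisterErrorTable says "The server presented a certificate with a key size that is too small", but the tests in this commit expect the same code for CA certificates (`check_fail_ca`) and for a delegated OCSP responder certificate whose main chain is acceptable. In those cases the text may point the reader at the wrong certificate. A wording that does not single out the server certificate would fit all three, for example `"A certificate used to verify this connection has a key size that is too small to be secure."`. The string in nsserrors.properties would need the same change.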