mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
Bug 1052257 - Add and use error code specific to inadequate key sizes. r=keeler
This commit is contained in:
parent
fec0e6e81c
commit
60bbf0d3c1
@ -299,3 +299,4 @@ SEC_ERROR_LOCKED_PASSWORD=The password is locked.
|
|||||||
SEC_ERROR_UNKNOWN_PKCS11_ERROR=Unknown PKCS #11 error.
|
SEC_ERROR_UNKNOWN_PKCS11_ERROR=Unknown PKCS #11 error.
|
||||||
SEC_ERROR_BAD_CRL_DP_URL=Invalid or unsupported URL in CRL distribution point name.
|
SEC_ERROR_BAD_CRL_DP_URL=Invalid or unsupported URL in CRL distribution point name.
|
||||||
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a signature algorithm that is disabled because it is not secure.
|
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a signature algorithm that is disabled because it is not secure.
|
||||||
|
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE=The server presented a certificate with a key size that is too small to establish a secure connection.
|
||||||
|
@ -150,6 +150,7 @@ nsUsageArrayHelper::verifyFailed(uint32_t *_verified, int err)
|
|||||||
case SEC_ERROR_INADEQUATE_CERT_TYPE:
|
case SEC_ERROR_INADEQUATE_CERT_TYPE:
|
||||||
case SEC_ERROR_CA_CERT_INVALID:
|
case SEC_ERROR_CA_CERT_INVALID:
|
||||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
||||||
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
|
||||||
*_verified = nsNSSCertificate::USAGE_NOT_ALLOWED; break;
|
*_verified = nsNSSCertificate::USAGE_NOT_ALLOWED; break;
|
||||||
/* These are the cases that have individual error messages */
|
/* These are the cases that have individual error messages */
|
||||||
case SEC_ERROR_REVOKED_CERTIFICATE:
|
case SEC_ERROR_REVOKED_CERTIFICATE:
|
||||||
|
@ -60,6 +60,7 @@ const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12;
|
|||||||
const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
|
const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
|
||||||
|
|
||||||
const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
|
const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
|
||||||
|
const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2; // -16382
|
||||||
|
|
||||||
// Supported Certificate Usages
|
// Supported Certificate Usages
|
||||||
const certificateUsageSSLClient = 0x0001;
|
const certificateUsageSSLClient = 0x0001;
|
||||||
|
@ -44,12 +44,12 @@ function check_ok_ca(cert) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function check_fail(cert) {
|
function check_fail(cert) {
|
||||||
return check_cert_err(cert, SEC_ERROR_INVALID_KEY);
|
return check_cert_err(cert, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
|
||||||
}
|
}
|
||||||
|
|
||||||
function check_fail_ca(cert) {
|
function check_fail_ca(cert) {
|
||||||
return check_cert_err_generic(cert,
|
return check_cert_err_generic(cert,
|
||||||
SEC_ERROR_INVALID_KEY,
|
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE,
|
||||||
certificateUsageSSLCA);
|
certificateUsageSSLCA);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -141,7 +141,8 @@ function add_tests(certDB, otherTestCA) {
|
|||||||
// Check that OCSP responder certificates with key sizes below 1024 bits are
|
// Check that OCSP responder certificates with key sizes below 1024 bits are
|
||||||
// rejected, even when the main certificate chain keys are at least 1024 bits.
|
// rejected, even when the main certificate chain keys are at least 1024 bits.
|
||||||
add_ocsp_test("keysize-ocsp-delegated.example.com",
|
add_ocsp_test("keysize-ocsp-delegated.example.com",
|
||||||
getXPCOMStatusFromNSS(SEC_ERROR_INVALID_KEY), true);
|
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE),
|
||||||
|
true);
|
||||||
}
|
}
|
||||||
|
|
||||||
function check_ocsp_stapling_telemetry() {
|
function check_ocsp_stapling_telemetry() {
|
||||||
|
@ -78,6 +78,7 @@ MOZILLA_PKIX_ENUM_CLASS Result
|
|||||||
ERROR_UNSUPPORTED_KEYALG = 37,
|
ERROR_UNSUPPORTED_KEYALG = 37,
|
||||||
ERROR_EXPIRED_ISSUER_CERTIFICATE = 38,
|
ERROR_EXPIRED_ISSUER_CERTIFICATE = 38,
|
||||||
ERROR_CA_CERT_USED_AS_END_ENTITY = 39,
|
ERROR_CA_CERT_USED_AS_END_ENTITY = 39,
|
||||||
|
ERROR_INADEQUATE_KEY_SIZE = 40,
|
||||||
|
|
||||||
// Keep this in sync with MAP_LIST in pkixnss.cpp
|
// Keep this in sync with MAP_LIST in pkixnss.cpp
|
||||||
|
|
||||||
|
@ -72,7 +72,8 @@ static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
|
|||||||
|
|
||||||
enum ErrorCode {
|
enum ErrorCode {
|
||||||
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
|
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
|
||||||
MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1
|
MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
|
||||||
|
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2
|
||||||
};
|
};
|
||||||
|
|
||||||
void RegisterErrorTable();
|
void RegisterErrorTable();
|
||||||
|
@ -64,8 +64,7 @@ CheckPublicKeySize(Input subjectPublicKeyInfo,
|
|||||||
case rsaKey:
|
case rsaKey:
|
||||||
// TODO(bug 622859): Enforce a minimum of 2048 bits for EV certs.
|
// TODO(bug 622859): Enforce a minimum of 2048 bits for EV certs.
|
||||||
if (SECKEY_PublicKeyStrengthInBits(publicKey.get()) < MINIMUM_NON_ECC_BITS) {
|
if (SECKEY_PublicKeyStrengthInBits(publicKey.get()) < MINIMUM_NON_ECC_BITS) {
|
||||||
// TODO(bug 1031946): Create a new error code.
|
return Result::ERROR_INADEQUATE_KEY_SIZE;
|
||||||
return Result::ERROR_INVALID_KEY;
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case nullKey:
|
case nullKey:
|
||||||
@ -232,6 +231,7 @@ DigestBuf(Input item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
|
|||||||
MAP(Result::ERROR_UNSUPPORTED_KEYALG, SEC_ERROR_UNSUPPORTED_KEYALG) \
|
MAP(Result::ERROR_UNSUPPORTED_KEYALG, SEC_ERROR_UNSUPPORTED_KEYALG) \
|
||||||
MAP(Result::ERROR_EXPIRED_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
|
MAP(Result::ERROR_EXPIRED_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
|
||||||
MAP(Result::ERROR_CA_CERT_USED_AS_END_ENTITY, MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
|
MAP(Result::ERROR_CA_CERT_USED_AS_END_ENTITY, MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
|
||||||
|
MAP(Result::ERROR_INADEQUATE_KEY_SIZE, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE) \
|
||||||
MAP(Result::FATAL_ERROR_INVALID_ARGS, SEC_ERROR_INVALID_ARGS) \
|
MAP(Result::FATAL_ERROR_INVALID_ARGS, SEC_ERROR_INVALID_ARGS) \
|
||||||
MAP(Result::FATAL_ERROR_INVALID_STATE, PR_INVALID_STATE_ERROR) \
|
MAP(Result::FATAL_ERROR_INVALID_STATE, PR_INVALID_STATE_ERROR) \
|
||||||
MAP(Result::FATAL_ERROR_LIBRARY_FAILURE, SEC_ERROR_LIBRARY_FAILURE) \
|
MAP(Result::FATAL_ERROR_LIBRARY_FAILURE, SEC_ERROR_LIBRARY_FAILURE) \
|
||||||
@ -302,7 +302,10 @@ RegisterErrorTable()
|
|||||||
{ "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY",
|
{ "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY",
|
||||||
"The server uses a certificate with a basic constraints extension "
|
"The server uses a certificate with a basic constraints extension "
|
||||||
"identifying it as a certificate authority. For a properly-issued "
|
"identifying it as a certificate authority. For a properly-issued "
|
||||||
"certificate, this should not be the case." }
|
"certificate, this should not be the case." },
|
||||||
|
{ "MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE",
|
||||||
|
"The server presented a certificate with a key size that is too small "
|
||||||
|
"to establish a secure connection." }
|
||||||
};
|
};
|
||||||
|
|
||||||
static const struct PRErrorTable ErrorTable = {
|
static const struct PRErrorTable ErrorTable = {
|
||||||
|
Loading…
Reference in New Issue
Block a user