bug 1040446 - mozilla::pkix: add error code for CA cert used as end-entity cert r=briansmith

2024-09-13 09:24:08 -07:00 · 2014-08-11 12:35:45 -07:00 · 2014-08-11 12:35:45 -07:00 · fb25ddfa4c
commit fb25ddfa4c
parent 46a53f7d64
5 changed files with 18 additions and 17 deletions
--- a/security/manager/ssl/src/nsUsageArrayHelper.cpp
+++ b/security/manager/ssl/src/nsUsageArrayHelper.cpp
@ -6,14 +6,14 @@

 #include "mozilla/Assertions.h"
 #include "nsCOMPtr.h"
-#include "nsIDateTimeFormat.h"
-#include "nsDateTimeFormatCID.h"
 #include "nsComponentManagerUtils.h"
-#include "nsReadableUtils.h"
+#include "nsDateTimeFormatCID.h"
+#include "nsIDateTimeFormat.h"
 #include "nsNSSCertificate.h"
+#include "nsReadableUtils.h"
 #include "nsServiceManagerUtils.h"
-
 #include "nspr.h"
+#include "pkix/pkixnss.h"
 #include "secerr.h"

 using namespace mozilla;
@ -149,6 +149,7 @@ nsUsageArrayHelper::verifyFailed(uint32_t *_verified, int err)
  case SEC_ERROR_INADEQUATE_KEY_USAGE:
  case SEC_ERROR_INADEQUATE_CERT_TYPE:
  case SEC_ERROR_CA_CERT_INVALID:
+  case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
    *_verified = nsNSSCertificate::USAGE_NOT_ALLOWED; break;
  /* These are the cases that have individual error messages */
  case SEC_ERROR_REVOKED_CERTIFICATE:
--- a/security/pkix/include/pkix/Result.h
+++ b/security/pkix/include/pkix/Result.h
@ -77,6 +77,7 @@ MOZILLA_PKIX_ENUM_CLASS Result
  ERROR_INVALID_KEY = 36,
  ERROR_UNSUPPORTED_KEYALG = 37,
  ERROR_EXPIRED_ISSUER_CERTIFICATE = 38,
+  ERROR_CA_CERT_USED_AS_END_ENTITY = 39,

  // Keep this in sync with MAP_LIST in pkixnss.cpp

--- a/security/pkix/include/pkix/pkixnss.h
+++ b/security/pkix/include/pkix/pkixnss.h
@ -71,7 +71,8 @@ static const PRErrorCode ERROR_BASE = -0x4000;
 static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;

 enum ErrorCode {
-  MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0
+  MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
+  MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1
 };

 void RegisterErrorTable();
--- a/security/pkix/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@ -362,17 +362,10 @@ CheckBasicConstraints(EndEntityOrCA endEntityOrCA,
    // CA certificates are not trusted as EE certs.

    if (isCA) {
-      // TODO(bug 1040446): We use Result::ERROR_CA_CERT_INVALID here so we can
-      // distinguish this error from other errors, given that NSS does not have
-      // a "CA cert used as end-entity" error code since it doesn't have such a
-      // prohibition. We should add such an error code and stop abusing
-      // Result::ERROR_CA_CERT_INVALID this way.
-      //
-      // Note, in particular, that this check prevents a delegated OCSP
-      // response signing certificate with the CA bit from successfully
-      // validating when we check it from pkixocsp.cpp, which is a good thing.
-      //
-      return Result::ERROR_CA_CERT_INVALID;
+      // Note that this check prevents a delegated OCSP response signing
+      // certificate with the CA bit from successfully validating when we check
+      // it from pkixocsp.cpp, which is a good thing.
+      return Result::ERROR_CA_CERT_USED_AS_END_ENTITY;
    }

    return Success;
--- a/security/pkix/lib/pkixnss.cpp
+++ b/security/pkix/lib/pkixnss.cpp
@ -231,6 +231,7 @@ DigestBuf(Input item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
    MAP(Result::ERROR_INVALID_KEY, SEC_ERROR_INVALID_KEY) \
    MAP(Result::ERROR_UNSUPPORTED_KEYALG, SEC_ERROR_UNSUPPORTED_KEYALG) \
    MAP(Result::ERROR_EXPIRED_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
+    MAP(Result::ERROR_CA_CERT_USED_AS_END_ENTITY, MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
    MAP(Result::FATAL_ERROR_INVALID_ARGS, SEC_ERROR_INVALID_ARGS) \
    MAP(Result::FATAL_ERROR_INVALID_STATE, PR_INVALID_STATE_ERROR) \
    MAP(Result::FATAL_ERROR_LIBRARY_FAILURE, SEC_ERROR_LIBRARY_FAILURE) \
@ -297,7 +298,11 @@ RegisterErrorTable()
    { "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE",
      "The server uses key pinning (HPKP) but no trusted certificate chain "
      "could be constructed that matches the pinset. Key pinning violations "
-      "cannot be overridden." }
+      "cannot be overridden." },
+    { "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY",
+      "The server uses a certificate with a basic constraints extension "
+      "identifying it as a certificate authority. For a properly-issued "
+      "certificate, this should not be the case." }
  };

  static const struct PRErrorTable ErrorTable = {