mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
bug 1040446 - mozilla::pkix: add error code for CA cert used as end-entity cert r=briansmith
This commit is contained in:
parent
46a53f7d64
commit
fb25ddfa4c
@ -6,14 +6,14 @@
|
||||
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "nsCOMPtr.h"
|
||||
#include "nsIDateTimeFormat.h"
|
||||
#include "nsDateTimeFormatCID.h"
|
||||
#include "nsComponentManagerUtils.h"
|
||||
#include "nsReadableUtils.h"
|
||||
#include "nsDateTimeFormatCID.h"
|
||||
#include "nsIDateTimeFormat.h"
|
||||
#include "nsNSSCertificate.h"
|
||||
#include "nsReadableUtils.h"
|
||||
#include "nsServiceManagerUtils.h"
|
||||
|
||||
#include "nspr.h"
|
||||
#include "pkix/pkixnss.h"
|
||||
#include "secerr.h"
|
||||
|
||||
using namespace mozilla;
|
||||
@ -149,6 +149,7 @@ nsUsageArrayHelper::verifyFailed(uint32_t *_verified, int err)
|
||||
case SEC_ERROR_INADEQUATE_KEY_USAGE:
|
||||
case SEC_ERROR_INADEQUATE_CERT_TYPE:
|
||||
case SEC_ERROR_CA_CERT_INVALID:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
||||
*_verified = nsNSSCertificate::USAGE_NOT_ALLOWED; break;
|
||||
/* These are the cases that have individual error messages */
|
||||
case SEC_ERROR_REVOKED_CERTIFICATE:
|
||||
|
@ -77,6 +77,7 @@ MOZILLA_PKIX_ENUM_CLASS Result
|
||||
ERROR_INVALID_KEY = 36,
|
||||
ERROR_UNSUPPORTED_KEYALG = 37,
|
||||
ERROR_EXPIRED_ISSUER_CERTIFICATE = 38,
|
||||
ERROR_CA_CERT_USED_AS_END_ENTITY = 39,
|
||||
|
||||
// Keep this in sync with MAP_LIST in pkixnss.cpp
|
||||
|
||||
|
@ -71,7 +71,8 @@ static const PRErrorCode ERROR_BASE = -0x4000;
|
||||
static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
|
||||
|
||||
enum ErrorCode {
|
||||
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0
|
||||
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
|
||||
MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1
|
||||
};
|
||||
|
||||
void RegisterErrorTable();
|
||||
|
@ -362,17 +362,10 @@ CheckBasicConstraints(EndEntityOrCA endEntityOrCA,
|
||||
// CA certificates are not trusted as EE certs.
|
||||
|
||||
if (isCA) {
|
||||
// TODO(bug 1040446): We use Result::ERROR_CA_CERT_INVALID here so we can
|
||||
// distinguish this error from other errors, given that NSS does not have
|
||||
// a "CA cert used as end-entity" error code since it doesn't have such a
|
||||
// prohibition. We should add such an error code and stop abusing
|
||||
// Result::ERROR_CA_CERT_INVALID this way.
|
||||
//
|
||||
// Note, in particular, that this check prevents a delegated OCSP
|
||||
// response signing certificate with the CA bit from successfully
|
||||
// validating when we check it from pkixocsp.cpp, which is a good thing.
|
||||
//
|
||||
return Result::ERROR_CA_CERT_INVALID;
|
||||
// Note that this check prevents a delegated OCSP response signing
|
||||
// certificate with the CA bit from successfully validating when we check
|
||||
// it from pkixocsp.cpp, which is a good thing.
|
||||
return Result::ERROR_CA_CERT_USED_AS_END_ENTITY;
|
||||
}
|
||||
|
||||
return Success;
|
||||
|
@ -231,6 +231,7 @@ DigestBuf(Input item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
|
||||
MAP(Result::ERROR_INVALID_KEY, SEC_ERROR_INVALID_KEY) \
|
||||
MAP(Result::ERROR_UNSUPPORTED_KEYALG, SEC_ERROR_UNSUPPORTED_KEYALG) \
|
||||
MAP(Result::ERROR_EXPIRED_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
|
||||
MAP(Result::ERROR_CA_CERT_USED_AS_END_ENTITY, MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
|
||||
MAP(Result::FATAL_ERROR_INVALID_ARGS, SEC_ERROR_INVALID_ARGS) \
|
||||
MAP(Result::FATAL_ERROR_INVALID_STATE, PR_INVALID_STATE_ERROR) \
|
||||
MAP(Result::FATAL_ERROR_LIBRARY_FAILURE, SEC_ERROR_LIBRARY_FAILURE) \
|
||||
@ -297,7 +298,11 @@ RegisterErrorTable()
|
||||
{ "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE",
|
||||
"The server uses key pinning (HPKP) but no trusted certificate chain "
|
||||
"could be constructed that matches the pinset. Key pinning violations "
|
||||
"cannot be overridden." }
|
||||
"cannot be overridden." },
|
||||
{ "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY",
|
||||
"The server uses a certificate with a basic constraints extension "
|
||||
"identifying it as a certificate authority. For a properly-issued "
|
||||
"certificate, this should not be the case." }
|
||||
};
|
||||
|
||||
static const struct PRErrorTable ErrorTable = {
|
||||
|
Loading…
Reference in New Issue
Block a user