2012-05-31 13:33:35 +04:00
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
2010-10-28 19:46:00 +04:00
|
|
|
|
|
|
|
#include "NSSErrorsService.h"
|
|
|
|
|
|
|
|
#include "nsNSSComponent.h"
|
|
|
|
#include "nsServiceManagerUtils.h"
|
2018-10-02 15:59:34 +03:00
|
|
|
#include "mozpkix/pkixnss.h"
|
2010-10-28 19:46:00 +04:00
|
|
|
#include "secerr.h"
|
|
|
|
#include "sslerr.h"
|
|
|
|
|
|
|
|
#define PIPNSS_STRBUNDLE_URL "chrome://pipnss/locale/pipnss.properties"
|
|
|
|
#define NSSERR_STRBUNDLE_URL "chrome://pipnss/locale/nsserrors.properties"
|
|
|
|
|
|
|
|
namespace mozilla {
|
|
|
|
namespace psm {
|
|
|
|
|
2014-07-18 22:48:49 +04:00
|
|
|
static_assert(mozilla::pkix::ERROR_BASE ==
|
|
|
|
nsINSSErrorsService::MOZILLA_PKIX_ERROR_BASE,
|
|
|
|
"MOZILLA_PKIX_ERROR_BASE and "
|
|
|
|
"nsINSSErrorsService::MOZILLA_PKIX_ERROR_BASE do not match.");
|
|
|
|
static_assert(mozilla::pkix::ERROR_LIMIT ==
|
|
|
|
nsINSSErrorsService::MOZILLA_PKIX_ERROR_LIMIT,
|
|
|
|
"MOZILLA_PKIX_ERROR_LIMIT and "
|
|
|
|
"nsINSSErrorsService::MOZILLA_PKIX_ERROR_LIMIT do not match.");
|
2014-05-29 02:28:03 +04:00
|
|
|
|
|
|
|
static bool
|
|
|
|
IsPSMError(PRErrorCode error)
|
|
|
|
{
|
2014-07-18 22:48:49 +04:00
|
|
|
return (error >= mozilla::pkix::ERROR_BASE &&
|
|
|
|
error < mozilla::pkix::ERROR_LIMIT);
|
2014-05-29 02:28:03 +04:00
|
|
|
}
|
|
|
|
|
2014-04-27 11:06:00 +04:00
|
|
|
NS_IMPL_ISUPPORTS(NSSErrorsService, nsINSSErrorsService)
|
2011-02-17 00:37:53 +03:00
|
|
|
|
2014-05-30 07:18:17 +04:00
|
|
|
NSSErrorsService::~NSSErrorsService() { }
|
|
|
|
|
2010-10-28 19:46:00 +04:00
|
|
|
nsresult
|
|
|
|
NSSErrorsService::Init()
|
|
|
|
{
|
|
|
|
nsresult rv;
|
|
|
|
nsCOMPtr<nsIStringBundleService> bundleService(do_GetService(NS_STRINGBUNDLE_CONTRACTID, &rv));
|
2017-07-06 15:00:35 +03:00
|
|
|
if (NS_FAILED(rv) || !bundleService)
|
2010-10-28 19:46:00 +04:00
|
|
|
return NS_ERROR_FAILURE;
|
2017-07-06 15:00:35 +03:00
|
|
|
|
2010-10-28 19:46:00 +04:00
|
|
|
bundleService->CreateBundle(PIPNSS_STRBUNDLE_URL,
|
|
|
|
getter_AddRefs(mPIPNSSBundle));
|
|
|
|
if (!mPIPNSSBundle)
|
|
|
|
rv = NS_ERROR_FAILURE;
|
|
|
|
|
|
|
|
bundleService->CreateBundle(NSSERR_STRBUNDLE_URL,
|
|
|
|
getter_AddRefs(mNSSErrorsBundle));
|
|
|
|
if (!mNSSErrorsBundle)
|
|
|
|
rv = NS_ERROR_FAILURE;
|
|
|
|
|
|
|
|
return rv;
|
|
|
|
}
|
2011-02-17 00:37:53 +03:00
|
|
|
|
2010-10-28 19:46:00 +04:00
|
|
|
#define EXPECTED_SEC_ERROR_BASE (-0x2000)
|
|
|
|
#define EXPECTED_SSL_ERROR_BASE (-0x3000)
|
|
|
|
|
|
|
|
#if SEC_ERROR_BASE != EXPECTED_SEC_ERROR_BASE || SSL_ERROR_BASE != EXPECTED_SSL_ERROR_BASE
|
|
|
|
#error "Unexpected change of error code numbers in lib NSS, please adjust the mapping code"
|
|
|
|
/*
|
|
|
|
* Please ensure the NSS error codes are mapped into the positive range 0x1000 to 0xf000
|
|
|
|
* Search for NS_ERROR_MODULE_SECURITY to ensure there are no conflicts.
|
|
|
|
* The current code also assumes that NSS library error codes are negative.
|
|
|
|
*/
|
|
|
|
#endif
|
|
|
|
|
2014-05-29 02:28:03 +04:00
|
|
|
bool
|
|
|
|
IsNSSErrorCode(PRErrorCode code)
|
|
|
|
{
|
|
|
|
return IS_SEC_ERROR(code) || IS_SSL_ERROR(code) || IsPSMError(code);
|
|
|
|
}
|
|
|
|
|
|
|
|
nsresult
|
|
|
|
GetXPCOMFromNSSError(PRErrorCode code)
|
|
|
|
{
|
|
|
|
if (!code) {
|
|
|
|
MOZ_CRASH("Function failed without calling PR_GetError");
|
|
|
|
}
|
|
|
|
|
|
|
|
// The error codes within each module must be a 16 bit value.
|
|
|
|
// For simplicity we use the positive value of the NSS code.
|
|
|
|
return (nsresult)NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY,
|
|
|
|
-1 * code);
|
|
|
|
}
|
|
|
|
|
2010-10-28 19:46:00 +04:00
|
|
|
NS_IMETHODIMP
|
2012-08-22 19:56:38 +04:00
|
|
|
NSSErrorsService::IsNSSErrorCode(int32_t aNSPRCode, bool *_retval)
|
2010-10-28 19:46:00 +04:00
|
|
|
{
|
2014-05-29 02:28:03 +04:00
|
|
|
if (!_retval) {
|
|
|
|
return NS_ERROR_INVALID_ARG;
|
|
|
|
}
|
2010-10-28 19:46:00 +04:00
|
|
|
|
2014-05-29 02:28:03 +04:00
|
|
|
*_retval = mozilla::psm::IsNSSErrorCode(aNSPRCode);
|
2010-10-28 19:46:00 +04:00
|
|
|
return NS_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2012-08-22 19:56:38 +04:00
|
|
|
NSSErrorsService::GetXPCOMFromNSSError(int32_t aNSPRCode, nsresult *aXPCOMErrorCode)
|
2010-10-28 19:46:00 +04:00
|
|
|
{
|
2014-05-29 02:28:03 +04:00
|
|
|
if (!aXPCOMErrorCode) {
|
|
|
|
return NS_ERROR_INVALID_ARG;
|
|
|
|
}
|
2010-10-28 19:46:00 +04:00
|
|
|
|
2014-05-29 02:28:03 +04:00
|
|
|
if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
|
2010-10-28 19:46:00 +04:00
|
|
|
return NS_ERROR_INVALID_ARG;
|
2014-05-29 02:28:03 +04:00
|
|
|
}
|
2010-10-28 19:46:00 +04:00
|
|
|
|
2014-05-29 02:28:03 +04:00
|
|
|
*aXPCOMErrorCode = mozilla::psm::GetXPCOMFromNSSError(aNSPRCode);
|
2010-10-28 19:46:00 +04:00
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2012-08-22 19:56:38 +04:00
|
|
|
NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode, uint32_t *aErrorClass)
|
2010-10-28 19:46:00 +04:00
|
|
|
{
|
|
|
|
NS_ENSURE_ARG(aErrorClass);
|
|
|
|
|
2014-05-29 02:28:03 +04:00
|
|
|
if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY ||
|
|
|
|
NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) {
|
2010-10-28 19:46:00 +04:00
|
|
|
return NS_ERROR_FAILURE;
|
2014-05-29 02:28:03 +04:00
|
|
|
}
|
2017-07-06 15:00:35 +03:00
|
|
|
|
2012-08-22 19:56:38 +04:00
|
|
|
int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode);
|
2010-10-28 19:46:00 +04:00
|
|
|
|
2014-05-29 02:28:03 +04:00
|
|
|
if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
|
2010-10-28 19:46:00 +04:00
|
|
|
return NS_ERROR_FAILURE;
|
2014-05-29 02:28:03 +04:00
|
|
|
}
|
2010-10-28 19:46:00 +04:00
|
|
|
|
2015-01-24 01:04:44 +03:00
|
|
|
if (mozilla::psm::ErrorIsOverridable(aNSPRCode)) {
|
|
|
|
*aErrorClass = ERROR_CLASS_BAD_CERT;
|
|
|
|
} else {
|
|
|
|
*aErrorClass = ERROR_CLASS_SSL_PROTOCOL;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool
|
|
|
|
ErrorIsOverridable(PRErrorCode code)
|
|
|
|
{
|
|
|
|
switch (code)
|
2010-10-28 19:46:00 +04:00
|
|
|
{
|
2014-04-16 02:35:41 +04:00
|
|
|
// Overridable errors.
|
2018-02-27 22:21:51 +03:00
|
|
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
|
2014-08-22 23:07:08 +04:00
|
|
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
2016-07-29 04:36:18 +03:00
|
|
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME:
|
2014-11-11 02:59:00 +03:00
|
|
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
|
2018-03-16 13:36:50 +03:00
|
|
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
|
2015-02-06 22:18:20 +03:00
|
|
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
|
|
|
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
|
2018-03-29 12:51:33 +03:00
|
|
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
|
2015-02-18 23:56:00 +03:00
|
|
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
|
2015-03-11 21:11:22 +03:00
|
|
|
case SEC_ERROR_CA_CERT_INVALID:
|
2015-02-18 23:56:00 +03:00
|
|
|
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
|
|
|
case SEC_ERROR_EXPIRED_CERTIFICATE:
|
|
|
|
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
|
|
|
|
case SEC_ERROR_INVALID_TIME:
|
|
|
|
case SEC_ERROR_UNKNOWN_ISSUER:
|
|
|
|
case SSL_ERROR_BAD_CERT_DOMAIN:
|
2015-01-24 01:04:44 +03:00
|
|
|
return true;
|
2014-04-16 02:35:41 +04:00
|
|
|
// Non-overridable errors.
|
2010-10-28 19:46:00 +04:00
|
|
|
default:
|
2015-01-24 01:04:44 +03:00
|
|
|
return false;
|
2010-10-28 19:46:00 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-06-02 02:23:17 +03:00
|
|
|
static const char*
|
|
|
|
getOverrideErrorStringName(PRErrorCode aErrorCode)
|
|
|
|
{
|
|
|
|
switch (aErrorCode) {
|
|
|
|
case SSL_ERROR_SSL_DISABLED:
|
|
|
|
return "PSMERR_SSL_Disabled";
|
|
|
|
case SSL_ERROR_SSL2_DISABLED:
|
|
|
|
return "PSMERR_SSL2_Disabled";
|
|
|
|
case SEC_ERROR_REUSED_ISSUER_AND_SERIAL:
|
|
|
|
return "PSMERR_HostReusedIssuerSerial";
|
|
|
|
case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
|
|
|
|
return "certErrorTrust_MitM";
|
|
|
|
default:
|
|
|
|
return nullptr;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-10-28 19:46:00 +04:00
|
|
|
NS_IMETHODIMP
|
|
|
|
NSSErrorsService::GetErrorMessage(nsresult aXPCOMErrorCode, nsAString &aErrorMessage)
|
|
|
|
{
|
2014-05-29 02:28:03 +04:00
|
|
|
if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY ||
|
|
|
|
NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) {
|
2010-10-28 19:46:00 +04:00
|
|
|
return NS_ERROR_FAILURE;
|
2014-05-29 02:28:03 +04:00
|
|
|
}
|
2017-07-06 15:00:35 +03:00
|
|
|
|
2012-08-22 19:56:38 +04:00
|
|
|
int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode);
|
2010-10-28 19:46:00 +04:00
|
|
|
|
2014-05-29 02:28:03 +04:00
|
|
|
if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
|
2010-10-28 19:46:00 +04:00
|
|
|
return NS_ERROR_FAILURE;
|
2014-05-29 02:28:03 +04:00
|
|
|
}
|
2010-10-28 19:46:00 +04:00
|
|
|
|
|
|
|
nsCOMPtr<nsIStringBundle> theBundle = mPIPNSSBundle;
|
2018-06-02 02:23:17 +03:00
|
|
|
const char* idStr = getOverrideErrorStringName(aNSPRCode);
|
2010-10-28 19:46:00 +04:00
|
|
|
|
2018-06-02 02:23:17 +03:00
|
|
|
if (!idStr) {
|
|
|
|
idStr = PR_ErrorToName(aNSPRCode);
|
2010-10-28 19:46:00 +04:00
|
|
|
theBundle = mNSSErrorsBundle;
|
|
|
|
}
|
|
|
|
|
2018-06-02 02:23:17 +03:00
|
|
|
if (!idStr || !theBundle) {
|
2010-10-28 19:46:00 +04:00
|
|
|
return NS_ERROR_FAILURE;
|
2014-05-29 02:28:03 +04:00
|
|
|
}
|
2010-10-28 19:46:00 +04:00
|
|
|
|
|
|
|
nsAutoString msg;
|
2018-06-02 02:23:17 +03:00
|
|
|
nsresult rv = theBundle->GetStringFromName(idStr, msg);
|
2010-10-28 19:46:00 +04:00
|
|
|
if (NS_SUCCEEDED(rv)) {
|
|
|
|
aErrorMessage = msg;
|
|
|
|
}
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
2015-07-13 18:25:42 +03:00
|
|
|
} // namespace psm
|
|
|
|
} // namespace mozilla
|