зеркало из https://github.com/mozilla/gecko-dev.git
bug 1042889 - allow overrides for untrusted x509v1 certificates used as CAs r=mmc
This commit is contained in:
Родитель
0a4f56b330
Коммит
36e798be2b
|
@ -83,6 +83,7 @@ let SSL_ERROR_BAD_CERT_DOMAIN = (SSL_ERROR_BASE + 12);
|
|||
|
||||
let MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
|
||||
let MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = (MOZILLA_PKIX_ERROR_BASE + 1);
|
||||
let MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = (MOZILLA_PKIX_ERROR_BASE + 3);
|
||||
|
||||
function getErrorClass(errorCode) {
|
||||
let NSPRCode = -1 * NS_ERROR_GET_CODE(errorCode);
|
||||
|
@ -96,6 +97,7 @@ function getErrorClass(errorCode) {
|
|||
case SEC_ERROR_EXPIRED_CERTIFICATE:
|
||||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
||||
case MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
||||
case MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
|
||||
return Ci.nsINSSErrorsService.ERROR_CLASS_BAD_CERT;
|
||||
default:
|
||||
return Ci.nsINSSErrorsService.ERROR_CLASS_SSL_PROTOCOL;
|
||||
|
|
|
@ -142,6 +142,7 @@ NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode, uint32_t *aErrorClass)
|
|||
case SEC_ERROR_EXPIRED_CERTIFICATE:
|
||||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
|
||||
*aErrorClass = ERROR_CLASS_BAD_CERT;
|
||||
break;
|
||||
// Non-overridable errors.
|
||||
|
|
|
@ -305,6 +305,7 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
|
|||
case SSL_ERROR_BAD_CERT_DOMAIN: return 9;
|
||||
case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: return 11;
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA: return 12;
|
||||
}
|
||||
NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
|
||||
"handle everything in DetermineCertOverrideErrors?");
|
||||
|
@ -334,6 +335,7 @@ DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
|
|||
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
|
||||
case SEC_ERROR_UNKNOWN_ISSUER:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
|
||||
{
|
||||
collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
|
||||
errorCodeTrust = defaultErrorCodeToReport;
|
||||
|
|
|
@ -151,6 +151,7 @@ nsUsageArrayHelper::verifyFailed(uint32_t *_verified, int err)
|
|||
case SEC_ERROR_CA_CERT_INVALID:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
|
||||
*_verified = nsNSSCertificate::USAGE_NOT_ALLOWED; break;
|
||||
/* These are the cases that have individual error messages */
|
||||
case SEC_ERROR_REVOKED_CERTIFICATE:
|
||||
|
|
Загрузка…
Ссылка в новой задаче