author | Cykesiopka <cykesiopka.bmo@gmail.com> | 2015-02-06 11:18:20 -0800 |
---|---|---|
committer | Cykesiopka <cykesiopka.bmo@gmail.com> | 2015-02-06 11:18:20 -0800 |
commit | 1e3c2dd35033397dc6a7caef2769383549ab4322 (patch) | |
tree | d59d0e0868459eebfbb0a3d2e056a0535a6d5d67 | |
parent | 70d4826aaf57185295e34390a40a860104b50714 (diff) | |
download | nss-hg-1e3c2dd35033397dc6a7caef2769383549ab4322.tar.gz |
Bug 968560 - Return distinct error codes for certificates that are not valid yet, in mozilla::pkix. r=keeler
-rw-r--r-- | lib/mozpkix/include/pkix/Result.h | 4 | ||||
-rw-r--r-- | lib/mozpkix/include/pkix/pkixnss.h | 2 | ||||
-rw-r--r-- | lib/mozpkix/lib/pkixbuild.cpp | 2 | ||||
-rw-r--r-- | lib/mozpkix/lib/pkixcheck.cpp | 2 | ||||
-rw-r--r-- | lib/mozpkix/lib/pkixnss.cpp | 5 | ||||
-rw-r--r-- | lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp | 8 |
6 files changed, 19 insertions, 4 deletions
diff --git a/lib/mozpkix/include/pkix/Result.h b/lib/mozpkix/include/pkix/Result.h
index 818a7f3f0..13d71071a 100644
--- a/lib/mozpkix/include/pkix/Result.h
+++ b/lib/mozpkix/include/pkix/Result.h
@@ -173,6 +173,10 @@ static const unsigned int FATAL_ERROR_FLAG = 0x800;
 MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH) \
 MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_ELLIPTIC_CURVE, 44, \
 SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE) \
+ MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_CERTIFICATE, 45, \
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE, 46, \
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE) \
 MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1, \
 SEC_ERROR_INVALID_ARGS) \
 MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2, \
diff --git a/lib/mozpkix/include/pkix/pkixnss.h b/lib/mozpkix/include/pkix/pkixnss.h
index 96a8a1615..a7bb1fa2f 100644
--- a/lib/mozpkix/include/pkix/pkixnss.h
+++ b/lib/mozpkix/include/pkix/pkixnss.h
@@ -77,6 +77,8 @@ enum ErrorCode
 MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
 MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
 MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH = ERROR_BASE + 4,
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = ERROR_BASE + 5,
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = ERROR_BASE + 6,
 };
 void RegisterErrorTable();
diff --git a/lib/mozpkix/lib/pkixbuild.cpp b/lib/mozpkix/lib/pkixbuild.cpp
index 791e8b1c5..1bb7f1c18 100644
--- a/lib/mozpkix/lib/pkixbuild.cpp
+++ b/lib/mozpkix/lib/pkixbuild.cpp
@@ -95,6 +95,8 @@ PathBuildingStep::RecordResult(Result newResult, /*out*/ bool& keepGoing)
 newResult = Result::ERROR_UNTRUSTED_ISSUER;
 } else if (newResult == Result::ERROR_EXPIRED_CERTIFICATE) {
 newResult = Result::ERROR_EXPIRED_ISSUER_CERTIFICATE;
+ } else if (newResult == Result::ERROR_NOT_YET_VALID_CERTIFICATE) {
+ newResult = Result::ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE;
 }
 if (resultWasSet) {
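Review bot: The two new codes now have to agree in three hand-maintained lists: the `MOZILLA_PKIX_MAP` entries in Result.h (45 and 46), the `ErrorCode` enum in pkixnss.h (`ERROR_BASE + 5` and `+ 6`), and the message table in pkixnss.cpp. Nothing visible in the diff checks that agreement at compile time. The message table appears to be matched to the enum by position, so a missed or reordered entry would show the wrong text for a certificate error rather than fail the build. I would at least add a comment above the enum such as `// Keep in sync with the error table in pkixnss.cpp and the MOZILLA_PKIX_MAP list in Result.h.` A length check of the table against the enum would be stronger, if the enum has or gains an end marker.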
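Review bot: The new `else if` branch in `RecordResult` that rewrites `ERROR_NOT_YET_VALID_CERTIFICATE` to `ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE` has no test in this commit; the diffstat lists only pkixcheck_CheckValidity_tests.cpp under test/. A path-building test with an intermediate whose notBefore lies in the future, asserting the issuer variant, would pin the remap the same way the CheckValidity tests pin the end-entity code. Any caller that gives `ERROR_EXPIRED_ISSUER_CERTIFICATE` special treatment will presumably not recognise the new code until it is updated, which is worth a line in the commit description. `RecordResult` starts and ends outside the hunk, so the rest of its logic was not reviewed.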
diff --git a/lib/mozpkix/lib/pkixcheck.cpp b/lib/mozpkix/lib/pkixcheck.cpp
index 9cab15111..a7f1dccfc 100644
--- a/lib/mozpkix/lib/pkixcheck.cpp
+++ b/lib/mozpkix/lib/pkixcheck.cpp
@@ -38,7 +38,7 @@ CheckValidity(Input encodedValidity, Time time)
 return Result::ERROR_EXPIRED_CERTIFICATE;
 }
 if (time < notBefore) {
- return Result::ERROR_EXPIRED_CERTIFICATE;
+ return Result::ERROR_NOT_YET_VALID_CERTIFICATE;
 }
 Time notAfter(Time::uninitialized);
diff --git a/lib/mozpkix/lib/pkixnss.cpp b/lib/mozpkix/lib/pkixnss.cpp
index 0e407ce4c..aea39d614 100644
--- a/lib/mozpkix/lib/pkixnss.cpp
+++ b/lib/mozpkix/lib/pkixnss.cpp
@@ -273,6 +273,11 @@ RegisterErrorTable()
 "deprecated and should not be used to sign other certificates." },
 { "MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH",
 "The certificate is not valid for the given email address." },
+ { "MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE",
+ "The server presented a certificate that is not yet valid." },
+ { "MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE",
+ "A certificate that is not yet valid was used to issue the server's "
+ "certificate." },
 };
 // Note that these error strings are not localizable.
 // When these strings change, update the localization information too.
diff --git a/lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp b/lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
index 6573b6cd6..ad11b801e 100644
--- a/lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
+++ b/lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
@@ -90,7 +90,8 @@ TEST_F(pkixcheck_CheckValidity, NotAfterEmptyNull)
 0x17/*UTCTime*/, 0x00/*length*/,
 };
 static const Input validity(DER);
- ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
+ ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE,
+ CheckValidity(validity, NOW));
 }
 static const uint8_t OLDER_UTCTIME_NEWER_UTCTIME_DATA[] = {
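Review bot: The context `return Result::ERROR_EXPIRED_CERTIFICATE;` at the top of the pkixcheck.cpp hunk is left as it is, and its condition is outside the hunk; if that is the branch taken when notBefore fails to decode, a malformed validity field is still reported as an expired certificate. Expired and not-yet-valid are errors a user is often allowed to override, so a decoding failure probably deserves its own non-time result rather than sharing either of them. At minimum I would document the ordering on the changed branch, e.g. `// Checked before notAfter is examined: a future notBefore wins over any problem in notAfter.` `CheckValidity` continues past the end of the hunk.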
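Review bot: `NotAfterEmptyNull` now expects `ERROR_NOT_YET_VALID_CERTIFICATE`, which in the pkixcheck.cpp change is returned only from the `time < notBefore` branch, so this test appears to return before the empty notAfter is ever looked at; the same holds for `InvalidNotAfterBeforeNotBefore` in the last hunk of this file. Both tests would keep passing if notAfter handling were broken. I would either give them a notBefore that is already valid at `NOW` so the notAfter path is reached, or rename them and add a comment such as `// notBefore is in the future, so the result comes from the notBefore check.` The DER arrays are defined outside the hunks, so the notBefore values could not be checked here.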
@@ -137,7 +138,7 @@ TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_GENERALIZEDTIME)
 TEST_F(pkixcheck_CheckValidity, InvalidBeforeNotBefore)
 {
- ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE,
+ ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE,
 CheckValidity(OLDER_UTCTIME_NEWER_UTCTIME, PAST_TIME));
 }
@@ -154,5 +155,6 @@ TEST_F(pkixcheck_CheckValidity, InvalidNotAfterBeforeNotBefore)
 OLDER_UTCTIME,
 };
 static const Input validity(DER);
- ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
+ ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE,
+ CheckValidity(validity, NOW));
 } |