authorCykesiopka <cykesiopka.bmo@gmail.com>2015-02-06 11:18:20 -0800
committerCykesiopka <cykesiopka.bmo@gmail.com>2015-02-06 11:18:20 -0800
commit1e3c2dd35033397dc6a7caef2769383549ab4322 (patch)
treed59d0e0868459eebfbb0a3d2e056a0535a6d5d67
parent70d4826aaf57185295e34390a40a860104b50714 (diff)
Bug 968560 - Return distinct error codes for certificates that are not valid yet, in mozilla::pkix. r=keeler
-rw-r--r--lib/mozpkix/include/pkix/Result.h4
-rw-r--r--lib/mozpkix/include/pkix/pkixnss.h2
-rw-r--r--lib/mozpkix/lib/pkixbuild.cpp2
-rw-r--r--lib/mozpkix/lib/pkixcheck.cpp2
-rw-r--r--lib/mozpkix/lib/pkixnss.cpp5
-rw-r--r--lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp8
6 files changed, 19 insertions, 4 deletions
diff --git a/lib/mozpkix/include/pkix/Result.h b/lib/mozpkix/include/pkix/Result.h
index 818a7f3f0..13d71071a 100644
--- a/lib/mozpkix/include/pkix/Result.h
+++ b/lib/mozpkix/include/pkix/Result.h
@@ -173,6 +173,10 @@ static const unsigned int FATAL_ERROR_FLAG = 0x800;
MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH) \
MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_ELLIPTIC_CURVE, 44, \
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE) \
+ MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_CERTIFICATE, 45, \
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE, 46, \
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE) \
MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1, \
SEC_ERROR_INVALID_ARGS) \
MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2, \
diff --git a/lib/mozpkix/include/pkix/pkixnss.h b/lib/mozpkix/include/pkix/pkixnss.h
index 96a8a1615..a7bb1fa2f 100644
--- a/lib/mozpkix/include/pkix/pkixnss.h
+++ b/lib/mozpkix/include/pkix/pkixnss.h
@@ -77,6 +77,8 @@ enum ErrorCode
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH = ERROR_BASE + 4,
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = ERROR_BASE + 5,
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = ERROR_BASE + 6,
};
void RegisterErrorTable();
diff --git a/lib/mozpkix/lib/pkixbuild.cpp b/lib/mozpkix/lib/pkixbuild.cpp
index 791e8b1c5..1bb7f1c18 100644
--- a/lib/mozpkix/lib/pkixbuild.cpp
+++ b/lib/mozpkix/lib/pkixbuild.cpp
@@ -95,6 +95,8 @@ PathBuildingStep::RecordResult(Result newResult, /*out*/ bool& keepGoing)
newResult = Result::ERROR_UNTRUSTED_ISSUER;
} else if (newResult == Result::ERROR_EXPIRED_CERTIFICATE) {
newResult = Result::ERROR_EXPIRED_ISSUER_CERTIFICATE;
+ } else if (newResult == Result::ERROR_NOT_YET_VALID_CERTIFICATE) {
+ newResult = Result::ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE;
}
if (resultWasSet) {
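Review bot: The new branch that turns `ERROR_NOT_YET_VALID_CERTIFICATE` into `ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE` has no test in this commit. The diffstat lists only pkixcheck_CheckValidity_tests.cpp, whose tests call CheckValidity directly and so never pass through RecordResult. A path-building test with an issuer whose notBefore lies in the future, expecting the issuer-specific code, would cover it. The chain appears to rewrite errors found on a candidate issuer, and a one-line comment saying so above it (`// Errors from checking a candidate issuer are reported with their issuer-specific codes.`) would help the next reader. RecordResult starts and ends outside this hunk.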
diff --git a/lib/mozpkix/lib/pkixcheck.cpp b/lib/mozpkix/lib/pkixcheck.cpp
index 9cab15111..a7f1dccfc 100644
--- a/lib/mozpkix/lib/pkixcheck.cpp
+++ b/lib/mozpkix/lib/pkixcheck.cpp
@@ -38,7 +38,7 @@ CheckValidity(Input encodedValidity, Time time)
return Result::ERROR_EXPIRED_CERTIFICATE;
}
if (time < notBefore) {
- return Result::ERROR_EXPIRED_CERTIFICATE;
+ return Result::ERROR_NOT_YET_VALID_CERTIFICATE;
}
Time notAfter(Time::uninitialized);
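Review bot: The `time < notBefore` return sits ahead of the `Time notAfter(Time::uninitialized);` line, so for a validation time earlier than notBefore the function leaves before notAfter is looked at, as far as this hunk shows. Now that the branch has its own code, a certificate whose notAfter is malformed or earlier than its notBefore is reported as `ERROR_NOT_YET_VALID_CERTIFICATE`, which the updated NotAfterEmptyNull and InvalidNotAfterBeforeNotBefore expectations confirm. If callers treat not-yet-valid as a likely clock problem (not visible here), decoding both times before comparing either would keep an invalid encoding from being presented that way. At minimum the order deserves a comment such as `// notBefore is compared before notAfter is decoded; a bad notAfter is not reported for earlier times`. CheckValidity starts and ends outside this hunk.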
diff --git a/lib/mozpkix/lib/pkixnss.cpp b/lib/mozpkix/lib/pkixnss.cpp
index 0e407ce4c..aea39d614 100644
--- a/lib/mozpkix/lib/pkixnss.cpp
+++ b/lib/mozpkix/lib/pkixnss.cpp
@@ -273,6 +273,11 @@ RegisterErrorTable()
"deprecated and should not be used to sign other certificates." },
{ "MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH",
"The certificate is not valid for the given email address." },
+ { "MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE",
+ "The server presented a certificate that is not yet valid." },
+ { "MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE",
+ "A certificate that is not yet valid was used to issue the server's "
+ "certificate." },
};
// Note that these error strings are not localizable.
// When these strings change, update the localization information too.
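Review bot: Both new strings assume a TLS server (`"The server presented a certificate that is not yet valid."` and `"... used to issue the server's certificate."`), while the neighbouring `MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH` entry speaks of an email address, which suggests this table also serves certificates that no server presented. Neutral wording such as `"The certificate is not yet valid."` and `"A certificate that is not yet valid was used to issue the certificate."` would fit every caller. The trailing comment asks for the localization information to be updated when these strings change; nothing in this commit's diffstat looks like that update, so it may still be outstanding. The array begins outside this hunk.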
diff --git a/lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp b/lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
index 6573b6cd6..ad11b801e 100644
--- a/lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
+++ b/lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
@@ -90,7 +90,8 @@ TEST_F(pkixcheck_CheckValidity, NotAfterEmptyNull)
0x17/*UTCTime*/, 0x00/*length*/,
};
static const Input validity(DER);
- ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
+ ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE,
+ CheckValidity(validity, NOW));
}
static const uint8_t OLDER_UTCTIME_NEWER_UTCTIME_DATA[] = {
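Review bot: NotAfterEmptyNull now expects `ERROR_NOT_YET_VALID_CERTIFICATE`, and the only return this commit changes in CheckValidity is the `time < notBefore` one, so the test must be leaving through that branch and never reaches the empty notAfter it is named for. The same holds for InvalidNotAfterBeforeNotBefore in the last hunk of this file. Both would pin the intended behaviour better if they passed a time at or after the encoded notBefore, so that the malformed or inverted notAfter decides the result. Failing that, a comment like `// returns from the notBefore check; notAfter is not examined` would keep the test names from misleading. The DER arrays begin outside the hunks, so the notBefore values are inferred from the expectations.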
@@ -137,7 +138,7 @@ TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_GENERALIZEDTIME)
TEST_F(pkixcheck_CheckValidity, InvalidBeforeNotBefore)
{
- ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE,
+ ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE,
CheckValidity(OLDER_UTCTIME_NEWER_UTCTIME, PAST_TIME));
}
@@ -154,5 +155,6 @@ TEST_F(pkixcheck_CheckValidity, InvalidNotAfterBeforeNotBefore)
OLDER_UTCTIME,
};
static const Input validity(DER);
- ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
+ ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE,
+ CheckValidity(validity, NOW));
}