Bug 1965950 - for non-overridable certificate errors, provide the same diagnostic information as for overridable errors r=jschanck,fluent-reviewers,flod

Differential Revision: https://phabricator.services.mozilla.com/D249121
2025-05-21 16:31:06 +00:00
parent 5dfd991488
commit 49b2652f8b
3 changed files with 129 additions and 32 deletions
--- a/security/manager/ssl/NSSErrorsService.cpp
+++ b/security/manager/ssl/NSSErrorsService.cpp
@@ -124,15 +124,40 @@ NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode,
    return NS_ERROR_FAILURE;
  }

-  // All overridable errors are certificate errors, but not all certificate
-  // errors are overridable.
-  if (mozilla::psm::ErrorIsOverridable(aNSPRCode) ||
-      aNSPRCode == SEC_ERROR_REVOKED_CERTIFICATE) {
+  // All overridable errors are certificate errors.
+  if (mozilla::psm::ErrorIsOverridable(aNSPRCode)) {
    *aErrorClass = ERROR_CLASS_BAD_CERT;
-  } else {
-    *aErrorClass = ERROR_CLASS_SSL_PROTOCOL;
+    return NS_OK;
+  }
+  // Some non-overridable errors are certificate errors.
+  switch (aNSPRCode) {
+    case SEC_ERROR_BAD_DER:
+    case SEC_ERROR_BAD_SIGNATURE:
+    case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
+    case SEC_ERROR_EXTENSION_VALUE_INVALID:
+    case SEC_ERROR_INADEQUATE_CERT_TYPE:
+    case SEC_ERROR_INADEQUATE_KEY_USAGE:
+    case SEC_ERROR_INVALID_KEY:
+    case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
+    case SEC_ERROR_REVOKED_CERTIFICATE:
+    case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
+    case SEC_ERROR_UNSUPPORTED_EC_POINT_FORM:
+    case SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE:
+    case SEC_ERROR_UNSUPPORTED_KEYALG:
+    case SEC_ERROR_UNTRUSTED_CERT:
+    case SEC_ERROR_UNTRUSTED_ISSUER:
+    case mozilla::pkix::MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING:
+    case mozilla::pkix::MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED:
+    case mozilla::pkix::MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE:
+    case mozilla::pkix::MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH:
+      *aErrorClass = ERROR_CLASS_BAD_CERT;
+      return NS_OK;
+    default:
+      break;
  }

+  // Otherwise, this must be a TLS error.
+  *aErrorClass = ERROR_CLASS_SSL_PROTOCOL;
  return NS_OK;
 }

--- a/toolkit/content/aboutNetError.mjs
+++ b/toolkit/content/aboutNetError.mjs
@@ -1018,9 +1018,6 @@ function setCertErrorDetails() {
      ];
      break;

-    case "SEC_ERROR_OCSP_INVALID_SIGNING_CERT": // FIXME - this would have thrown?
-      break;
-
    case "SEC_ERROR_UNKNOWN_ISSUER":
      whatToDoParts = [
        ["p", "certerror-unknown-issuer-what-can-you-do-about-it-website"],
@@ -1194,24 +1191,18 @@ function setCertErrorDetails() {
      ];
      break;
    }
-    case "MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY":
-      whatToDoParts = [
-        [
-          "p",
-          "cert-error-trust-certificate-transparency-what-can-you-do-about-it",
-        ],
-      ];
-      break;
-    case "SEC_ERROR_REVOKED_CERTIFICATE":
-      whatToDoParts = [
-        [
-          "p",
-          // This string was added for the certificate transparency error case,
-          // but it applies in other cases as well, such as this one.
-          "cert-error-trust-certificate-transparency-what-can-you-do-about-it",
-        ],
-      ];
-      break;
+  }
+
+  if (errorHasNoUserFix(failedCertInfo.errorCodeString)) {
+    // "cert-error-trust-certificate-transparency-what-can-you-do-about-it" was
+    // originally added for certificate transparency errors, but it's general
+    // enough to apply in many cases.
+    whatToDoParts = [
+      [
+        "p",
+        "cert-error-trust-certificate-transparency-what-can-you-do-about-it",
+      ],
+    ];
  }

  if (whatToDoParts) {
@@ -1223,6 +1214,36 @@ function setCertErrorDetails() {
  }
 }

+// Returns true if the error identified by the given error code string has no
+// particular action the user can take to fix it.
+function errorHasNoUserFix(errorCodeString) {
+  switch (errorCodeString) {
+    case "MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY":
+    case "MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING":
+    case "MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED":
+    case "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE":
+    case "MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH":
+    case "SEC_ERROR_BAD_DER":
+    case "SEC_ERROR_BAD_SIGNATURE":
+    case "SEC_ERROR_CERT_NOT_IN_NAME_SPACE":
+    case "SEC_ERROR_EXTENSION_VALUE_INVALID":
+    case "SEC_ERROR_INADEQUATE_CERT_TYPE":
+    case "SEC_ERROR_INADEQUATE_KEY_USAGE":
+    case "SEC_ERROR_INVALID_KEY":
+    case "SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID":
+    case "SEC_ERROR_REVOKED_CERTIFICATE":
+    case "SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION":
+    case "SEC_ERROR_UNSUPPORTED_EC_POINT_FORM":
+    case "SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE":
+    case "SEC_ERROR_UNSUPPORTED_KEYALG":
+    case "SEC_ERROR_UNTRUSTED_CERT":
+    case "SEC_ERROR_UNTRUSTED_ISSUER":
+      return true;
+    default:
+      return false;
+  }
+}
+
 // The optional argument is only here for testing purposes.
 function setTechnicalDetailsOnCertError(
  failedCertInfo = document.getFailedCertSecurityInfo()
@@ -1408,8 +1429,43 @@ function setTechnicalDetailsOnCertError(
      break;
  }

-  if (failedCertInfo.errorCodeString == "SEC_ERROR_REVOKED_CERTIFICATE") {
-    addLabel("cert-error-revoked", { hostname });
+  const nonoverridableErrorCodeToLabelMap = {
+    SEC_ERROR_BAD_DER: "cert-error-bad-der",
+    SEC_ERROR_BAD_SIGNATURE: "cert-error-bad-signature",
+    SEC_ERROR_CERT_NOT_IN_NAME_SPACE: "cert-error-cert-not-in-name-space",
+    SEC_ERROR_EXTENSION_VALUE_INVALID: "cert-error-extension-value-invalid",
+    SEC_ERROR_INADEQUATE_CERT_TYPE: "cert-error-inadequate-cert-type",
+    // NB: SEC_ERROR_INADEQUATE_KEY_USAGE intentionally uses the same error
+    // message as SEC_ERROR_INADEQUATE_CERT_TYPE
+    SEC_ERROR_INADEQUATE_KEY_USAGE: "cert-error-inadequate-cert-type",
+    SEC_ERROR_INVALID_KEY: "cert-error-invalid-key",
+    SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
+      "cert-error-path-len-constraint-invalid",
+    SEC_ERROR_REVOKED_CERTIFICATE: "cert-error-revoked-certificate",
+    SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
+      "cert-error-unknown-critical-extension",
+    // NB: SEC_ERROR_UNSUPPORTED_EC_POINT_FORM intentionally uses the same
+    // error message as SEC_ERROR_UNSUPPORTED_KEYALG
+    SEC_ERROR_UNSUPPORTED_EC_POINT_FORM: "cert-error-unsupported-keyalg",
+    // NB: SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE intentionally uses the same
+    // error message as SEC_ERROR_UNSUPPORTED_KEYALG
+    SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE: "cert-error-unsupported-keyalg",
+    SEC_ERROR_UNSUPPORTED_KEYALG: "cert-error-unsupported-keyalg",
+    SEC_ERROR_UNTRUSTED_CERT: "cert-error-untrusted-cert",
+    SEC_ERROR_UNTRUSTED_ISSUER: "cert-error-untrusted-issuer",
+    MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING:
+      "cert-error-invalid-integer-encoding",
+    MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED:
+      "cert-error-issuer-no-longer-trusted",
+    MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE: "cert-error-key-pinning-failure",
+    MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH:
+      "cert-error-signature-algorithm-mismatch",
+  };
+  if (failedCertInfo.errorCodeString in nonoverridableErrorCodeToLabelMap) {
+    addLabel(
+      nonoverridableErrorCodeToLabelMap[failedCertInfo.errorCodeString],
+      { hostname }
+    );
    addErrorCodeLink();
  }

--- a/toolkit/locales/en-US/toolkit/neterror/certError.ftl
+++ b/toolkit/locales/en-US/toolkit/neterror/certError.ftl
@@ -34,9 +34,25 @@ cert-error-trust-symantec = Certificates issued by GeoTrust, RapidSSL, Symantec,
 #   $hostname (string) - Hostname of the website with cert error.
 cert-error-trust-certificate-transparency = { -brand-short-name } doesn’t trust { $hostname } because it couldn’t prove it meets public certificate transparency requirements.

-# Variables:
-#   $hostname (string) - Hostname of the website with cert error.
-cert-error-revoked = Websites prove their identity via certificates. { -brand-short-name } doesn’t trust { $hostname } because it uses a certificate that has been revoked.
+## Variables:
+##   $hostname (string) - Hostname of the website with cert error.
+
+cert-error-revoked-certificate = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } has been revoked and isn’t trusted anymore.
+cert-error-bad-signature = { -brand-short-name } blocked your visit to this site because the signature on the certificate provided for { $hostname } isn’t valid.
+cert-error-key-pinning-failure = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } uses a different public key than expected.
+cert-error-bad-der = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } isn’t properly encoded.
+cert-error-cert-not-in-name-space = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } doesn’t follow the name constraints of a certificate that issued it.
+cert-error-inadequate-cert-type = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } isn’t allowed to be used by a web server.
+cert-error-path-len-constraint-invalid = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } has too many intermediate certificates in the path to the root certificate.
+cert-error-invalid-key = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } has a key that is invalid. Most likely, it is too small to be secure.
+cert-error-unknown-critical-extension = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } contains an unsupported critical extension.
+cert-error-extension-value-invalid = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } contains an invalid extension.
+cert-error-untrusted-issuer = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } was issued by a certificate authority that isn’t trusted anymore.
+cert-error-untrusted-cert = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } is marked as not trusted.
+cert-error-invalid-integer-encoding = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } contains an invalid encoding of an integer. Common causes include negative serial numbers, negative RSA moduli, and encodings that are longer than necessary.
+cert-error-unsupported-keyalg = { -brand-short-name } blocked your visit to this site because the certificate provided for { $hostname } has an unsupported key type.
+cert-error-issuer-no-longer-trusted = { -brand-short-name } blocked your visit to this site because the certificate authority that issued the certificate provided for { $hostname } isn’t trusted anymore.
+cert-error-signature-algorithm-mismatch = { -brand-short-name } blocked your visit to this site because the signature algorithm of the certificate provided for { $hostname } doesn’t match its signature algorithm field.

 cert-error-untrusted-default = The certificate does not come from a trusted source.