Bug 1131227 - Make the about:certerror Unknown Issuer string mention missing intermediates and unimported roots. r=keeler
authorCykesiopka <cykesiopka.bmo@gmail.com>
Tue, 17 Mar 2015 14:33:00 +0100
changeset 234215 3d582311e619083d74ad4e118520fcc9312ad8c7
parent 234214 c70e9979e49b4c37fc8e38682547ddd13969e93c
child 234216 8d51dbc085b58f46c2a77dccc1682c58f39cc25f
push id57073
push usercbook@mozilla.com
push dateWed, 18 Mar 2015 11:00:37 +0000
reviewerskeeler
bugs1131227
milestone39.0a1
Bug 1131227 - Make the about:certerror Unknown Issuer string mention missing intermediates and unimported roots. r=keeler
security/manager/locales/en-US/chrome/pipnss/pipnss.properties
security/manager/ssl/src/TransportSecurityInfo.cpp
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@@ -263,16 +263,18 @@ PSMERR_SSL2_Disabled=Can't connect secur
 PSMERR_HostReusedIssuerSerial=You have received an invalid certificate.  Please contact the server administrator or email correspondent and give them the following information:\n\nYour certificate contains the same serial number as another certificate issued by the certificate authority.  Please get a new certificate containing a unique serial number.
 
 SSLConnectionErrorPrefix=An error occurred during a connection to %S.
 
 certErrorIntro=%S uses an invalid security certificate.
 
 certErrorTrust_SelfSigned=The certificate is not trusted because it is self-signed.
 certErrorTrust_UnknownIssuer=The certificate is not trusted because the issuer certificate is unknown.
+certErrorTrust_UnknownIssuer2=The server might not be sending the appropriate intermediate certificates.
+certErrorTrust_UnknownIssuer3=An additional root certificate may need to be imported.
 certErrorTrust_CaInvalid=The certificate is not trusted because it was issued by an invalid CA certificate.
 certErrorTrust_Issuer=The certificate is not trusted because the issuer certificate is not trusted.
 certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
 certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired.
 certErrorTrust_Untrusted=The certificate does not come from a trusted source.
 
 certErrorMismatch=The certificate is not valid for the name %S.
 # LOCALIZATION NOTE (certErrorMismatchSingle2): Do not translate <a id="cert_domain_link" title="%1$S">%1$S</a>
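Review bot: The two added strings, `certErrorTrust_UnknownIssuer2` and `certErrorTrust_UnknownIssuer3`, have no LOCALIZATION NOTE, so nothing in this file tells a localizer that they are shown as separate lines directly after `certErrorTrust_UnknownIssuer` (the loop added to AppendErrorTextUntrusted in this commit appends each one followed by a newline). I would add above them `# LOCALIZATION NOTE (certErrorTrust_UnknownIssuer2, certErrorTrust_UnknownIssuer3): shown on their own lines after certErrorTrust_UnknownIssuer; keep the "might"/"may" hedging.` The hedging matters because these lines are appended for every SEC_ERROR_UNKNOWN_ISSUER result, presumably including chains that really do end in an issuer the user should not trust. A translation should therefore not read as an instruction to import a root.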
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -578,26 +578,30 @@ formatPlainErrorMessage(const nsXPIDLCSt
 
 static void
 AppendErrorTextUntrusted(PRErrorCode errTrust,
                          const nsString &host,
                          nsIX509Cert* ix509,
                          nsINSSComponent *component,
                          nsString &returnedMessage)
 {
-  const char *errorID = nullptr;
+  const char* errorID = nullptr;
+  const char* errorID2 = nullptr;
+  const char* errorID3 = nullptr;
   bool isSelfSigned;
   if (NS_SUCCEEDED(ix509->GetIsSelfSigned(&isSelfSigned)) && isSelfSigned) {
     errorID = "certErrorTrust_SelfSigned";
   }
 
   if (!errorID) {
     switch (errTrust) {
       case SEC_ERROR_UNKNOWN_ISSUER:
         errorID = "certErrorTrust_UnknownIssuer";
+        errorID2 = "certErrorTrust_UnknownIssuer2";
+        errorID3 = "certErrorTrust_UnknownIssuer3";
         break;
       case SEC_ERROR_CA_CERT_INVALID:
         errorID = "certErrorTrust_CaInvalid";
         break;
       case SEC_ERROR_UNTRUSTED_ISSUER:
         errorID = "certErrorTrust_Issuer";
         break;
       case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
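Review bot: The numbered locals `errorID2` and `errorID3` added at the top of AppendErrorTextUntrusted are only ever copied into the `errorIDs` array built in the next hunk, so the array could be the single source of the list. Declaring `const char* errorIDs[3] = { nullptr, nullptr, nullptr };` here, using `errorIDs[0]` in place of `errorID`, and assigning `errorIDs[1] = "certErrorTrust_UnknownIssuer2";` in the SEC_ERROR_UNKNOWN_ISSUER case would avoid a later edit adding another local and forgetting to list it. This is a style point only. The function body continues past the end of this hunk.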
@@ -608,23 +612,28 @@ AppendErrorTextUntrusted(PRErrorCode err
         break;
       case SEC_ERROR_UNTRUSTED_CERT:
       default:
         errorID = "certErrorTrust_Untrusted";
         break;
     }
   }
 
-  nsString formattedString;
-  nsresult rv = component->GetPIPNSSBundleString(errorID, 
-                                                 formattedString);
-  if (NS_SUCCEEDED(rv))
-  {
-    returnedMessage.Append(formattedString);
-    returnedMessage.Append('\n');
+  const char* errorIDs[] = { errorID, errorID2, errorID3 };
+  for (size_t i = 0; i < ArrayLength(errorIDs); i++) {
+    if (!errorIDs[i]) {
+      break;
+    }
+
+    nsString formattedString;
+    nsresult rv = component->GetPIPNSSBundleString(errorIDs[i], formattedString);
+    if (NS_SUCCEEDED(rv)) {
+      returnedMessage.Append(formattedString);
+      returnedMessage.Append('\n');
+    }
   }
 }
 
 // returns TRUE if SAN was used to produce names
 // return FALSE if nothing was produced
 // names => a single name or a list of names
 // multipleNames => whether multiple names were delivered
 static bool
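Review bot: The `break` on the first null entry in the new loop depends on an unstated invariant: `errorID2` and `errorID3` are set only together with `errorID`, and in order. A later case that set `errorID3` alone would have its line dropped without any signal. A comment above the loop such as `// errorIDs is filled front to back; the first null entry ends the list.` would record that. The `NS_SUCCEEDED(rv)` check also deserves a short comment saying that a string missing from the bundle is skipped on purpose, since for the first entry that leaves the message with no trust explanation at all. The function begins in the previous hunk.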