Bug 1052257 - Add and use error code specific to inadequate key sizes. r=keeler
authorCykesiopka <cykesiopka.bmo@gmail.com>
Tue, 12 Aug 2014 22:24:00 -0400
changeset 14651 636639b0f0b199a261caacac54c73af4657993e0
parent 14650 ffe4741a32ef7aa695f3590de6c37e314bb0e819
child 14652 b23f97018cceb555389d8a4f722dd8413f54243c
push id3202
push userfranziskuskiefer@gmail.com
push dateMon, 01 Oct 2018 08:30:12 +0000
reviewerskeeler
bugs1052257
Bug 1052257 - Add and use error code specific to inadequate key sizes. r=keeler
lib/mozpkix/include/pkix/Result.h
lib/mozpkix/include/pkix/pkixnss.h
lib/mozpkix/lib/pkixnss.cpp
--- a/lib/mozpkix/include/pkix/Result.h
+++ b/lib/mozpkix/include/pkix/Result.h
@@ -73,16 +73,17 @@ MOZILLA_PKIX_ENUM_CLASS Result
   ERROR_OCSP_UNKNOWN_CERT = 33,
   ERROR_OCSP_FUTURE_RESPONSE = 34,
 
   ERROR_UNKNOWN_ERROR = 35,
   ERROR_INVALID_KEY = 36,
   ERROR_UNSUPPORTED_KEYALG = 37,
   ERROR_EXPIRED_ISSUER_CERTIFICATE = 38,
   ERROR_CA_CERT_USED_AS_END_ENTITY = 39,
+  ERROR_INADEQUATE_KEY_SIZE = 40,
 
   // Keep this in sync with MAP_LIST in pkixnss.cpp
 
   FATAL_ERROR_INVALID_ARGS = FATAL_ERROR_FLAG | 1,
   FATAL_ERROR_INVALID_STATE = FATAL_ERROR_FLAG | 2,
   FATAL_ERROR_LIBRARY_FAILURE = FATAL_ERROR_FLAG | 3,
   FATAL_ERROR_NO_MEMORY = FATAL_ERROR_FLAG | 4,
 
--- a/lib/mozpkix/include/pkix/pkixnss.h
+++ b/lib/mozpkix/include/pkix/pkixnss.h
@@ -67,17 +67,18 @@ const char* MapResultToName(Result resul
 // in the NS_ERROR_MODULE_SECURITY module. Hence, PSM errors will start at
 // a negative value that both doesn't overlap with the current value
 // ranges for NSS errors and that will fit in 16 bits when negated.
 static const PRErrorCode ERROR_BASE = -0x4000;
 static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
 
 enum ErrorCode {
   MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
-  MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1
+  MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
+  MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2
 };
 
 void RegisterErrorTable();
 
 inline SECItem UnsafeMapInputToSECItem(Input input)
 {
   SECItem result = {
     siBuffer,
--- a/lib/mozpkix/lib/pkixnss.cpp
+++ b/lib/mozpkix/lib/pkixnss.cpp
@@ -59,18 +59,17 @@ CheckPublicKeySize(Input subjectPublicKe
   switch (publicKey.get()->keyType) {
     case ecKey:
       // TODO(bug 622859): We should check which curve.
       return Success;
     case dsaKey: // fall through
     case rsaKey:
       // TODO(bug 622859): Enforce a minimum of 2048 bits for EV certs.
       if (SECKEY_PublicKeyStrengthInBits(publicKey.get()) < MINIMUM_NON_ECC_BITS) {
-        // TODO(bug 1031946): Create a new error code.
-        return Result::ERROR_INVALID_KEY;
+        return Result::ERROR_INADEQUATE_KEY_SIZE;
       }
       break;
     case nullKey:
     case fortezzaKey:
     case dhKey:
     case keaKey:
     case rsaPssKey:
     case rsaOaepKey:
@@ -227,16 +226,17 @@ DigestBuf(Input item, /*out*/ uint8_t* d
     MAP(Result::ERROR_OCSP_UNAUTHORIZED_REQUEST, SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST) \
     MAP(Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS) \
     MAP(Result::ERROR_OCSP_UNKNOWN_CERT, SEC_ERROR_OCSP_UNKNOWN_CERT) \
     MAP(Result::ERROR_OCSP_FUTURE_RESPONSE, SEC_ERROR_OCSP_FUTURE_RESPONSE) \
     MAP(Result::ERROR_INVALID_KEY, SEC_ERROR_INVALID_KEY) \
     MAP(Result::ERROR_UNSUPPORTED_KEYALG, SEC_ERROR_UNSUPPORTED_KEYALG) \
     MAP(Result::ERROR_EXPIRED_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
     MAP(Result::ERROR_CA_CERT_USED_AS_END_ENTITY, MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
+    MAP(Result::ERROR_INADEQUATE_KEY_SIZE, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE) \
     MAP(Result::FATAL_ERROR_INVALID_ARGS, SEC_ERROR_INVALID_ARGS) \
     MAP(Result::FATAL_ERROR_INVALID_STATE, PR_INVALID_STATE_ERROR) \
     MAP(Result::FATAL_ERROR_LIBRARY_FAILURE, SEC_ERROR_LIBRARY_FAILURE) \
     MAP(Result::FATAL_ERROR_NO_MEMORY, SEC_ERROR_NO_MEMORY) \
     /* nothing here */
 
 Result
 MapPRErrorCodeToResult(PRErrorCode error)
@@ -297,17 +297,20 @@ RegisterErrorTable()
   static const struct PRErrorMessage ErrorTableText[] = {
     { "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE",
       "The server uses key pinning (HPKP) but no trusted certificate chain "
       "could be constructed that matches the pinset. Key pinning violations "
       "cannot be overridden." },
     { "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY",
       "The server uses a certificate with a basic constraints extension "
       "identifying it as a certificate authority. For a properly-issued "
-      "certificate, this should not be the case." }
+      "certificate, this should not be the case." },
+    { "MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE",
+      "The server presented a certificate with a key size that is too small "
+      "to establish a secure connection." }
   };
 
   static const struct PRErrorTable ErrorTable = {
     ErrorTableText,
     "pkixerrors",
     ERROR_BASE,
     PR_ARRAY_SIZE(ErrorTableText)
   };