1 /* This Source Code Form is subject to the terms of the Mozilla Public
2  * License, v. 2.0. If a copy of the MPL was not distributed with this
3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 
5 #include "NSSErrorsService.h"
6 
7 #include "nsIStringBundle.h"
8 #include "nsNSSComponent.h"
9 #include "nsServiceManagerUtils.h"
10 #include "mozpkix/pkixnss.h"
11 #include "secerr.h"
12 #include "sslerr.h"
13 
14 #define PIPNSS_STRBUNDLE_URL "chrome://pipnss/locale/pipnss.properties"
15 #define NSSERR_STRBUNDLE_URL "chrome://pipnss/locale/nsserrors.properties"
16 
17 namespace mozilla {
18 namespace psm {
19 
20 static_assert(mozilla::pkix::ERROR_BASE ==
21                   nsINSSErrorsService::MOZILLA_PKIX_ERROR_BASE,
22               "MOZILLA_PKIX_ERROR_BASE and "
23               "nsINSSErrorsService::MOZILLA_PKIX_ERROR_BASE do not match.");
24 static_assert(mozilla::pkix::ERROR_LIMIT ==
25                   nsINSSErrorsService::MOZILLA_PKIX_ERROR_LIMIT,
26               "MOZILLA_PKIX_ERROR_LIMIT and "
27               "nsINSSErrorsService::MOZILLA_PKIX_ERROR_LIMIT do not match.");
28 
IsPSMError(PRErrorCode error)29 static bool IsPSMError(PRErrorCode error) {
30   return (error >= mozilla::pkix::ERROR_BASE &&
31           error < mozilla::pkix::ERROR_LIMIT);
32 }
33 
34 NS_IMPL_ISUPPORTS(NSSErrorsService, nsINSSErrorsService)
35 
36 NSSErrorsService::~NSSErrorsService() = default;
37 
Init()38 nsresult NSSErrorsService::Init() {
39   nsresult rv;
40   nsCOMPtr<nsIStringBundleService> bundleService(
41       do_GetService(NS_STRINGBUNDLE_CONTRACTID, &rv));
42   if (NS_FAILED(rv) || !bundleService) return NS_ERROR_FAILURE;
43 
44   bundleService->CreateBundle(PIPNSS_STRBUNDLE_URL,
45                               getter_AddRefs(mPIPNSSBundle));
46   if (!mPIPNSSBundle) rv = NS_ERROR_FAILURE;
47 
48   bundleService->CreateBundle(NSSERR_STRBUNDLE_URL,
49                               getter_AddRefs(mNSSErrorsBundle));
50   if (!mNSSErrorsBundle) rv = NS_ERROR_FAILURE;
51 
52   return rv;
53 }
54 
55 #define EXPECTED_SEC_ERROR_BASE (-0x2000)
56 #define EXPECTED_SSL_ERROR_BASE (-0x3000)
57 
58 #if SEC_ERROR_BASE != EXPECTED_SEC_ERROR_BASE || \
59     SSL_ERROR_BASE != EXPECTED_SSL_ERROR_BASE
60 #  error \
61       "Unexpected change of error code numbers in lib NSS, please adjust the mapping code"
62 /*
63  * Please ensure the NSS error codes are mapped into the positive range 0x1000
64  * to 0xf000 Search for NS_ERROR_MODULE_SECURITY to ensure there are no
65  * conflicts. The current code also assumes that NSS library error codes are
66  * negative.
67  */
68 #endif
69 
IsNSSErrorCode(PRErrorCode code)70 bool IsNSSErrorCode(PRErrorCode code) {
71   return IS_SEC_ERROR(code) || IS_SSL_ERROR(code) || IsPSMError(code);
72 }
73 
GetXPCOMFromNSSError(PRErrorCode code)74 nsresult GetXPCOMFromNSSError(PRErrorCode code) {
75   if (!code) {
76     MOZ_CRASH("Function failed without calling PR_GetError");
77   }
78 
79   // The error codes within each module must be a 16 bit value.
80   // For simplicity we use the positive value of the NSS code.
81   return (nsresult)NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY,
82                                              -1 * code);
83 }
84 
85 NS_IMETHODIMP
IsNSSErrorCode(int32_t aNSPRCode,bool * _retval)86 NSSErrorsService::IsNSSErrorCode(int32_t aNSPRCode, bool* _retval) {
87   if (!_retval) {
88     return NS_ERROR_INVALID_ARG;
89   }
90 
91   *_retval = mozilla::psm::IsNSSErrorCode(aNSPRCode);
92   return NS_OK;
93 }
94 
95 NS_IMETHODIMP
GetXPCOMFromNSSError(int32_t aNSPRCode,nsresult * aXPCOMErrorCode)96 NSSErrorsService::GetXPCOMFromNSSError(int32_t aNSPRCode,
97                                        nsresult* aXPCOMErrorCode) {
98   if (!aXPCOMErrorCode) {
99     return NS_ERROR_INVALID_ARG;
100   }
101 
102   if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
103     return NS_ERROR_INVALID_ARG;
104   }
105 
106   *aXPCOMErrorCode = mozilla::psm::GetXPCOMFromNSSError(aNSPRCode);
107 
108   return NS_OK;
109 }
110 
111 NS_IMETHODIMP
GetErrorClass(nsresult aXPCOMErrorCode,uint32_t * aErrorClass)112 NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode,
113                                 uint32_t* aErrorClass) {
114   NS_ENSURE_ARG(aErrorClass);
115 
116   if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY ||
117       NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) {
118     return NS_ERROR_FAILURE;
119   }
120 
121   int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode);
122 
123   if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
124     return NS_ERROR_FAILURE;
125   }
126 
127   if (mozilla::psm::ErrorIsOverridable(aNSPRCode)) {
128     *aErrorClass = ERROR_CLASS_BAD_CERT;
129   } else {
130     *aErrorClass = ERROR_CLASS_SSL_PROTOCOL;
131   }
132 
133   return NS_OK;
134 }
135 
ErrorIsOverridable(PRErrorCode code)136 bool ErrorIsOverridable(PRErrorCode code) {
137   switch (code) {
138     // Overridable errors.
139     case mozilla::pkix::MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
140     case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
141     case mozilla::pkix::MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME:
142     case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
143     case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
144     case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
145     case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
146     case mozilla::pkix::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
147     case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
148     case SEC_ERROR_CA_CERT_INVALID:
149     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
150     case SEC_ERROR_EXPIRED_CERTIFICATE:
151     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
152     case SEC_ERROR_INVALID_TIME:
153     case SEC_ERROR_UNKNOWN_ISSUER:
154     case SSL_ERROR_BAD_CERT_DOMAIN:
155       return true;
156     // Non-overridable errors.
157     default:
158       return false;
159   }
160 }
161 
getOverrideErrorStringName(PRErrorCode aErrorCode)162 static const char* getOverrideErrorStringName(PRErrorCode aErrorCode) {
163   switch (aErrorCode) {
164     case SSL_ERROR_SSL_DISABLED:
165       return "PSMERR_SSL_Disabled";
166     case SSL_ERROR_SSL2_DISABLED:
167       return "PSMERR_SSL2_Disabled";
168     case SEC_ERROR_REUSED_ISSUER_AND_SERIAL:
169       return "PSMERR_HostReusedIssuerSerial";
170     case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
171       return "certErrorTrust_MitM";
172     default:
173       return nullptr;
174   }
175 }
176 
177 NS_IMETHODIMP
GetErrorMessage(nsresult aXPCOMErrorCode,nsAString & aErrorMessage)178 NSSErrorsService::GetErrorMessage(nsresult aXPCOMErrorCode,
179                                   nsAString& aErrorMessage) {
180   if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY ||
181       NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) {
182     return NS_ERROR_FAILURE;
183   }
184 
185   int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode);
186 
187   if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
188     return NS_ERROR_FAILURE;
189   }
190 
191   nsCOMPtr<nsIStringBundle> theBundle = mPIPNSSBundle;
192   const char* idStr = getOverrideErrorStringName(aNSPRCode);
193 
194   if (!idStr) {
195     idStr = PR_ErrorToName(aNSPRCode);
196     theBundle = mNSSErrorsBundle;
197   }
198 
199   if (!idStr || !theBundle) {
200     return NS_ERROR_FAILURE;
201   }
202 
203   nsAutoString msg;
204   nsresult rv = theBundle->GetStringFromName(idStr, msg);
205   if (NS_SUCCEEDED(rv)) {
206     aErrorMessage = msg;
207   }
208   return rv;
209 }
210 
211 }  // namespace psm
212 }  // namespace mozilla
213