1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 #include "NSSErrorsService.h"
6
7 #include "nsIStringBundle.h"
8 #include "nsNSSComponent.h"
9 #include "nsServiceManagerUtils.h"
10 #include "mozpkix/pkixnss.h"
11 #include "secerr.h"
12 #include "sslerr.h"
13
14 #define PIPNSS_STRBUNDLE_URL "chrome://pipnss/locale/pipnss.properties"
15 #define NSSERR_STRBUNDLE_URL "chrome://pipnss/locale/nsserrors.properties"
16
17 namespace mozilla {
18 namespace psm {
19
20 static_assert(mozilla::pkix::ERROR_BASE ==
21 nsINSSErrorsService::MOZILLA_PKIX_ERROR_BASE,
22 "MOZILLA_PKIX_ERROR_BASE and "
23 "nsINSSErrorsService::MOZILLA_PKIX_ERROR_BASE do not match.");
24 static_assert(mozilla::pkix::ERROR_LIMIT ==
25 nsINSSErrorsService::MOZILLA_PKIX_ERROR_LIMIT,
26 "MOZILLA_PKIX_ERROR_LIMIT and "
27 "nsINSSErrorsService::MOZILLA_PKIX_ERROR_LIMIT do not match.");
28
IsPSMError(PRErrorCode error)29 static bool IsPSMError(PRErrorCode error) {
30 return (error >= mozilla::pkix::ERROR_BASE &&
31 error < mozilla::pkix::ERROR_LIMIT);
32 }
33
34 NS_IMPL_ISUPPORTS(NSSErrorsService, nsINSSErrorsService)
35
36 NSSErrorsService::~NSSErrorsService() = default;
37
Init()38 nsresult NSSErrorsService::Init() {
39 nsresult rv;
40 nsCOMPtr<nsIStringBundleService> bundleService(
41 do_GetService(NS_STRINGBUNDLE_CONTRACTID, &rv));
42 if (NS_FAILED(rv) || !bundleService) return NS_ERROR_FAILURE;
43
44 bundleService->CreateBundle(PIPNSS_STRBUNDLE_URL,
45 getter_AddRefs(mPIPNSSBundle));
46 if (!mPIPNSSBundle) rv = NS_ERROR_FAILURE;
47
48 bundleService->CreateBundle(NSSERR_STRBUNDLE_URL,
49 getter_AddRefs(mNSSErrorsBundle));
50 if (!mNSSErrorsBundle) rv = NS_ERROR_FAILURE;
51
52 return rv;
53 }
54
55 #define EXPECTED_SEC_ERROR_BASE (-0x2000)
56 #define EXPECTED_SSL_ERROR_BASE (-0x3000)
57
58 #if SEC_ERROR_BASE != EXPECTED_SEC_ERROR_BASE || \
59 SSL_ERROR_BASE != EXPECTED_SSL_ERROR_BASE
60 # error \
61 "Unexpected change of error code numbers in lib NSS, please adjust the mapping code"
62 /*
63 * Please ensure the NSS error codes are mapped into the positive range 0x1000
64 * to 0xf000 Search for NS_ERROR_MODULE_SECURITY to ensure there are no
65 * conflicts. The current code also assumes that NSS library error codes are
66 * negative.
67 */
68 #endif
69
IsNSSErrorCode(PRErrorCode code)70 bool IsNSSErrorCode(PRErrorCode code) {
71 return IS_SEC_ERROR(code) || IS_SSL_ERROR(code) || IsPSMError(code);
72 }
73
GetXPCOMFromNSSError(PRErrorCode code)74 nsresult GetXPCOMFromNSSError(PRErrorCode code) {
75 if (!code) {
76 MOZ_CRASH("Function failed without calling PR_GetError");
77 }
78
79 // The error codes within each module must be a 16 bit value.
80 // For simplicity we use the positive value of the NSS code.
81 return (nsresult)NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY,
82 -1 * code);
83 }
84
85 NS_IMETHODIMP
IsNSSErrorCode(int32_t aNSPRCode,bool * _retval)86 NSSErrorsService::IsNSSErrorCode(int32_t aNSPRCode, bool* _retval) {
87 if (!_retval) {
88 return NS_ERROR_INVALID_ARG;
89 }
90
91 *_retval = mozilla::psm::IsNSSErrorCode(aNSPRCode);
92 return NS_OK;
93 }
94
95 NS_IMETHODIMP
GetXPCOMFromNSSError(int32_t aNSPRCode,nsresult * aXPCOMErrorCode)96 NSSErrorsService::GetXPCOMFromNSSError(int32_t aNSPRCode,
97 nsresult* aXPCOMErrorCode) {
98 if (!aXPCOMErrorCode) {
99 return NS_ERROR_INVALID_ARG;
100 }
101
102 if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
103 return NS_ERROR_INVALID_ARG;
104 }
105
106 *aXPCOMErrorCode = mozilla::psm::GetXPCOMFromNSSError(aNSPRCode);
107
108 return NS_OK;
109 }
110
111 NS_IMETHODIMP
GetErrorClass(nsresult aXPCOMErrorCode,uint32_t * aErrorClass)112 NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode,
113 uint32_t* aErrorClass) {
114 NS_ENSURE_ARG(aErrorClass);
115
116 if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY ||
117 NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) {
118 return NS_ERROR_FAILURE;
119 }
120
121 int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode);
122
123 if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
124 return NS_ERROR_FAILURE;
125 }
126
127 if (mozilla::psm::ErrorIsOverridable(aNSPRCode)) {
128 *aErrorClass = ERROR_CLASS_BAD_CERT;
129 } else {
130 *aErrorClass = ERROR_CLASS_SSL_PROTOCOL;
131 }
132
133 return NS_OK;
134 }
135
ErrorIsOverridable(PRErrorCode code)136 bool ErrorIsOverridable(PRErrorCode code) {
137 switch (code) {
138 // Overridable errors.
139 case mozilla::pkix::MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
140 case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
141 case mozilla::pkix::MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME:
142 case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
143 case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
144 case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
145 case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
146 case mozilla::pkix::MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
147 case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
148 case SEC_ERROR_CA_CERT_INVALID:
149 case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
150 case SEC_ERROR_EXPIRED_CERTIFICATE:
151 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
152 case SEC_ERROR_INVALID_TIME:
153 case SEC_ERROR_UNKNOWN_ISSUER:
154 case SSL_ERROR_BAD_CERT_DOMAIN:
155 return true;
156 // Non-overridable errors.
157 default:
158 return false;
159 }
160 }
161
getOverrideErrorStringName(PRErrorCode aErrorCode)162 static const char* getOverrideErrorStringName(PRErrorCode aErrorCode) {
163 switch (aErrorCode) {
164 case SSL_ERROR_SSL_DISABLED:
165 return "PSMERR_SSL_Disabled";
166 case SSL_ERROR_SSL2_DISABLED:
167 return "PSMERR_SSL2_Disabled";
168 case SEC_ERROR_REUSED_ISSUER_AND_SERIAL:
169 return "PSMERR_HostReusedIssuerSerial";
170 case mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED:
171 return "certErrorTrust_MitM";
172 default:
173 return nullptr;
174 }
175 }
176
177 NS_IMETHODIMP
GetErrorMessage(nsresult aXPCOMErrorCode,nsAString & aErrorMessage)178 NSSErrorsService::GetErrorMessage(nsresult aXPCOMErrorCode,
179 nsAString& aErrorMessage) {
180 if (NS_ERROR_GET_MODULE(aXPCOMErrorCode) != NS_ERROR_MODULE_SECURITY ||
181 NS_ERROR_GET_SEVERITY(aXPCOMErrorCode) != NS_ERROR_SEVERITY_ERROR) {
182 return NS_ERROR_FAILURE;
183 }
184
185 int32_t aNSPRCode = -1 * NS_ERROR_GET_CODE(aXPCOMErrorCode);
186
187 if (!mozilla::psm::IsNSSErrorCode(aNSPRCode)) {
188 return NS_ERROR_FAILURE;
189 }
190
191 nsCOMPtr<nsIStringBundle> theBundle = mPIPNSSBundle;
192 const char* idStr = getOverrideErrorStringName(aNSPRCode);
193
194 if (!idStr) {
195 idStr = PR_ErrorToName(aNSPRCode);
196 theBundle = mNSSErrorsBundle;
197 }
198
199 if (!idStr || !theBundle) {
200 return NS_ERROR_FAILURE;
201 }
202
203 nsAutoString msg;
204 nsresult rv = theBundle->GetStringFromName(idStr, msg);
205 if (NS_SUCCEEDED(rv)) {
206 aErrorMessage = msg;
207 }
208 return rv;
209 }
210
211 } // namespace psm
212 } // namespace mozilla
213