Bug 1779973 - treat failure to parse certificate validity as a time error r=djackson

Differential Revision: https://phabricator.services.mozilla.com/D152333
2024-11-27 23:02:20 +00:00 · 2022-07-21 23:51:01 +00:00 · 2022-07-21 23:51:01 +00:00 · 30b914478f
commit 30b914478f
parent f3b0b136dc
5 changed files with 40 additions and 6 deletions
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@ -318,16 +318,19 @@ SECStatus DetermineCertOverrideErrors(const nsCOMPtr<nsIX509Cert>& cert,
          certInput, mozilla::pkix::EndEntityOrCA::MustBeEndEntity, nullptr);
      Result rv = backCert.Init();
      if (rv != Success) {
-        MapResultToPRErrorCode(rv);
+        PR_SetError(MapResultToPRErrorCode(rv), 0);
        return SECFailure;
      }
      mozilla::pkix::Time notBefore(mozilla::pkix::Time::uninitialized);
      mozilla::pkix::Time notAfter(mozilla::pkix::Time::uninitialized);
+      // If the validity can't be parsed, ParseValidity will return
+      // Result::ERROR_INVALID_DER_TIME.
      rv = mozilla::pkix::ParseValidity(backCert.GetValidity(), &notBefore,
                                        &notAfter);
      if (rv != Success) {
-        MapResultToPRErrorCode(rv);
-        return SECFailure;
+        collectedErrors |= nsICertOverrideService::ERROR_TIME;
+        errorCodeTime = MapResultToPRErrorCode(rv);
+        break;
      }
      // If `now` is outside of the certificate's validity period,
      // CheckValidity will return Result::ERROR_NOT_YET_VALID_CERTIFICATE or
--- a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem
@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUCfV2HIsCkOeqHcXdhZf6ejBahIswDQYJKoZIhvcNAQEL
+BQAwODE2MDQGA1UEAwwtU2VsZi1TaWduZWQgQmVmb3JlIFVOSVggRXBvY2ggVGVz
+dCBFbmQtRW50aXR5MCIYDzE5NDYwMjE0MDAwMDAwWhgPMjAzMTAxMDEwMDAwMDBa
+MDgxNjA0BgNVBAMMLVNlbGYtU2lnbmVkIEJlZm9yZSBVTklYIEVwb2NoIFRlc3Qg
+RW5kLUVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMzMDEwLwYDVR0RBCgwJoIkYmVmb3JlLWVwb2NoLXNl
+bGYtc2lnbmVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBCrP9yopCm
+BJSG6MIq3olV8meoQ2wIrCm2i1Ob2BI3JXW9CSjtnklmQaXzyEY6EnH7K/qzHMbz
+prbtiM+e0GjwwYNDAe3Ad1kUjDUSVnMAYmtTJOYxhmGYztkmM2xkz9Tvn+M4U35A
+GXimG82MDslBvDINDCPvwWsjst8oMwDAezpxZP2zZ/BrXbyUvOfCqyWQrRTNfSmF
+Aub2UQBdjSCgwY5RpzJ2ib5IWmVm3vPQmhM69FwI3WzWsbOb6MYdyPpnVnlN626l
+AwLjoaSP3F/lSgPzDqVKgx6rjqkYANPGaLLXdRH3ynJlxuW9JlamyuEypPIA0+Ml
+rvaprkFh5rXU
+-----END CERTIFICATE-----
--- a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec
@ -0,0 +1,4 @@
+issuer:Self-Signed Before UNIX Epoch Test End-Entity
+subject:Self-Signed Before UNIX Epoch Test End-Entity
+validity:19460214-20310101
+extension:subjectAlternativeName:before-epoch-self-signed.example.com
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@ -90,7 +90,7 @@ function check_telemetry() {
  );
  equal(
    histogram.values[16],
-    2,
+    3,
    "Actual and expected SEC_ERROR_INVALID_TIME values should match"
  );
  equal(
@ -100,7 +100,7 @@ function check_telemetry() {
  );
  equal(
    histogram.values[19],
-    3,
+    4,
    "Actual and expected MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT values should match"
  );
  equal(
@ -129,7 +129,7 @@ function check_telemetry() {
  );
  equal(
    keySizeHistogram.values[3],
-    68,
+    70,
    "Actual and expected verification failures unrelated to key size should match"
  );

@ -246,6 +246,12 @@ function add_simple_tests() {
    Ci.nsICertOverrideService.ERROR_TIME,
    SEC_ERROR_INVALID_TIME
  );
+  add_cert_override_test(
+    "before-epoch-self-signed.example.com",
+    Ci.nsICertOverrideService.ERROR_TIME |
+      Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+    MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+  );
  add_cert_override_test(
    "selfsigned.example.com",
    Ci.nsICertOverrideService.ERROR_UNTRUSTED,
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
@ -28,6 +28,7 @@ const BadCertAndPinningHost sBadCertAndPinningHosts[] = {
    {"expired.example.com", "expired-ee"},
    {"notyetvalid.example.com", "notYetValid"},
    {"before-epoch.example.com", "beforeEpoch"},
+    {"before-epoch-self-signed.example.com", "beforeEpochSelfSigned"},
    {"selfsigned.example.com", "selfsigned"},
    {"unknownissuer.example.com", "unknownissuer"},
    {"mismatch.example.com", "mismatch"},