diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp index 7d6c5016d334..a0d0340360e7 100644 --- a/security/manager/ssl/SSLServerCertVerification.cpp +++ b/security/manager/ssl/SSLServerCertVerification.cpp @@ -318,16 +318,19 @@ SECStatus DetermineCertOverrideErrors(const nsCOMPtr& cert, certInput, mozilla::pkix::EndEntityOrCA::MustBeEndEntity, nullptr); Result rv = backCert.Init(); if (rv != Success) { - MapResultToPRErrorCode(rv); + PR_SetError(MapResultToPRErrorCode(rv), 0); return SECFailure; } mozilla::pkix::Time notBefore(mozilla::pkix::Time::uninitialized); mozilla::pkix::Time notAfter(mozilla::pkix::Time::uninitialized); + // If the validity can't be parsed, ParseValidity will return + // Result::ERROR_INVALID_DER_TIME. rv = mozilla::pkix::ParseValidity(backCert.GetValidity(), ¬Before, ¬After); if (rv != Success) { - MapResultToPRErrorCode(rv); - return SECFailure; + collectedErrors |= nsICertOverrideService::ERROR_TIME; + errorCodeTime = MapResultToPRErrorCode(rv); + break; } // If `now` is outside of the certificate's validity period, // CheckValidity will return Result::ERROR_NOT_YET_VALID_CERTIFICATE or diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem new file mode 100644 index 000000000000..69972591d4e4 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem 
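Review bot: The rewritten `if (rv != Success)` branch after `ParseValidity` records every failure as an overridable `nsICertOverrideService::ERROR_TIME`, although the added comment names only `Result::ERROR_INVALID_DER_TIME`. If `ParseValidity` can return any other result (a structural DER error, for instance), that code would be stored in `errorCodeTime` and the failure would become user-overridable instead of failing closed. Consider keeping the hard failure for everything else by placing `if (rv != Result::ERROR_INVALID_DER_TIME) { PR_SetError(MapResultToPRErrorCode(rv), 0); return SECFailure; }` ahead of the `collectedErrors |= ...` line. The enclosing function and the construct that the new `break` exits both start and end outside this hunk, so it is worth confirming that the code after the `break` still runs the remaining checks and sets the final error.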
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUCfV2HIsCkOeqHcXdhZf6ejBahIswDQYJKoZIhvcNAQEL
+BQAwODE2MDQGA1UEAwwtU2VsZi1TaWduZWQgQmVmb3JlIFVOSVggRXBvY2ggVGVz
+dCBFbmQtRW50aXR5MCIYDzE5NDYwMjE0MDAwMDAwWhgPMjAzMTAxMDEwMDAwMDBa
+MDgxNjA0BgNVBAMMLVNlbGYtU2lnbmVkIEJlZm9yZSBVTklYIEVwb2NoIFRlc3Qg
+RW5kLUVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMzMDEwLwYDVR0RBCgwJoIkYmVmb3JlLWVwb2NoLXNl
+bGYtc2lnbmVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBCrP9yopCm
+BJSG6MIq3olV8meoQ2wIrCm2i1Ob2BI3JXW9CSjtnklmQaXzyEY6EnH7K/qzHMbz
+prbtiM+e0GjwwYNDAe3Ad1kUjDUSVnMAYmtTJOYxhmGYztkmM2xkz9Tvn+M4U35A
+GXimG82MDslBvDINDCPvwWsjst8oMwDAezpxZP2zZ/BrXbyUvOfCqyWQrRTNfSmF
+Aub2UQBdjSCgwY5RpzJ2ib5IWmVm3vPQmhM69FwI3WzWsbOb6MYdyPpnVnlN626l
+AwLjoaSP3F/lSgPzDqVKgx6rjqkYANPGaLLXdRH3ynJlxuW9JlamyuEypPIA0+Ml
+rvaprkFh5rXU
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec
new file mode 100644
index 000000000000..579e85e49673
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Self-Signed Before UNIX Epoch Test End-Entity
+subject:Self-Signed Before UNIX Epoch Test End-Entity
+validity:19460214-20310101
+extension:subjectAlternativeName:before-epoch-self-signed.example.com
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides.js b/security/manager/ssl/tests/unit/test_cert_overrides.js
index c393596cc2a6..f780462bb578 100644
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js @@ -90,7 +90,7 @@ function check_telemetry() { ); equal( histogram.values[16], - 2, + 3, "Actual and expected SEC_ERROR_INVALID_TIME values should match" ); equal( @@ -100,7 +100,7 @@ function check_telemetry() { ); equal( histogram.values[19], - 3, + 4, "Actual and expected MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT values should match" ); equal( @@ -129,7 +129,7 @@ function check_telemetry() { ); equal( keySizeHistogram.values[3], - 68, + 70, "Actual and expected verification failures unrelated to key size should match" ); @@ -246,6 +246,12 @@ function add_simple_tests() { Ci.nsICertOverrideService.ERROR_TIME, SEC_ERROR_INVALID_TIME ); + add_cert_override_test( + "before-epoch-self-signed.example.com", + Ci.nsICertOverrideService.ERROR_TIME | + Ci.nsICertOverrideService.ERROR_UNTRUSTED, + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + ); add_cert_override_test( "selfsigned.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp index b13d2e9e61ff..1ccd5e876b91 100644 --- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp @@ -28,6 +28,7 @@ const BadCertAndPinningHost sBadCertAndPinningHosts[] = { {"expired.example.com", "expired-ee"}, {"notyetvalid.example.com", "notYetValid"}, {"before-epoch.example.com", "beforeEpoch"}, + {"before-epoch-self-signed.example.com", "beforeEpochSelfSigned"}, {"selfsigned.example.com", "selfsigned"}, {"unknownissuer.example.com", "unknownissuer"}, {"mismatch.example.com", "mismatch"},