Bug 1484246 - Part 2 - Add more explanation to certificate errors caused by Symantec distrust to Fennec. r=snorp

Differential Revision: https://phabricator.services.mozilla.com/D4297 --HG-- extra : rebase_source : e3949c9520bec01270751898cee7bc21e6c015de
2024-12-03 10:33:33 +00:00 · 2018-08-26 14:32:01 +02:00 · 2018-08-26 14:32:01 +02:00 · 7fd1427a9d
commit 7fd1427a9d
parent a05ff7f01f
2 changed files with 25 additions and 2 deletions
--- a/mobile/android/chrome/content/aboutCertError.xhtml
+++ b/mobile/android/chrome/content/aboutCertError.xhtml
@ -116,8 +116,8 @@

        <div id="whatShouldIDoContent">
          <h2>&certerror.whatShouldIDo.heading;</h2>
-          <div id="whatShouldIDoContentText">
-            <p>&certerror.whatShouldIDo.content;</p>
+          <div>
+            <p id="whatShouldIDoContentText">&certerror.whatShouldIDo.content;</p>
            <button id="getMeOutOfHereButton">&certerror.getMeOutOfHere.label;</button>
          </div>
        </div>
--- a/mobile/android/chrome/content/content.js
+++ b/mobile/android/chrome/content/content.js
@ -91,6 +91,7 @@ const SEC_ERROR_REUSED_ISSUER_AND_SERIAL           = SEC_ERROR_BASE + 138;
 const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED  = SEC_ERROR_BASE + 176;
 const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 5;
 const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 6;
+const MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = MOZILLA_PKIX_ERROR_BASE + 13;


 const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
@ -203,6 +204,11 @@ var AboutCertErrorListener = {
        case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
          msg += gPipNSSBundle.GetStringFromName("certErrorTrust_ExpiredIssuer") + "\n";
          break;
+        // This error code currently only exists for the Symantec distrust, we may need to adjust
+        // it to fit other distrusts later.
+        case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
+          msg += gPipNSSBundle.formatStringFromName("certErrorTrust_Symantec", [hostString], 1) + "\n";
+          break;
        case SEC_ERROR_UNTRUSTED_CERT:
        default:
          msg += gPipNSSBundle.GetStringFromName("certErrorTrust_Untrusted") + "\n";
@ -234,6 +240,23 @@ var AboutCertErrorListener = {
      hostString += ":" + uri.port;
    }

+    // This error code currently only exists for the Symantec distrust
+    // in Firefox 63, so we add copy explaining that to the user.
+    // In case of future distrusts of that scale we might need to add
+    // additional parameters that allow us to identify the affected party
+    // without replicating the complex logic from certverifier code.
+    if (securityInfo.errorCode == MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED) {
+      let introContent = doc.getElementById("introContent");
+      let description = doc.createElement("p");
+      description.textContent = gPipNSSBundle.formatStringFromName(
+        "certErrorSymantecDistrustDescription", [hostString], 1);
+      introContent.append(description);
+
+      // The regular "what should I do" message does not make sense in this case.
+      doc.getElementById("whatShouldIDoContentText").textContent =
+        gPipNSSBundle.GetStringFromName("certErrorSymantecDistrustAdministrator");
+    }
+
    this._setTechDetailsMsgPart1(hostString, sslStatus, securityInfo, technicalInfo, doc);

    if (sslStatus.isDomainMismatch) {