From 7fd1427a9d6a085c4859e00fba490c175473db52 Mon Sep 17 00:00:00 2001
From: Johann Hofmann
Date: Sun, 26 Aug 2018 14:32:01 +0200
Subject: [PATCH] Bug 1484246 - Part 2 - Add more explanation to certificate errors caused by Symantec distrust to Fennec. r=snorp
Differential Revision: https://phabricator.services.mozilla.com/D4297
--HG--
extra : rebase_source : e3949c9520bec01270751898cee7bc21e6c015de
---
 .../chrome/content/aboutCertError.xhtml | 4 ++--
 mobile/android/chrome/content/content.js | 23 +++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/mobile/android/chrome/content/aboutCertError.xhtml b/mobile/android/chrome/content/aboutCertError.xhtml
index bcd152b6fa88..2f02afb2651c 100644
--- a/mobile/android/chrome/content/aboutCertError.xhtml
+++ b/mobile/android/chrome/content/aboutCertError.xhtml
@@ -116,8 +116,8 @@

&certerror.whatShouldIDo.heading;

-
-

&certerror.whatShouldIDo.content;

+
+

&certerror.whatShouldIDo.content;

diff --git a/mobile/android/chrome/content/content.js b/mobile/android/chrome/content/content.js
index f7bedf94ea6d..31108508aad8 100644
--- a/mobile/android/chrome/content/content.js
+++ b/mobile/android/chrome/content/content.js
@@ -91,6 +91,7 @@ const SEC_ERROR_REUSED_ISSUER_AND_SERIAL = SEC_ERROR_BASE + 138;
 const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176;
 const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 5;
 const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 6;
+const MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = MOZILLA_PKIX_ERROR_BASE + 13;
 const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
@@ -203,6 +204,11 @@ var AboutCertErrorListener = {
 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 msg += gPipNSSBundle.GetStringFromName("certErrorTrust_ExpiredIssuer") + "\n";
 break;
+ // This error code currently only exists for the Symantec distrust, we may need to adjust
+ // it to fit other distrusts later.
+ case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
+ msg += gPipNSSBundle.formatStringFromName("certErrorTrust_Symantec", [hostString], 1) + "\n";
+ break;
 case SEC_ERROR_UNTRUSTED_CERT:
 default:
 msg += gPipNSSBundle.GetStringFromName("certErrorTrust_Untrusted") + "\n";
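Review bot: `MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED` is a generic policy-failure code, yet the new `case` reports it with the `certErrorTrust_Symantec` string, so any other constraint that later returns this code would give users a wrong reason for the certificate error. The same assumption is repeated in the `securityInfo.errorCode ==` block added in the following hunk, and the two comments acknowledge it separately without pointing at each other. I would make both comments cross-reference the other site, for example `// Keep in sync with the Symantec intro-content block below; revisit both if this code is reused.`, so they are changed together. The switch statement and its enclosing function begin and end outside this hunk.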
@@ -234,6 +240,23 @@ var AboutCertErrorListener = {
 hostString += ":" + uri.port;
 }
+ // This error code currently only exists for the Symantec distrust
+ // in Firefox 63, so we add copy explaining that to the user.
+ // In case of future distrusts of that scale we might need to add
+ // additional parameters that allow us to identify the affected party
+ // without replicating the complex logic from certverifier code.
+ if (securityInfo.errorCode == MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED) {
+ let introContent = doc.getElementById("introContent");
+ let description = doc.createElement("p");
+ description.textContent = gPipNSSBundle.formatStringFromName(
+ "certErrorSymantecDistrustDescription", [hostString], 1);
+ introContent.append(description);
+
+ // The regular "what should I do" message does not make sense in this case.
+ doc.getElementById("whatShouldIDoContentText").textContent =
+ gPipNSSBundle.GetStringFromName("certErrorSymantecDistrustAdministrator");
+ }
+
 this._setTechDetailsMsgPart1(hostString, sslStatus, securityInfo, technicalInfo, doc);
 if (sslStatus.isDomainMismatch) {
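Review bot: The added block dereferences `doc.getElementById("introContent")` and `doc.getElementById("whatShouldIDoContentText")` without checking the result, and it runs before `this._setTechDetailsMsgPart1(...)`. If either element were missing from the page, the exception would presumably skip the technical-details rendering and leave the user with less information on a certificate error. A guard such as `if (introContent) { introContent.append(description); }`, and the same for the `whatShouldIDoContentText` lookup, would keep the rest of the handler running. The comparison could also use `===`, assuming `errorCode` is always a number. The enclosing method starts and ends outside this hunk.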