Bug 758314 - Allow end-user to override error when MD5 cert is encountered, r=kaie

--HG--
rename : mobile/android/base/resources/layout-land-v14/tabs_panel_toolbar_menu.xml => mobile/android/base/resources/layout-land-v14/tabs_panel_toolbar.xml
extra : rebase_source : ed78fedd30fcd329a24de652a6d906e78759dc7c
Brian Smith 2012-07-10 19:42:50 -07:00
parent 112a3cced0
commit a53de0d5cc
12 changed files with 25 additions and 5 deletions


@ -298,4 +298,4 @@ SEC_ERROR_EXPIRED_PASSWORD=The password expired.
SEC_ERROR_LOCKED_PASSWORD=The password is locked.
SEC_ERROR_UNKNOWN_PKCS11_ERROR=Unknown PKCS #11 error.
SEC_ERROR_BAD_CRL_DP_URL=Invalid or unsupported URL in CRL distribution point name.
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using an signature algorithm that is disabled because it is not secure.
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a signature algorithm that is disabled because it is not secure.


@ -312,6 +312,7 @@ certErrorTrust_UnknownIssuer=The certificate is not trusted because the issuer c
certErrorTrust_MissingChain=The certificate is not trusted because no issuer chain was provided.
certErrorTrust_CaInvalid=The certificate is not trusted because it was issued by an invalid CA certificate.
certErrorTrust_Issuer=The certificate is not trusted because the issuer certificate is not trusted.
certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired.
certErrorTrust_Untrusted=The certificate does not come from a trusted source.
@ -355,6 +356,7 @@ VerifyNotTrusted=<Not Trusted>
VerifyIssuerNotTrusted=<Issuer Not Trusted>
VerifyIssuerUnknown=<Issuer Unknown>
VerifyInvalidCA=<Invalid CA>
VerifyDisabledAlgorithm=<Signature Algorithm Not Secure>
VerifyUnknown=<Unknown>
CertUser=Your Cert
CertCA=CA (Certificate Authority)


@ -59,6 +59,7 @@ certNotVerified_CertNotTrusted=Could not verify this certificate because it is n
certNotVerified_IssuerNotTrusted=Could not verify this certificate because the issuer is not trusted.
certNotVerified_IssuerUnknown=Could not verify this certificate because the issuer is unknown.
certNotVerified_CAInvalid=Could not verify this certificate because the CA certificate is invalid.
certNotVerified_AlgorithmDisabled=Could not verify this certificate because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
certNotVerified_Unknown=Could not verify this certificate for unknown reasons.
#Client auth
@ -180,8 +181,8 @@ addExceptionDomainMismatchShort=Wrong Site
addExceptionDomainMismatchLong=Certificate belongs to a different site, which could indicate an identity theft.
addExceptionExpiredShort=Outdated Information
addExceptionExpiredLong=Certificate is not currently valid. It is impossible to verify whether this identity was reported as stolen or lost.
addExceptionUnverifiedShort=Unknown Identity
addExceptionUnverifiedLong=Certificate is not trusted, because it hasn't been verified by a recognized authority.
addExceptionUnverifiedOrBadSignatureShort=Unknown Identity
addExceptionUnverifiedOrBadSignatureLong=Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.
addExceptionValidShort=Valid Certificate
addExceptionValidLong=This site provides valid, verified identification. There is no need to add an exception.
addExceptionCheckingShort=Checking Information


@ -209,8 +209,8 @@ function updateCertStatus() {
var mml = "addExceptionDomainMismatchLong";
var exs = "addExceptionExpiredShort";
var exl = "addExceptionExpiredLong";
var uts = "addExceptionUnverifiedShort";
var utl = "addExceptionUnverifiedLong";
var uts = "addExceptionUnverifiedOrBadSignatureShort";
var utl = "addExceptionUnverifiedOrBadSignatureLong";
var use1 = false;
if (gSSLStatus.isDomainMismatch) {
use1 = true;
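Review bot: `uts` and `utl` now point at the combined `addExceptionUnverifiedOrBadSignature*` strings, so the exception dialog shows the same "Unknown Identity" text whether the issuer is unrecognised or the certificate was signed with a disabled algorithm. A user deciding whether to store an exception cannot tell from this dialog which of the two conditions applies. If `gSSLStatus` exposes nothing more specific than the untrusted flag (not visible in this hunk), at least record that here with a comment such as `// Also shown when the cert is signed with a disabled (insecure) signature algorithm`. updateCertStatus starts before and continues past the hunk.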


@ -216,6 +216,8 @@ function DisplayVerificationData(cert, result)
verifystr = bundle.GetStringFromName('certNotVerified_IssuerUnknown');
} else if (verifystate == cert.INVALID_CA) {
verifystr = bundle.GetStringFromName('certNotVerified_CAInvalid');
} else if (verifystate == cert.SIGNATURE_ALGORITHM_DISABLED) {
verifystr = bundle.GetStringFromName('certNotVerified_AlgorithmDisabled');
} else { /* if (verifystate == cert.NOT_VERIFIED_UNKNOWN || == USAGE_NOT_ALLOWED) */
verifystr = bundle.GetStringFromName('certNotVerified_Unknown');
}


@ -151,6 +151,7 @@ interface nsIX509Cert : nsISupports {
const unsigned long ISSUER_UNKNOWN = 1 << 5;
const unsigned long INVALID_CA = 1 << 6;
const unsigned long USAGE_NOT_ALLOWED = 1 << 7;
const unsigned long SIGNATURE_ALGORITHM_DISABLED = 1 << 8;
/**
* Constants that describe the certified usages of a certificate.
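Review bot: `SIGNATURE_ALGORITHM_DISABLED` is added to the interface with no doc comment, so script callers have nothing telling them when this verification result is returned. I would add `/* The certificate was signed using a signature algorithm that is disabled because it is not secure. */` above the constant. The diffstat's 25 additions appear to be fully accounted for by the visible hunks, which suggests the interface uuid was not revised; confirm whether the project's rule for interface changes covers an added constant. The interface body starts and ends outside the hunk.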


@ -102,6 +102,7 @@ NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode, PRUint32 *aErrorClass)
case SEC_ERROR_INADEQUATE_KEY_USAGE:
case SSL_ERROR_BAD_CERT_DOMAIN:
case SEC_ERROR_EXPIRED_CERTIFICATE:
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
*aErrorClass = ERROR_CLASS_BAD_CERT;
break;
default:
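Review bot: The new `case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:` label puts this error into `ERROR_CLASS_BAD_CERT` with no comment saying that the reclassification is a deliberate policy choice. Going by the commit title, this is presumably what makes the error eligible for a user override, and a later reader could take it for an oversight, since the error says the signature itself is not reliable. I would add `// Deliberately overridable by the user, see bug 758314.` directly above the label. The switch starts and ends outside the hunk.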


@ -485,6 +485,7 @@ CreateCertErrorRunnable(PRErrorCode defaultErrorCodeToReport,
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
case SEC_ERROR_UNTRUSTED_CERT:
case SEC_ERROR_INADEQUATE_KEY_USAGE:
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
// We group all these errors as "cert not trusted"
collected_errors |= nsICertOverrideService::ERROR_UNTRUSTED;
if (errorCodeTrust == SECSuccess) {
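Review bot: Folding `SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED` into `nsICertOverrideService::ERROR_UNTRUSTED` means the collected override bits cannot record that an exception was granted for a weak signature rather than for an unknown or untrusted issuer. Anything that later inspects stored overrides, for example to expire or audit them, would presumably see only the generic untrusted bit. The existing comment should say so, e.g. `// We group all these errors as "cert not trusted"; a disabled signature algorithm has no override bit of its own.` A dedicated bit would keep the cases apart, but that is an interface change outside this hunk. The switch and the enclosing function continue outside the hunk.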


@ -671,6 +671,9 @@ AppendErrorTextUntrusted(PRErrorCode errTrust,
case SEC_ERROR_UNTRUSTED_ISSUER:
errorID = "certErrorTrust_Issuer";
break;
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
errorID = "certErrorTrust_SignatureAlgorithmDisabled";
break;
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
errorID = "certErrorTrust_ExpiredIssuer";
break;


@ -1206,6 +1206,9 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
case nsIX509Cert::INVALID_CA:
rv = mNSSComponent->GetPIPNSSBundleString("VerifyInvalidCA", _retval);
break;
case nsIX509Cert::SIGNATURE_ALGORITHM_DISABLED:
rv = mNSSComponent->GetPIPNSSBundleString("VerifyDisabledAlgorithm", _retval);
break;
case nsIX509Cert::NOT_VERIFIED_UNKNOWN:
case nsIX509Cert::USAGE_NOT_ALLOWED:
default:


@ -1334,6 +1334,10 @@ nsNSSCertificate::VerifyForUsage(PRUint32 usage, PRUint32 *verificationResult)
*verificationResult = ISSUER_UNKNOWN;
break;
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
*verificationResult = SIGNATURE_ALGORITHM_DISABLED;
break;
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
*verificationResult = INVALID_CA;
break;


@ -108,6 +108,8 @@ nsUsageArrayHelper::verifyFailed(PRUint32 *_verified, int err)
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
// XXX are there other error for this?
*_verified = nsNSSCertificate::INVALID_CA; break;
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
*_verified = nsNSSCertificate::SIGNATURE_ALGORITHM_DISABLED; break;
case SEC_ERROR_CERT_USAGES_INVALID: // XXX what is this?
// there are some OCSP errors from PSM 1.x to add here
case SECSuccess: