diff --git a/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties index e70ea3a95a52..188222a2c63e 100644 --- a/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties +++ b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties @@ -298,4 +298,4 @@ SEC_ERROR_EXPIRED_PASSWORD=The password expired. SEC_ERROR_LOCKED_PASSWORD=The password is locked. SEC_ERROR_UNKNOWN_PKCS11_ERROR=Unknown PKCS #11 error. SEC_ERROR_BAD_CRL_DP_URL=Invalid or unsupported URL in CRL distribution point name. -SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using an signature algorithm that is disabled because it is not secure. +SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a signature algorithm that is disabled because it is not secure. diff --git a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties index 2ad5834d45b3..13358f82b762 100755 --- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties +++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties @@ -312,6 +312,7 @@ certErrorTrust_UnknownIssuer=The certificate is not trusted because the issuer c certErrorTrust_MissingChain=The certificate is not trusted because no issuer chain was provided. certErrorTrust_CaInvalid=The certificate is not trusted because it was issued by an invalid CA certificate. certErrorTrust_Issuer=The certificate is not trusted because the issuer certificate is not trusted. +certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired. certErrorTrust_Untrusted=The certificate does not come from a trusted source. 
@@ -355,6 +356,7 @@ VerifyNotTrusted= VerifyIssuerNotTrusted= VerifyIssuerUnknown= VerifyInvalidCA= +VerifyDisabledAlgorithm= VerifyUnknown= CertUser=Your Cert CertCA=CA (Certificate Authority) diff --git a/security/manager/locales/en-US/chrome/pippki/pippki.properties b/security/manager/locales/en-US/chrome/pippki/pippki.properties index f340ef2a803f..0088d65b6205 100644 --- a/security/manager/locales/en-US/chrome/pippki/pippki.properties +++ b/security/manager/locales/en-US/chrome/pippki/pippki.properties @@ -59,6 +59,7 @@ certNotVerified_CertNotTrusted=Could not verify this certificate because it is n certNotVerified_IssuerNotTrusted=Could not verify this certificate because the issuer is not trusted. certNotVerified_IssuerUnknown=Could not verify this certificate because the issuer is unknown. certNotVerified_CAInvalid=Could not verify this certificate because the CA certificate is invalid. +certNotVerified_AlgorithmDisabled=Could not verify this certificate because it was signed using a signature algorithm that was disabled because that algorithm is not secure. certNotVerified_Unknown=Could not verify this certificate for unknown reasons. #Client auth 
@@ -180,8 +181,8 @@ addExceptionDomainMismatchShort=Wrong Site
 addExceptionDomainMismatchLong=Certificate belongs to a different site, which could indicate an identity theft.
 addExceptionExpiredShort=Outdated Information
 addExceptionExpiredLong=Certificate is not currently valid. It is impossible to verify whether this identity was reported as stolen or lost.
-addExceptionUnverifiedShort=Unknown Identity
-addExceptionUnverifiedLong=Certificate is not trusted, because it hasn't been verified by a recognized authority.
+addExceptionUnverifiedOrBadSignatureShort=Unknown Identity
+addExceptionUnverifiedOrBadSignatureLong=Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.
 addExceptionValidShort=Valid Certificate
 addExceptionValidLong=This site provides valid, verified identification. There is no need to add an exception.
 addExceptionCheckingShort=Checking Information
diff --git a/security/manager/pki/resources/content/exceptionDialog.js b/security/manager/pki/resources/content/exceptionDialog.js
index ddaf4c5ffca6..8571a5509bba 100644
--- a/security/manager/pki/resources/content/exceptionDialog.js
+++ b/security/manager/pki/resources/content/exceptionDialog.js
@@ -209,8 +209,8 @@ function updateCertStatus() {
 var mml = "addExceptionDomainMismatchLong";
 var exs = "addExceptionExpiredShort";
 var exl = "addExceptionExpiredLong";
- var uts = "addExceptionUnverifiedShort";
- var utl = "addExceptionUnverifiedLong";
+ var uts = "addExceptionUnverifiedOrBadSignatureShort";
+ var utl = "addExceptionUnverifiedOrBadSignatureLong";
 var use1 = false;
 if (gSSLStatus.isDomainMismatch) {
 use1 = true;
diff --git a/security/manager/pki/resources/content/viewCertDetails.js b/security/manager/pki/resources/content/viewCertDetails.js
index 5b31d1785b1d..51e3e814fc80 100644
--- a/security/manager/pki/resources/content/viewCertDetails.js
+++ b/security/manager/pki/resources/content/viewCertDetails.js
@@ -216,6 +216,8 @@ function DisplayVerificationData(cert, result) verifystr = bundle.GetStringFromName('certNotVerified_IssuerUnknown'); } else if (verifystate == cert.INVALID_CA) { verifystr = bundle.GetStringFromName('certNotVerified_CAInvalid'); + } else if (verifystate == cert.SIGNATURE_ALGORITHM_DISABLED) { + verifystr = bundle.GetStringFromName('certNotVerified_AlgorithmDisabled'); } else { /* if (verifystate == cert.NOT_VERIFIED_UNKNOWN || == USAGE_NOT_ALLOWED) */ verifystr = bundle.GetStringFromName('certNotVerified_Unknown'); } diff --git a/security/manager/ssl/public/nsIX509Cert.idl b/security/manager/ssl/public/nsIX509Cert.idl index 8e96f3d97dea..3bc91020f94a 100644 --- a/security/manager/ssl/public/nsIX509Cert.idl +++ b/security/manager/ssl/public/nsIX509Cert.idl @@ -151,6 +151,7 @@ interface nsIX509Cert : nsISupports { const unsigned long ISSUER_UNKNOWN = 1 << 5; const unsigned long INVALID_CA = 1 << 6; const unsigned long USAGE_NOT_ALLOWED = 1 << 7; + const unsigned long SIGNATURE_ALGORITHM_DISABLED = 1 << 8; /** * Constants that describe the certified usages of a certificate. diff --git a/security/manager/ssl/src/NSSErrorsService.cpp b/security/manager/ssl/src/NSSErrorsService.cpp index f305420d3645..7fa847b93e84 100644 --- a/security/manager/ssl/src/NSSErrorsService.cpp +++ b/security/manager/ssl/src/NSSErrorsService.cpp @@ -102,6 +102,7 @@ NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode, PRUint32 *aErrorClass) case SEC_ERROR_INADEQUATE_KEY_USAGE: case SSL_ERROR_BAD_CERT_DOMAIN: case SEC_ERROR_EXPIRED_CERTIFICATE: + case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: *aErrorClass = ERROR_CLASS_BAD_CERT; break; default: diff --git a/security/manager/ssl/src/SSLServerCertVerification.cpp b/security/manager/ssl/src/SSLServerCertVerification.cpp index b54d98fb8d00..04442bb3fc7b 100644 --- a/security/manager/ssl/src/SSLServerCertVerification.cpp +++ b/security/manager/ssl/src/SSLServerCertVerification.cpp 
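Review bot: `SIGNATURE_ALGORITHM_DISABLED = 1 << 8` is added to nsIX509Cert without any comment saying what the state means, even though script code in this patch (viewCertDetails.js) now branches on it. I would add one line above the constant, `// Verification failed with SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: the signature algorithm is disabled as insecure.`, which matches the mapping added in nsNSSCertificate::VerifyForUsage. The interface's uuid line is outside this hunk; if this tree requires a uuid rev for interface changes, confirm it was bumped.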
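Review bot: Adding `SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED` to the `ERROR_CLASS_BAD_CERT` cases in GetErrorClass, and to the group in CreateCertErrorRunnable (SSLServerCertVerification.cpp) that sets `nsICertOverrideService::ERROR_UNTRUSTED`, folds a weak-signature failure into the same override bit as an unknown or untrusted issuer. As far as these hunks show, a stored exception then cannot tell the two causes apart, and the add-exception dialog keeps the "Unknown Identity" label for both. If that is intended, say so at the grouping, for example `// Disabled signature algorithms share ERROR_UNTRUSTED, so an override does not record which cause the user accepted.`; otherwise a distinct override flag would keep the weaker case auditable. Both switch statements start and end outside their hunks.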
@@ -485,6 +485,7 @@ CreateCertErrorRunnable(PRErrorCode defaultErrorCodeToReport,
 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 case SEC_ERROR_UNTRUSTED_CERT:
 case SEC_ERROR_INADEQUATE_KEY_USAGE:
+ case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
 // We group all these errors as "cert not trusted"
 collected_errors |= nsICertOverrideService::ERROR_UNTRUSTED;
 if (errorCodeTrust == SECSuccess) {
diff --git a/security/manager/ssl/src/TransportSecurityInfo.cpp b/security/manager/ssl/src/TransportSecurityInfo.cpp
index 2c18d01e38e0..be8a12b254d3 100644
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -671,6 +671,9 @@ AppendErrorTextUntrusted(PRErrorCode errTrust,
 case SEC_ERROR_UNTRUSTED_ISSUER:
 errorID = "certErrorTrust_Issuer";
 break;
+ case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
+ errorID = "certErrorTrust_SignatureAlgorithmDisabled";
+ break;
 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 errorID = "certErrorTrust_ExpiredIssuer";
 break;
diff --git a/security/manager/ssl/src/nsCertTree.cpp b/security/manager/ssl/src/nsCertTree.cpp
index b2523a1a54d2..7deb72ba80ca 100644
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -1206,6 +1206,9 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
 case nsIX509Cert::INVALID_CA:
 rv = mNSSComponent->GetPIPNSSBundleString("VerifyInvalidCA", _retval);
 break;
+ case nsIX509Cert::SIGNATURE_ALGORITHM_DISABLED:
+ rv = mNSSComponent->GetPIPNSSBundleString("VerifyDisabledAlgorithm", _retval);
+ break;
 case nsIX509Cert::NOT_VERIFIED_UNKNOWN:
 case nsIX509Cert::USAGE_NOT_ALLOWED:
 default:
diff --git a/security/manager/ssl/src/nsNSSCertificate.cpp b/security/manager/ssl/src/nsNSSCertificate.cpp
index 7e19a62a29da..241931b1e380 100644
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -1334,6 +1334,10 @@ nsNSSCertificate::VerifyForUsage(PRUint32 usage, PRUint32 *verificationResult) *verificationResult = ISSUER_UNKNOWN; break; + case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: + *verificationResult = SIGNATURE_ALGORITHM_DISABLED; + break; + case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: *verificationResult = INVALID_CA; break; diff --git a/security/manager/ssl/src/nsUsageArrayHelper.cpp b/security/manager/ssl/src/nsUsageArrayHelper.cpp index ede105dd8ed7..bb1615aef85a 100644 --- a/security/manager/ssl/src/nsUsageArrayHelper.cpp +++ b/security/manager/ssl/src/nsUsageArrayHelper.cpp @@ -108,6 +108,8 @@ nsUsageArrayHelper::verifyFailed(PRUint32 *_verified, int err) case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: // XXX are there other error for this? *_verified = nsNSSCertificate::INVALID_CA; break; + case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: + *_verified = nsNSSCertificate::SIGNATURE_ALGORITHM_DISABLED; break; case SEC_ERROR_CERT_USAGES_INVALID: // XXX what is this? // there are some OCSP errors from PSM 1.x to add here case SECSuccess: