From 1440bc62c8a2e8c6aea838b4e411b181bc10797a Mon Sep 17 00:00:00 2001 
From: "kaie%kuix.de" Date: Wed, 3 Oct 2007 11:52:26 +0000 Subject: [PATCH] Bug 327181, Improve error reporting for invalid-certificate errors (error page for https, or combined dialog) Code in mozilla/security/manager: r=rrelyea Code elsewhere: r=mconnor, sr=dveditz blocking1.9=mconnor git-svn-id: svn://10.0.0.236/trunk@237176 18797224-902f-48f8-a5cc-f745e15eee43 --- .../src/nsMicrosummaryService.js | 22 +- .../components/search/nsSearchService.js | 19 - mozilla/camino/src/browser/SecurityDialogs.h | 3 - mozilla/camino/src/browser/SecurityDialogs.mm | 185 +--- mozilla/config/system-headers | 1 + .../browser/gtk/src/EmbedCertificates.cpp | 121 --- .../browser/gtk/src/EmbedCertificates.h | 12 - .../browser/gtk/src/EmbedPrivate.cpp | 14 - .../metrics/src/nsMetricsService.cpp | 95 -- mozilla/minimo/base/Minimo.cpp | 162 --- .../en-US/chrome/pipnss/pipnss.properties | 8 + .../en-US/chrome/pippki/certManager.dtd | 2 + .../locales/en-US/chrome/pippki/pippki.dtd | 8 - .../en-US/chrome/pippki/pippki.properties | 16 +- .../pki/resources/content/WebSitesOverlay.xul | 9 + .../pki/resources/content/certManager.js | 152 ++- .../pki/resources/content/deletecert.js | 42 +- .../pki/resources/content/domainMismatch.js | 84 -- .../pki/resources/content/domainMismatch.xul | 64 -- .../pki/resources/content/newserver.js | 91 -- .../pki/resources/content/newserver.xul | 91 -- .../resources/content/serverCertExpired.js | 92 -- .../resources/content/serverCertExpired.xul | 67 -- mozilla/security/manager/pki/resources/jar.mn | 6 - .../security/manager/pki/src/nsNSSDialogs.cpp | 215 +--- .../security/manager/pki/src/nsNSSDialogs.h | 3 - .../security/manager/pki/src/nsPKIModule.cpp | 7 - .../security/manager/ssl/public/Makefile.in | 3 +- .../manager/ssl/public/nsIBadCertListener.idl | 155 --- .../ssl/public/nsIBadCertListener2.idl | 65 ++ .../ssl/public/nsICertOverrideService.idl | 144 +++ .../manager/ssl/public/nsICertTree.idl | 13 +- .../manager/ssl/public/nsISSLStatus.idl | 17 +- 
.../manager/ssl/public/nsIX509Cert2.idl | 7 +- .../manager/ssl/public/nsIX509Cert3.idl | 10 +- mozilla/security/manager/ssl/src/Makefile.in | 3 + .../manager/ssl/src/nsCertOverrideService.cpp | 920 ++++++++++++++++++ .../manager/ssl/src/nsCertOverrideService.h | 199 ++++ .../security/manager/ssl/src/nsCertTree.cpp | 663 ++++++++++--- mozilla/security/manager/ssl/src/nsCertTree.h | 59 +- .../manager/ssl/src/nsNSSCallbacks.cpp | 109 +-- .../manager/ssl/src/nsNSSCertificate.h | 4 +- .../security/manager/ssl/src/nsNSSCleaner.cpp | 58 ++ .../security/manager/ssl/src/nsNSSCleaner.h | 11 + .../security/manager/ssl/src/nsNSSIOLayer.cpp | 667 +++++++------ .../security/manager/ssl/src/nsNSSIOLayer.h | 8 - .../security/manager/ssl/src/nsNSSModule.cpp | 9 + .../security/manager/ssl/src/nsSSLStatus.cpp | 140 +++ .../security/manager/ssl/src/nsSSLStatus.h | 69 ++ .../manager/ssl/src/nsSmartCardEvent.cpp | 2 +- .../mozapps/shared/src/badCertHandler.js | 19 - mozilla/xpinstall/src/nsXPInstallManager.cpp | 33 +- mozilla/xpinstall/src/nsXPInstallManager.h | 6 +- 53 files changed, 2812 insertions(+), 2172 deletions(-) create mode 100644 mozilla/security/manager/ssl/public/nsIBadCertListener2.idl create mode 100644 mozilla/security/manager/ssl/public/nsICertOverrideService.idl create mode 100644 mozilla/security/manager/ssl/src/nsCertOverrideService.cpp create mode 100644 mozilla/security/manager/ssl/src/nsCertOverrideService.h create mode 100644 mozilla/security/manager/ssl/src/nsNSSCleaner.cpp create mode 100644 mozilla/security/manager/ssl/src/nsSSLStatus.cpp create mode 100644 mozilla/security/manager/ssl/src/nsSSLStatus.h diff --git a/mozilla/browser/components/microsummaries/src/nsMicrosummaryService.js b/mozilla/browser/components/microsummaries/src/nsMicrosummaryService.js index a5d3bc6babe..8861e8d9fa8 100644 --- a/mozilla/browser/components/microsummaries/src/nsMicrosummaryService.js +++ b/mozilla/browser/components/microsummaries/src/nsMicrosummaryService.js 
@@ -1767,8 +1767,7 @@ MicrosummaryResource.prototype = { // and abort loads for bad SSL certs and HTTP authorization requests. // Interfaces this component implements. - interfaces: [Ci.nsIBadCertListener, - Ci.nsIAuthPromptProvider, + interfaces: [Ci.nsIAuthPromptProvider, Ci.nsIAuthPrompt, Ci.nsIPrompt, Ci.nsIProgressEventSink, @@ -1800,25 +1799,6 @@ MicrosummaryResource.prototype = { return this.QueryInterface(iid); }, - // nsIBadCertListener - - // Suppress UI and abort secure loads from servers with bad SSL certificates. - - confirmUnknownIssuer: function MSR_confirmUnknownIssuer(socketInfo, cert, certAddType) { - return false; - }, - - confirmMismatchDomain: function MSR_confirmMismatchDomain(socketInfo, targetURL, cert) { - return false; - }, - - confirmCertExpired: function MSR_confirmCertExpired(socketInfo, cert) { - return false; - }, - - notifyCrlNextupdate: function MSR_notifyCrlNextupdate(socketInfo, targetURL, cert) { - }, - // Suppress UI and abort loads for files secured by authentication. // Auth requests appear to succeed when we cancel them (since the server diff --git a/mozilla/browser/components/search/nsSearchService.js b/mozilla/browser/components/search/nsSearchService.js index 51b3dba7aa6..ce000bd434e 100755 --- a/mozilla/browser/components/search/nsSearchService.js +++ b/mozilla/browser/components/search/nsSearchService.js @@ -293,7 +293,6 @@ loadListener.prototype = { aIID.equals(Ci.nsIStreamListener) || aIID.equals(Ci.nsIChannelEventSink) || aIID.equals(Ci.nsIInterfaceRequestor) || - aIID.equals(Ci.nsIBadCertListener) || // See FIXME comment below aIID.equals(Ci.nsIHttpEventSink) || aIID.equals(Ci.nsIProgressEventSink) || 
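Review bot: The context comment kept at the top of this hunk still says the object will "abort loads for bad SSL certs", but with `Ci.nsIBadCertListener` dropped from `interfaces` and the three `return false` handlers deleted in the next hunk, nothing in MicrosummaryResource enforces that any more. Whether a bad certificate now fails the load silently depends on the default handling added elsewhere in this commit, which is not visible here, so the comment should state that dependency, e.g. `// Bad SSL certs: no listener here; relies on PSM's default handling to fail the load without UI (verify).` The same applies to `loadListener` in nsSearchService.js, and UploadData in nsMetricsService.cpp loses the listener that read `metrics.upload.cert-host-override`, which looks like a dead pref after this change unless something outside this view still reads it. The enclosing prototype object starts and ends outside the hunk.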
@@ -349,24 +348,6 @@ loadListener.prototype = { return this.QueryInterface(aIID); }, - // nsIBadCertListener - confirmUnknownIssuer: function SRCH_load_CUI(aSocketInfo, aCert, - aCertAddType) { - return false; - }, - - confirmMismatchDomain: function SRCH_load_CMD(aSocketInfo, aTargetURL, - aCert) { - return false; - }, - - confirmCertExpired: function SRCH_load_CCE(aSocketInfo, aCert) { - return false; - }, - - notifyCrlNextupdate: function SRCH_load_NCN(aSocketInfo, aTargetURL, aCert) { - }, - // FIXME: bug 253127 // nsIHttpEventSink onRedirect: function (aChannel, aNewChannel) {}, diff --git a/mozilla/camino/src/browser/SecurityDialogs.h b/mozilla/camino/src/browser/SecurityDialogs.h index 29cb269dc0f..73758aadbb3 100644 --- a/mozilla/camino/src/browser/SecurityDialogs.h +++ b/mozilla/camino/src/browser/SecurityDialogs.h @@ -40,7 +40,6 @@ #define __SecurityDialogs_h__ #include "nsIClientAuthDialogs.h" -#include "nsIBadCertListener.h" #include "nsITokenPasswordDialogs.h" #include "nsICertificateDialogs.h" #include "nsISecurityWarningDialogs.h" @@ -52,7 +51,6 @@ #include "nsCOMPtr.h" class SecurityDialogs : public nsICertificateDialogs, - public nsIBadCertListener, public nsITokenPasswordDialogs, public nsIClientAuthDialogs, public nsISecurityWarningDialogs, @@ -66,7 +64,6 @@ public: NS_DECL_ISUPPORTS; NS_DECL_NSICERTIFICATEDIALOGS; - NS_DECL_NSIBADCERTLISTENER; NS_DECL_NSITOKENPASSWORDDIALOGS; NS_DECL_NSICLIENTAUTHDIALOGS; NS_DECL_NSISECURITYWARNINGDIALOGS; diff --git a/mozilla/camino/src/browser/SecurityDialogs.mm b/mozilla/camino/src/browser/SecurityDialogs.mm index 107a2fbb6dc..c27c5a4999a 100644 --- a/mozilla/camino/src/browser/SecurityDialogs.mm +++ b/mozilla/camino/src/browser/SecurityDialogs.mm 
@@ -80,8 +80,7 @@ SecurityDialogs::~SecurityDialogs() { } -NS_IMPL_THREADSAFE_ISUPPORTS8(SecurityDialogs, nsICertificateDialogs, - nsIBadCertListener, +NS_IMPL_THREADSAFE_ISUPPORTS7(SecurityDialogs, nsICertificateDialogs, nsITokenPasswordDialogs, nsIClientAuthDialogs, nsISecurityWarningDialogs, 
@@ -317,188 +316,6 @@ NS_IMETHODIMP SecurityDialogs::CrlImportStatusDialog(nsIInterfaceRequestor *ctx, return NS_OK; } - -// nsIBadCertListener implementation - -/** - * Inform the user there are problems with the trust of a certificate, - * and request a decision from the user. - * The UI should offer the user a way to look at the certificate in detail. - * The following is a sample UI message to be shown to the user: - * - * Unable to verify the identity of %S as a trusted site. - * Possible reasons for this error: - * - Your browser does not recognize the Certificate Authority - * that issued the site's certificate. - * - The site's certificate is incomplete due to a - * server misconfiguration. - * - You are connected to a site pretending to be %S, - * possibly to obtain your confidential information. - * Please notify the site's webmaster about this problem. - * Before accepting this certificate, you should examine this site's - * certificate carefully. Are you willing to to accept this certificate - * for the purpose of identifying the Web site %S? - * o Accept this certificate permanently - * x Accept this certificate temporarily for this session - * o Do not accept this certificate and do not connect to this Web site - * - * @param socketInfo A network communication context that can be used to obtain more information - * about the active connection. - * @param cert The certificate that is not trusted and that is having the problem. - * @param certAddType The user's trust decision. See constants defined above. 
- * - * @return true if the user decided to connect anyway, false if the user decided to not connect - */ -/* boolean confirmUnknownIssuer (in nsIInterfaceRequestor socketInfo, - in nsIX509Cert cert, out addType); */ -NS_IMETHODIMP -SecurityDialogs::ConfirmUnknownIssuer(nsIInterfaceRequestor *socketInfo, - nsIX509Cert *cert, PRInt16 *outAddType, - PRBool *_retval) -{ - *_retval = PR_FALSE; - *outAddType = UNINIT_ADD_FLAG; - - UnknownCertIssuerDialogController* dialogController = [[[BrowserSecurityUIProvider sharedBrowserSecurityUIProvider] unknownCertIssuerDialogController] retain]; - if (!dialogController) - return NS_ERROR_FAILURE; - - [dialogController setCertificateItem:[CertificateItem certificateItemWithCert:cert]]; - - // HACK: there is no way to get which window this is for from the API. The - // security team in mozilla just cheats and assumes the frontmost window so - // that's what we'll do. Yes, it's wrong. Yes, it's skanky. Oh well. - NSWindow* parentWindow = [(MainController*)[NSApp delegate] getFrontmostBrowserWindow]; - int result = [nsAlertController safeRunModalForWindow:[dialogController window] relativeToWindow:parentWindow]; - - switch (result) - { - case NSAlertDefaultReturn: // just this session - *outAddType = nsIBadCertListener::ADD_TRUSTED_FOR_SESSION; - *_retval = PR_TRUE; - break; - - default: - case NSAlertAlternateReturn: // stop - *outAddType = nsIBadCertListener::UNINIT_ADD_FLAG; - *_retval = PR_FALSE; - break; - - case NSAlertOtherReturn: // always - *outAddType = nsIBadCertListener::ADD_TRUSTED_PERMANENTLY; - *_retval = PR_TRUE; - break; - } - - [dialogController release]; - return (result == NSAlertErrorReturn) ? NS_ERROR_FAILURE : NS_OK; -} - -/** - * Inform the user there are problems with the trust of a certificate, - * and request a decision from the user. - * The hostname mentioned in the server's certificate is not the hostname - * that was used as a destination address for the current connection. 
- * - * @param socketInfo A network communication context that can be used to obtain more information - * about the active connection. - * @param targetURL The URL that was used to open the current connection. - * @param cert The certificate that was presented by the server. - * - * @return true if the user decided to connect anyway, false if the user decided to not connect - */ -/* boolean confirmMismatchDomain (in nsIInterfaceRequestor socketInfo, - in nsAUTF8String targetURL, - in nsIX509Cert cert); */ -NS_IMETHODIMP -SecurityDialogs::ConfirmMismatchDomain(nsIInterfaceRequestor *socketInfo, - const nsACString& targetURL, - nsIX509Cert *cert, PRBool *_retval) -{ - MismatchedCertDomainDialogController* certDialogController = [[[BrowserSecurityUIProvider sharedBrowserSecurityUIProvider] mismatchedCertDomainDialogController] retain]; - if (!certDialogController) - return NS_ERROR_FAILURE; - - [certDialogController setTargetURL:[NSString stringWith_nsACString:targetURL]]; - [certDialogController setCertificateItem:[CertificateItem certificateItemWithCert:cert]]; - - // XXX fix window parenting - NSWindow* parentWindow = [(MainController*)[NSApp delegate] getFrontmostBrowserWindow]; - int result = [nsAlertController safeRunModalForWindow:[certDialogController window] relativeToWindow:parentWindow]; - - *_retval = (result == NSAlertDefaultReturn); - - [certDialogController release]; - return (result == NSAlertErrorReturn) ? NS_ERROR_FAILURE : NS_OK; -} - -/** - * Inform the user there are problems with the trust of a certificate, - * and request a decision from the user. - * The certificate presented by the server is no longer valid because - * the validity period has expired. - * - * @param socketInfo A network communication context that can be used to obtain more information - * about the active connection. - * @param cert The certificate that was presented by the server. 
- * - * @return true if the user decided to connect anyway, false if the user decided to not connect - */ - -/* boolean confirmCertExpired (in nsIInterfaceRequestor socketInfo, - in nsIX509Cert cert); */ -NS_IMETHODIMP -SecurityDialogs::ConfirmCertExpired(nsIInterfaceRequestor *socketInfo, - nsIX509Cert *cert, PRBool *_retval) -{ - ExpiredCertDialogController* expiredCertController = [[[BrowserSecurityUIProvider sharedBrowserSecurityUIProvider] expiredCertDialogController] retain]; - if (!expiredCertController) - return NS_ERROR_FAILURE; - - [expiredCertController setCertificateItem:[CertificateItem certificateItemWithCert:cert]]; - // XXX fix window parenting - NSWindow* parentWindow = [(MainController*)[NSApp delegate] getFrontmostBrowserWindow]; - int result = [nsAlertController safeRunModalForWindow:[expiredCertController window] relativeToWindow:parentWindow]; - - *_retval = (result == NSAlertDefaultReturn); - [expiredCertController release]; - - return (result == NSAlertErrorReturn) ? NS_ERROR_FAILURE : NS_OK; -} - -/** - * Inform the user there are problems with the trust of a certificate, - * and request a decision from the user. - * The Certificate Authority (CA) that issued the server's certificate has issued a - * Certificate Revocation List (CRL). - * However, the application does not have a current version of the CA's CRL. - * Due to the application configuration, the application disallows the connection - * to the remote site. - * - * @param socketInfo A network communication context that can be used to obtain more information - * about the active connection. - * @param targetURL The URL that was used to open the current connection. - * @param cert The certificate that was presented by the server. 
- */ -NS_IMETHODIMP -SecurityDialogs::NotifyCrlNextupdate(nsIInterfaceRequestor *socketInfo, - const nsACString& targetURL, - nsIX509Cert *cert) -{ - CertificateItem* certItem = [CertificateItem certificateItemWithCert:cert]; - - NSString* titleFormat = NSLocalizedStringFromTable(@"CRLExpiredTitleFormat", @"CertificateDialogs", @""); - NSString* titleString = [NSString stringWithFormat:titleFormat, [NSString stringWith_nsACString:targetURL]]; - - NSString* messageFormat = NSLocalizedStringFromTable(@"CRLExpiredMessageFormat", @"CertificateDialogs", @""); - NSString* messageString = [NSString stringWithFormat:messageFormat, [certItem issuerOrganization]]; - - // XXX this is pretty lame. can't we direct them to some UI that allows them to fix the problem? - NSRunAlertPanel(titleString, messageString, NSLocalizedString(@"OK", @""), nil, nil); - return NS_OK; -} - - // a little delegate object that does checking of the old password in the CreatePasswordDialogController @interface ChangePasswordDelegate : NSObject { diff --git a/mozilla/config/system-headers b/mozilla/config/system-headers index c40e1dcae15..62032496c25 100644 --- a/mozilla/config/system-headers +++ b/mozilla/config/system-headers @@ -865,6 +865,7 @@ sslt.h smime.h cms.h sechash.h +secoidt.h certdb.h secerr.h nssb64.h diff --git a/mozilla/embedding/browser/gtk/src/EmbedCertificates.cpp b/mozilla/embedding/browser/gtk/src/EmbedCertificates.cpp index 62a332955f9..f9bf297db77 100644 --- a/mozilla/embedding/browser/gtk/src/EmbedCertificates.cpp +++ b/mozilla/embedding/browser/gtk/src/EmbedCertificates.cpp 
@@ -87,10 +87,6 @@ NS_IMPL_THREADSAFE_ADDREF(EmbedCertificates) NS_IMPL_THREADSAFE_RELEASE(EmbedCertificates) NS_INTERFACE_MAP_BEGIN(EmbedCertificates) NS_INTERFACE_MAP_ENTRY(nsITokenPasswordDialogs) -NS_INTERFACE_MAP_ENTRY(nsIBadCertListener) -#ifdef BAD_CERT_LISTENER2 -NS_INTERFACE_MAP_ENTRY(nsIBadCertListener2) -#endif NS_INTERFACE_MAP_ENTRY(nsICertificateDialogs) NS_INTERFACE_MAP_ENTRY(nsIClientAuthDialogs) NS_INTERFACE_MAP_ENTRY(nsICertPickDialogs) @@ -129,40 +125,6 @@ EmbedCertificates::GetPassword(nsIInterfaceRequestor *ctx, return NS_OK; } -NS_IMETHODIMP -EmbedCertificates::ConfirmUnknownIssuer(nsIInterfaceRequestor *socketInfo, - nsIX509Cert *cert, PRInt16 *outAddType, - PRBool *_retval) -{ - *outAddType = ADD_TRUSTED_FOR_SESSION; - *_retval = PR_TRUE; - return NS_OK; -} - -NS_IMETHODIMP -EmbedCertificates::ConfirmMismatchDomain(nsIInterfaceRequestor *socketInfo, - const nsACString &targetURL, - nsIX509Cert *cert, PRBool *_retval) -{ - *_retval = PR_TRUE; - return NS_OK; -} - -NS_IMETHODIMP -EmbedCertificates::ConfirmCertExpired(nsIInterfaceRequestor *socketInfo, - nsIX509Cert *cert, PRBool *_retval) -{ - *_retval = PR_TRUE; - return NS_OK; -} - -NS_IMETHODIMP -EmbedCertificates::NotifyCrlNextupdate(nsIInterfaceRequestor *socketInfo, - const nsACString &targetURL, nsIX509Cert *cert) -{ - return NS_OK; -} - NS_IMETHODIMP EmbedCertificates::CrlImportStatusDialog(nsIInterfaceRequestor *ctx, nsICRLInfo *crl) { 
@@ -278,86 +240,3 @@ EmbedCertificates::ConfirmKeyEscrow(nsIX509Cert *escrowAuthority, PRBool *_retva return NS_OK; } -#ifdef BAD_CERT_LISTENER2 -NS_IMETHODIMP -EmbedCertificates::ConfirmBadCertificate( - nsIInterfaceRequestor *ctx, - nsIX509Cert *cert, - PRBool aSecSuccess, - PRUint32 aError, - PRBool *_retval) -{ - nsresult rv; - gpointer pCert = NULL; - guint messint = 0; - nsCOMPtr parent(do_GetInterface(ctx)); - - GtkMozEmbedCommon * common = nsnull; - GtkMozEmbed *parentWidget = GTK_MOZ_EMBED(GetGtkWidgetForDOMWindow(parent)); - - if (!parentWidget) { - EmbedCommon * embedcommon = EmbedCommon::GetInstance(); - if (embedcommon) - common = GTK_MOZ_EMBED_COMMON(embedcommon->mCommon); - } - - if (!(aError & nsIX509Cert::VERIFIED_OK)) { - pCert = (gpointer)cert; - messint = GTK_MOZ_EMBED_CERT_VERIFIED_OK; - if (aError & nsIX509Cert::NOT_VERIFIED_UNKNOWN) { - messint |= GTK_MOZ_EMBED_CERT_NOT_VERIFIED_UNKNOWN; - } - if (aError & nsIX509Cert::CERT_EXPIRED || aError & nsIX509Cert::CERT_REVOKED) { - nsCOMPtr validity; - rv = cert->GetValidity(getter_AddRefs(validity)); - if (NS_SUCCEEDED(rv)) { - PRTime notBefore, notAfter, timeToUse; - PRTime now = PR_Now(); - rv = validity->GetNotBefore(¬Before); - if (NS_FAILED(rv)) - return rv; - rv = validity->GetNotAfter(¬After); - if (NS_FAILED(rv)) - return rv; - if (LL_CMP(now, >, notAfter)) { - messint |= GTK_MOZ_EMBED_CERT_EXPIRED; - timeToUse = notAfter; - } else { - messint |= GTK_MOZ_EMBED_CERT_REVOKED; - timeToUse = notBefore; - } - } - } - if (aError & nsIX509Cert::CERT_NOT_TRUSTED) { - messint |= GTK_MOZ_EMBED_CERT_UNTRUSTED; - } - if (aError & nsIX509Cert::ISSUER_UNKNOWN) { - messint |= GTK_MOZ_EMBED_CERT_ISSUER_UNKNOWN; - } - if (aError & nsIX509Cert::ISSUER_NOT_TRUSTED) { - messint |= GTK_MOZ_EMBED_CERT_ISSUER_UNTRUSTED; - } - if (aError & nsIX509Cert::INVALID_CA) { - messint |= GTK_MOZ_EMBED_CERT_INVALID_CA; - } - if (aError & nsIX509Cert::USAGE_NOT_ALLOWED) { - } - PRBool retVal = PR_FALSE; - if (common) { - 
g_signal_emit_by_name(common, "certificate-error", pCert, messint, &retVal); - } - if (retVal == PR_TRUE) { - *_retval = PR_FALSE; - rv = NS_ERROR_FAILURE; - } else { - rv = NS_OK; - *_retval = PR_TRUE; - } - pCert = NULL; - } else { - rv = NS_OK; - *_retval = PR_TRUE; - } - return rv; -} -#endif diff --git a/mozilla/embedding/browser/gtk/src/EmbedCertificates.h b/mozilla/embedding/browser/gtk/src/EmbedCertificates.h index 0f93027d359..7d765493816 100644 --- a/mozilla/embedding/browser/gtk/src/EmbedCertificates.h +++ b/mozilla/embedding/browser/gtk/src/EmbedCertificates.h @@ -44,10 +44,6 @@ #ifndef __EmbedCertificates_h #define __EmbedCertificates_h #include "nsITokenPasswordDialogs.h" -#include "nsIBadCertListener.h" -#ifdef BAD_CERT_LISTENER2 -#include "nsIBadCertListener2.h" -#endif #include "nsICertificateDialogs.h" #include "nsIClientAuthDialogs.h" #include "nsICertPickDialogs.h" @@ -63,10 +59,6 @@ class EmbedPrivate; class EmbedCertificates : public nsITokenPasswordDialogs, - public nsIBadCertListener, -#ifdef BAD_CERT_LISTENER2 - public nsIBadCertListener2, -#endif public nsICertificateDialogs, public nsIClientAuthDialogs, public nsICertPickDialogs, @@ -77,10 +69,6 @@ class EmbedCertificates public: NS_DECL_ISUPPORTS NS_DECL_NSITOKENPASSWORDDIALOGS - NS_DECL_NSIBADCERTLISTENER -#ifdef BAD_CERT_LISTENER2 - NS_DECL_NSIBADCERTLISTENER2 -#endif NS_DECL_NSICERTIFICATEDIALOGS NS_DECL_NSICLIENTAUTHDIALOGS NS_DECL_NSICERTPICKDIALOGS diff --git a/mozilla/embedding/browser/gtk/src/EmbedPrivate.cpp b/mozilla/embedding/browser/gtk/src/EmbedPrivate.cpp index cd7ec3e8375..c327eeda301 100644 --- a/mozilla/embedding/browser/gtk/src/EmbedPrivate.cpp +++ b/mozilla/embedding/browser/gtk/src/EmbedPrivate.cpp 
@@ -311,20 +311,6 @@ static const nsModuleComponentInfo defaultAppComps[] = { NS_TOKENPASSWORDSDIALOG_CONTRACTID, EmbedCertificatesConstructor }, - { - EMBED_CERTIFICATES_DESCRIPTION, - EMBED_CERTIFICATES_CID, - NS_BADCERTLISTENER_CONTRACTID, - EmbedCertificatesConstructor - }, -#ifdef BAD_CERT_LISTENER2 - { - EMBED_CERTIFICATES_DESCRIPTION, - EMBED_CERTIFICATES_CID, - NS_BADCERTLISTENER2_CONTRACTID, - EmbedCertificatesConstructor - }, -#endif { EMBED_CERTIFICATES_DESCRIPTION, EMBED_CERTIFICATES_CID, diff --git a/mozilla/extensions/metrics/src/nsMetricsService.cpp b/mozilla/extensions/metrics/src/nsMetricsService.cpp index 2c2012697b3..c458aa83b97 100644 --- a/mozilla/extensions/metrics/src/nsMetricsService.cpp +++ b/mozilla/extensions/metrics/src/nsMetricsService.cpp @@ -81,7 +81,6 @@ #include "nsIDocShellTreeItem.h" #include "nsDocShellCID.h" #include "nsMemory.h" -#include "nsIBadCertListener.h" #include "nsIInterfaceRequestor.h" #include "nsIInterfaceRequestorUtils.h" #include "nsIX509Cert.h" 
@@ -195,95 +194,6 @@ CompressBZ2(nsIInputStream *src, PRFileDesc *outFd) //----------------------------------------------------------------------------- -class nsMetricsService::BadCertListener : public nsIBadCertListener, - public nsIInterfaceRequestor -{ - public: - NS_DECL_ISUPPORTS - NS_DECL_NSIBADCERTLISTENER - NS_DECL_NSIINTERFACEREQUESTOR - - BadCertListener() { } - - private: - ~BadCertListener() { } -}; - -// This object has to implement threadsafe addref and release, but this is -// only because the GetInterface call happens on the socket transport thread. -// The actual notifications are proxied to the main thread. -NS_IMPL_THREADSAFE_ISUPPORTS2(nsMetricsService::BadCertListener, - nsIBadCertListener, nsIInterfaceRequestor) - -NS_IMETHODIMP -nsMetricsService::BadCertListener::ConfirmUnknownIssuer( - nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert, - PRInt16 *certAddType, PRBool *result) -{ - *result = PR_FALSE; - return NS_OK; -} - -NS_IMETHODIMP -nsMetricsService::BadCertListener::ConfirmMismatchDomain( - nsIInterfaceRequestor *socketInfo, const nsACString &targetURL, - nsIX509Cert *cert, PRBool *result) -{ - *result = PR_FALSE; - - nsCOMPtr prefs = do_GetService(NS_PREFSERVICE_CONTRACTID); - NS_ENSURE_STATE(prefs); - - nsCString certHostOverride; - prefs->GetCharPref("metrics.upload.cert-host-override", - getter_Copies(certHostOverride)); - - if (!certHostOverride.IsEmpty()) { - // Accept the given alternate hostname (CN) for the certificate - nsString certHost; - cert->GetCommonName(certHost); - if (certHostOverride.Equals(NS_ConvertUTF16toUTF8(certHost))) { - *result = PR_TRUE; - } - } - - return NS_OK; -} - -NS_IMETHODIMP -nsMetricsService::BadCertListener::ConfirmCertExpired( - nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert, PRBool *result) -{ - *result = PR_FALSE; - return NS_OK; -} - -NS_IMETHODIMP -nsMetricsService::BadCertListener::NotifyCrlNextupdate( - nsIInterfaceRequestor *socketInfo, - const nsACString &targetURL, nsIX509Cert 
*cert) -{ - return NS_OK; -} - -NS_IMETHODIMP -nsMetricsService::BadCertListener::GetInterface(const nsIID &uuid, - void **result) -{ - NS_ENSURE_ARG_POINTER(result); - - if (uuid.Equals(NS_GET_IID(nsIBadCertListener))) { - *result = static_cast(this); - NS_ADDREF_THIS(); - return NS_OK; - } - - *result = nsnull; - return NS_ERROR_NO_INTERFACE; -} - -//----------------------------------------------------------------------------- - nsMetricsService::nsMetricsService() : mMD5Context(nsnull), mEventCount(0), @@ -1327,11 +1237,6 @@ nsMetricsService::UploadData() NS_ENSURE_STATE(props); props->SetPropertyAsBool(NS_LITERAL_STRING("moz-metrics-request"), PR_TRUE); - nsCOMPtr certListener = new BadCertListener(); - NS_ENSURE_TRUE(certListener, NS_ERROR_OUT_OF_MEMORY); - - channel->SetNotificationCallbacks(certListener); - nsCOMPtr uploadChannel = do_QueryInterface(channel); NS_ENSURE_STATE(uploadChannel); diff --git a/mozilla/minimo/base/Minimo.cpp b/mozilla/minimo/base/Minimo.cpp index 4566fe83551..112c8ed20ce 100755 --- a/mozilla/minimo/base/Minimo.cpp +++ b/mozilla/minimo/base/Minimo.cpp 
@@ -262,147 +262,6 @@ nsFullScreen::GetChromeItems(nsISimpleEnumerator **_retval) return NS_ERROR_NOT_IMPLEMENTED; } -#ifndef WINCE - -class nsBadCertListener : public nsIBadCertListener -{ -public: - NS_DECL_ISUPPORTS - NS_DECL_NSIBADCERTLISTENER - - nsBadCertListener(); - ~nsBadCertListener(); -}; - - -nsBadCertListener::nsBadCertListener() -{ -} - -nsBadCertListener::~nsBadCertListener() -{ -} - -NS_IMPL_ISUPPORTS1(nsBadCertListener, nsIBadCertListener) - - - -NS_IMETHODIMP -nsBadCertListener::ConfirmUnknownIssuer(nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert, PRInt16 *certAddType, PRBool *_retval) -{ - nsCOMPtr bundleService = do_GetService(NS_STRINGBUNDLE_CONTRACTID); - if (!bundleService) - return NS_ERROR_FAILURE; - - nsCOMPtr bundle; - bundleService->CreateBundle(MINIMO_PROPERTIES_URL, getter_AddRefs(bundle)); - - if (!bundle) - return NS_ERROR_FAILURE; - - nsXPIDLString message; - nsXPIDLString title; - bundle->GetStringFromName(NS_LITERAL_STRING("confirmUnknownIssuer").get(), getter_Copies(message)); - bundle->GetStringFromName(NS_LITERAL_STRING("securityWarningTitle").get(), getter_Copies(title)); - - nsCOMPtr wwatcher = do_GetService(NS_WINDOWWATCHER_CONTRACTID); - if (!wwatcher) - return NS_ERROR_FAILURE; - - nsCOMPtr parent; - if (!parent) - wwatcher->GetActiveWindow(getter_AddRefs(parent)); - - PRBool result; - nsCOMPtr dlgService(do_GetService(NS_PROMPTSERVICE_CONTRACTID)); - dlgService->Confirm(parent, title, message, &result); - - *_retval = result; - - if (result) - *certAddType = ADD_TRUSTED_FOR_SESSION; - - return NS_OK; -} - -NS_IMETHODIMP -nsBadCertListener::ConfirmMismatchDomain(nsIInterfaceRequestor *socketInfo, const nsACString & targetURL, nsIX509Cert *cert, PRBool *_retval) -{ - nsCOMPtr bundleService = do_GetService(NS_STRINGBUNDLE_CONTRACTID); - if (!bundleService) - return NS_ERROR_FAILURE; - - nsCOMPtr bundle; - bundleService->CreateBundle(MINIMO_PROPERTIES_URL, getter_AddRefs(bundle)); - - if (!bundle) - return 
NS_ERROR_FAILURE; - - nsXPIDLString message; - nsXPIDLString title; - bundle->GetStringFromName(NS_LITERAL_STRING("confirmMismatch").get(), getter_Copies(message)); - bundle->GetStringFromName(NS_LITERAL_STRING("securityWarningTitle").get(), getter_Copies(title)); - - nsCOMPtr wwatcher = do_GetService(NS_WINDOWWATCHER_CONTRACTID); - if (!wwatcher) - return NS_ERROR_FAILURE; - - nsCOMPtr parent; - if (!parent) - wwatcher->GetActiveWindow(getter_AddRefs(parent)); - - PRBool result; - nsCOMPtr dlgService(do_GetService(NS_PROMPTSERVICE_CONTRACTID)); - dlgService->Confirm(parent, title, message, &result); - - *_retval = result; - - return NS_OK; -} - -NS_IMETHODIMP -nsBadCertListener::ConfirmCertExpired(nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert, PRBool *_retval) -{ - nsCOMPtr bundleService = do_GetService(NS_STRINGBUNDLE_CONTRACTID); - if (!bundleService) - return NS_ERROR_FAILURE; - - nsCOMPtr bundle; - bundleService->CreateBundle(MINIMO_PROPERTIES_URL, getter_AddRefs(bundle)); - - if (!bundle) - return NS_ERROR_FAILURE; - - nsXPIDLString message; - nsXPIDLString title; - bundle->GetStringFromName(NS_LITERAL_STRING("confirmCertExpired").get(), getter_Copies(message)); - bundle->GetStringFromName(NS_LITERAL_STRING("securityWarningTitle").get(), getter_Copies(title)); - - nsCOMPtr wwatcher = do_GetService(NS_WINDOWWATCHER_CONTRACTID); - if (!wwatcher) - return NS_ERROR_FAILURE; - - nsCOMPtr parent; - if (!parent) - wwatcher->GetActiveWindow(getter_AddRefs(parent)); - - PRBool result; - nsCOMPtr dlgService(do_GetService(NS_PROMPTSERVICE_CONTRACTID)); - dlgService->Confirm(parent, title, message, &result); - - *_retval = result; - - return NS_OK; -} - -NS_IMETHODIMP -nsBadCertListener::NotifyCrlNextupdate(nsIInterfaceRequestor *socketInfo, const nsACString & targetURL, nsIX509Cert *cert) -{ - return NS_ERROR_NOT_IMPLEMENTED; -} -#endif - - #ifdef WINCE class nsSecurityWarningDialogs : public nsISecurityWarningDialogs 
@@ -566,14 +425,6 @@ void DoPreferences() {0xa5, 0x9b, 0x93, 0x63, 0xa0, 0xbf, 0x9a, 0x87} \ } -#define NS_BADCERTLISTENER_CID \ - { /* a4bdf79a-ed05-4256-bf12-4581a03f966e */ \ - 0xa4bdf79a, \ - 0xed05, \ - 0x4256, \ - {0xbf, 0x12, 0x45, 0x81, 0xa0, 0x3f, 0x96, 0x6e} \ - } - #define NS_SECURITYWARNINGDIALOGS_CID \ { /* 8d995d4f-adcc-4159-b7f1-e94af72eeb88 */ \ 0x8d995d4f, \ @@ -587,10 +438,6 @@ NS_GENERIC_FACTORY_CONSTRUCTOR(nsBrowserInstance) NS_GENERIC_FACTORY_CONSTRUCTOR(nsBrowserStatusFilter) NS_GENERIC_FACTORY_CONSTRUCTOR(nsFullScreen) -#ifndef WINCE -NS_GENERIC_FACTORY_CONSTRUCTOR(nsBadCertListener) -#endif - #ifdef WINCE NS_GENERIC_FACTORY_CONSTRUCTOR(nsSecurityWarningDialogs) #endif @@ -618,15 +465,6 @@ static const nsModuleComponentInfo defaultAppComps[] = { nsFullScreenConstructor }, -#ifndef WINCE - { - "Bad Cert Dialogs", - NS_BADCERTLISTENER_CID, - NS_BADCERTLISTENER_CONTRACTID, - nsBadCertListenerConstructor - }, -#endif - #ifdef WINCE { "PSM Security Warnings", diff --git a/mozilla/security/manager/locales/en-US/chrome/pipnss/pipnss.properties b/mozilla/security/manager/locales/en-US/chrome/pipnss/pipnss.properties index 621f1a08bde..00390a24966 100644 --- a/mozilla/security/manager/locales/en-US/chrome/pipnss/pipnss.properties +++ b/mozilla/security/manager/locales/en-US/chrome/pipnss/pipnss.properties @@ -336,6 +336,12 @@ PSMERR_HostReusedIssuerSerial=You have received an invalid certificate. Please SSLConnectionErrorPrefix=An error occurred during a connection to %S. +certErrorIntro=An error occurred during a connection to %S because it uses an invalid security certificate. +certErrorUntrusted=The certificate is not trusted or its issuer certificate is invalid. +certErrorMismatch=The certificate is not valid for domain name %S. +certErrorExpired=The certificate has expired on %S. +certErrorNotYetValid=The certificate will not be valid until %S. + CertInfoIssuedFor=Issued to: CertInfoIssuedBy=Issued by: CertInfoValid=Valid 
@@ -377,3 +383,5 @@ NotACACert=This is not a certificate authority certificate, so it can't be impor NotImportingUnverifiedCert=This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved. UserCertIgnoredNoPrivateKey=This personal certificate can't be installed because you do not own the corresponding private key which was created when the certificate was requested. UserCertImported=Your personal certificate has been installed. You should keep a backup copy of this certificate. +CertOrgUnknown=(Unknown) +CertNotStored=(Not Stored) diff --git a/mozilla/security/manager/locales/en-US/chrome/pippki/certManager.dtd b/mozilla/security/manager/locales/en-US/chrome/pippki/certManager.dtd index 762af9fd7f4..bfbb4122a0c 100644 --- a/mozilla/security/manager/locales/en-US/chrome/pippki/certManager.dtd +++ b/mozilla/security/manager/locales/en-US/chrome/pippki/certManager.dtd @@ -93,6 +93,8 @@ + + diff --git a/mozilla/security/manager/locales/en-US/chrome/pippki/pippki.dtd b/mozilla/security/manager/locales/en-US/chrome/pippki/pippki.dtd index 2ff58c8105e..961745073f4 100644 --- a/mozilla/security/manager/locales/en-US/chrome/pippki/pippki.dtd +++ b/mozilla/security/manager/locales/en-US/chrome/pippki/pippki.dtd @@ -82,16 +82,8 @@ - - - - - - - - diff --git a/mozilla/security/manager/locales/en-US/chrome/pippki/pippki.properties b/mozilla/security/manager/locales/en-US/chrome/pippki/pippki.properties index 65baa063e34..bf70f866f72 100644 --- a/mozilla/security/manager/locales/en-US/chrome/pippki/pippki.properties +++ b/mozilla/security/manager/locales/en-US/chrome/pippki/pippki.properties 
@@ -54,9 +54,9 @@ issuerNotKnown=Because you do not know the certificate authority that issued thi issuerCertNotFound=Certificate for this certificate authority was not found #For Deleting Certificates -deleteSslCertConfirm=Are you sure you want to delete these web site certificates? -deleteSslCertImpact=If you delete a web site certificate, you will be asked to accept it again the next time you visit the web site. -deleteSslCertTitle=Delete Web Site Certificates +deleteSslCertConfirm2=Are you sure you want to delete these web site exceptions? +deleteSslCertImpact2=If you delete a web site exception, you restore the usual security checks for that site and require it uses a valid certificate. +deleteSslCertTitle2=Delete Web Site Certificate Exceptions deleteUserCertConfirm=Are you sure you want to delete these certificates? deleteUserCertImpact=If you delete one of your own certificates, you can no longer use it to identify yourself. 
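Review bot: The new `deleteSslCertImpact2` text ends with "and require it uses a valid certificate", which is ungrammatical in a string that explains the security effect of removing an exception. I would write `deleteSslCertImpact2=If you delete a web site exception, you restore the usual security checks for that site and require that it use a valid certificate.` The title also says "Web Site Certificate Exceptions" while the confirm and impact strings say "web site exceptions"; using one term in all three would make it clearer what is being deleted.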
@@ -79,16 +79,6 @@ chooseP12RestoreFileDialog=File Name to Restore chooseP12BackupFileDialog=File Name to Backup file_browse_PKCS12_spec=PKCS12 Files -#Mismatch Domain Dialg -mismatchDomainMsg1=You have attempted to establish a connection with "%S". However, the security certificate presented belongs to "%S". It is possible, though unlikely, that someone may be trying to intercept your communication with this web site. -mismatchDomainMsg2=If you suspect the certificate shown does not belong to "%S", please cancel the connection and notify the site administrator. - -#Server Cert expired -serverCertExpiredMsg1="%S" is a site that uses a security certificate to encrypt data during transmission, but its certificate expired on %S. -serverCertExpiredTitle=Server Certificate Expired -serverCertNotYetValedMsg1="%S" is a site that uses a security certificate to encrypt data during transmission, but its certificate will not be valid until %S. -serverCertNotYetValidTitle=Server Certificate Not Yet Valid -serverCertExpiredMsg2=You should check to make sure that your computer's time (currently set to %S) is correct. #Preferences resetPreferences=Use this button to reset %S's security preferences to their factory settings. diff --git a/mozilla/security/manager/pki/resources/content/WebSitesOverlay.xul b/mozilla/security/manager/pki/resources/content/WebSitesOverlay.xul index ce8da8d4e6a..beafa6b2765 100644 --- a/mozilla/security/manager/pki/resources/content/WebSitesOverlay.xul +++ b/mozilla/security/manager/pki/resources/content/WebSitesOverlay.xul @@ -22,6 +22,7 @@ - Contributor(s): - Bob Lord - Ian McGreer + - Kai Engert - - Alternatively, the contents of this file may be used under the terms of - either the GNU General Public License Version 2 or later (the "GPL"), or @@ -55,6 +56,14 @@ + + + - - - - - - - -