Closed Bug 1052529 Opened 5 years ago Closed 5 years ago

some mozilla::pkix errors potentially aren't localizable

Categories

(Core :: Security: PSM, defect)

Tracking

RESOLVED FIXED
mozilla34

People

(Reporter: keeler, Assigned: Cykesiopka)

Attachments

(1 file, 2 obsolete files)

It may be the case that we have to add the following to security/manager/locales/en-US/chrome/pipnss/nsserrors.properties:

MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE=The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden.
MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY=The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case.
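
The gap described above can be checked mechanically. This is an added example, not part of the bug or of Mozilla's code: it scans source text for MOZILLA_PKIX_ERROR_* identifiers and reports those with no non-empty key in a `key=value` properties file. The sample source and properties text are constructed, and MOZILLA_PKIX_ERROR_EXAMPLE_UNLOCALIZED is a hypothetical name.

```python
import re

# Matches mozilla::pkix error identifiers wherever they appear in source text.
ERROR_NAME = re.compile(r"\bMOZILLA_PKIX_ERROR_[A-Z0-9_]+\b")


def error_names(source_text):
    """Return the set of MOZILLA_PKIX_ERROR_* identifiers found in source text."""
    return set(ERROR_NAME.findall(source_text))


def property_keys(properties_text):
    """Return keys that carry a non-empty value, skipping blanks and #/! comments."""
    keys = set()
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep and value.strip():  # an empty value is as bad as a missing key
            keys.add(key.strip())
    return keys


def unlocalized(source_text, properties_text):
    """Error names present in the source but lacking a localized string."""
    return sorted(error_names(source_text) - property_keys(properties_text))


# Constructed sample input (not the real pkixnss.cpp or nsserrors.properties).
SAMPLE_SOURCE = """
  MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE,
  MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY,
  MOZILLA_PKIX_ERROR_EXAMPLE_UNLOCALIZED,  // hypothetical name for illustration
"""
SAMPLE_PROPERTIES = """
# constructed sample
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE=(constructed placeholder text)
MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY=
"""

if __name__ == "__main__":
    for name in unlocalized(SAMPLE_SOURCE, SAMPLE_PROPERTIES):
        print("missing localized string:", name)
```
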
Attached patch bug1052529_v1.patch (obsolete) — Splinter Review
Assignee: nobody → cykesiopka.bmo
Status: NEW → ASSIGNED
Attachment #8477970 - Flags: review?(dkeeler)
Comment on attachment 8477970
bug1052529_v1.patch

Review of attachment 8477970:
-----------------------------------------------------------------

Awesome - thanks.
Attachment #8477970 - Flags: review?(dkeeler) → review+
Comment on attachment 8477970
bug1052529_v1.patch

Review of attachment 8477970:
-----------------------------------------------------------------

I suggest that you also add a comment to pkixnss.cpp, like this:

// Note that these error strings are not localizable.
// When these strings change, update the localization information too.
Attached patch bug1052529_v2.patch (obsolete) — Splinter Review
+ Add reminder comment about l10n to pkixnss.cpp, as suggested by Brian in comment 3

https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=d91ebff817bf
Attachment #8477970 - Attachment is obsolete: true
Attachment #8478818 - Flags: review+
Keywords: checkin-needed
Comment on attachment 8478818
bug1052529_v2.patch

Review of attachment 8478818:
-----------------------------------------------------------------

::: security/pkix/lib/pkixnss.cpp
@@ +294,5 @@
>  void
>  RegisterErrorTable()
>  {
> +  // Note that these error strings are not localizable.
> +  // When these strings change, update the localization information too.
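
Review bot: the comment added at the top of RegisterErrorTable() says to update "the localization information" without saying where that lives. Name the file, security/manager/locales/en-US/chrome/pipnss/nsserrors.properties, so that whoever adds an entry knows which key to add. "Not localizable" is also ambiguous: wording such as "the strings in this table are not themselves localized" would avoid implying that these errors cannot have localized messages at all.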

I suggest that you also copy this comment to the end, so that it appears at the top and the bottom. We usually add new entries at the end of the list, and in the code review tools, this comment at the top is likely to be chopped off, but the comment at the bottom is likely to be visible. Thus, the reviewer is more likely to notice this issue during review if the comment is (also) at the bottom.
(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #5)
> I suggest that you also copy this comment to the end, so that it appears at
> the top and the bottom. We usually add new entries at the end of the list,
> and in the code review tools, this comment at the top is likely to be
> chopped off, but the comment at the bottom is likely to be visible. Thus,
> the reviewer is more likely to notice this issue during review if the
> comment is (also) at the bottom.

Good point. Will upload a new patch.
+ Add reminder comment after ErrorTableText[] as well

Just adding an additional comment, so Try link from comment 4 still applies.
Attachment #8478818 - Attachment is obsolete: true
Attachment #8478851 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/b10a78245d32
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
I cannot access Google now - I get:
"Secure Connection Failed

An error occurred during a connection to www.google.com. The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden. (Error code: mozilla_pkix_error_key_pinning_failure)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem."

url:
https://www.google.com/search?safe=off&num=100&complete=0&pws=0&tbs=qdr:y&q=mozilla_pkix_error_key_pinning_failure

I believe I read earlier that the site could not be the certificate authority - however, for google, this is not true.
Tom, please file a new bug with steps to reproduce the problem you're seeing. Thanks.
Flags: needinfo?(tOM)