Closed Bug 982536 Opened 10 years ago Closed 8 years ago

Error messages for SEC_ERROR_UNKNOWN_ISSUER and SEC_ERROR_UNTRUSTED_ISSUER are misleading when mozilla::pkix is enabled

Categories: Core :: Security: PSM (defect)
Priority: Not set
Severity: minor

Status: RESOLVED WORKSFORME

People: Reporter: briansmith; Unassigned

Details

The error message for SEC_ERROR_UNKNOWN_ISSUER is currently:
"The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)"

This may (or may not, I don't know) be the right thing to say for the NSS classic code, but it is definitely wrong for insanity::pkix because insanity::pkix uses this error code whenever it fails to build a cert chain. The error message, at least in the insanity::pkix case, should say something like "The certificate is not trusted because no trusted issuer chain was provided" or "The certificate is not trusted because the issuer is not trusted." We should look at the existing text for SEC_ERROR_UNTRUSTED_ISSUER and see if that fits. 

SEC_ERROR_UNTRUSTED_ISSUER is used solely for active distrust in insanity::pkix. We should adjust the error message here to say something like "The certificate is not trusted because the issuer certificate has been distrusted."
Summary: Error messages for SEC_ERROR_UNKNOWN_ISSUER and SEC_ERROR_UNTRUSTED_ISSUER are misleading when insanity::pkix is enabled → Error messages for SEC_ERROR_UNKNOWN_ISSUER and SEC_ERROR_UNTRUSTED_ISSUER are misleading when mozilla::pkix is enabled
The unknown issuer string was updated in bug 1131227 to include more possible explanations. I believe the untrusted issuer case will only ever be encountered if the user has used certutil to set the terminal bit on a CA (without also setting the trust bit), which is pretty much what the error text says: "Peer’s certificate issuer has been marked as not trusted by the user." So I think we're good here in either case.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME