1 /* 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <time.h> 12 #include <errno.h> 13 14 #include "internal/cryptlib.h" 15 #include <openssl/buffer.h> 16 #include <openssl/evp.h> 17 #include <openssl/asn1.h> 18 #include <openssl/x509.h> 19 #include <openssl/objects.h> 20 X509_verify_cert_error_string(long n)21const char *X509_verify_cert_error_string(long n) 22 { 23 switch ((int)n) { 24 case X509_V_OK: 25 return "ok"; 26 case X509_V_ERR_UNSPECIFIED: 27 return "unspecified certificate verification error"; 28 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: 29 return "unable to get issuer certificate"; 30 case X509_V_ERR_UNABLE_TO_GET_CRL: 31 return "unable to get certificate CRL"; 32 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: 33 return "unable to decrypt certificate's signature"; 34 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: 35 return "unable to decrypt CRL's signature"; 36 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: 37 return "unable to decode issuer public key"; 38 case X509_V_ERR_CERT_SIGNATURE_FAILURE: 39 return "certificate signature failure"; 40 case X509_V_ERR_CRL_SIGNATURE_FAILURE: 41 return "CRL signature failure"; 42 case X509_V_ERR_CERT_NOT_YET_VALID: 43 return "certificate is not yet valid"; 44 case X509_V_ERR_CERT_HAS_EXPIRED: 45 return "certificate has expired"; 46 case X509_V_ERR_CRL_NOT_YET_VALID: 47 return "CRL is not yet valid"; 48 case X509_V_ERR_CRL_HAS_EXPIRED: 49 return "CRL has expired"; 50 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: 51 return "format error in certificate's notBefore field"; 52 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: 53 return "format error in certificate's notAfter field"; 54 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: 55 return "format error in CRL's lastUpdate field"; 56 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: 57 return "format error in CRL's nextUpdate field"; 58 case X509_V_ERR_OUT_OF_MEM: 59 return "out of memory"; 60 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 61 return "self signed certificate"; 62 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: 63 return "self signed certificate in certificate chain"; 64 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 65 return "unable to get local issuer certificate"; 66 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: 67 return "unable to verify the first certificate"; 68 case X509_V_ERR_CERT_CHAIN_TOO_LONG: 69 return "certificate chain too long"; 70 case X509_V_ERR_CERT_REVOKED: 71 return "certificate revoked"; 72 case X509_V_ERR_INVALID_CA: 73 return "invalid CA certificate"; 74 case X509_V_ERR_PATH_LENGTH_EXCEEDED: 75 return "path length constraint exceeded"; 76 case X509_V_ERR_INVALID_PURPOSE: 77 return "unsupported certificate purpose"; 78 case X509_V_ERR_CERT_UNTRUSTED: 79 return "certificate not trusted"; 80 case X509_V_ERR_CERT_REJECTED: 81 return "certificate rejected"; 82 case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: 83 return "subject issuer mismatch"; 84 case X509_V_ERR_AKID_SKID_MISMATCH: 85 return "authority and subject key identifier mismatch"; 86 case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: 87 return "authority and issuer serial number mismatch"; 88 case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: 89 return "key usage does not include certificate signing"; 90 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: 91 return "unable to get CRL issuer certificate"; 92 case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: 93 return "unhandled critical extension"; 94 case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: 95 return "key usage does not include CRL signing"; 96 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: 97 return "unhandled critical CRL extension"; 98 case X509_V_ERR_INVALID_NON_CA: 99 return "invalid non-CA certificate (has CA markings)"; 100 case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: 101 return "proxy path length constraint exceeded"; 102 case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: 103 return "key usage does not include digital signature"; 104 case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: 105 return 106 "proxy certificates not allowed, please set the appropriate flag"; 107 case X509_V_ERR_INVALID_EXTENSION: 108 return "invalid or inconsistent certificate extension"; 109 case X509_V_ERR_INVALID_POLICY_EXTENSION: 110 return "invalid or inconsistent certificate policy extension"; 111 case X509_V_ERR_NO_EXPLICIT_POLICY: 112 return "no explicit policy"; 113 case X509_V_ERR_DIFFERENT_CRL_SCOPE: 114 return "Different CRL scope"; 115 case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: 116 return "Unsupported extension feature"; 117 case X509_V_ERR_UNNESTED_RESOURCE: 118 return "RFC 3779 resource not subset of parent's resources"; 119 case X509_V_ERR_PERMITTED_VIOLATION: 120 return "permitted subtree violation"; 121 case X509_V_ERR_EXCLUDED_VIOLATION: 122 return "excluded subtree violation"; 123 case X509_V_ERR_SUBTREE_MINMAX: 124 return "name constraints minimum and maximum not supported"; 125 case X509_V_ERR_APPLICATION_VERIFICATION: 126 return "application verification failure"; 127 case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: 128 return "unsupported name constraint type"; 129 case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: 130 return "unsupported or invalid name constraint syntax"; 131 case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: 132 return "unsupported or invalid name syntax"; 133 case X509_V_ERR_CRL_PATH_VALIDATION_ERROR: 134 return "CRL path validation error"; 135 case X509_V_ERR_PATH_LOOP: 136 return "Path Loop"; 137 case X509_V_ERR_SUITE_B_INVALID_VERSION: 138 return "Suite B: certificate version invalid"; 139 case X509_V_ERR_SUITE_B_INVALID_ALGORITHM: 140 return "Suite B: invalid public key algorithm"; 141 case X509_V_ERR_SUITE_B_INVALID_CURVE: 142 return "Suite B: invalid ECC curve"; 143 case X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM: 144 return "Suite B: invalid signature algorithm"; 145 case X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED: 146 return "Suite B: curve not allowed for this LOS"; 147 case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: 148 return "Suite B: cannot sign P-384 with P-256"; 149 case X509_V_ERR_HOSTNAME_MISMATCH: 150 return "Hostname mismatch"; 151 case X509_V_ERR_EMAIL_MISMATCH: 152 return "Email address mismatch"; 153 case X509_V_ERR_IP_ADDRESS_MISMATCH: 154 return "IP address mismatch"; 155 case X509_V_ERR_DANE_NO_MATCH: 156 return "No matching DANE TLSA records"; 157 case X509_V_ERR_EE_KEY_TOO_SMALL: 158 return "EE certificate key too weak"; 159 case X509_V_ERR_CA_KEY_TOO_SMALL: 160 return "CA certificate key too weak"; 161 case X509_V_ERR_CA_MD_TOO_WEAK: 162 return "CA signature digest algorithm too weak"; 163 case X509_V_ERR_INVALID_CALL: 164 return "Invalid certificate verification context"; 165 case X509_V_ERR_STORE_LOOKUP: 166 return "Issuer certificate lookup error"; 167 case X509_V_ERR_NO_VALID_SCTS: 168 return "Certificate Transparency required, but no valid SCTs found"; 169 case X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION: 170 return "proxy subject name violation"; 171 case X509_V_ERR_OCSP_VERIFY_NEEDED: 172 return "OCSP verification needed"; 173 case X509_V_ERR_OCSP_VERIFY_FAILED: 174 return "OCSP verification failed"; 175 case X509_V_ERR_OCSP_CERT_UNKNOWN: 176 return "OCSP unknown cert"; 177 case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS: 178 return "Certificate public key has explicit ECC parameters"; 179 180 default: 181 /* Printing an error number into a static buffer is not thread-safe */ 182 return "unknown certificate verification error"; 183 } 184 } 185