1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_PKI_COMMON_CERT_ERRORS_H_
6 #define NET_CERT_PKI_COMMON_CERT_ERRORS_H_
7 
8 #include "net/base/net_export.h"
9 #include "net/cert/pki/cert_errors.h"
10 
11 // This file contains the set of "default" certificate errors (those
12 // defined by the core verification/path building code).
13 //
14 // Errors may be defined for other domains.
15 namespace net::cert_errors {
// NOTE(review): this header only declares the error identifiers. How each one
// is reported and whether it is fatal (for example, a failed revocation lookup)
// is decided by code not shown here -- confirm against the caller's policy.
16 
17 // An internal error occurred which prevented path building or verification
18 // from finishing.
19 NET_EXPORT extern const CertErrorId kInternalError;
20 
21 // The verification time is after the certificate's notAfter time.
22 NET_EXPORT extern const CertErrorId kValidityFailedNotAfter;
23 
24 // The verification time is before the certificate's notBefore time.
25 NET_EXPORT extern const CertErrorId kValidityFailedNotBefore;
26 
27 // The certificate is actively distrusted by the trust store (this is separate
28 // from other revocation mechanisms).
29 NET_EXPORT extern const CertErrorId kDistrustedByTrustStore;
30 
31 // The certificate disagrees on what the signature algorithm was
32 // (Certificate.signatureAlgorithm != TBSCertificate.signature).
33 NET_EXPORT extern const CertErrorId kSignatureAlgorithmMismatch;
34 
35 // Certificate verification was called with an empty chain.
36 NET_EXPORT extern const CertErrorId kChainIsEmpty;
37 
38 // The certificate contains an unknown extension which is marked as critical.
39 NET_EXPORT extern const CertErrorId kUnconsumedCriticalExtension;
40 
41 // The target certificate appears to be a CA (has Basic Constraints CA=true)
42 // but is being used for TLS client or server authentication.
43 NET_EXPORT extern const CertErrorId kTargetCertShouldNotBeCa;
44 
45 // The certificate is being used to sign other certificates, however the
46 // keyCertSign KeyUsage was not set.
47 NET_EXPORT extern const CertErrorId kKeyCertSignBitNotSet;
48 
49 // The chain violates the max_path_length from BasicConstraints.
50 NET_EXPORT extern const CertErrorId kMaxPathLengthViolated;
51 
52 // The certificate being used to sign other certificates has a
53 // BasicConstraints extension, however it sets CA=false.
54 NET_EXPORT extern const CertErrorId kBasicConstraintsIndicatesNotCa;
55 
56 // The certificate being used to sign other certificates does not include a
57 // BasicConstraints extension.
58 NET_EXPORT extern const CertErrorId kMissingBasicConstraints;
59 
60 // The certificate has a subject or subjectAltName that violates an issuer's
61 // name constraints.
62 NET_EXPORT extern const CertErrorId kNotPermittedByNameConstraints;
63 
64 // The chain has an excessive number of names and/or name constraints.
65 NET_EXPORT extern const CertErrorId kTooManyNameConstraintChecks;
66 
67 // The certificate's issuer field does not match the subject of its alleged
68 // issuer.
69 NET_EXPORT extern const CertErrorId kSubjectDoesNotMatchIssuer;
70 
71 // Failed to verify the certificate's signature using its issuer's public key.
72 NET_EXPORT extern const CertErrorId kVerifySignedDataFailed;
73 
74 // The certificate encodes its signature algorithm differently between
75 // Certificate.signatureAlgorithm and TBSCertificate.signature, but it appears
76 // to be the same algorithm.
77 NET_EXPORT extern const CertErrorId kSignatureAlgorithmsDifferentEncoding;
78 
79 // The certificate verification is being done for serverAuth, however the
80 // certificate lacks serverAuth in its ExtendedKeyUsages.
81 NET_EXPORT extern const CertErrorId kEkuLacksServerAuth;
82 
83 // The certificate verification is being done for clientAuth, however the
84 // certificate lacks clientAuth in its ExtendedKeyUsages.
85 NET_EXPORT extern const CertErrorId kEkuLacksClientAuth;
86 
87 // The root certificate in a chain is not trusted.
88 NET_EXPORT extern const CertErrorId kCertIsNotTrustAnchor;
89 
90 // The chain is not valid for any policy, and an explicit policy was required.
91 // (Either because the relying party requested it during verification, or it was
92 // requested by a PolicyConstraints extension).
93 NET_EXPORT extern const CertErrorId kNoValidPolicy;
94 
95 // The certificate is trying to map to, or from, anyPolicy.
96 NET_EXPORT extern const CertErrorId kPolicyMappingAnyPolicy;
97 
98 // The public key in this certificate could not be parsed.
99 NET_EXPORT extern const CertErrorId kFailedParsingSpki;
100 
101 // The certificate's signature algorithm (used to verify its
102 // signature) is not acceptable to the consumer. What constitutes
103 // "acceptable" is determined by the verification delegate.
104 NET_EXPORT extern const CertErrorId kUnacceptableSignatureAlgorithm;
105 
106 // The certificate's public key is not acceptable to the consumer.
107 // What constitutes "acceptable" is determined by the verification delegate.
108 NET_EXPORT extern const CertErrorId kUnacceptablePublicKey;
109 
110 // The certificate's EKU is missing serverAuth. However Netscape Server Gated
111 // Crypto is present instead.
112 NET_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasGatedCrypto;
113 
114 // The certificate's EKU is missing serverAuth. However EKU ANY is present
115 // instead.
116 NET_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasAnyEKU;
117 
118 // The certificate's EKU is missing clientAuth. However EKU ANY is present
119 // instead.
120 NET_EXPORT extern const CertErrorId kEkuLacksClientAuthButHasAnyEKU;
121 
122 // The certificate's EKU is missing both clientAuth and serverAuth.
123 NET_EXPORT extern const CertErrorId kEkuLacksClientAuthOrServerAuth;
124 
125 // The certificate's EKU has OCSP Signing when it should not.
126 NET_EXPORT extern const CertErrorId kEkuHasProhibitedOCSPSigning;
127 
128 // The certificate's EKU has Time Stamping when it should not.
129 NET_EXPORT extern const CertErrorId kEkuHasProhibitedTimeStamping;
130 
131 // The certificate's EKU has Code Signing when it should not.
132 NET_EXPORT extern const CertErrorId kEkuHasProhibitedCodeSigning;
133 
134 // The certificate does not have an EKU extension.
135 NET_EXPORT extern const CertErrorId kEkuNotPresent;
136 
137 // The certificate has been revoked.
138 NET_EXPORT extern const CertErrorId kCertificateRevoked;
139 
140 // The certificate lacks a recognized revocation mechanism (i.e. OCSP/CRL).
141 // Emitted as an error when revocation checking expects certificates to have
142 // such info.
143 NET_EXPORT extern const CertErrorId kNoRevocationMechanism;
144 
145 // The certificate had a revocation mechanism, but when used it was unable to
146 // affirmatively say whether the certificate was unrevoked.
147 NET_EXPORT extern const CertErrorId kUnableToCheckRevocation;
148 
149 // Path building was unable to find any issuers for the certificate.
150 NET_EXPORT extern const CertErrorId kNoIssuersFound;
151 
152 // Deadline was reached during path building.
153 NET_EXPORT extern const CertErrorId kDeadlineExceeded;
154 
155 // Iteration limit was reached during path building.
156 NET_EXPORT extern const CertErrorId kIterationLimitExceeded;
157 
158 // Depth limit was reached during path building.
159 NET_EXPORT extern const CertErrorId kDepthLimitExceeded;
160 
161 }  // namespace net::cert_errors
162 
163 #endif  // NET_CERT_PKI_COMMON_CERT_ERRORS_H_
164