1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_COMMON_CERT_ERRORS_H_
6 #define BSSL_PKI_COMMON_CERT_ERRORS_H_
7 
8 #include "fillins/openssl_util.h"
9 
10 #include "cert_errors.h"
11 
12 // This file contains the set of "default" certificate errors (those
13 // defined by the core verification/path building code).
14 //
15 // Errors may be defined for other domains.
namespace bssl::cert_errors {

// An internal error occurred which prevented path building or verification
// from finishing. This is not a statement about the certificate itself; the
// chain should be treated as unverified, not as valid.
OPENSSL_EXPORT extern const CertErrorId kInternalError;

// The verification time is after the certificate's notAfter time.
OPENSSL_EXPORT extern const CertErrorId kValidityFailedNotAfter;

// The verification time is before the certificate's notBefore time.
OPENSSL_EXPORT extern const CertErrorId kValidityFailedNotBefore;

// The certificate is actively distrusted by the trust store (this is separate
// from other revocation mechanisms such as CRL/OCSP).
OPENSSL_EXPORT extern const CertErrorId kDistrustedByTrustStore;

// The certificate disagrees on what the signature algorithm was
// (Certificate.signatureAlgorithm != TBSCertificate.signature). RFC 5280
// requires the two fields to match; a mismatch indicates a malformed or
// tampered certificate.
OPENSSL_EXPORT extern const CertErrorId kSignatureAlgorithmMismatch;

// Certificate verification was called with an empty chain.
OPENSSL_EXPORT extern const CertErrorId kChainIsEmpty;

// The certificate contains an unknown extension which is marked as critical.
// Critical extensions the verifier cannot interpret must cause rejection,
// since they may impose restrictions the verifier would otherwise ignore.
OPENSSL_EXPORT extern const CertErrorId kUnconsumedCriticalExtension;

// The target certificate appears to be a CA (has Basic Constraints CA=true)
// but is being used for TLS client or server authentication.
OPENSSL_EXPORT extern const CertErrorId kTargetCertShouldNotBeCa;

// The certificate is being used to sign other certificates, however the
// keyCertSign KeyUsage was not set.
OPENSSL_EXPORT extern const CertErrorId kKeyCertSignBitNotSet;

// The chain violates the max_path_length from BasicConstraints
// (pathLenConstraint in RFC 5280 terms).
OPENSSL_EXPORT extern const CertErrorId kMaxPathLengthViolated;

// The certificate being used to sign other certificates has a
// BasicConstraints extension, however it sets CA=false.
OPENSSL_EXPORT extern const CertErrorId kBasicConstraintsIndicatesNotCa;

// The certificate being used to sign other certificates does not include a
// BasicConstraints extension.
OPENSSL_EXPORT extern const CertErrorId kMissingBasicConstraints;

// The certificate has a subject or subjectAltName that violates an issuer's
// name constraints.
OPENSSL_EXPORT extern const CertErrorId kNotPermittedByNameConstraints;

// The chain has an excessive number of names and/or name constraints.
// NOTE(review): presumably a limit that bounds the cost of name-constraint
// evaluation on attacker-supplied chains; confirm the threshold in the
// name-constraints implementation.
OPENSSL_EXPORT extern const CertErrorId kTooManyNameConstraintChecks;

// The certificate's issuer field does not match the subject of its alleged
// issuer.
OPENSSL_EXPORT extern const CertErrorId kSubjectDoesNotMatchIssuer;

// Failed to verify the certificate's signature using its issuer's public key.
OPENSSL_EXPORT extern const CertErrorId kVerifySignedDataFailed;

// The certificate encodes its signature algorithm differently between
// Certificate.signatureAlgorithm and TBSCertificate.signature, but it appears
// to be the same algorithm (i.e. the encodings differ but not the algorithm).
OPENSSL_EXPORT extern const CertErrorId kSignatureAlgorithmsDifferentEncoding;

// The certificate verification is being done for serverAuth, however the
// certificate lacks serverAuth in its ExtendedKeyUsages.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuth;

// The certificate verification is being done for clientAuth, however the
// certificate lacks clientAuth in its ExtendedKeyUsages.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuth;

// The root certificate in a chain is not trusted.
OPENSSL_EXPORT extern const CertErrorId kCertIsNotTrustAnchor;

// The chain is not valid for any policy, and an explicit policy was required.
// (Either because the relying party requested it during verification, or it was
// requested by a PolicyConstraints extension).
OPENSSL_EXPORT extern const CertErrorId kNoValidPolicy;

// The certificate is trying to map to, or from, anyPolicy.
OPENSSL_EXPORT extern const CertErrorId kPolicyMappingAnyPolicy;

// The public key in this certificate could not be parsed.
OPENSSL_EXPORT extern const CertErrorId kFailedParsingSpki;

// The certificate's signature algorithm (used to verify its
// signature) is not acceptable by the consumer. What constitutes as
// "acceptable" is determined by the verification delegate.
OPENSSL_EXPORT extern const CertErrorId kUnacceptableSignatureAlgorithm;

// The certificate's public key is not acceptable by the consumer.
// What constitutes as "acceptable" is determined by the verification delegate.
OPENSSL_EXPORT extern const CertErrorId kUnacceptablePublicKey;

// The certificate's EKU is missing serverAuth. However Netscape Server Gated
// Crypto is present instead.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasGatedCrypto;

// The certificate's EKU is missing serverAuth. However EKU ANY
// (anyExtendedKeyUsage) is present instead.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasAnyEKU;

// The certificate's EKU is missing clientAuth. However EKU ANY
// (anyExtendedKeyUsage) is present instead.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuthButHasAnyEKU;

// The certificate's EKU is missing both clientAuth and serverAuth.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuthOrServerAuth;

// The certificate's EKU has OCSP Signing when it should not.
OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedOCSPSigning;

// The certificate's EKU has Time Stamping when it should not.
OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedTimeStamping;

// The certificate's EKU has Code Signing when it should not.
OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedCodeSigning;

// The certificate does not have an EKU extension.
OPENSSL_EXPORT extern const CertErrorId kEkuNotPresent;

// The certificate has been revoked.
OPENSSL_EXPORT extern const CertErrorId kCertificateRevoked;

// The certificate lacks a recognized revocation mechanism (i.e. OCSP/CRL).
// Emitted as an error when revocation checking expects certificates to have
// such info.
OPENSSL_EXPORT extern const CertErrorId kNoRevocationMechanism;

// The certificate had a revocation mechanism, but when used it was unable to
// affirmatively say whether the certificate was unrevoked (e.g. the check
// did not produce a definitive answer). Whether this is fatal or a
// soft-fail is up to the revocation policy in effect.
OPENSSL_EXPORT extern const CertErrorId kUnableToCheckRevocation;

// Path building was unable to find any issuers for the certificate.
OPENSSL_EXPORT extern const CertErrorId kNoIssuersFound;

// Deadline was reached during path building.
OPENSSL_EXPORT extern const CertErrorId kDeadlineExceeded;

// Iteration limit was reached during path building.
OPENSSL_EXPORT extern const CertErrorId kIterationLimitExceeded;

// Depth limit was reached during path building.
OPENSSL_EXPORT extern const CertErrorId kDepthLimitExceeded;

}  // namespace bssl::cert_errors
163 
164 #endif  // BSSL_PKI_COMMON_CERT_ERRORS_H_
165