/*
 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <time.h>
#include <errno.h>

#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/evp.h>
#include <openssl/asn1.h>
#include <openssl/x509.h>
#include <openssl/objects.h>

/*
 * Mapping from X509_V_* verification result codes to their human-readable
 * descriptions.  Every entry is a compile-time constant, so the returned
 * pointers are valid for the lifetime of the program and need no freeing.
 *
 * Entries must be kept consistent with include/openssl/x509_vfy.h.in
 * and with doc/man3/X509_STORE_CTX_get_error.pod
 */
static const struct verify_error_desc {
    int code;
    const char *text;
} verify_error_descs[] = {
    { X509_V_OK, "ok" },
    { X509_V_ERR_UNSPECIFIED, "unspecified certificate verification error" },
    { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, "unable to get issuer certificate" },
    { X509_V_ERR_UNABLE_TO_GET_CRL, "unable to get certificate CRL" },
    { X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
      "unable to decrypt certificate's signature" },
    { X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
      "unable to decrypt CRL's signature" },
    { X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
      "unable to decode issuer public key" },
    { X509_V_ERR_CERT_SIGNATURE_FAILURE, "certificate signature failure" },
    { X509_V_ERR_CRL_SIGNATURE_FAILURE, "CRL signature failure" },
    { X509_V_ERR_CERT_NOT_YET_VALID, "certificate is not yet valid" },
    { X509_V_ERR_CERT_HAS_EXPIRED, "certificate has expired" },
    { X509_V_ERR_CRL_NOT_YET_VALID, "CRL is not yet valid" },
    { X509_V_ERR_CRL_HAS_EXPIRED, "CRL has expired" },
    { X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
      "format error in certificate's notBefore field" },
    { X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
      "format error in certificate's notAfter field" },
    { X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
      "format error in CRL's lastUpdate field" },
    { X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
      "format error in CRL's nextUpdate field" },
    { X509_V_ERR_OUT_OF_MEM, "out of memory" },
    { X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, "self-signed certificate" },
    { X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
      "self-signed certificate in certificate chain" },
    { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
      "unable to get local issuer certificate" },
    { X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
      "unable to verify the first certificate" },
    { X509_V_ERR_CERT_CHAIN_TOO_LONG, "certificate chain too long" },
    { X509_V_ERR_CERT_REVOKED, "certificate revoked" },
    { X509_V_ERR_NO_ISSUER_PUBLIC_KEY,
      "issuer certificate doesn't have a public key" },
    { X509_V_ERR_PATH_LENGTH_EXCEEDED, "path length constraint exceeded" },
    { X509_V_ERR_INVALID_PURPOSE, "unsuitable certificate purpose" },
    { X509_V_ERR_CERT_UNTRUSTED, "certificate not trusted" },
    { X509_V_ERR_CERT_REJECTED, "certificate rejected" },
    { X509_V_ERR_SUBJECT_ISSUER_MISMATCH, "subject issuer mismatch" },
    { X509_V_ERR_AKID_SKID_MISMATCH,
      "authority and subject key identifier mismatch" },
    { X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
      "authority and issuer serial number mismatch" },
    { X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
      "key usage does not include certificate signing" },
    { X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER,
      "unable to get CRL issuer certificate" },
    { X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, "unhandled critical extension" },
    { X509_V_ERR_KEYUSAGE_NO_CRL_SIGN,
      "key usage does not include CRL signing" },
    { X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION,
      "unhandled critical CRL extension" },
    { X509_V_ERR_INVALID_NON_CA,
      "invalid non-CA certificate (has CA markings)" },
    { X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED,
      "proxy path length constraint exceeded" },
    { X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE,
      "key usage does not include digital signature" },
    { X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED,
      "proxy certificates not allowed, please set the appropriate flag" },
    { X509_V_ERR_INVALID_EXTENSION,
      "invalid or inconsistent certificate extension" },
    { X509_V_ERR_INVALID_POLICY_EXTENSION,
      "invalid or inconsistent certificate policy extension" },
    { X509_V_ERR_NO_EXPLICIT_POLICY, "no explicit policy" },
    { X509_V_ERR_DIFFERENT_CRL_SCOPE, "different CRL scope" },
    { X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE,
      "unsupported extension feature" },
    { X509_V_ERR_UNNESTED_RESOURCE,
      "RFC 3779 resource not subset of parent's resources" },
    { X509_V_ERR_PERMITTED_VIOLATION, "permitted subtree violation" },
    { X509_V_ERR_EXCLUDED_VIOLATION, "excluded subtree violation" },
    { X509_V_ERR_SUBTREE_MINMAX,
      "name constraints minimum and maximum not supported" },
    { X509_V_ERR_APPLICATION_VERIFICATION,
      "application verification failure" },
    { X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE,
      "unsupported name constraint type" },
    { X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX,
      "unsupported or invalid name constraint syntax" },
    { X509_V_ERR_UNSUPPORTED_NAME_SYNTAX,
      "unsupported or invalid name syntax" },
    { X509_V_ERR_CRL_PATH_VALIDATION_ERROR, "CRL path validation error" },
    { X509_V_ERR_PATH_LOOP, "path loop" },
    { X509_V_ERR_SUITE_B_INVALID_VERSION,
      "Suite B: certificate version invalid" },
    { X509_V_ERR_SUITE_B_INVALID_ALGORITHM,
      "Suite B: invalid public key algorithm" },
    { X509_V_ERR_SUITE_B_INVALID_CURVE, "Suite B: invalid ECC curve" },
    { X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM,
      "Suite B: invalid signature algorithm" },
    { X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED,
      "Suite B: curve not allowed for this LOS" },
    { X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256,
      "Suite B: cannot sign P-384 with P-256" },
    { X509_V_ERR_HOSTNAME_MISMATCH, "hostname mismatch" },
    { X509_V_ERR_EMAIL_MISMATCH, "email address mismatch" },
    { X509_V_ERR_IP_ADDRESS_MISMATCH, "IP address mismatch" },
    { X509_V_ERR_DANE_NO_MATCH, "no matching DANE TLSA records" },
    { X509_V_ERR_EE_KEY_TOO_SMALL, "EE certificate key too weak" },
    { X509_V_ERR_CA_KEY_TOO_SMALL, "CA certificate key too weak" },
    { X509_V_ERR_CA_MD_TOO_WEAK, "CA signature digest algorithm too weak" },
    { X509_V_ERR_INVALID_CALL, "invalid certificate verification context" },
    { X509_V_ERR_STORE_LOOKUP, "issuer certificate lookup error" },
    { X509_V_ERR_NO_VALID_SCTS,
      "Certificate Transparency required, but no valid SCTs found" },
    { X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION,
      "proxy subject name violation" },
    { X509_V_ERR_OCSP_VERIFY_NEEDED, "OCSP verification needed" },
    { X509_V_ERR_OCSP_VERIFY_FAILED, "OCSP verification failed" },
    { X509_V_ERR_OCSP_CERT_UNKNOWN, "OCSP unknown cert" },
    { X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM,
      "Cannot find certificate signature algorithm" },
    { X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH,
      "subject signature algorithm and issuer public key algorithm mismatch" },
    { X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY,
      "cert info signature and signature algorithm mismatch" },
    { X509_V_ERR_INVALID_CA, "invalid CA certificate" },
    { X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA,
      "Path length invalid for non-CA cert" },
    { X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN,
      "Path length given without key usage keyCertSign" },
    { X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA,
      "Key usage keyCertSign invalid for non-CA cert" },
    { X509_V_ERR_ISSUER_NAME_EMPTY, "Issuer name empty" },
    { X509_V_ERR_SUBJECT_NAME_EMPTY, "Subject name empty" },
    { X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER,
      "Missing Authority Key Identifier" },
    { X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER,
      "Missing Subject Key Identifier" },
    { X509_V_ERR_EMPTY_SUBJECT_ALT_NAME,
      "Empty Subject Alternative Name extension" },
    { X509_V_ERR_CA_BCONS_NOT_CRITICAL,
      "Basic Constraints of CA cert not marked critical" },
    { X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL,
      "Subject empty and Subject Alt Name extension not critical" },
    { X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL,
      "Authority Key Identifier marked critical" },
    { X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL,
      "Subject Key Identifier marked critical" },
    { X509_V_ERR_CA_CERT_MISSING_KEY_USAGE,
      "CA cert does not include key usage extension" },
    { X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3,
      "Using cert extension requires at least X509v3" },
    { X509_V_ERR_EC_KEY_EXPLICIT_PARAMS,
      "Certificate public key has explicit ECC parameters" },
    { X509_V_ERR_RPK_UNTRUSTED,
      "Raw public key untrusted, no trusted keys configured" },
};

/*
 * Return a constant, NUL-terminated description of the verification result
 * code @n (an X509_V_OK / X509_V_ERR_* value as reported by
 * X509_STORE_CTX_get_error()).
 *
 * The text is intended for logs and diagnostics only; programs deciding
 * whether to trust a peer must branch on the numeric code, not on this
 * string, since the wording is not a stable interface.  The argument is
 * narrowed to int before comparison; any value with no table entry yields
 * a fixed "unknown" message rather than an embedded number.  The returned
 * pointer refers to static storage and must not be freed.
 */
const char *X509_verify_cert_error_string(long n)
{
    const int code = (int)n;
    const size_t count =
        sizeof(verify_error_descs) / sizeof(verify_error_descs[0]);
    size_t i;

    for (i = 0; i < count; i++) {
        if (verify_error_descs[i].code == code)
            return verify_error_descs[i].text;
    }

    /* Printing an error number into a static buffer is not thread-safe */
    return "unknown certificate verification error";
}