1*c82f2877SAndrew Rist /**************************************************************
2*c82f2877SAndrew Rist *
3*c82f2877SAndrew Rist * Licensed to the Apache Software Foundation (ASF) under one
4*c82f2877SAndrew Rist * or more contributor license agreements. See the NOTICE file
5*c82f2877SAndrew Rist * distributed with this work for additional information
6*c82f2877SAndrew Rist * regarding copyright ownership. The ASF licenses this file
7*c82f2877SAndrew Rist * to you under the Apache License, Version 2.0 (the
8*c82f2877SAndrew Rist * "License"); you may not use this file except in compliance
9*c82f2877SAndrew Rist * with the License. You may obtain a copy of the License at
10*c82f2877SAndrew Rist *
11*c82f2877SAndrew Rist * http://www.apache.org/licenses/LICENSE-2.0
12*c82f2877SAndrew Rist *
13*c82f2877SAndrew Rist * Unless required by applicable law or agreed to in writing,
14*c82f2877SAndrew Rist * software distributed under the License is distributed on an
15*c82f2877SAndrew Rist * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16*c82f2877SAndrew Rist * KIND, either express or implied. See the License for the
17*c82f2877SAndrew Rist * specific language governing permissions and limitations
18*c82f2877SAndrew Rist * under the License.
19*c82f2877SAndrew Rist *
20*c82f2877SAndrew Rist *************************************************************/
21*c82f2877SAndrew Rist
22*c82f2877SAndrew Rist
23cdf0e10cSrcweir
24cdf0e10cSrcweir
25cdf0e10cSrcweir #include "secerr.h"
26cdf0e10cSrcweir #include "sslerr.h"
27cdf0e10cSrcweir #include "nspr.h"
28cdf0e10cSrcweir #include "certt.h"
29cdf0e10cSrcweir
30cdf0e10cSrcweir #include "../diagnose.hxx"
31cdf0e10cSrcweir
32cdf0e10cSrcweir using namespace xmlsecurity;
33cdf0e10cSrcweir
34cdf0e10cSrcweir struct ErrDesc {
35cdf0e10cSrcweir PRErrorCode errNum;
36cdf0e10cSrcweir const char * errString;
37cdf0e10cSrcweir };
38cdf0e10cSrcweir
39cdf0e10cSrcweir
40cdf0e10cSrcweir
41cdf0e10cSrcweir const ErrDesc allDesc[] = {
42cdf0e10cSrcweir
43cdf0e10cSrcweir #include "certerrors.h"
44cdf0e10cSrcweir
45cdf0e10cSrcweir };
46cdf0e10cSrcweir
47cdf0e10cSrcweir
48cdf0e10cSrcweir
49cdf0e10cSrcweir /* Returns a UTF-8 encoded constant error string for "errNum".
50cdf0e10cSrcweir * Returns NULL of errNum is unknown.
51cdf0e10cSrcweir */
52cdf0e10cSrcweir const char *
getCertError(PRErrorCode errNum)53cdf0e10cSrcweir getCertError(PRErrorCode errNum)
54cdf0e10cSrcweir {
55cdf0e10cSrcweir static char sEmpty[] = "";
56cdf0e10cSrcweir const int numDesc = sizeof(allDesc) / sizeof(ErrDesc);
57cdf0e10cSrcweir for (int i = 0; i < numDesc; i++)
58cdf0e10cSrcweir {
59cdf0e10cSrcweir if (allDesc[i].errNum == errNum)
60cdf0e10cSrcweir return allDesc[i].errString;
61cdf0e10cSrcweir }
62cdf0e10cSrcweir
63cdf0e10cSrcweir return sEmpty;
64cdf0e10cSrcweir }
65cdf0e10cSrcweir
66cdf0e10cSrcweir void
printChainFailure(CERTVerifyLog * log)67cdf0e10cSrcweir printChainFailure(CERTVerifyLog *log)
68cdf0e10cSrcweir {
69cdf0e10cSrcweir unsigned long errorFlags = 0;
70cdf0e10cSrcweir unsigned int depth = (unsigned int)-1;
71cdf0e10cSrcweir const char * specificError = NULL;
72cdf0e10cSrcweir const char * issuer = NULL;
73cdf0e10cSrcweir CERTVerifyLogNode *node = NULL;
74cdf0e10cSrcweir
75cdf0e10cSrcweir if (log->count > 0)
76cdf0e10cSrcweir {
77cdf0e10cSrcweir xmlsec_trace("Bad certifcation path:");
78cdf0e10cSrcweir for (node = log->head; node; node = node->next)
79cdf0e10cSrcweir {
80cdf0e10cSrcweir if (depth != node->depth)
81cdf0e10cSrcweir {
82cdf0e10cSrcweir depth = node->depth;
83cdf0e10cSrcweir xmlsec_trace("Certificate: %d. %s %s:", depth,
84cdf0e10cSrcweir node->cert->subjectName,
85cdf0e10cSrcweir depth ? "[Certificate Authority]": "");
86cdf0e10cSrcweir }
87cdf0e10cSrcweir xmlsec_trace(" ERROR %ld: %s", node->error,
88cdf0e10cSrcweir getCertError(node->error));
89cdf0e10cSrcweir specificError = NULL;
90cdf0e10cSrcweir issuer = NULL;
91cdf0e10cSrcweir switch (node->error)
92cdf0e10cSrcweir {
93cdf0e10cSrcweir case SEC_ERROR_INADEQUATE_KEY_USAGE:
94cdf0e10cSrcweir errorFlags = (unsigned long)node->arg;
95cdf0e10cSrcweir switch (errorFlags)
96cdf0e10cSrcweir {
97cdf0e10cSrcweir case KU_DIGITAL_SIGNATURE:
98cdf0e10cSrcweir specificError = "Certificate cannot sign.";
99cdf0e10cSrcweir break;
100cdf0e10cSrcweir case KU_KEY_ENCIPHERMENT:
101cdf0e10cSrcweir specificError = "Certificate cannot encrypt.";
102cdf0e10cSrcweir break;
103cdf0e10cSrcweir case KU_KEY_CERT_SIGN:
104cdf0e10cSrcweir specificError = "Certificate cannot sign other certs.";
105cdf0e10cSrcweir break;
106cdf0e10cSrcweir default:
107cdf0e10cSrcweir specificError = "[unknown usage].";
108cdf0e10cSrcweir break;
109cdf0e10cSrcweir }
110cdf0e10cSrcweir case SEC_ERROR_INADEQUATE_CERT_TYPE:
111cdf0e10cSrcweir errorFlags = (unsigned long)node->arg;
112cdf0e10cSrcweir switch (errorFlags)
113cdf0e10cSrcweir {
114cdf0e10cSrcweir case NS_CERT_TYPE_SSL_CLIENT:
115cdf0e10cSrcweir case NS_CERT_TYPE_SSL_SERVER:
116cdf0e10cSrcweir specificError = "Certificate cannot be used for SSL.";
117cdf0e10cSrcweir break;
118cdf0e10cSrcweir case NS_CERT_TYPE_SSL_CA:
119cdf0e10cSrcweir specificError = "Certificate cannot be used as an SSL CA.";
120cdf0e10cSrcweir break;
121cdf0e10cSrcweir case NS_CERT_TYPE_EMAIL:
122cdf0e10cSrcweir specificError = "Certificate cannot be used for SMIME.";
123cdf0e10cSrcweir break;
124cdf0e10cSrcweir case NS_CERT_TYPE_EMAIL_CA:
125cdf0e10cSrcweir specificError = "Certificate cannot be used as an SMIME CA.";
126cdf0e10cSrcweir break;
127cdf0e10cSrcweir case NS_CERT_TYPE_OBJECT_SIGNING:
128cdf0e10cSrcweir specificError = "Certificate cannot be used for object signing.";
129cdf0e10cSrcweir break;
130cdf0e10cSrcweir case NS_CERT_TYPE_OBJECT_SIGNING_CA:
131cdf0e10cSrcweir specificError = "Certificate cannot be used as an object signing CA.";
132cdf0e10cSrcweir break;
133cdf0e10cSrcweir default:
134cdf0e10cSrcweir specificError = "[unknown usage].";
135cdf0e10cSrcweir break;
136cdf0e10cSrcweir }
137cdf0e10cSrcweir case SEC_ERROR_UNKNOWN_ISSUER:
138cdf0e10cSrcweir specificError = "Unknown issuer:";
139cdf0e10cSrcweir issuer = node->cert->issuerName;
140cdf0e10cSrcweir break;
141cdf0e10cSrcweir case SEC_ERROR_UNTRUSTED_ISSUER:
142cdf0e10cSrcweir specificError = "Untrusted issuer:";
143cdf0e10cSrcweir issuer = node->cert->issuerName;
144cdf0e10cSrcweir break;
145cdf0e10cSrcweir case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
146cdf0e10cSrcweir specificError = "Expired issuer certificate:";
147cdf0e10cSrcweir issuer = node->cert->issuerName;
148cdf0e10cSrcweir break;
149cdf0e10cSrcweir default:
150cdf0e10cSrcweir break;
151cdf0e10cSrcweir }
152cdf0e10cSrcweir if (specificError)
153cdf0e10cSrcweir xmlsec_trace("%s", specificError);
154cdf0e10cSrcweir if (issuer)
155cdf0e10cSrcweir xmlsec_trace("%s", issuer);
156cdf0e10cSrcweir }
157cdf0e10cSrcweir }
158cdf0e10cSrcweir }
159