xmlsec/nss/secerror.cxx

*c82f2877SAndrew Rist/**************************************************************
*c82f2877SAndrew Rist *
*c82f2877SAndrew Rist * Licensed to the Apache Software Foundation (ASF) under one
*c82f2877SAndrew Rist * or more contributor license agreements.  See the NOTICE file
*c82f2877SAndrew Rist * distributed with this work for additional information
*c82f2877SAndrew Rist * regarding copyright ownership.  The ASF licenses this file
*c82f2877SAndrew Rist * to you under the Apache License, Version 2.0 (the
*c82f2877SAndrew Rist * "License"); you may not use this file except in compliance
*c82f2877SAndrew Rist * with the License.  You may obtain a copy of the License at
*c82f2877SAndrew Rist *
*c82f2877SAndrew Rist *   http://www.apache.org/licenses/LICENSE-2.0
*c82f2877SAndrew Rist *
*c82f2877SAndrew Rist * Unless required by applicable law or agreed to in writing,
*c82f2877SAndrew Rist * software distributed under the License is distributed on an
*c82f2877SAndrew Rist * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
*c82f2877SAndrew Rist * KIND, either express or implied.  See the License for the
*c82f2877SAndrew Rist * specific language governing permissions and limitations
*c82f2877SAndrew Rist * under the License.
*c82f2877SAndrew Rist *
*c82f2877SAndrew Rist *************************************************************/
*c82f2877SAndrew Rist
*c82f2877SAndrew Rist
cdf0e10cSrcweir
cdf0e10cSrcweir
cdf0e10cSrcweir#include "secerr.h"
cdf0e10cSrcweir#include "sslerr.h"
cdf0e10cSrcweir#include "nspr.h"
cdf0e10cSrcweir#include "certt.h"
cdf0e10cSrcweir
cdf0e10cSrcweir#include "../diagnose.hxx"
cdf0e10cSrcweir
cdf0e10cSrcweirusing namespace xmlsecurity;
cdf0e10cSrcweir
cdf0e10cSrcweirstruct ErrDesc {
cdf0e10cSrcweir    PRErrorCode	 errNum;
cdf0e10cSrcweir    const char * errString;
cdf0e10cSrcweir};
cdf0e10cSrcweir
cdf0e10cSrcweir
cdf0e10cSrcweir
cdf0e10cSrcweirconst ErrDesc allDesc[] = {
cdf0e10cSrcweir
cdf0e10cSrcweir#include "certerrors.h"
cdf0e10cSrcweir
cdf0e10cSrcweir};
cdf0e10cSrcweir
cdf0e10cSrcweir
cdf0e10cSrcweir
cdf0e10cSrcweir/* Returns a UTF-8 encoded constant error string for "errNum".
cdf0e10cSrcweir * Returns NULL of errNum is unknown.
cdf0e10cSrcweir */
cdf0e10cSrcweirconst char *
cdf0e10cSrcweirgetCertError(PRErrorCode errNum)
cdf0e10cSrcweir{
cdf0e10cSrcweir    static char sEmpty[] = "";
cdf0e10cSrcweir    const int numDesc = sizeof(allDesc) / sizeof(ErrDesc);
cdf0e10cSrcweir    for (int i = 0; i < numDesc; i++)
cdf0e10cSrcweir    {
cdf0e10cSrcweir        if (allDesc[i].errNum == errNum)
cdf0e10cSrcweir            return  allDesc[i].errString;
cdf0e10cSrcweir    }
cdf0e10cSrcweir
cdf0e10cSrcweir    return sEmpty;
cdf0e10cSrcweir}
cdf0e10cSrcweir
cdf0e10cSrcweirvoid
cdf0e10cSrcweirprintChainFailure(CERTVerifyLog *log)
cdf0e10cSrcweir{
cdf0e10cSrcweir    unsigned long errorFlags  = 0;
cdf0e10cSrcweir    unsigned int       depth  = (unsigned int)-1;
cdf0e10cSrcweir    const char * specificError = NULL;
cdf0e10cSrcweir    const char * issuer = NULL;
cdf0e10cSrcweir    CERTVerifyLogNode *node   = NULL;
cdf0e10cSrcweir
cdf0e10cSrcweir    if (log->count > 0)
cdf0e10cSrcweir    {
cdf0e10cSrcweir        xmlsec_trace("Bad certifcation path:");
cdf0e10cSrcweir        for (node = log->head; node; node = node->next)
cdf0e10cSrcweir        {
cdf0e10cSrcweir            if (depth != node->depth)
cdf0e10cSrcweir            {
cdf0e10cSrcweir                depth = node->depth;
cdf0e10cSrcweir                xmlsec_trace("Certificate:  %d. %s %s:", depth,
cdf0e10cSrcweir                        node->cert->subjectName,
cdf0e10cSrcweir                        depth ? "[Certificate Authority]": "");
cdf0e10cSrcweir            }
cdf0e10cSrcweir            xmlsec_trace("  ERROR %ld: %s", node->error,
cdf0e10cSrcweir                    getCertError(node->error));
cdf0e10cSrcweir            specificError = NULL;
cdf0e10cSrcweir            issuer = NULL;
cdf0e10cSrcweir            switch (node->error)
cdf0e10cSrcweir            {
cdf0e10cSrcweir            case SEC_ERROR_INADEQUATE_KEY_USAGE:
cdf0e10cSrcweir                errorFlags = (unsigned long)node->arg;
cdf0e10cSrcweir                switch (errorFlags)
cdf0e10cSrcweir                {
cdf0e10cSrcweir                case KU_DIGITAL_SIGNATURE:
cdf0e10cSrcweir                    specificError = "Certificate cannot sign.";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                case KU_KEY_ENCIPHERMENT:
cdf0e10cSrcweir                    specificError = "Certificate cannot encrypt.";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                case KU_KEY_CERT_SIGN:
cdf0e10cSrcweir                    specificError = "Certificate cannot sign other certs.";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                default:
cdf0e10cSrcweir                    specificError = "[unknown usage].";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                }
cdf0e10cSrcweir            case SEC_ERROR_INADEQUATE_CERT_TYPE:
cdf0e10cSrcweir                errorFlags = (unsigned long)node->arg;
cdf0e10cSrcweir                switch (errorFlags)
cdf0e10cSrcweir                {
cdf0e10cSrcweir                case NS_CERT_TYPE_SSL_CLIENT:
cdf0e10cSrcweir                case NS_CERT_TYPE_SSL_SERVER:
cdf0e10cSrcweir                    specificError = "Certificate cannot be used for SSL.";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                case NS_CERT_TYPE_SSL_CA:
cdf0e10cSrcweir                    specificError = "Certificate cannot be used as an SSL CA.";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                case NS_CERT_TYPE_EMAIL:
cdf0e10cSrcweir                    specificError = "Certificate cannot be used for SMIME.";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                case NS_CERT_TYPE_EMAIL_CA:
cdf0e10cSrcweir                    specificError = "Certificate cannot be used as an SMIME CA.";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                case NS_CERT_TYPE_OBJECT_SIGNING:
cdf0e10cSrcweir                    specificError = "Certificate cannot be used for object signing.";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                case NS_CERT_TYPE_OBJECT_SIGNING_CA:
cdf0e10cSrcweir                    specificError = "Certificate cannot be used as an object signing CA.";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                default:
cdf0e10cSrcweir                    specificError = "[unknown usage].";
cdf0e10cSrcweir                    break;
cdf0e10cSrcweir                }
cdf0e10cSrcweir            case SEC_ERROR_UNKNOWN_ISSUER:
cdf0e10cSrcweir                specificError = "Unknown issuer:";
cdf0e10cSrcweir                issuer = node->cert->issuerName;
cdf0e10cSrcweir                break;
cdf0e10cSrcweir            case SEC_ERROR_UNTRUSTED_ISSUER:
cdf0e10cSrcweir                specificError = "Untrusted issuer:";
cdf0e10cSrcweir                issuer = node->cert->issuerName;
cdf0e10cSrcweir                break;
cdf0e10cSrcweir            case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
cdf0e10cSrcweir                specificError = "Expired issuer certificate:";
cdf0e10cSrcweir                issuer = node->cert->issuerName;
cdf0e10cSrcweir                break;
cdf0e10cSrcweir            default:
cdf0e10cSrcweir                break;
cdf0e10cSrcweir            }
cdf0e10cSrcweir            if (specificError)
cdf0e10cSrcweir                xmlsec_trace("%s", specificError);
cdf0e10cSrcweir            if (issuer)
cdf0e10cSrcweir                xmlsec_trace("%s", issuer);
cdf0e10cSrcweir        }
cdf0e10cSrcweir    }
cdf0e10cSrcweir}