1c82f2877SAndrew Rist /**************************************************************
2*8ca5c324Smseidel *
3c82f2877SAndrew Rist * Licensed to the Apache Software Foundation (ASF) under one
4c82f2877SAndrew Rist * or more contributor license agreements. See the NOTICE file
5c82f2877SAndrew Rist * distributed with this work for additional information
6c82f2877SAndrew Rist * regarding copyright ownership. The ASF licenses this file
7c82f2877SAndrew Rist * to you under the Apache License, Version 2.0 (the
8c82f2877SAndrew Rist * "License"); you may not use this file except in compliance
9c82f2877SAndrew Rist * with the License. You may obtain a copy of the License at
10*8ca5c324Smseidel *
11c82f2877SAndrew Rist * http://www.apache.org/licenses/LICENSE-2.0
12*8ca5c324Smseidel *
13c82f2877SAndrew Rist * Unless required by applicable law or agreed to in writing,
14c82f2877SAndrew Rist * software distributed under the License is distributed on an
15c82f2877SAndrew Rist * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16c82f2877SAndrew Rist * KIND, either express or implied. See the License for the
17c82f2877SAndrew Rist * specific language governing permissions and limitations
18c82f2877SAndrew Rist * under the License.
19*8ca5c324Smseidel *
20c82f2877SAndrew Rist *************************************************************/
21c82f2877SAndrew Rist
22c82f2877SAndrew Rist
23cdf0e10cSrcweir
24cdf0e10cSrcweir #include "secerr.h"
25cdf0e10cSrcweir #include "sslerr.h"
26cdf0e10cSrcweir #include "nspr.h"
27cdf0e10cSrcweir #include "certt.h"
28cdf0e10cSrcweir
29cdf0e10cSrcweir #include "../diagnose.hxx"
30cdf0e10cSrcweir
31cdf0e10cSrcweir using namespace xmlsecurity;
32cdf0e10cSrcweir
/* One row of the error-description table used by getCertError():
 * an NSS/NSPR error code paired with its UTF-8 message text.
 * The rows come from certerrors.h (see allDesc below); they presumably
 * use positional initialisers, so do not reorder these members without
 * checking that header. */
struct ErrDesc {
    PRErrorCode errNum;     /* NSS/NSPR error code, e.g. SEC_ERROR_UNKNOWN_ISSUER */
    const char * errString; /* constant, UTF-8 encoded description */
};
37cdf0e10cSrcweir
38cdf0e10cSrcweir
39cdf0e10cSrcweir
/* Lookup table consulted by getCertError().  Its contents are supplied
 * entirely by certerrors.h, which is expected to expand to a list of
 * { errNum, errString } initialisers.  Being a namespace-scope const
 * object in C++ it has internal linkage and is private to this file. */
const ErrDesc allDesc[] = {

#include "certerrors.h"

};
45cdf0e10cSrcweir
46cdf0e10cSrcweir
47cdf0e10cSrcweir
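/* Looks up the UTF-8 encoded, constant description for the NSS/NSPR
 * error code "errNum" in allDesc.
 *
 * Returns a pointer into static storage that stays valid for the
 * lifetime of the program.  An unknown code yields the empty string,
 * NEVER NULL (the previous header comment claimed NULL, which was
 * wrong and would have invited a "%s" on a null pointer in callers).
 */
const char *
getCertError(PRErrorCode errNum)
{
    const size_t numDesc = sizeof(allDesc) / sizeof(allDesc[0]);

    for (size_t i = 0; i < numDesc; i++)
    {
        if (allDesc[i].errNum == errNum)
            return allDesc[i].errString;
    }

    /* Not in the table: an empty string keeps every caller's
     * "%s" formatting well-defined. */
    return "";
}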
64cdf0e10cSrcweir
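/* Writes a human-readable explanation of every entry in an NSS
 * certificate-verification log to the xmlsec trace output.
 *
 * log: the CERTVerifyLog filled in by the NSS verification call.
 *      A NULL log, or one with no entries, produces no output.
 *
 * This routine is purely diagnostic: it never changes the outcome of
 * the verification.  Subject and issuer names originate from the
 * certificate being checked, i.e. from untrusted input, and are
 * therefore always passed as "%s" arguments and never used as the
 * format string itself.
 *
 * Bug fixed here: the inner switches for SEC_ERROR_INADEQUATE_KEY_USAGE
 * and SEC_ERROR_INADEQUATE_CERT_TYPE were not followed by a break, so
 * both cases fell through to SEC_ERROR_UNKNOWN_ISSUER and the trace
 * reported "Unknown issuer:" for a key-usage or cert-type failure.
 * A wrong reason in the log is worse than none when someone is
 * investigating a rejected signature, so each case now terminates.
 */
void
printChainFailure(CERTVerifyLog *log)
{
    if (log == NULL || log->count == 0)
        return;

    xmlsec_trace("Bad certification path:");

    /* Sentinel that no real depth can equal, so the first node always
     * prints its certificate header line. */
    unsigned int lastDepth = (unsigned int)-1;

    for (CERTVerifyLogNode *node = log->head; node != NULL; node = node->next)
    {
        /* NOTE(review): node->cert and its subjectName/issuerName are
         * assumed non-NULL here, as they were in the original; NSS
         * fills them in when it adds a log node -- confirm if this is
         * ever fed a log from another source. */
        if (node->depth != lastDepth)
        {
            lastDepth = node->depth;
            /* Depth 0 is the end-entity certificate; every deeper
             * entry is an issuer somewhere up the chain.  %u matches
             * the unsigned type of depth. */
            xmlsec_trace("Certificate: %u. %s %s:", lastDepth,
                         node->cert->subjectName,
                         lastDepth ? "[Certificate Authority]" : "");
        }

        xmlsec_trace(" ERROR %ld: %s", node->error,
                     getCertError(node->error));

        const char *specificError = NULL;
        const char *issuer = NULL;

        switch (node->error)
        {
            case SEC_ERROR_INADEQUATE_KEY_USAGE:
            {
                /* node->arg carries the key usage that was required
                 * but not granted by the certificate. */
                const unsigned long requiredUsage = (unsigned long)node->arg;
                switch (requiredUsage)
                {
                    case KU_DIGITAL_SIGNATURE:
                        specificError = "Certificate cannot sign.";
                        break;
                    case KU_KEY_ENCIPHERMENT:
                        specificError = "Certificate cannot encrypt.";
                        break;
                    case KU_KEY_CERT_SIGN:
                        specificError = "Certificate cannot sign other certs.";
                        break;
                    default:
                        specificError = "[unknown usage].";
                        break;
                }
                break; /* previously missing: fell through into the cases below */
            }

            case SEC_ERROR_INADEQUATE_CERT_TYPE:
            {
                /* node->arg carries the Netscape cert type that was
                 * required but not present. */
                const unsigned long requiredType = (unsigned long)node->arg;
                switch (requiredType)
                {
                    case NS_CERT_TYPE_SSL_CLIENT:
                    case NS_CERT_TYPE_SSL_SERVER:
                        specificError = "Certificate cannot be used for SSL.";
                        break;
                    case NS_CERT_TYPE_SSL_CA:
                        specificError = "Certificate cannot be used as an SSL CA.";
                        break;
                    case NS_CERT_TYPE_EMAIL:
                        specificError = "Certificate cannot be used for SMIME.";
                        break;
                    case NS_CERT_TYPE_EMAIL_CA:
                        specificError = "Certificate cannot be used as an SMIME CA.";
                        break;
                    case NS_CERT_TYPE_OBJECT_SIGNING:
                        specificError = "Certificate cannot be used for object signing.";
                        break;
                    case NS_CERT_TYPE_OBJECT_SIGNING_CA:
                        specificError = "Certificate cannot be used as an object signing CA.";
                        break;
                    default:
                        specificError = "[unknown usage].";
                        break;
                }
                break; /* previously missing: fell through into the issuer cases */
            }

            case SEC_ERROR_UNKNOWN_ISSUER:
                specificError = "Unknown issuer:";
                issuer = node->cert->issuerName;
                break;

            case SEC_ERROR_UNTRUSTED_ISSUER:
                specificError = "Untrusted issuer:";
                issuer = node->cert->issuerName;
                break;

            case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
                specificError = "Expired issuer certificate:";
                issuer = node->cert->issuerName;
                break;

            default:
                /* Other codes are already described by getCertError(). */
                break;
        }

        /* Untrusted, certificate-derived text goes through "%s" only. */
        if (specificError)
            xmlsec_trace("%s", specificError);
        if (issuer)
            xmlsec_trace("%s", issuer);
    }
}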
158