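/**************************************************************
 *
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *
 *************************************************************/



#include <cstddef>

#include "secerr.h"
#include "sslerr.h"
#include "nspr.h"
#include "certt.h"

#include "../diagnose.hxx"

using namespace xmlsecurity;

/* One row of the certificate error table: an NSS error code and the
 * human-readable text that describes it. */
struct ErrDesc {
    PRErrorCode errNum;
    const char * errString;
};



/* Lookup table of known certificate error codes.  The rows are
 * generated into certerrors.h, so the table is kept in sync with the
 * NSS error codes without editing this file. */
const ErrDesc allDesc[] = {

#include "certerrors.h"

};



/* Returns a UTF-8 encoded constant error string for "errNum".
 * Returns an empty string (never NULL) if errNum is unknown, so the
 * result can be handed straight to a "%s" format without a check.
 */
const char *
getCertError(PRErrorCode errNum)
{
    static const char sEmpty[] = "";
    const size_t numDesc = sizeof(allDesc) / sizeof(allDesc[0]);
    for (size_t i = 0; i < numDesc; i++)
    {
        if (allDesc[i].errNum == errNum)
            return allDesc[i].errString;
    }

    return sEmpty;
}

/* Maps the key-usage bits that NSS reports with
 * SEC_ERROR_INADEQUATE_KEY_USAGE to a short explanation. */
static const char *
describeKeyUsage(unsigned long usageFlags)
{
    switch (usageFlags)
    {
        case KU_DIGITAL_SIGNATURE:
            return "Certificate cannot sign.";
        case KU_KEY_ENCIPHERMENT:
            return "Certificate cannot encrypt.";
        case KU_KEY_CERT_SIGN:
            return "Certificate cannot sign other certs.";
        default:
            return "[unknown usage].";
    }
}

/* Maps the certificate-type bits that NSS reports with
 * SEC_ERROR_INADEQUATE_CERT_TYPE to a short explanation. */
static const char *
describeCertType(unsigned long typeFlags)
{
    switch (typeFlags)
    {
        case NS_CERT_TYPE_SSL_CLIENT:
        case NS_CERT_TYPE_SSL_SERVER:
            return "Certificate cannot be used for SSL.";
        case NS_CERT_TYPE_SSL_CA:
            return "Certificate cannot be used as an SSL CA.";
        case NS_CERT_TYPE_EMAIL:
            return "Certificate cannot be used for SMIME.";
        case NS_CERT_TYPE_EMAIL_CA:
            return "Certificate cannot be used as an SMIME CA.";
        case NS_CERT_TYPE_OBJECT_SIGNING:
            return "Certificate cannot be used for object signing.";
        case NS_CERT_TYPE_OBJECT_SIGNING_CA:
            return "Certificate cannot be used as an object signing CA.";
        default:
            return "[unknown usage].";
    }
}

/* Traces every failure NSS recorded in "log" while verifying a
 * certificate chain: one heading per certificate depth (depth 0 is the
 * certificate being verified, deeper nodes are labelled as CAs), then
 * for each log node the NSS error code and text, optionally followed
 * by a more specific reason and the issuer name.
 *
 * The reason printed here is what an operator uses to decide whether a
 * signature failed because of key usage, certificate type or an
 * untrusted/unknown issuer, so each error must be reported on its own:
 * the key-usage and cert-type cases previously fell through into the
 * issuer cases and every such failure was logged as "Unknown issuer:".
 *
 * Does nothing if log is NULL or holds no entries.
 */
void
printChainFailure(CERTVerifyLog *log)
{
    if (!log || log->count == 0)
        return;

    // Sentinel that differs from any real depth so the first node
    // always prints its certificate heading.
    unsigned int depth = (unsigned int)-1;

    xmlsec_trace("Bad certifcation path:");
    for (CERTVerifyLogNode *node = log->head; node; node = node->next)
    {
        if (depth != node->depth)
        {
            depth = node->depth;
            xmlsec_trace("Certificate: %u. %s %s:", depth,
                         node->cert->subjectName,
                         depth ? "[Certificate Authority]": "");
        }
        xmlsec_trace(" ERROR %ld: %s", node->error,
                     getCertError(node->error));

        const char * specificError = NULL;
        const char * issuer = NULL;
        switch (node->error)
        {
            case SEC_ERROR_INADEQUATE_KEY_USAGE:
                // NSS passes the offending flag bits in the node's arg.
                specificError = describeKeyUsage((unsigned long)node->arg);
                break;
            case SEC_ERROR_INADEQUATE_CERT_TYPE:
                specificError = describeCertType((unsigned long)node->arg);
                break;
            case SEC_ERROR_UNKNOWN_ISSUER:
                specificError = "Unknown issuer:";
                issuer = node->cert->issuerName;
                break;
            case SEC_ERROR_UNTRUSTED_ISSUER:
                specificError = "Untrusted issuer:";
                issuer = node->cert->issuerName;
                break;
            case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
                specificError = "Expired issuer certificate:";
                issuer = node->cert->issuerName;
                break;
            default:
                break;
        }
        // Names coming from the certificate are untrusted text; they are
        // always passed as "%s" arguments, never as the format string.
        if (specificError)
            xmlsec_trace("%s", specificError);
        if (issuer)
            xmlsec_trace("%s", issuer);
    }
}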