/*************************************************************************
 *
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * Copyright 2008 by Sun Microsystems, Inc.
 *
 * OpenOffice.org - a multi-platform office productivity suite
 *
 * $RCSfile: securityenvironment_nssimpl.cxx,v $
 * $Revision: 1.23 $
 *
 * This file is part of OpenOffice.org.
 *
 * OpenOffice.org is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License version 3
 * only, as published by the Free Software Foundation.
 *
 * OpenOffice.org is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License version 3 for more details
 * (a copy is included in the LICENSE file that accompanied this code).
 *
 * You should have received a copy of the GNU Lesser General Public License
 * version 3 along with OpenOffice.org.  If not, see
 * <http://www.openoffice.org/license.html>
 * for a copy of the LGPLv3 License.
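*
************************************************************************/


#include "secerr.h"
#include "sslerr.h"
#include "nspr.h"
#include "certt.h"

#include "../diagnose.hxx"

using namespace xmlsecurity;

/* One entry of the NSS error table: an error code and its UTF-8 text. */
struct ErrDesc {
    PRErrorCode  errNum;
    const char * errString;
};

/* The { code, text } initialisers are generated into certerrors.h. */
const ErrDesc allDesc[] = {
#include "certerrors.h"
};

/* Returns a UTF-8 encoded constant error string for "errNum".
 * Returns an empty string (never NULL) if errNum is unknown, so the
 * result can always be handed straight to a "%s" format.
 */
const char *
getCertError(PRErrorCode errNum)
{
    const size_t numDesc = sizeof(allDesc) / sizeof(allDesc[0]);
    for (size_t i = 0; i < numDesc; ++i)
    {
        if (allDesc[i].errNum == errNum)
            return allDesc[i].errString;
    }
    return "";
}

/* Text for a SEC_ERROR_INADEQUATE_KEY_USAGE entry; "usage" is the KU_*
 * value NSS left in CERTVerifyLogNode::arg for that entry. */
static const char *
keyUsageError(unsigned long usage)
{
    switch (usage)
    {
        case KU_DIGITAL_SIGNATURE:
            return "Certificate cannot sign.";
        case KU_KEY_ENCIPHERMENT:
            return "Certificate cannot encrypt.";
        case KU_KEY_CERT_SIGN:
            return "Certificate cannot sign other certs.";
        default:
            return "[unknown usage].";
    }
}

/* Text for a SEC_ERROR_INADEQUATE_CERT_TYPE entry; "certType" is the
 * NS_CERT_TYPE_* value NSS left in CERTVerifyLogNode::arg for that entry. */
static const char *
certTypeError(unsigned long certType)
{
    switch (certType)
    {
        case NS_CERT_TYPE_SSL_CLIENT:
        case NS_CERT_TYPE_SSL_SERVER:
            return "Certificate cannot be used for SSL.";
        case NS_CERT_TYPE_SSL_CA:
            return "Certificate cannot be used as an SSL CA.";
        case NS_CERT_TYPE_EMAIL:
            return "Certificate cannot be used for SMIME.";
        case NS_CERT_TYPE_EMAIL_CA:
            return "Certificate cannot be used as an SMIME CA.";
        case NS_CERT_TYPE_OBJECT_SIGNING:
            return "Certificate cannot be used for object signing.";
        case NS_CERT_TYPE_OBJECT_SIGNING_CA:
            return "Certificate cannot be used as an object signing CA.";
        default:
            return "[unknown usage].";
    }
}

/* Traces the entries of an NSS certificate verification log: one header
 * line per certificate in the chain, then one line per error recorded
 * against it, plus a more specific reason where NSS supplied one.
 * Diagnostic only: it reports the verdict NSS already reached and never
 * changes it.  Does nothing if "log" is NULL or holds no entry.
 *
 * Note: the original switch lacked a break after the two nested
 * usage/cert-type switches, so a key-usage or cert-type failure fell
 * through and was reported as "Unknown issuer:" with the issuer name.
 * Each reason is now produced by its own helper and the case breaks.
 */
void
printChainFailure(CERTVerifyLog *log)
{
    if (log == NULL || log->count == 0)
        return;

    // Sentinel no real depth equals, so the first node always prints
    // its certificate header.
    unsigned int depth = static_cast<unsigned int>(-1);

    xmlsec_trace("Bad certifcation path:");
    for (CERTVerifyLogNode *node = log->head; node; node = node->next)
    {
        if (depth != node->depth)
        {
            depth = node->depth;
            // Depth 0 is the end-entity certificate; anything above it
            // is treated as a CA in the trace.
            xmlsec_trace("Certificate: %u. %s %s:", depth,
                         node->cert->subjectName,
                         depth ? "[Certificate Authority]" : "");
        }
        xmlsec_trace(" ERROR %ld: %s", node->error,
                     getCertError(node->error));

        const char * specificError = NULL;
        const char * issuer = NULL;
        switch (node->error)
        {
            case SEC_ERROR_INADEQUATE_KEY_USAGE:
                // NSS hands the offending flags through the opaque arg.
                specificError = keyUsageError((unsigned long)node->arg);
                break;
            case SEC_ERROR_INADEQUATE_CERT_TYPE:
                specificError = certTypeError((unsigned long)node->arg);
                break;
            case SEC_ERROR_UNKNOWN_ISSUER:
                specificError = "Unknown issuer:";
                issuer = node->cert->issuerName;
                break;
            case SEC_ERROR_UNTRUSTED_ISSUER:
                specificError = "Untrusted issuer:";
                issuer = node->cert->issuerName;
                break;
            case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
                specificError = "Expired issuer certificate:";
                issuer = node->cert->issuerName;
                break;
            default:
                break;
        }
        if (specificError)
            xmlsec_trace("%s", specificError);
        if (issuer)
            xmlsec_trace("%s", issuer);
    }
}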