1*b1cdbd2cSJim Jagielski /**************************************************************
2*b1cdbd2cSJim Jagielski *
3*b1cdbd2cSJim Jagielski * Licensed to the Apache Software Foundation (ASF) under one
4*b1cdbd2cSJim Jagielski * or more contributor license agreements. See the NOTICE file
5*b1cdbd2cSJim Jagielski * distributed with this work for additional information
6*b1cdbd2cSJim Jagielski * regarding copyright ownership. The ASF licenses this file
7*b1cdbd2cSJim Jagielski * to you under the Apache License, Version 2.0 (the
8*b1cdbd2cSJim Jagielski * "License"); you may not use this file except in compliance
9*b1cdbd2cSJim Jagielski * with the License. You may obtain a copy of the License at
10*b1cdbd2cSJim Jagielski *
11*b1cdbd2cSJim Jagielski * http://www.apache.org/licenses/LICENSE-2.0
12*b1cdbd2cSJim Jagielski *
13*b1cdbd2cSJim Jagielski * Unless required by applicable law or agreed to in writing,
14*b1cdbd2cSJim Jagielski * software distributed under the License is distributed on an
15*b1cdbd2cSJim Jagielski * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16*b1cdbd2cSJim Jagielski * KIND, either express or implied. See the License for the
17*b1cdbd2cSJim Jagielski * specific language governing permissions and limitations
18*b1cdbd2cSJim Jagielski * under the License.
19*b1cdbd2cSJim Jagielski *
20*b1cdbd2cSJim Jagielski *************************************************************/
21*b1cdbd2cSJim Jagielski
22*b1cdbd2cSJim Jagielski
23*b1cdbd2cSJim Jagielski
24*b1cdbd2cSJim Jagielski
25*b1cdbd2cSJim Jagielski #include "secerr.h"
26*b1cdbd2cSJim Jagielski #include "sslerr.h"
27*b1cdbd2cSJim Jagielski #include "nspr.h"
28*b1cdbd2cSJim Jagielski #include "certt.h"
29*b1cdbd2cSJim Jagielski
30*b1cdbd2cSJim Jagielski #include "../diagnose.hxx"
31*b1cdbd2cSJim Jagielski
32*b1cdbd2cSJim Jagielski using namespace xmlsecurity;
33*b1cdbd2cSJim Jagielski
/* One row of the error-code → message table used by getCertError().
 * errString is a constant, UTF-8 encoded description of errNum and is
 * returned to callers by pointer, so it must have static storage duration.
 */
struct ErrDesc {
    PRErrorCode errNum;
    const char * errString;
};
38*b1cdbd2cSJim Jagielski
39*b1cdbd2cSJim Jagielski
40*b1cdbd2cSJim Jagielski
/* Lookup table for getCertError(). "certerrors.h" expands to the
 * { errNum, errString } initializers for this array; the table is searched
 * linearly, so its order does not matter. const at namespace scope gives it
 * internal linkage in C++.
 */
const ErrDesc allDesc[] = {

#include "certerrors.h"

};
46*b1cdbd2cSJim Jagielski
47*b1cdbd2cSJim Jagielski
48*b1cdbd2cSJim Jagielski
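/* Returns a UTF-8 encoded constant error string for "errNum".
 *
 * Looks errNum up in allDesc and returns the matching errString. When errNum
 * is not in the table the empty string "" is returned -- never NULL -- so the
 * result can be passed straight to a "%s" format without a NULL check (this
 * is what printChainFailure relies on). The returned pointer refers to static
 * storage and must not be freed or modified.
 */
const char *
getCertError(PRErrorCode errNum)
{
    static const char sEmpty[] = "";
    // Element count of the table; sizeof(allDesc[0]) stays correct even if the
    // element type of allDesc is ever changed.
    const size_t numDesc = sizeof(allDesc) / sizeof(allDesc[0]);
    for (size_t i = 0; i < numDesc; i++)
    {
        if (allDesc[i].errNum == errNum)
            return allDesc[i].errString;
    }

    return sEmpty;
}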
65*b1cdbd2cSJim Jagielski
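/* Traces a human-readable description of every entry in an NSS certificate
 * chain verification log.
 *
 * "log" is a CERTVerifyLog that the NSS verification call filled in; a NULL
 * log or a log with count == 0 produces no output. For every node the error
 * code and its table text (getCertError) are traced; for inadequate key
 * usage / cert type the required usage is decoded from node->arg, and for
 * the issuer-related errors the issuer name is traced as well.
 *
 * Diagnostic only: this never alters the verification result, and the log
 * is not modified.
 */
void
printChainFailure(CERTVerifyLog *log)
{
    if (log == NULL || log->count == 0)
        return;

    unsigned long errorFlags = 0;
    unsigned int depth = (unsigned int)-1;   // sentinel: no heading traced yet
    const char * specificError = NULL;
    const char * issuer = NULL;
    CERTVerifyLogNode *node = NULL;

    xmlsec_trace("Bad certifcation path:");
    for (node = log->head; node; node = node->next)
    {
        // One heading per certificate: the log lists the nodes of one depth
        // consecutively, so a change of depth starts a new certificate.
        if (depth != node->depth)
        {
            depth = node->depth;
            xmlsec_trace("Certificate: %u. %s %s:", depth,
                node->cert->subjectName,
                depth ? "[Certificate Authority]": "");
        }
        // Cast the error code explicitly so the format specifier and the
        // argument always agree, whatever width PRErrorCode has.
        xmlsec_trace(" ERROR %d: %s", (int)node->error,
            getCertError(node->error));
        specificError = NULL;
        issuer = NULL;
        switch (node->error)
        {
        case SEC_ERROR_INADEQUATE_KEY_USAGE:
            // node->arg carries the key-usage bit that was required.
            errorFlags = (unsigned long)node->arg;
            switch (errorFlags)
            {
            case KU_DIGITAL_SIGNATURE:
                specificError = "Certificate cannot sign.";
                break;
            case KU_KEY_ENCIPHERMENT:
                specificError = "Certificate cannot encrypt.";
                break;
            case KU_KEY_CERT_SIGN:
                specificError = "Certificate cannot sign other certs.";
                break;
            default:
                specificError = "[unknown usage].";
                break;
            }
            // This break was missing: control fell through the cert-type
            // case into SEC_ERROR_UNKNOWN_ISSUER, so a key-usage failure was
            // reported as "Unknown issuer:" with the issuer name instead.
            break;
        case SEC_ERROR_INADEQUATE_CERT_TYPE:
            // node->arg carries the Netscape cert-type bit that was required.
            errorFlags = (unsigned long)node->arg;
            switch (errorFlags)
            {
            case NS_CERT_TYPE_SSL_CLIENT:
            case NS_CERT_TYPE_SSL_SERVER:
                specificError = "Certificate cannot be used for SSL.";
                break;
            case NS_CERT_TYPE_SSL_CA:
                specificError = "Certificate cannot be used as an SSL CA.";
                break;
            case NS_CERT_TYPE_EMAIL:
                specificError = "Certificate cannot be used for SMIME.";
                break;
            case NS_CERT_TYPE_EMAIL_CA:
                specificError = "Certificate cannot be used as an SMIME CA.";
                break;
            case NS_CERT_TYPE_OBJECT_SIGNING:
                specificError = "Certificate cannot be used for object signing.";
                break;
            case NS_CERT_TYPE_OBJECT_SIGNING_CA:
                specificError = "Certificate cannot be used as an object signing CA.";
                break;
            default:
                specificError = "[unknown usage].";
                break;
            }
            // Same missing break as above: without it a cert-type failure was
            // also reported as "Unknown issuer:".
            break;
        case SEC_ERROR_UNKNOWN_ISSUER:
            specificError = "Unknown issuer:";
            issuer = node->cert->issuerName;
            break;
        case SEC_ERROR_UNTRUSTED_ISSUER:
            specificError = "Untrusted issuer:";
            issuer = node->cert->issuerName;
            break;
        case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
            specificError = "Expired issuer certificate:";
            issuer = node->cert->issuerName;
            break;
        default:
            // Other codes are covered by the generic table text traced above.
            break;
        }
        // Trace the decoded text through "%s" rather than as the format string.
        if (specificError)
            xmlsec_trace("%s", specificError);
        if (issuer)
            xmlsec_trace("%s", issuer);
    }
}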
159