Map NOT_YET_VALID errors to |certificate_expired|. The language of RFC 5246 is "A certificate has expired or is not currently valid", which sounds to me like |certificate_expired| should pertain to any case where the current time is outside the certificate's validity period. Along the way, group the |unknown_ca| errors together. Change-Id: I92c1fe3fc898283d0c7207625de36662cd0f784e Reviewed-on: https://boringssl-review.googlesource.com/24624 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_x509.cc b/ssl/ssl_x509.cc
index 5c0365f..cc27a60 100644
--- a/ssl/ssl_x509.cc
+++ b/ssl/ssl_x509.cc
@@ -1240,9 +1240,16 @@
 int SSL_alert_from_verify_result(long result) {
 switch (result) {
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ case X509_V_ERR_INVALID_CA:
+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 case X509_V_ERR_UNABLE_TO_GET_CRL:
 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
 return SSL_AD_UNKNOWN_CA;
 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
@@ -1252,8 +1259,6 @@
 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_CRL_NOT_YET_VALID:
 case X509_V_ERR_CERT_UNTRUSTED:
 case X509_V_ERR_CERT_REJECTED:
 case X509_V_ERR_HOSTNAME_MISMATCH:
@@ -1266,7 +1271,9 @@
 return SSL_AD_DECRYPT_ERROR;
 case X509_V_ERR_CERT_HAS_EXPIRED:
+ case X509_V_ERR_CERT_NOT_YET_VALID:
 case X509_V_ERR_CRL_HAS_EXPIRED:
+ case X509_V_ERR_CRL_NOT_YET_VALID:
 return SSL_AD_CERTIFICATE_EXPIRED;
 case X509_V_ERR_CERT_REVOKED:
@@ -1278,15 +1285,6 @@
 case X509_V_ERR_STORE_LOOKUP:
 return SSL_AD_INTERNAL_ERROR;
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
- case X509_V_ERR_CERT_CHAIN_TOO_LONG:
- case X509_V_ERR_PATH_LENGTH_EXCEEDED:
- case X509_V_ERR_INVALID_CA:
- return SSL_AD_UNKNOWN_CA;
-
 case X509_V_ERR_APPLICATION_VERIFICATION:
 return SSL_AD_HANDSHAKE_FAILURE;
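Review bot: The `SSL_AD_CERTIFICATE_EXPIRED` group in the third hunk now sends an "expired" alert for `X509_V_ERR_CERT_NOT_YET_VALID` and `X509_V_ERR_CRL_NOT_YET_VALID`, but the justification lives only in the commit message, so the case list will look like a mistake to whoever next audits this mapping. A comment above the group would record it, e.g. `// RFC 5246: certificate_expired covers "expired or is not currently valid", so not-yet-valid results map here too.` Since the peer sees only the alert code, a not-yet-valid certificate (possibly just clock skew on the verifying side) will now appear as "expired" in the peer's logs, so triage should rely on the local verify result rather than the alert. The diff as shown touches only ssl/ssl_x509.cc; if no existing test pins this table, one asserting that both NOT_YET_VALID codes return `SSL_AD_CERTIFICATE_EXPIRED` would keep the mapping from drifting. The switch opens in the first hunk and continues past the last one.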