// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
4
5#ifndef BSSL_PKI_COMMON_CERT_ERRORS_H_
6#define BSSL_PKI_COMMON_CERT_ERRORS_H_
7
8#include "fillins/openssl_util.h"
9
10#include "cert_errors.h"
11
// This file declares the set of "default" certificate error identifiers: those
// produced by the core verification and path-building code.
//
// Error identifiers for other domains may be declared in other files.
// Identifiers for the errors the core verifier and path builder can attach to
// a certificate or a path. Each constant below is one distinct error; the
// comment above it states the condition that produces it.
namespace bssl::cert_errors {

// An internal error occurred which prevented path building or verification
// from finishing. This is a failure of the verifier itself, not of the
// certificate; callers should fail closed rather than treat it as "not
// invalid".
OPENSSL_EXPORT extern const CertErrorId kInternalError;

// The verification time is after the certificate's notAfter time.
OPENSSL_EXPORT extern const CertErrorId kValidityFailedNotAfter;

// The verification time is before the certificate's notBefore time.
OPENSSL_EXPORT extern const CertErrorId kValidityFailedNotBefore;

// The certificate is actively distrusted by the trust store (this is separate
// from other revocation mechanisms such as CRL or OCSP, which are reported via
// kCertificateRevoked).
OPENSSL_EXPORT extern const CertErrorId kDistrustedByTrustStore;

// The certificate disagrees on what the signature algorithm was
// (Certificate.signatureAlgorithm != TBSCertificate.signature).
// RFC 5280 section 4.1.1.2 requires the two fields to carry the same algorithm
// identifier; only the TBSCertificate field is covered by the signature, so a
// mismatch must be rejected rather than resolved in favour of either field.
OPENSSL_EXPORT extern const CertErrorId kSignatureAlgorithmMismatch;

// Certificate verification was called with an empty chain.
OPENSSL_EXPORT extern const CertErrorId kChainIsEmpty;

// The certificate contains an unknown extension which is marked as critical.
// Per RFC 5280 section 4.2 such a certificate must be rejected: the issuer has
// declared the extension mandatory, and ignoring it could silently drop a
// constraint the verifier does not understand.
OPENSSL_EXPORT extern const CertErrorId kUnconsumedCriticalExtension;

// The target certificate appears to be a CA (has Basic Constraints CA=true)
// but is being used for TLS client or server authentication.
OPENSSL_EXPORT extern const CertErrorId kTargetCertShouldNotBeCa;

// The certificate is being used to sign other certificates, however the
// keyCertSign KeyUsage was not set (RFC 5280 section 4.2.1.3 requires it when
// a KeyUsage extension is present on a CA certificate).
OPENSSL_EXPORT extern const CertErrorId kKeyCertSignBitNotSet;

// The chain violates the max_path_length from BasicConstraints.
OPENSSL_EXPORT extern const CertErrorId kMaxPathLengthViolated;

// The certificate being used to sign other certificates has a
// BasicConstraints extension, however it sets CA=false.
OPENSSL_EXPORT extern const CertErrorId kBasicConstraintsIndicatesNotCa;

// The certificate being used to sign other certificates does not include a
// BasicConstraints extension. Accepting such a certificate as an issuer would
// let any end-entity certificate act as a CA.
OPENSSL_EXPORT extern const CertErrorId kMissingBasicConstraints;

// The certificate has a subject or subjectAltName that violates an issuer's
// name constraints.
OPENSSL_EXPORT extern const CertErrorId kNotPermittedByNameConstraints;

// The chain has an excessive number of names and/or name constraints.
// Presumably a work bound (names x constraints) so that a crafted chain cannot
// make name-constraint checking arbitrarily expensive; it is reported as a
// verification failure.
OPENSSL_EXPORT extern const CertErrorId kTooManyNameConstraintChecks;

// The certificate's issuer field does not match the subject of its alleged
// issuer.
OPENSSL_EXPORT extern const CertErrorId kSubjectDoesNotMatchIssuer;

// Failed to verify the certificate's signature using its issuer's public key.
OPENSSL_EXPORT extern const CertErrorId kVerifySignedDataFailed;

// The certificate encodes its signature differently between
// Certificate.algorithm and TBSCertificate.signature, but it appears
// to be the same algorithm (for example, a difference in how the algorithm
// parameters are encoded). Kept distinct from kSignatureAlgorithmMismatch so
// that an encoding discrepancy can be distinguished from a true algorithm
// mismatch.
OPENSSL_EXPORT extern const CertErrorId kSignatureAlgorithmsDifferentEncoding;

// The certificate verification is being done for serverAuth, however the
// certificate lacks serverAuth in its ExtendedKeyUsages.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuth;

// The certificate verification is being done for clientAuth, however the
// certificate lacks clientAuth in its ExtendedKeyUsages.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuth;

// The root certificate in a chain is not trusted.
OPENSSL_EXPORT extern const CertErrorId kCertIsNotTrustAnchor;

// The chain is not valid for any policy, and an explicit policy was required.
// (Either because the relying party requested it during verification, or it
// was requested by a PolicyConstraints extension.)
OPENSSL_EXPORT extern const CertErrorId kNoValidPolicy;

// The certificate is trying to map to, or from, anyPolicy. RFC 5280 section
// 4.2.1.5 forbids anyPolicy as either side of a policy mapping.
OPENSSL_EXPORT extern const CertErrorId kPolicyMappingAnyPolicy;

// The public key (SubjectPublicKeyInfo) in this certificate could not be
// parsed.
OPENSSL_EXPORT extern const CertErrorId kFailedParsingSpki;

// The certificate's signature algorithm (used to verify its
// signature) is not acceptable by the consumer. What constitutes as
// "acceptable" is determined by the verification delegate (for example,
// rejecting weak digests).
OPENSSL_EXPORT extern const CertErrorId kUnacceptableSignatureAlgorithm;

// The certificate's public key is not acceptable by the consumer.
// What constitutes as "acceptable" is determined by the verification delegate
// (for example, a key that is too small).
OPENSSL_EXPORT extern const CertErrorId kUnacceptablePublicKey;

// The certificate's EKU is missing serverAuth. However Netscape Server Gated
// Crypto is present instead. This is a legacy EKU; reported as a distinct id,
// presumably so a caller can decide separately whether to accept it.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasGatedCrypto;

// The certificate's EKU is missing serverAuth. However EKU ANY
// (anyExtendedKeyUsage) is present instead.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasAnyEKU;

// The certificate's EKU is missing clientAuth. However EKU ANY
// (anyExtendedKeyUsage) is present instead.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuthButHasAnyEKU;

// The certificate's EKU is missing both clientAuth and serverAuth.
OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuthOrServerAuth;

// The certificate's EKU has OCSP Signing when it should not.
OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedOCSPSigning;

// The certificate's EKU has Time Stamping when it should not.
OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedTimeStamping;

// The certificate's EKU has Code Signing when it should not.
OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedCodeSigning;

// The certificate does not have an EKU extension.
OPENSSL_EXPORT extern const CertErrorId kEkuNotPresent;

// The certificate has been revoked.
OPENSSL_EXPORT extern const CertErrorId kCertificateRevoked;

// The certificate lacks a recognized revocation mechanism (i.e. OCSP/CRL).
// Emitted as an error when revocation checking expects certificates to have
// such info.
OPENSSL_EXPORT extern const CertErrorId kNoRevocationMechanism;

// The certificate had a revocation mechanism, but when used it was unable to
// affirmatively say whether the certificate was unrevoked. NOTE(review):
// whether this is fatal is a caller policy; a soft-fail policy that ignores it
// can be defeated by an attacker who blocks the OCSP/CRL fetch, so prefer to
// treat it as a failure where the deployment allows.
OPENSSL_EXPORT extern const CertErrorId kUnableToCheckRevocation;

// Path building was unable to find any issuers for the certificate.
OPENSSL_EXPORT extern const CertErrorId kNoIssuersFound;

// Deadline was reached during path building. Together with the iteration and
// depth limits below this bounds the work spent on a chain; it is reported as
// a verification failure, not a pass.
OPENSSL_EXPORT extern const CertErrorId kDeadlineExceeded;

// Iteration limit was reached during path building.
OPENSSL_EXPORT extern const CertErrorId kIterationLimitExceeded;

// Depth limit was reached during path building.
OPENSSL_EXPORT extern const CertErrorId kDepthLimitExceeded;

}  // namespace bssl::cert_errors
164#endif // BSSL_PKI_COMMON_CERT_ERRORS_H_