155714Skris/* crypto/x509/x509_txt.c */
255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
355714Skris * All rights reserved.
455714Skris *
555714Skris * This package is an SSL implementation written
655714Skris * by Eric Young (eay@cryptsoft.com).
755714Skris * The implementation was written so as to conform with Netscapes SSL.
8296341Sdelphij *
955714Skris * This library is free for commercial and non-commercial use as long as
1055714Skris * the following conditions are aheared to.  The following conditions
1155714Skris * apply to all code found in this distribution, be it the RC4, RSA,
1255714Skris * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
1355714Skris * included with this distribution is covered by the same copyright terms
1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15296341Sdelphij *
1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in
1755714Skris * the code are not to be removed.
1855714Skris * If this package is used in a product, Eric Young should be given attribution
1955714Skris * as the author of the parts of the library used.
2055714Skris * This can be in the form of a textual message at program startup or
2155714Skris * in documentation (online or textual) provided with the package.
22296341Sdelphij *
2355714Skris * Redistribution and use in source and binary forms, with or without
2455714Skris * modification, are permitted provided that the following conditions
2555714Skris * are met:
2655714Skris * 1. Redistributions of source code must retain the copyright
2755714Skris *    notice, this list of conditions and the following disclaimer.
2855714Skris * 2. Redistributions in binary form must reproduce the above copyright
2955714Skris *    notice, this list of conditions and the following disclaimer in the
3055714Skris *    documentation and/or other materials provided with the distribution.
3155714Skris * 3. All advertising materials mentioning features or use of this software
3255714Skris *    must display the following acknowledgement:
3355714Skris *    "This product includes cryptographic software written by
3455714Skris *     Eric Young (eay@cryptsoft.com)"
3555714Skris *    The word 'cryptographic' can be left out if the rouines from the library
3655714Skris *    being used are not cryptographic related :-).
37296341Sdelphij * 4. If you include any Windows specific code (or a derivative thereof) from
3855714Skris *    the apps directory (application code) you must include an acknowledgement:
3955714Skris *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40296341Sdelphij *
4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
4455714Skris * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
5155714Skris * SUCH DAMAGE.
52296341Sdelphij *
5355714Skris * The licence and distribution terms for any publically available version or
5455714Skris * derivative of this code cannot be changed.  i.e. this code cannot simply be
5555714Skris * copied and put under another distribution licence
5655714Skris * [including the GNU Public Licence.]
5755714Skris */
5855714Skris
5955714Skris#include <stdio.h>
6055714Skris#include <time.h>
6155714Skris#include <errno.h>
6255714Skris
6355714Skris#include "cryptlib.h"
6455714Skris#include <openssl/lhash.h>
6555714Skris#include <openssl/buffer.h>
6655714Skris#include <openssl/evp.h>
6755714Skris#include <openssl/asn1.h>
6855714Skris#include <openssl/x509.h>
6955714Skris#include <openssl/objects.h>
7055714Skris
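/*
 * Map an X509_V_* certificate verification result code to a short,
 * human-readable description.
 *
 * n: the verification result code to describe.
 *
 * Returns a pointer to a NUL-terminated string.  For every code listed
 * below this is a string literal.  For any other value the text
 * "error number <n>" is formatted into a function-local static buffer and
 * that buffer is returned.  The caller must not modify or free the result.
 *
 * Caveats:
 *  - The fallback buffer has static storage and no locking is done here, so
 *    a later call with another unlisted code overwrites it, and calls from
 *    several threads can race on it.  Copy the text if it has to outlive
 *    the next call.
 *  - The text is for diagnostics and logs only.  Decide whether to trust a
 *    certificate from the numeric code (X509_V_OK), never from this string.
 */
const char *X509_verify_cert_error_string(long n)
{
    static char buf[100];

    /*
     * Switch on the long value itself rather than on (int)n.  Narrowing a
     * long that does not fit in an int is implementation-defined, and on
     * platforms where long is wider than int an out-of-range value could
     * alias a listed code (for example one whose low bits are all zero
     * would be described as "ok").  Values within int range behave exactly
     * as before; anything else now reaches the default branch.
     */
    switch (n) {
    case X509_V_OK:
        return "ok";
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
        return "unable to get issuer certificate";
    case X509_V_ERR_UNABLE_TO_GET_CRL:
        return "unable to get certificate CRL";
    case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
        return "unable to decrypt certificate's signature";
    case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
        return "unable to decrypt CRL's signature";
    case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
        return "unable to decode issuer public key";
    case X509_V_ERR_CERT_SIGNATURE_FAILURE:
        return "certificate signature failure";
    case X509_V_ERR_CRL_SIGNATURE_FAILURE:
        return "CRL signature failure";
    case X509_V_ERR_CERT_NOT_YET_VALID:
        return "certificate is not yet valid";
    case X509_V_ERR_CRL_NOT_YET_VALID:
        return "CRL is not yet valid";
    case X509_V_ERR_CERT_HAS_EXPIRED:
        return "certificate has expired";
    case X509_V_ERR_CRL_HAS_EXPIRED:
        return "CRL has expired";
    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
        return "format error in certificate's notBefore field";
    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
        return "format error in certificate's notAfter field";
    case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
        return "format error in CRL's lastUpdate field";
    case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
        return "format error in CRL's nextUpdate field";
    case X509_V_ERR_OUT_OF_MEM:
        return "out of memory";
    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
        return "self signed certificate";
    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
        return "self signed certificate in certificate chain";
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
        return "unable to get local issuer certificate";
    case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
        return "unable to verify the first certificate";
    case X509_V_ERR_CERT_CHAIN_TOO_LONG:
        return "certificate chain too long";
    case X509_V_ERR_CERT_REVOKED:
        return "certificate revoked";
    case X509_V_ERR_INVALID_CA:
        return "invalid CA certificate";
    case X509_V_ERR_INVALID_NON_CA:
        return "invalid non-CA certificate (has CA markings)";
    case X509_V_ERR_PATH_LENGTH_EXCEEDED:
        return "path length constraint exceeded";
    case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
        return "proxy path length constraint exceeded";
    case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
        return "proxy certificates not allowed, please set the appropriate flag";
    case X509_V_ERR_INVALID_PURPOSE:
        return "unsupported certificate purpose";
    case X509_V_ERR_CERT_UNTRUSTED:
        return "certificate not trusted";
    case X509_V_ERR_CERT_REJECTED:
        return "certificate rejected";
    case X509_V_ERR_APPLICATION_VERIFICATION:
        return "application verification failure";
    case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
        return "subject issuer mismatch";
    case X509_V_ERR_AKID_SKID_MISMATCH:
        return "authority and subject key identifier mismatch";
    case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
        return "authority and issuer serial number mismatch";
    case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
        return "key usage does not include certificate signing";
    case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
        return "unable to get CRL issuer certificate";
    case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
        return "unhandled critical extension";
    case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
        return "key usage does not include CRL signing";
    case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
        return "key usage does not include digital signature";
    case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
        return "unhandled critical CRL extension";
    case X509_V_ERR_INVALID_EXTENSION:
        return "invalid or inconsistent certificate extension";
    case X509_V_ERR_INVALID_POLICY_EXTENSION:
        return "invalid or inconsistent certificate policy extension";
    case X509_V_ERR_NO_EXPLICIT_POLICY:
        return "no explicit policy";
    case X509_V_ERR_DIFFERENT_CRL_SCOPE:
        return "Different CRL scope";
    case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
        return "Unsupported extension feature";
    case X509_V_ERR_UNNESTED_RESOURCE:
        return "RFC 3779 resource not subset of parent's resources";

    /* Name-constraint and CRL path validation results. */
    case X509_V_ERR_PERMITTED_VIOLATION:
        return "permitted subtree violation";
    case X509_V_ERR_EXCLUDED_VIOLATION:
        return "excluded subtree violation";
    case X509_V_ERR_SUBTREE_MINMAX:
        return "name constraints minimum and maximum not supported";
    case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
        return "unsupported name constraint type";
    case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
        return "unsupported or invalid name constraint syntax";
    case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
        return "unsupported or invalid name syntax";
    case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
        return "CRL path validation error";

    default:
        /*
         * Unlisted code: report the raw number.  The write is bounded by
         * the buffer size; the result lives in the shared static buffer
         * described in the function comment.
         */
        BIO_snprintf(buf, sizeof buf, "error number %ld", n);
        return buf;
    }
}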