xmlsecurity/source/xmlsec/nss/secerror.cxx

   1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
   2 /*
   3  * This file is part of the LibreOffice project.
   4  *
   5  * This Source Code Form is subject to the terms of the Mozilla Public
   6  * License, v. 2.0. If a copy of the MPL was not distributed with this
   7  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
   8  *
   9  * This file incorporates work covered by the following license notice:
  10  *
  11  *   Licensed to the Apache Software Foundation (ASF) under one or more
  12  *   contributor license agreements. See the NOTICE file distributed
  13  *   with this work for additional information regarding copyright
  14  *   ownership. The ASF licenses this file to you under the Apache
  15  *   License, Version 2.0 (the "License"); you may not use this file
  16  *   except in compliance with the License. You may obtain a copy of
  17  *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
  18  */
  19
  20
  21 #include <secerr.h>
  22 #include "secerror.hxx"
  23 #include <nss.h>
  24 #include <certt.h>
  25 #include <sal/log.hxx>
  26
  27 struct ErrDesc {
  28     PRErrorCode const errNum;
  29     const char * errString;
  30 };
  31
  32
  33 const ErrDesc allDesc[] = {
  34
  35 #include "certerrors.h"
  36
  37 };
  38
  39
  40 /* Returns a UTF-8 encoded constant error string for "errNum".
  41  * Returns NULL of errNum is unknown.
  42  */
  43 const char *
  44 getCertError(PRErrorCode errNum)
  45 {
  46     for (const ErrDesc& i : allDesc)
  47     {
  48         if (i.errNum == errNum)
  49             return i.errString;
  50     }
  51
  52     return "";
  53 }
  54
  55 void
  56 printChainFailure(CERTVerifyLog *log)
  57 {
  58     unsigned int       depth  = static_cast<unsigned int>(-1);
  59     CERTVerifyLogNode *node   = nullptr;
  60
  61     if (log->count > 0)
  62     {
  63         SAL_INFO("xmlsecurity.xmlsec", "Bad certification path:");
  64         unsigned long errorFlags  = 0;
  65         for (node = log->head; node; node = node->next)
  66         {
  67             if (depth != node->depth)
  68             {
  69                 depth = node->depth;
  70                 SAL_INFO("xmlsecurity.xmlsec", "Certificate:  " << depth <<
  71                          node->cert->subjectName << ": " <<
  72                          (depth ? "[Certificate Authority]": ""));
  73             }
  74             SAL_INFO("xmlsecurity.xmlsec", "  ERROR " << node->error << ": " <<
  75                      getCertError(node->error));
  76             const char * specificError = nullptr;
  77             const char * issuer = nullptr;
  78             switch (node->error)
  79             {
  80             case SEC_ERROR_INADEQUATE_KEY_USAGE:
  81                 errorFlags = reinterpret_cast<unsigned long>(node->arg);
  82                 switch (errorFlags)
  83                 {
  84                 case KU_DIGITAL_SIGNATURE:
  85                     specificError = "Certificate cannot sign.";
  86                     break;
  87                 case KU_KEY_ENCIPHERMENT:
  88                     specificError = "Certificate cannot encrypt.";
  89                     break;
  90                 case KU_KEY_CERT_SIGN:
  91                     specificError = "Certificate cannot sign other certs.";
  92                     break;
  93                 default:
  94                     specificError = "[unknown usage].";
  95                     break;
  96                 }
  97                 break;
  98             case SEC_ERROR_INADEQUATE_CERT_TYPE:
  99                 errorFlags = reinterpret_cast<unsigned long>(node->arg);
 100                 switch (errorFlags)
 101                 {
 102                 case NS_CERT_TYPE_SSL_CLIENT:
 103                 case NS_CERT_TYPE_SSL_SERVER:
 104                     specificError = "Certificate cannot be used for SSL.";
 105                     break;
 106                 case NS_CERT_TYPE_SSL_CA:
 107                     specificError = "Certificate cannot be used as an SSL CA.";
 108                     break;
 109                 case NS_CERT_TYPE_EMAIL:
 110                     specificError = "Certificate cannot be used for SMIME.";
 111                     break;
 112                 case NS_CERT_TYPE_EMAIL_CA:
 113                     specificError = "Certificate cannot be used as an SMIME CA.";
 114                     break;
 115                 case NS_CERT_TYPE_OBJECT_SIGNING:
 116                     specificError = "Certificate cannot be used for object signing.";
 117                     break;
 118                 case NS_CERT_TYPE_OBJECT_SIGNING_CA:
 119                     specificError = "Certificate cannot be used as an object signing CA.";
 120                     break;
 121                 default:
 122                     specificError = "[unknown usage].";
 123                     break;
 124                 }
 125                 break;
 126             case SEC_ERROR_UNKNOWN_ISSUER:
 127                 specificError = "Unknown issuer:";
 128                 issuer = node->cert->issuerName;
 129                 break;
 130             case SEC_ERROR_UNTRUSTED_ISSUER:
 131                 specificError = "Untrusted issuer:";
 132                 issuer = node->cert->issuerName;
 133                 break;
 134             case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 135                 specificError = "Expired issuer certificate:";
 136                 issuer = node->cert->issuerName;
 137                 break;
 138             default:
 139                 break;
 140             }
 141             if (specificError)
 142                 SAL_INFO("xmlsecurity.xmlsec", specificError);
 143             if (issuer)
 144                 SAL_INFO("xmlsecurity.xmlsec", issuer);
 145         }
 146     }
 147 }
 148
 149 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */