xmlsecurity/source/xmlsec/nss/secerror.cxx

   1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
   2 /*
   3  * This file is part of the LibreOffice project.
   4  *
   5  * This Source Code Form is subject to the terms of the Mozilla Public
   6  * License, v. 2.0. If a copy of the MPL was not distributed with this
   7  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
   8  *
   9  * This file incorporates work covered by the following license notice:
  10  *
  11  *   Licensed to the Apache Software Foundation (ASF) under one or more
  12  *   contributor license agreements. See the NOTICE file distributed
  13  *   with this work for additional information regarding copyright
  14  *   ownership. The ASF licenses this file to you under the Apache
  15  *   License, Version 2.0 (the "License"); you may not use this file
  16  *   except in compliance with the License. You may obtain a copy of
  17  *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
  18  */
  19
  20
  21 #include <secerr.h>
  22 #include "secerror.hxx"
  23 #include <nss.h>
  24 #include <certt.h>
  25 #include <sal/log.hxx>
  26
  27 namespace {
  28
  29 struct ErrDesc {
  30     PRErrorCode const errNum;
  31     const char * errString;
  32 };
  33
  34 }
  35
  36 const ErrDesc allDesc[] = {
  37
  38 #include "certerrors.h"
  39
  40 };
  41
  42
  43 /* Returns a UTF-8 encoded constant error string for "errNum".
  44  * Returns NULL of errNum is unknown.
  45  */
  46 const char *
  47 getCertError(PRErrorCode errNum)
  48 {
  49     for (const ErrDesc& i : allDesc)
  50     {
  51         if (i.errNum == errNum)
  52             return i.errString;
  53     }
  54
  55     return "";
  56 }
  57
  58 void
  59 printChainFailure(CERTVerifyLog *log)
  60 {
  61     unsigned int       depth  = static_cast<unsigned int>(-1);
  62     CERTVerifyLogNode *node   = nullptr;
  63
  64     if (log->count > 0)
  65     {
  66         SAL_INFO("xmlsecurity.xmlsec", "Bad certification path:");
  67         unsigned long errorFlags  = 0;
  68         for (node = log->head; node; node = node->next)
  69         {
  70             if (depth != node->depth)
  71             {
  72                 depth = node->depth;
  73                 SAL_INFO("xmlsecurity.xmlsec", "Certificate:  " << depth <<
  74                          node->cert->subjectName << ": " <<
  75                          (depth ? "[Certificate Authority]": ""));
  76             }
  77             SAL_INFO("xmlsecurity.xmlsec", "  ERROR " << node->error << ": " <<
  78                      getCertError(node->error));
  79             const char * specificError = nullptr;
  80             const char * issuer = nullptr;
  81             switch (node->error)
  82             {
  83             case SEC_ERROR_INADEQUATE_KEY_USAGE:
  84                 errorFlags = reinterpret_cast<unsigned long>(node->arg);
  85                 switch (errorFlags)
  86                 {
  87                 case KU_DIGITAL_SIGNATURE:
  88                     specificError = "Certificate cannot sign.";
  89                     break;
  90                 case KU_KEY_ENCIPHERMENT:
  91                     specificError = "Certificate cannot encrypt.";
  92                     break;
  93                 case KU_KEY_CERT_SIGN:
  94                     specificError = "Certificate cannot sign other certs.";
  95                     break;
  96                 default:
  97                     specificError = "[unknown usage].";
  98                     break;
  99                 }
 100                 break;
 101             case SEC_ERROR_INADEQUATE_CERT_TYPE:
 102                 errorFlags = reinterpret_cast<unsigned long>(node->arg);
 103                 switch (errorFlags)
 104                 {
 105                 case NS_CERT_TYPE_SSL_CLIENT:
 106                 case NS_CERT_TYPE_SSL_SERVER:
 107                     specificError = "Certificate cannot be used for SSL.";
 108                     break;
 109                 case NS_CERT_TYPE_SSL_CA:
 110                     specificError = "Certificate cannot be used as an SSL CA.";
 111                     break;
 112                 case NS_CERT_TYPE_EMAIL:
 113                     specificError = "Certificate cannot be used for SMIME.";
 114                     break;
 115                 case NS_CERT_TYPE_EMAIL_CA:
 116                     specificError = "Certificate cannot be used as an SMIME CA.";
 117                     break;
 118                 case NS_CERT_TYPE_OBJECT_SIGNING:
 119                     specificError = "Certificate cannot be used for object signing.";
 120                     break;
 121                 case NS_CERT_TYPE_OBJECT_SIGNING_CA:
 122                     specificError = "Certificate cannot be used as an object signing CA.";
 123                     break;
 124                 default:
 125                     specificError = "[unknown usage].";
 126                     break;
 127                 }
 128                 break;
 129             case SEC_ERROR_UNKNOWN_ISSUER:
 130                 specificError = "Unknown issuer:";
 131                 issuer = node->cert->issuerName;
 132                 break;
 133             case SEC_ERROR_UNTRUSTED_ISSUER:
 134                 specificError = "Untrusted issuer:";
 135                 issuer = node->cert->issuerName;
 136                 break;
 137             case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 138                 specificError = "Expired issuer certificate:";
 139                 issuer = node->cert->issuerName;
 140                 break;
 141             default:
 142                 break;
 143             }
 144             if (specificError)
 145                 SAL_INFO("xmlsecurity.xmlsec", specificError);
 146             if (issuer)
 147                 SAL_INFO("xmlsecurity.xmlsec", issuer);
 148         }
 149     }
 150 }
 151
 152 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */