xmlsecurity/source/xmlsec/nss/secerror.cxx

   1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
   2 /*
   3  * This file is part of the LibreOffice project.
   4  *
   5  * This Source Code Form is subject to the terms of the Mozilla Public
   6  * License, v. 2.0. If a copy of the MPL was not distributed with this
   7  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
   8  *
   9  * This file incorporates work covered by the following license notice:
  10  *
  11  *   Licensed to the Apache Software Foundation (ASF) under one or more
  12  *   contributor license agreements. See the NOTICE file distributed
  13  *   with this work for additional information regarding copyright
  14  *   ownership. The ASF licenses this file to you under the Apache
  15  *   License, Version 2.0 (the "License"); you may not use this file
  16  *   except in compliance with the License. You may obtain a copy of
  17  *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
  18  */
  19
  20
  21 #include "secerr.h"
  22 #include "sslerr.h"
  23 #include "nspr.h"
  24 #include "nss.h"
  25 #include "certt.h"
  26 #include <sal/macros.h>
  27
  28 #include "../diagnose.hxx"
  29
  30 using namespace xmlsecurity;
  31
  32 struct ErrDesc {
  33     PRErrorCode  errNum;
  34     const char * errString;
  35 };
  36
  37
  38
  39 const ErrDesc allDesc[] = {
  40
  41 #include "certerrors.h"
  42
  43 };
  44
  45
  46
  47 /* Returns a UTF-8 encoded constant error string for "errNum".
  48  * Returns NULL of errNum is unknown.
  49  */
  50 const char *
  51 getCertError(PRErrorCode errNum)
  52 {
  53     static char sEmpty[] = "";
  54     const int numDesc = SAL_N_ELEMENTS(allDesc);
  55     for (int i = 0; i < numDesc; i++)
  56     {
  57         if (allDesc[i].errNum == errNum)
  58             return  allDesc[i].errString;
  59     }
  60
  61     return sEmpty;
  62 }
  63
  64 void
  65 printChainFailure(CERTVerifyLog *log)
  66 {
  67     unsigned int       depth  = (unsigned int)-1;
  68     const char * specificError = NULL;
  69     const char * issuer = NULL;
  70     CERTVerifyLogNode *node   = NULL;
  71
  72     if (log->count > 0)
  73     {
  74         xmlsec_trace("Bad certifcation path:");
  75         unsigned long errorFlags  = 0;
  76         for (node = log->head; node; node = node->next)
  77         {
  78             if (depth != node->depth)
  79             {
  80                 depth = node->depth;
  81                 xmlsec_trace("Certificate:  %d. %s %s:", depth,
  82                         node->cert->subjectName,
  83                         depth ? "[Certificate Authority]": "");
  84             }
  85             xmlsec_trace("  ERROR %ld: %s", node->error,
  86                     getCertError(node->error));
  87             specificError = NULL;
  88             issuer = NULL;
  89             switch (node->error)
  90             {
  91             case SEC_ERROR_INADEQUATE_KEY_USAGE:
  92                 errorFlags = (unsigned long)node->arg;
  93                 switch (errorFlags)
  94                 {
  95                 case KU_DIGITAL_SIGNATURE:
  96                     specificError = "Certificate cannot sign.";
  97                     break;
  98                 case KU_KEY_ENCIPHERMENT:
  99                     specificError = "Certificate cannot encrypt.";
 100                     break;
 101                 case KU_KEY_CERT_SIGN:
 102                     specificError = "Certificate cannot sign other certs.";
 103                     break;
 104                 default:
 105                     specificError = "[unknown usage].";
 106                     break;
 107                 }
 108                 break;
 109             case SEC_ERROR_INADEQUATE_CERT_TYPE:
 110                 errorFlags = (unsigned long)node->arg;
 111                 switch (errorFlags)
 112                 {
 113                 case NS_CERT_TYPE_SSL_CLIENT:
 114                 case NS_CERT_TYPE_SSL_SERVER:
 115                     specificError = "Certificate cannot be used for SSL.";
 116                     break;
 117                 case NS_CERT_TYPE_SSL_CA:
 118                     specificError = "Certificate cannot be used as an SSL CA.";
 119                     break;
 120                 case NS_CERT_TYPE_EMAIL:
 121                     specificError = "Certificate cannot be used for SMIME.";
 122                     break;
 123                 case NS_CERT_TYPE_EMAIL_CA:
 124                     specificError = "Certificate cannot be used as an SMIME CA.";
 125                     break;
 126                 case NS_CERT_TYPE_OBJECT_SIGNING:
 127                     specificError = "Certificate cannot be used for object signing.";
 128                     break;
 129                 case NS_CERT_TYPE_OBJECT_SIGNING_CA:
 130                     specificError = "Certificate cannot be used as an object signing CA.";
 131                     break;
 132                 default:
 133                     specificError = "[unknown usage].";
 134                     break;
 135                 }
 136                 break;
 137             case SEC_ERROR_UNKNOWN_ISSUER:
 138                 specificError = "Unknown issuer:";
 139                 issuer = node->cert->issuerName;
 140                 break;
 141             case SEC_ERROR_UNTRUSTED_ISSUER:
 142                 specificError = "Untrusted issuer:";
 143                 issuer = node->cert->issuerName;
 144                 break;
 145             case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 146                 specificError = "Expired issuer certificate:";
 147                 issuer = node->cert->issuerName;
 148                 break;
 149             default:
 150                 break;
 151             }
 152             if (specificError)
 153                 xmlsec_trace("%s", specificError);
 154             if (issuer)
 155                 xmlsec_trace("%s", issuer);
 156         }
 157     }
 158 }
 159
 160 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */