1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_COMMON_CERT_ERRORS_H_
6 #define BSSL_PKI_COMMON_CERT_ERRORS_H_
7 
8 #include <openssl/base.h>
9 
10 #include "cert_errors.h"
11 
12 // This file contains the set of "default" certificate errors (those
13 // defined by the core verification/path building code).
14 //
15 // Errors may be defined for other domains.
16 namespace bssl::cert_errors {
17 
18 // An internal error occurred which prevented path building or verification
19 // from finishing.
20 OPENSSL_EXPORT extern const CertErrorId kInternalError;
21 
22 // The verification time is after the certificate's notAfter time.
23 OPENSSL_EXPORT extern const CertErrorId kValidityFailedNotAfter;
24 
25 // The verification time is before the certificate's notBefore time.
26 OPENSSL_EXPORT extern const CertErrorId kValidityFailedNotBefore;
27 
28 // The certificate is actively distrusted by the trust store (this is separate
29 // from other revocation mechanisms).
30 OPENSSL_EXPORT extern const CertErrorId kDistrustedByTrustStore;
31 
32 // The certificate disagrees on what the signature algorithm was
33 // (Certificate.signatureAlgorithm != TBSCertificate.signature).
34 OPENSSL_EXPORT extern const CertErrorId kSignatureAlgorithmMismatch;
35 
36 // Certificate verification was called with an empty chain.
37 OPENSSL_EXPORT extern const CertErrorId kChainIsEmpty;
38 
39 // The certificate contains an unknown extension which is marked as critical.
40 OPENSSL_EXPORT extern const CertErrorId kUnconsumedCriticalExtension;
41 
42 // The target certificate appears to be a CA (has Basic Constraints CA=true)
43 // but is being used for TLS client or server authentication.
44 OPENSSL_EXPORT extern const CertErrorId kTargetCertShouldNotBeCa;
45 
46 // The certificate is being used to sign other certificates, however the
47 // keyCertSign KeyUsage was not set.
48 OPENSSL_EXPORT extern const CertErrorId kKeyCertSignBitNotSet;
49 
50 // The chain violates the max_path_length from BasicConstraints.
51 OPENSSL_EXPORT extern const CertErrorId kMaxPathLengthViolated;
52 
53 // The certificate being used to sign other certificates has a
54 // BasicConstraints extension, however it sets CA=false.
55 OPENSSL_EXPORT extern const CertErrorId kBasicConstraintsIndicatesNotCa;
56 
57 // The certificate being used to sign other certificates does not include a
58 // BasicConstraints extension.
59 OPENSSL_EXPORT extern const CertErrorId kMissingBasicConstraints;
60 
61 // The certificate has a subject or subjectAltName that violates an issuer's
62 // name constraints.
63 OPENSSL_EXPORT extern const CertErrorId kNotPermittedByNameConstraints;
64 
65 // The chain has an excessive number of names and/or name constraints.
66 OPENSSL_EXPORT extern const CertErrorId kTooManyNameConstraintChecks;
67 
68 // The certificate's issuer field does not match the subject of its alleged
69 // issuer.
70 OPENSSL_EXPORT extern const CertErrorId kSubjectDoesNotMatchIssuer;
71 
72 // Failed to verify the certificate's signature using its issuer's public key.
73 OPENSSL_EXPORT extern const CertErrorId kVerifySignedDataFailed;
74 
75 // The certificate encodes its signature algorithm differently between
76 // Certificate.signatureAlgorithm and TBSCertificate.signature, but it
77 // appears to be the same algorithm.
78 OPENSSL_EXPORT extern const CertErrorId kSignatureAlgorithmsDifferentEncoding;
79 
80 // The certificate verification is being done for serverAuth, however the
81 // certificate lacks serverAuth in its ExtendedKeyUsages.
82 OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuth;
83 
84 // The certificate verification is being done for clientAuth, however the
85 // certificate lacks clientAuth in its ExtendedKeyUsages.
86 OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuth;
87 
88 // The root certificate in a chain is not trusted.
89 OPENSSL_EXPORT extern const CertErrorId kCertIsNotTrustAnchor;
90 
91 // The chain is not valid for any policy, and an explicit policy was required.
92 // (Either because the relying party requested it during verification, or it was
93 // requested by a PolicyConstraints extension).
94 OPENSSL_EXPORT extern const CertErrorId kNoValidPolicy;
95 
96 // The certificate is trying to map to, or from, anyPolicy.
97 OPENSSL_EXPORT extern const CertErrorId kPolicyMappingAnyPolicy;
98 
99 // The public key in this certificate could not be parsed.
100 OPENSSL_EXPORT extern const CertErrorId kFailedParsingSpki;
101 
102 // The certificate's signature algorithm (used to verify its
103 // signature) is not acceptable to the consumer. What counts as
104 // "acceptable" is determined by the verification delegate.
105 OPENSSL_EXPORT extern const CertErrorId kUnacceptableSignatureAlgorithm;
106 
107 // The certificate's public key is not acceptable to the consumer.
108 // What counts as "acceptable" is determined by the verification delegate.
109 OPENSSL_EXPORT extern const CertErrorId kUnacceptablePublicKey;
110 
111 // The certificate's EKU is missing serverAuth. However, EKU ANY
112 // (anyExtendedKeyUsage) is present instead.
113 OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasAnyEKU;
114 
115 // The certificate's EKU is missing clientAuth. However, EKU ANY
116 // (anyExtendedKeyUsage) is present instead.
117 OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuthButHasAnyEKU;
118 
119 // The certificate's EKU is missing both clientAuth and serverAuth.
120 OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuthOrServerAuth;
121 
122 // The certificate's EKU has OCSP Signing when it should not.
123 OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedOCSPSigning;
124 
125 // The certificate's EKU has Time Stamping when it should not.
126 OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedTimeStamping;
127 
128 // The certificate's EKU has Code Signing when it should not.
129 OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedCodeSigning;
130 
131 // The certificate does not have EKU.
132 OPENSSL_EXPORT extern const CertErrorId kEkuNotPresent;
133 
134 // The certificate has been revoked.
135 OPENSSL_EXPORT extern const CertErrorId kCertificateRevoked;
136 
137 // The certificate lacks a recognized revocation mechanism (i.e. OCSP/CRL).
138 // Emitted as an error when revocation checking expects certificates to have
139 // such info.
140 OPENSSL_EXPORT extern const CertErrorId kNoRevocationMechanism;
141 
142 // The certificate had a revocation mechanism, but when used it was unable to
143 // affirmatively say whether the certificate was unrevoked.
144 OPENSSL_EXPORT extern const CertErrorId kUnableToCheckRevocation;
145 
146 // Path building was unable to find any issuers for the certificate.
147 OPENSSL_EXPORT extern const CertErrorId kNoIssuersFound;
148 
149 // Deadline was reached during path building.
150 OPENSSL_EXPORT extern const CertErrorId kDeadlineExceeded;
151 
152 // Iteration limit was reached during path building.
153 OPENSSL_EXPORT extern const CertErrorId kIterationLimitExceeded;
154 
155 // Depth limit was reached during path building.
156 OPENSSL_EXPORT extern const CertErrorId kDepthLimitExceeded;
157 
158 }  // namespace bssl::cert_errors
159 
160 #endif  // BSSL_PKI_COMMON_CERT_ERRORS_H_
161