Document the x509 error codes
Signed-off-by: Dan Čermák <[email protected]>
dcermak committed Jan 27, 2021
1 parent 2e1e02a commit 3557fae
Showing 2 changed files with 43 additions and 0 deletions.
41 changes: 41 additions & 0 deletions doc/api/tls.md
Expand Up @@ -370,6 +370,47 @@ The first 3 are enabled by default. The last 2 `CCM`-based suites are supported
by TLSv1.3 because they may be more performant on constrained systems, but they
are not enabled by default since they offer less security.


## X509 Certificate Error codes

Multiple functions can fail due to certificate errors that are reported by
openssl. In such a case, the function provides a `Error` via its callback that
has the property `code` which can take one of the following values:

<!--
values are taken from src/crypto/crypto_common.cc
description are taken from deps/openssl/openssl/crypto/x509/x509_txt.c
-->
* `'UNABLE_TO_GET_ISSUER_CERT'`: unable to get issuer certificate
* `'UNABLE_TO_GET_CRL'`: unable to get certificate CRL
* `'UNABLE_TO_DECRYPT_CERT_SIGNATURE'`: unable to decrypt certificate's signature
* `'UNABLE_TO_DECRYPT_CRL_SIGNATURE'`: unable to decrypt CRL's signature
* `'UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'`: unable to decode issuer public key
* `'CERT_SIGNATURE_FAILURE'`: certificate signature failure
* `'CRL_SIGNATURE_FAILURE'`: CRL signature failure
* `'CERT_NOT_YET_VALID'`: certificate is not yet valid
* `'CERT_HAS_EXPIRED'`: certificate has expired
* `'CRL_NOT_YET_VALID'`: CRL is not yet valid
* `'CRL_HAS_EXPIRED'`: CRL has expired
* `'ERROR_IN_CERT_NOT_BEFORE_FIELD'`: format error in certificate's notBefore field
* `'ERROR_IN_CERT_NOT_AFTER_FIELD'`: format error in certificate's notAfter field
* `'ERROR_IN_CRL_LAST_UPDATE_FIELD'`: format error in CRL's lastUpdate field
* `'ERROR_IN_CRL_NEXT_UPDATE_FIELD'`: format error in CRL's nextUpdate field
* `'OUT_OF_MEM'`: out of memory
* `'DEPTH_ZERO_SELF_SIGNED_CERT'`: self signed certificate
* `'SELF_SIGNED_CERT_IN_CHAIN'`: self signed certificate in certificate chain
* `'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'`: unable to get local issuer certificate
* `'UNABLE_TO_VERIFY_LEAF_SIGNATURE'`: unable to verify the first certificate
* `'CERT_CHAIN_TOO_LONG'`: certificate chain too long
* `'CERT_REVOKED'`: certificate revoked
* `'INVALID_CA'`: invalid CA certificate
* `'PATH_LENGTH_EXCEEDED'`: path length constraint exceeded
* `'INVALID_PURPOSE'`: unsupported certificate purpose
* `'CERT_UNTRUSTED'`: certificate not trusted
* `'CERT_REJECTED'`: certificate rejected
* `'HOSTNAME_MISMATCH'`: Hostname mismatch


## Class: `tls.CryptoStream`
<!-- YAML
added: v0.3.4
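Review bot: the new list omits the value a reader will get for any OpenSSL verification error not covered by it. `X509ErrorCode()` in src/crypto/crypto_common.cc (second hunk of this commit) initialises `code` to `"UNSPECIFIED"` before the `switch`, so `err.code === 'UNSPECIFIED'` is a reachable value and should close the list, e.g. `* 'UNSPECIFIED': any other OpenSSL X509 verification error`. Wording in the intro paragraph: "provides a `Error`" should be "provides an `Error`", "openssl" should be "OpenSSL" as elsewhere in the docs, and "Multiple functions can fail" should name the API surfaces on which this `code` property appears rather than leaving the reader to guess. The HTML comment should read "descriptions are taken from". Finally, the two consecutive blank lines before the heading and before `## Class: \`tls.CryptoStream\`` should be collapsed to one each.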
2 changes: 2 additions & 0 deletions src/crypto/crypto_common.cc
Expand Up @@ -297,6 +297,8 @@ const char* X509ErrorCode(long err) { // NOLINT(runtime/int)
const char* code = "UNSPECIFIED";
#define CASE_X509_ERR(CODE) case X509_V_ERR_##CODE: code = #CODE; break;
switch (err) {
// if you modify anything in here, *please* update the respective section in
// doc/api/tls.md as well
CASE_X509_ERR(UNABLE_TO_GET_ISSUER_CERT)
CASE_X509_ERR(UNABLE_TO_GET_CRL)
CASE_X509_ERR(UNABLE_TO_DECRYPT_CERT_SIGNATURE)
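Review bot: the new comment relies on maintainers remembering to update doc/api/tls.md by hand, and nothing in the change enforces that. Since the documented list is derived directly from the `CASE_X509_ERR(...)` names in this `switch`, a doc test that extracts those names from this file and checks that each one appears as `'NAME'` in the tls.md section (and that the section lists nothing the switch does not) would catch drift in either direction. The comment should also name the exact heading it refers to ("X509 Certificate Error codes") so the target is greppable, and it is worth noting there that the `"UNSPECIFIED"` default set above the `switch` is itself part of the documented contract.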
