2016-05-17 18:52:22 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
1998-12-21 10:52:47 +00:00
|
|
|
*
|
2016-05-17 18:52:22 +00:00
|
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
|
* https://www.openssl.org/source/license.html
|
1998-12-21 10:52:47 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <time.h>
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
|
2015-05-14 14:56:48 +00:00
|
|
|
#include "internal/cryptlib.h"
|
1999-04-23 22:13:45 +00:00
|
|
|
#include <openssl/lhash.h>
|
|
|
|
|
#include <openssl/buffer.h>
|
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
|
#include <openssl/asn1.h>
|
|
|
|
|
#include <openssl/x509.h>
|
|
|
|
|
#include <openssl/objects.h>
|
1998-12-21 10:52:47 +00:00
|
|
|
|
1999-04-19 21:31:43 +00:00
|
|
|
const char *X509_verify_cert_error_string(long n)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
|
switch ((int)n) {
|
|
|
|
|
case X509_V_OK:
|
|
|
|
|
return ("ok");
|
Suppress DANE TLSA reflection when verification fails
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails. However, this only happened when verification
failed during chain construction. Errors in verification of the
constructed chain did not have the intended effect on these functions.
This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails. Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail. They must of course first check
and save the real error, and restore the original error as quickly
as possible. Hiding by default seems to be the safer interface.
Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED.
This also changes the "-brief" output from s_client to include
verification results and TLSA match information.
Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).
Added a few more test-cases to danetest, that exercise the new
code.
Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().
Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error. [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 00:07:57 +00:00
|
|
|
case X509_V_ERR_UNSPECIFIED:
|
|
|
|
|
return ("unspecified certificate verification error");
|
2015-01-22 03:40:55 +00:00
|
|
|
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
|
|
|
|
|
return ("unable to get issuer certificate");
|
|
|
|
|
case X509_V_ERR_UNABLE_TO_GET_CRL:
|
|
|
|
|
return ("unable to get certificate CRL");
|
|
|
|
|
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
|
|
|
|
|
return ("unable to decrypt certificate's signature");
|
|
|
|
|
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
|
|
|
|
|
return ("unable to decrypt CRL's signature");
|
|
|
|
|
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
|
|
|
|
|
return ("unable to decode issuer public key");
|
|
|
|
|
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
|
|
|
|
|
return ("certificate signature failure");
|
|
|
|
|
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
|
|
|
|
|
return ("CRL signature failure");
|
|
|
|
|
case X509_V_ERR_CERT_NOT_YET_VALID:
|
|
|
|
|
return ("certificate is not yet valid");
|
|
|
|
|
case X509_V_ERR_CERT_HAS_EXPIRED:
|
|
|
|
|
return ("certificate has expired");
|
2016-02-09 19:17:13 +00:00
|
|
|
case X509_V_ERR_CRL_NOT_YET_VALID:
|
|
|
|
|
return ("CRL is not yet valid");
|
2015-01-22 03:40:55 +00:00
|
|
|
case X509_V_ERR_CRL_HAS_EXPIRED:
|
|
|
|
|
return ("CRL has expired");
|
|
|
|
|
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
|
|
|
|
|
return ("format error in certificate's notBefore field");
|
|
|
|
|
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
|
|
|
|
|
return ("format error in certificate's notAfter field");
|
|
|
|
|
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
|
|
|
|
|
return ("format error in CRL's lastUpdate field");
|
|
|
|
|
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
|
|
|
|
|
return ("format error in CRL's nextUpdate field");
|
|
|
|
|
case X509_V_ERR_OUT_OF_MEM:
|
|
|
|
|
return ("out of memory");
|
|
|
|
|
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
|
|
|
|
|
return ("self signed certificate");
|
|
|
|
|
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
|
|
|
|
|
return ("self signed certificate in certificate chain");
|
|
|
|
|
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
|
|
|
|
|
return ("unable to get local issuer certificate");
|
|
|
|
|
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
|
|
|
|
return ("unable to verify the first certificate");
|
|
|
|
|
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
|
|
|
|
|
return ("certificate chain too long");
|
|
|
|
|
case X509_V_ERR_CERT_REVOKED:
|
|
|
|
|
return ("certificate revoked");
|
|
|
|
|
case X509_V_ERR_INVALID_CA:
|
|
|
|
|
return ("invalid CA certificate");
|
|
|
|
|
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
|
|
|
|
|
return ("path length constraint exceeded");
|
|
|
|
|
case X509_V_ERR_INVALID_PURPOSE:
|
|
|
|
|
return ("unsupported certificate purpose");
|
|
|
|
|
case X509_V_ERR_CERT_UNTRUSTED:
|
|
|
|
|
return ("certificate not trusted");
|
|
|
|
|
case X509_V_ERR_CERT_REJECTED:
|
|
|
|
|
return ("certificate rejected");
|
|
|
|
|
case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
|
|
|
|
|
return ("subject issuer mismatch");
|
|
|
|
|
case X509_V_ERR_AKID_SKID_MISMATCH:
|
|
|
|
|
return ("authority and subject key identifier mismatch");
|
|
|
|
|
case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
|
|
|
|
|
return ("authority and issuer serial number mismatch");
|
|
|
|
|
case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
|
|
|
|
|
return ("key usage does not include certificate signing");
|
|
|
|
|
case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
|
|
|
|
|
return ("unable to get CRL issuer certificate");
|
|
|
|
|
case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
|
|
|
|
|
return ("unhandled critical extension");
|
|
|
|
|
case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
|
|
|
|
|
return ("key usage does not include CRL signing");
|
|
|
|
|
case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
|
|
|
|
|
return ("unhandled critical CRL extension");
|
2016-02-09 19:17:13 +00:00
|
|
|
case X509_V_ERR_INVALID_NON_CA:
|
|
|
|
|
return ("invalid non-CA certificate (has CA markings)");
|
|
|
|
|
case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
|
|
|
|
|
return ("proxy path length constraint exceeded");
|
|
|
|
|
case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
|
|
|
|
|
return ("key usage does not include digital signature");
|
|
|
|
|
case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
|
|
|
|
|
return
|
|
|
|
|
("proxy certificates not allowed, please set the appropriate flag");
|
2015-01-22 03:40:55 +00:00
|
|
|
case X509_V_ERR_INVALID_EXTENSION:
|
|
|
|
|
return ("invalid or inconsistent certificate extension");
|
|
|
|
|
case X509_V_ERR_INVALID_POLICY_EXTENSION:
|
|
|
|
|
return ("invalid or inconsistent certificate policy extension");
|
|
|
|
|
case X509_V_ERR_NO_EXPLICIT_POLICY:
|
|
|
|
|
return ("no explicit policy");
|
|
|
|
|
case X509_V_ERR_DIFFERENT_CRL_SCOPE:
|
|
|
|
|
return ("Different CRL scope");
|
|
|
|
|
case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
|
|
|
|
|
return ("Unsupported extension feature");
|
|
|
|
|
case X509_V_ERR_UNNESTED_RESOURCE:
|
|
|
|
|
return ("RFC 3779 resource not subset of parent's resources");
|
|
|
|
|
case X509_V_ERR_PERMITTED_VIOLATION:
|
|
|
|
|
return ("permitted subtree violation");
|
|
|
|
|
case X509_V_ERR_EXCLUDED_VIOLATION:
|
|
|
|
|
return ("excluded subtree violation");
|
|
|
|
|
case X509_V_ERR_SUBTREE_MINMAX:
|
|
|
|
|
return ("name constraints minimum and maximum not supported");
|
2016-02-09 19:17:13 +00:00
|
|
|
case X509_V_ERR_APPLICATION_VERIFICATION:
|
|
|
|
|
return ("application verification failure");
|
2015-01-22 03:40:55 +00:00
|
|
|
case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
|
|
|
|
|
return ("unsupported name constraint type");
|
|
|
|
|
case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
|
|
|
|
|
return ("unsupported or invalid name constraint syntax");
|
|
|
|
|
case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
|
|
|
|
|
return ("unsupported or invalid name syntax");
|
|
|
|
|
case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
|
|
|
|
|
return ("CRL path validation error");
|
|
|
|
|
case X509_V_ERR_PATH_LOOP:
|
|
|
|
|
return ("Path Loop");
|
|
|
|
|
case X509_V_ERR_SUITE_B_INVALID_VERSION:
|
|
|
|
|
return ("Suite B: certificate version invalid");
|
|
|
|
|
case X509_V_ERR_SUITE_B_INVALID_ALGORITHM:
|
|
|
|
|
return ("Suite B: invalid public key algorithm");
|
|
|
|
|
case X509_V_ERR_SUITE_B_INVALID_CURVE:
|
|
|
|
|
return ("Suite B: invalid ECC curve");
|
|
|
|
|
case X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM:
|
|
|
|
|
return ("Suite B: invalid signature algorithm");
|
|
|
|
|
case X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED:
|
|
|
|
|
return ("Suite B: curve not allowed for this LOS");
|
|
|
|
|
case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256:
|
|
|
|
|
return ("Suite B: cannot sign P-384 with P-256");
|
|
|
|
|
case X509_V_ERR_HOSTNAME_MISMATCH:
|
|
|
|
|
return ("Hostname mismatch");
|
|
|
|
|
case X509_V_ERR_EMAIL_MISMATCH:
|
|
|
|
|
return ("Email address mismatch");
|
|
|
|
|
case X509_V_ERR_IP_ADDRESS_MISMATCH:
|
|
|
|
|
return ("IP address mismatch");
|
Suppress DANE TLSA reflection when verification fails
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails. However, this only happened when verification
failed during chain construction. Errors in verification of the
constructed chain did not have the intended effect on these functions.
This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails. Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail. They must of course first check
and save the real error, and restore the original error as quickly
as possible. Hiding by default seems to be the safer interface.
Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED.
This also changes the "-brief" output from s_client to include
verification results and TLSA match information.
Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).
Added a few more test-cases to danetest, that exercise the new
code.
Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().
Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error. [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 00:07:57 +00:00
|
|
|
case X509_V_ERR_DANE_NO_MATCH:
|
|
|
|
|
return ("No matching DANE TLSA records");
|
2016-03-19 02:09:41 +00:00
|
|
|
case X509_V_ERR_EE_KEY_TOO_SMALL:
|
|
|
|
|
return ("EE certificate key too weak");
|
|
|
|
|
case X509_V_ERR_CA_KEY_TOO_SMALL:
|
|
|
|
|
return ("CA certificate key too weak");
|
|
|
|
|
case X509_V_ERR_CA_MD_TOO_WEAK:
|
|
|
|
|
return ("CA signature digest algorithm too weak");
|
2016-05-17 17:40:57 +00:00
|
|
|
case X509_V_ERR_INVALID_CALL:
|
|
|
|
|
return ("Invalid certificate verification context");
|
|
|
|
|
case X509_V_ERR_STORE_LOOKUP:
|
|
|
|
|
return ("Issuer certificate lookup error");
|
2016-05-13 04:36:56 +00:00
|
|
|
case X509_V_ERR_NO_VALID_SCTS:
|
|
|
|
|
return ("Certificate Transparency required, but no valid SCTs found");
|
2016-06-19 08:55:16 +00:00
|
|
|
case X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION:
|
|
|
|
|
return ("proxy subject name violation");
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
default:
|
Suppress DANE TLSA reflection when verification fails
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails. However, this only happened when verification
failed during chain construction. Errors in verification of the
constructed chain did not have the intended effect on these functions.
This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails. Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail. They must of course first check
and save the real error, and restore the original error as quickly
as possible. Hiding by default seems to be the safer interface.
Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED.
This also changes the "-brief" output from s_client to include
verification results and TLSA match information.
Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).
Added a few more test-cases to danetest, that exercise the new
code.
Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().
Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error. [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 00:07:57 +00:00
|
|
|
/* Printing an error number into a static buffer is not thread-safe */
|
|
|
|
|
return ("unknown certificate verification error");
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
}
|