Explicitly number all Certificate_Status_Code enum values

Add a to_string function for this type.
author: Jack Lloyd <[email protected]> 2016-11-21 19:57:08 -0500
committer: Jack Lloyd <[email protected]> 2016-11-23 08:31:06 -0500
commit: 13be30e33e0aac0e5d566d77c4775293a2c363f7 (patch)
tree: d8214fc772899f087c84d89cc01687232297b241 /src/lib
parent: 1f3ac78ab5652a712d5dd81af792d6bd33c296e9 (diff)
2 files changed, 146 insertions, 25 deletions
diff --git a/src/lib/x509/cert_status.cpp b/src/lib/x509/cert_status.cpp
new file mode 100644
index 000000000..e08e8efcc
--- /dev/null
+++ b/src/lib/x509/cert_status.cpp
@@ -0,0 +1,100 @@
+/*
+* (C) 2016 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/cert_status.h>
+
+namespace Botan {
+
+//static
+const char* to_string(Certificate_Status_Code code)
+   {
+   switch(code)
+      {
+      case Certificate_Status_Code::VERIFIED:
+         return "Verified";
+      case Certificate_Status_Code::OCSP_RESPONSE_GOOD:
+         return "OCSP response accepted as affirming unrevoked status for certificate";
+      case Certificate_Status_Code::OCSP_SIGNATURE_OK:
+         return "Signature on OCSP response was found valid";
+      case Certificate_Status_Code::VALID_CRL_CHECKED:
+         return "Valid CRL examined";
+
+      case Certificate_Status_Code::NO_REVOCATION_DATA:
+         return "No revocation data";
+      case Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK:
+         return "Signature method too weak";
+      case Certificate_Status_Code::UNTRUSTED_HASH:
+         return "Untrusted hash";
+
+      case Certificate_Status_Code::CERT_NOT_YET_VALID:
+         return "Certificate is not yet valid";
+      case Certificate_Status_Code::CERT_HAS_EXPIRED:
+         return "Certificate has expired";
+      case Certificate_Status_Code::OCSP_NOT_YET_VALID:
+         return "OCSP is not yet valid";
+      case Certificate_Status_Code::OCSP_HAS_EXPIRED:
+         return "OCSP has expired";
+      case Certificate_Status_Code::CRL_NOT_YET_VALID:
+         return "CRL is not yet valid";
+      case Certificate_Status_Code::CRL_HAS_EXPIRED:
+         return "CRL has expired";
+
+      case Certificate_Status_Code::CERT_ISSUER_NOT_FOUND:
+         return "Certificate issuer not found";
+      case Certificate_Status_Code::CANNOT_ESTABLISH_TRUST:
+         return "Cannot establish trust";
+      case Certificate_Status_Code::CERT_CHAIN_LOOP:
+         return "Loop in certificate chain";
+      case Certificate_Status_Code::CHAIN_LACKS_TRUST_ROOT:
+         return "Certificate chain does not end in a CA certificate";
+      case Certificate_Status_Code::CHAIN_NAME_MISMATCH:
+         return "Certificate issuer does not match subject of issuing cert";
+
+      case Certificate_Status_Code::POLICY_ERROR:
+         return "Policy error";
+      case Certificate_Status_Code::INVALID_USAGE:
+         return "Invalid usage";
+      case Certificate_Status_Code::CERT_CHAIN_TOO_LONG:
+         return "Certificate chain too long";
+      case Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER:
+         return "CA certificate not allowed to issue certs";
+      case Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER:
+         return "CA certificate not allowed to issue CRLs";
+      case Certificate_Status_Code::OCSP_CERT_NOT_LISTED:
+         return "OCSP cert not listed";
+      case Certificate_Status_Code::OCSP_BAD_STATUS:
+         return "OCSP bad status";
+      case Certificate_Status_Code::CERT_NAME_NOMATCH:
+         return "Certificate does not match provided name";
+      case Certificate_Status_Code::NAME_CONSTRAINT_ERROR:
+         return "Certificate does not pass name constraint";
+      case Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION:
+         return "Unknown critical extension encountered";
+      case Certificate_Status_Code::OCSP_SIGNATURE_ERROR:
+         return "OCSP signature error";
+      case Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND:
+         return "Unable to find certificate issusing OCSP response";
+      case Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE:
+         return "OCSP issuer's keyusage prohibits OCSP";
+      case Certificate_Status_Code::OCSP_RESPONSE_INVALID:
+         return "OCSP parsing valid";
+      case Certificate_Status_Code::OCSP_NO_HTTP:
+         return "OCSP requests not available, no HTTP support compiled in";
+      case Certificate_Status_Code::CERT_IS_REVOKED:
+         return "Certificate is revoked";
+      case Certificate_Status_Code::CRL_BAD_SIGNATURE:
+         return "CRL bad signature";
+      case Certificate_Status_Code::SIGNATURE_ERROR:
+         return "Signature error";
+      case Certificate_Status_Code::CERT_PUBKEY_INVALID:
+         return "Certificate public key invalid";
+         // intentionally no default so we are warned
+      }
+
+   return nullptr;
+   }
+
+}
diff --git a/src/lib/x509/cert_status.h b/src/lib/x509/cert_status.h
index b69bd1832..921fd2b09 100644
--- a/src/lib/x509/cert_status.h
+++ b/src/lib/x509/cert_status.h
@@ -14,50 +14,71 @@ namespace Botan {
 * Certificate validation status code
 */
 enum class Certificate_Status_Code {
-   VERIFIED = 0x00000000,
-   OCSP_RESPONSE_GOOD,
-   NO_REVOCATION_DATA,
+   OK = 0,
+   VERIFIED = 0,
+
+   // Revocation status
+   OCSP_RESPONSE_GOOD = 1,
+   OCSP_SIGNATURE_OK = 2,
+   VALID_CRL_CHECKED = 3,
+   OCSP_NO_HTTP = 4,
+
+   // Errors
+   FIRST_ERROR_STATUS = 1000,
 
-   // Local policy failures
    SIGNATURE_METHOD_TOO_WEAK = 1000,
-   UNTRUSTED_HASH,
+   UNTRUSTED_HASH = 1001,
+   NO_REVOCATION_DATA = 1002,
 
    // Time problems
    CERT_NOT_YET_VALID = 2000,
-   CERT_HAS_EXPIRED,
-   OCSP_NOT_YET_VALID,
-   OCSP_HAS_EXPIRED,
-   CRL_NOT_YET_VALID,
-   CRL_HAS_EXPIRED,
+   CERT_HAS_EXPIRED = 2001,
+   OCSP_NOT_YET_VALID = 2002,
+   OCSP_HAS_EXPIRED = 2003,
+   CRL_NOT_YET_VALID = 2004,
+   CRL_HAS_EXPIRED = 2005,
 
    // Chain generation problems
    CERT_ISSUER_NOT_FOUND = 3000,
-   CANNOT_ESTABLISH_TRUST,
-
-   CERT_CHAIN_LOOP,
+   CANNOT_ESTABLISH_TRUST = 3001,
+   CERT_CHAIN_LOOP = 3002,
+   CHAIN_LACKS_TRUST_ROOT = 3003,
+   CHAIN_NAME_MISMATCH = 3004,
 
    // Validation errors
    POLICY_ERROR = 4000,
-   INVALID_USAGE,
-   CERT_CHAIN_TOO_LONG,
-   CA_CERT_NOT_FOR_CERT_ISSUER,
-   NAME_CONSTRAINT_ERROR,
+   INVALID_USAGE = 4001,
+   CERT_CHAIN_TOO_LONG = 4002,
+   CA_CERT_NOT_FOR_CERT_ISSUER = 4003,
+   NAME_CONSTRAINT_ERROR = 4004,
 
    // Revocation errors
-   CA_CERT_NOT_FOR_CRL_ISSUER,
-   OCSP_CERT_NOT_LISTED,
-   OCSP_BAD_STATUS,
-
-   CERT_NAME_NOMATCH,
+   CA_CERT_NOT_FOR_CRL_ISSUER = 4005,
+   OCSP_CERT_NOT_LISTED = 4006,
+   OCSP_BAD_STATUS = 4007,
 
-   UNKNOWN_CRITICAL_EXTENSION,
+   // Other problems
+   CERT_NAME_NOMATCH = 4008,
+   UNKNOWN_CRITICAL_EXTENSION = 4009,
+   OCSP_SIGNATURE_ERROR = 4501,
+   OCSP_ISSUER_NOT_FOUND = 4502,
+   OCSP_RESPONSE_MISSING_KEYUSAGE = 4503,
+   OCSP_RESPONSE_INVALID = 4504,
 
    // Hard failures
    CERT_IS_REVOKED = 5000,
-   CRL_BAD_SIGNATURE,
-   SIGNATURE_ERROR,
+   CRL_BAD_SIGNATURE = 5001,
+   SIGNATURE_ERROR = 5002,
+   CERT_PUBKEY_INVALID = 5003,
 };
 
+/**
+* Convert a status code to a human readable diagnostic message
+* @param code the certifcate status
+* @return string literal constant, or nullptr if code unknown
+*/
+const char* to_string(Certificate_Status_Code code);
+
 }
 
 #endif
author	Jack Lloyd <[email protected]>	2016-11-21 19:57:08 -0500
committer	Jack Lloyd <[email protected]>	2016-11-23 08:31:06 -0500
commit	13be30e33e0aac0e5d566d77c4775293a2c363f7 (patch)
tree	d8214fc772899f087c84d89cc01687232297b241 /src/lib
parent	1f3ac78ab5652a712d5dd81af792d6bd33c296e9 (diff)