Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/x509/cert_status.cpp100
-rw-r--r--src/lib/x509/cert_status.h71
2 files changed, 146 insertions, 25 deletions
diff --git a/src/lib/x509/cert_status.cpp b/src/lib/x509/cert_status.cpp
new file mode 100644
index 000000000..e08e8efcc
--- /dev/null
+++ b/src/lib/x509/cert_status.cpp
@@ -0,0 +1,100 @@
+/*
+* (C) 2016 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/cert_status.h>
+
+namespace Botan {
+
+//static
+const char* to_string(Certificate_Status_Code code)
+ {
+ switch(code)
+ {
+ case Certificate_Status_Code::VERIFIED:
+ return "Verified";
+ case Certificate_Status_Code::OCSP_RESPONSE_GOOD:
+ return "OCSP response accepted as affirming unrevoked status for certificate";
+ case Certificate_Status_Code::OCSP_SIGNATURE_OK:
+ return "Signature on OCSP response was found valid";
+ case Certificate_Status_Code::VALID_CRL_CHECKED:
+ return "Valid CRL examined";
+
+ case Certificate_Status_Code::NO_REVOCATION_DATA:
+ return "No revocation data";
+ case Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK:
+ return "Signature method too weak";
+ case Certificate_Status_Code::UNTRUSTED_HASH:
+ return "Untrusted hash";
+
+ case Certificate_Status_Code::CERT_NOT_YET_VALID:
+ return "Certificate is not yet valid";
+ case Certificate_Status_Code::CERT_HAS_EXPIRED:
+ return "Certificate has expired";
+ case Certificate_Status_Code::OCSP_NOT_YET_VALID:
+ return "OCSP is not yet valid";
+ case Certificate_Status_Code::OCSP_HAS_EXPIRED:
+ return "OCSP has expired";
+ case Certificate_Status_Code::CRL_NOT_YET_VALID:
+ return "CRL is not yet valid";
+ case Certificate_Status_Code::CRL_HAS_EXPIRED:
+ return "CRL has expired";
+
+ case Certificate_Status_Code::CERT_ISSUER_NOT_FOUND:
+ return "Certificate issuer not found";
+ case Certificate_Status_Code::CANNOT_ESTABLISH_TRUST:
+ return "Cannot establish trust";
+ case Certificate_Status_Code::CERT_CHAIN_LOOP:
+ return "Loop in certificate chain";
+ case Certificate_Status_Code::CHAIN_LACKS_TRUST_ROOT:
+ return "Certificate chain does not end in a CA certificate";
+ case Certificate_Status_Code::CHAIN_NAME_MISMATCH:
+ return "Certificate issuer does not match subject of issuing cert";
+
+ case Certificate_Status_Code::POLICY_ERROR:
+ return "Policy error";
+ case Certificate_Status_Code::INVALID_USAGE:
+ return "Invalid usage";
+ case Certificate_Status_Code::CERT_CHAIN_TOO_LONG:
+ return "Certificate chain too long";
+ case Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER:
+ return "CA certificate not allowed to issue certs";
+ case Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER:
+ return "CA certificate not allowed to issue CRLs";
+ case Certificate_Status_Code::OCSP_CERT_NOT_LISTED:
+ return "OCSP cert not listed";
+ case Certificate_Status_Code::OCSP_BAD_STATUS:
+ return "OCSP bad status";
+ case Certificate_Status_Code::CERT_NAME_NOMATCH:
+ return "Certificate does not match provided name";
+ case Certificate_Status_Code::NAME_CONSTRAINT_ERROR:
+ return "Certificate does not pass name constraint";
+ case Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION:
+ return "Unknown critical extension encountered";
+ case Certificate_Status_Code::OCSP_SIGNATURE_ERROR:
+ return "OCSP signature error";
+ case Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND:
+ return "Unable to find certificate issusing OCSP response";
+ case Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE:
+ return "OCSP issuer's keyusage prohibits OCSP";
+ case Certificate_Status_Code::OCSP_RESPONSE_INVALID:
+ return "OCSP parsing valid";
+ case Certificate_Status_Code::OCSP_NO_HTTP:
+ return "OCSP requests not available, no HTTP support compiled in";
+ case Certificate_Status_Code::CERT_IS_REVOKED:
+ return "Certificate is revoked";
+ case Certificate_Status_Code::CRL_BAD_SIGNATURE:
+ return "CRL bad signature";
+ case Certificate_Status_Code::SIGNATURE_ERROR:
+ return "Signature error";
+ case Certificate_Status_Code::CERT_PUBKEY_INVALID:
+ return "Certificate public key invalid";
+ // intentionally no default so we are warned
+ }
+
+ return nullptr;
+ }
+
+}
diff --git a/src/lib/x509/cert_status.h b/src/lib/x509/cert_status.h
index b69bd1832..921fd2b09 100644
--- a/src/lib/x509/cert_status.h
+++ b/src/lib/x509/cert_status.h
@@ -14,50 +14,71 @@ namespace Botan {
* Certificate validation status code
*/
enum class Certificate_Status_Code {
- VERIFIED = 0x00000000,
- OCSP_RESPONSE_GOOD,
- NO_REVOCATION_DATA,
+ OK = 0,
+ VERIFIED = 0,
+
+ // Revocation status
+ OCSP_RESPONSE_GOOD = 1,
+ OCSP_SIGNATURE_OK = 2,
+ VALID_CRL_CHECKED = 3,
+ OCSP_NO_HTTP = 4,
+
+ // Errors
+ FIRST_ERROR_STATUS = 1000,
- // Local policy failures
SIGNATURE_METHOD_TOO_WEAK = 1000,
- UNTRUSTED_HASH,
+ UNTRUSTED_HASH = 1001,
+ NO_REVOCATION_DATA = 1002,
// Time problems
CERT_NOT_YET_VALID = 2000,
- CERT_HAS_EXPIRED,
- OCSP_NOT_YET_VALID,
- OCSP_HAS_EXPIRED,
- CRL_NOT_YET_VALID,
- CRL_HAS_EXPIRED,
+ CERT_HAS_EXPIRED = 2001,
+ OCSP_NOT_YET_VALID = 2002,
+ OCSP_HAS_EXPIRED = 2003,
+ CRL_NOT_YET_VALID = 2004,
+ CRL_HAS_EXPIRED = 2005,
// Chain generation problems
CERT_ISSUER_NOT_FOUND = 3000,
- CANNOT_ESTABLISH_TRUST,
-
- CERT_CHAIN_LOOP,
+ CANNOT_ESTABLISH_TRUST = 3001,
+ CERT_CHAIN_LOOP = 3002,
+ CHAIN_LACKS_TRUST_ROOT = 3003,
+ CHAIN_NAME_MISMATCH = 3004,
// Validation errors
POLICY_ERROR = 4000,
- INVALID_USAGE,
- CERT_CHAIN_TOO_LONG,
- CA_CERT_NOT_FOR_CERT_ISSUER,
- NAME_CONSTRAINT_ERROR,
+ INVALID_USAGE = 4001,
+ CERT_CHAIN_TOO_LONG = 4002,
+ CA_CERT_NOT_FOR_CERT_ISSUER = 4003,
+ NAME_CONSTRAINT_ERROR = 4004,
// Revocation errors
- CA_CERT_NOT_FOR_CRL_ISSUER,
- OCSP_CERT_NOT_LISTED,
- OCSP_BAD_STATUS,
-
- CERT_NAME_NOMATCH,
+ CA_CERT_NOT_FOR_CRL_ISSUER = 4005,
+ OCSP_CERT_NOT_LISTED = 4006,
+ OCSP_BAD_STATUS = 4007,
- UNKNOWN_CRITICAL_EXTENSION,
+ // Other problems
+ CERT_NAME_NOMATCH = 4008,
+ UNKNOWN_CRITICAL_EXTENSION = 4009,
+ OCSP_SIGNATURE_ERROR = 4501,
+ OCSP_ISSUER_NOT_FOUND = 4502,
+ OCSP_RESPONSE_MISSING_KEYUSAGE = 4503,
+ OCSP_RESPONSE_INVALID = 4504,
// Hard failures
CERT_IS_REVOKED = 5000,
- CRL_BAD_SIGNATURE,
- SIGNATURE_ERROR,
+ CRL_BAD_SIGNATURE = 5001,
+ SIGNATURE_ERROR = 5002,
+ CERT_PUBKEY_INVALID = 5003,
};
+/**
+* Convert a status code to a human readable diagnostic message
+* @param code the certifcate status
+* @return string literal constant, or nullptr if code unknown
+*/
+const char* to_string(Certificate_Status_Code code);
+
}
#endif
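Review bot: `OCSP_NO_HTTP = 4` sits below `FIRST_ERROR_STATUS` under the "Revocation status" heading next to the affirmative results, so any caller that tests `code < FIRST_ERROR_STATUS` for success (a comparison the new constant invites) will treat "could not perform an OCSP query at all" the same as a good OCSP response, while `NO_REVOCATION_DATA` was moved in the same hunk from the success range to error 1002. If soft-failing OCSP when HTTP support is compiled out is intentional, that should be stated at the enumerator, e.g. `OCSP_NO_HTTP = 4, // not an error: OCSP was skipped, not failed; revocation is unverified`; if not, it belongs in the 4500 range with the other OCSP failures. It would also help to document that `OK`/`VERIFIED` and `FIRST_ERROR_STATUS`/`SIGNATURE_METHOD_TOO_WEAK` are aliases of the same values, since a `switch` that lists both members of a pair will not compile and `to_string` only names one of each.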