1 // Copyright 2017 The Chromium Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include "common_cert_errors.h"
16 
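BSSL_NAMESPACE_BEGIN
namespace cert_errors {

// Identifiers for the errors and warnings reported while parsing and verifying
// certificate chains. Each DEFINE_CERT_ERROR_ID(name, text) entry pairs an
// identifier with the human-readable description that accompanies it.
//
// NOTE(review): the macro is not defined in this file (presumably it comes
// from the header included above), so how identifiers are stored and compared
// is not visible here.
// NOTE(review): the description strings are runtime text. Confirm whether any
// test expectation files match them verbatim before rewording one.

// General failure, validity period and trust store decisions.
DEFINE_CERT_ERROR_ID(kInternalError, "Internal error");
DEFINE_CERT_ERROR_ID(kValidityFailedNotAfter, "Time is after notAfter");
DEFINE_CERT_ERROR_ID(kValidityFailedNotBefore, "Time is before notBefore");
DEFINE_CERT_ERROR_ID(kDistrustedByTrustStore, "Distrusted by trust store");

// RFC 5280 section 4.1.1.2 requires the outer signatureAlgorithm to contain
// the same algorithm identifier as the signature field inside the signed
// TBSCertificate.
DEFINE_CERT_ERROR_ID(
    kSignatureAlgorithmMismatch,
    "Certificate.signatureAlgorithm != TBSCertificate.signature");

// Chain shape, critical extensions, key usage and basic constraints.
DEFINE_CERT_ERROR_ID(kChainIsEmpty, "Chain is empty");
// RFC 5280 section 4.2: a certificate carrying a critical extension that the
// verifier does not recognize or cannot process must be rejected.
DEFINE_CERT_ERROR_ID(kUnconsumedCriticalExtension,
                     "Unconsumed critical extension");
DEFINE_CERT_ERROR_ID(kKeyCertSignBitNotSet, "keyCertSign bit is not set");
DEFINE_CERT_ERROR_ID(kKeyUsageIncorrectForRcsMlsClient,
                     "KeyUsage must have only the digitalSignature bit set for "
                     "rcsMlsClient auth");
DEFINE_CERT_ERROR_ID(kMaxPathLengthViolated, "max_path_length reached");
DEFINE_CERT_ERROR_ID(kBasicConstraintsIndicatesNotCa,
                     "Basic Constraints indicates not a CA");
DEFINE_CERT_ERROR_ID(kTargetCertShouldNotBeCa,
                     "Certificate has Basic Constraints indicating it is a CA "
                     "when it should not be a CA");
DEFINE_CERT_ERROR_ID(kMissingBasicConstraints,
                     "Does not have Basic Constraints");

// Name constraints.
DEFINE_CERT_ERROR_ID(kNotPermittedByNameConstraints,
                     "Not permitted by name constraints");
// By its text this is a cap on name constraint comparisons.
// NOTE(review): presumably it bounds verification cost for chains with many
// names and constraints; confirm the limit and its handling at the use site.
DEFINE_CERT_ERROR_ID(kTooManyNameConstraintChecks,
                     "Too many name constraints checks");

// Issuer linkage and signature verification.
DEFINE_CERT_ERROR_ID(kSubjectDoesNotMatchIssuer,
                     "subject does not match issuer");
DEFINE_CERT_ERROR_ID(kVerifySignedDataFailed, "VerifySignedData failed");
// Distinct from kSignatureAlgorithmMismatch: the text describes the two
// fields being encoded differently, not being unequal.
// NOTE(review): whether this is reported as a warning or as an error is
// decided where it is raised, which is not visible here.
DEFINE_CERT_ERROR_ID(kSignatureAlgorithmsDifferentEncoding,
                     "Certificate.signatureAlgorithm is encoded differently "
                     "than TBSCertificate.signature");

// Extended key usage (EKU).
DEFINE_CERT_ERROR_ID(kEkuLacksServerAuth,
                     "The extended key usage does not include server auth");
// The purpose name is spelled "anyExtendedKeyUsage", matching the client auth
// message below; the description previously read "anyExtendeKeyUsage".
// NOTE(review): expectation files that quote the old spelling, if any exist
// outside this file, need the same correction.
DEFINE_CERT_ERROR_ID(kEkuLacksServerAuthButHasAnyEKU,
                     "The extended key usage does not include server auth but "
                     "instead includes anyExtendedKeyUsage");
DEFINE_CERT_ERROR_ID(kEkuLacksClientAuth,
                     "The extended key usage does not include client auth");
DEFINE_CERT_ERROR_ID(kEkuLacksClientAuthButHasAnyEKU,
                     "The extended key usage does not include client auth but "
                     "instead includes anyExtendedKeyUsage");
DEFINE_CERT_ERROR_ID(kEkuLacksClientAuthOrServerAuth,
                     "The extended key usage does not include client auth "
                     "or server auth");
DEFINE_CERT_ERROR_ID(kEkuHasProhibitedOCSPSigning,
                     "The extended key usage includes OCSP signing which "
                     "is not permitted for this use");
DEFINE_CERT_ERROR_ID(kEkuHasProhibitedTimeStamping,
                     "The extended key usage includes time stamping which "
                     "is not permitted for this use");
DEFINE_CERT_ERROR_ID(kEkuHasProhibitedCodeSigning,
                     "The extended key usage includes code signing which "
                     "is not permitted for this use");
DEFINE_CERT_ERROR_ID(kEkuIncorrectForRcsMlsClient,
                     "The extended key usage does not contain only the "
                     "rcsMlsClient key purpose.");
DEFINE_CERT_ERROR_ID(kEkuIncorrectForC2PATimeStamping,
                     "The extended key usage does not contain the time "
                     "stamping key purpose, or contains prohibited key usages");
DEFINE_CERT_ERROR_ID(
    kEkuIncorrectForC2PAManifest,
    "The extended key usage must contain at least one of: email protection or "
    "document signing, and must not contain prohibited key usages");

DEFINE_CERT_ERROR_ID(kEkuNotPresent,
                     "Certificate does not have extended key usage");

// Trust anchors, certificate policies and key or algorithm acceptability.
DEFINE_CERT_ERROR_ID(kCertIsNotTrustAnchor,
                     "Certificate is not a trust anchor");
DEFINE_CERT_ERROR_ID(kNoValidPolicy, "No valid policy");
DEFINE_CERT_ERROR_ID(kPolicyMappingAnyPolicy,
                     "PolicyMappings must not map anyPolicy");
DEFINE_CERT_ERROR_ID(kFailedParsingSpki, "Couldn't parse SubjectPublicKeyInfo");
DEFINE_CERT_ERROR_ID(kUnacceptableSignatureAlgorithm,
                     "Unacceptable signature algorithm");
DEFINE_CERT_ERROR_ID(kUnacceptablePublicKey, "Unacceptable public key");

// Revocation. The three identifiers describe different outcomes: the
// certificate is revoked, it names no revocation mechanism, or the check could
// not be completed.
// NOTE(review): whether an incomplete check fails the chain is a policy
// decision made by the caller and is not visible here.
DEFINE_CERT_ERROR_ID(kCertificateRevoked, "Certificate is revoked");
DEFINE_CERT_ERROR_ID(kNoRevocationMechanism,
                     "Certificate lacks a revocation mechanism");
DEFINE_CERT_ERROR_ID(kUnableToCheckRevocation, "Unable to check revocation");

// Issuer discovery and resource limits.
// NOTE(review): by their text the last three are time, iteration and depth
// limits, presumably enforced during path building; confirm at the use site.
DEFINE_CERT_ERROR_ID(kNoIssuersFound, "No matching issuer found");
DEFINE_CERT_ERROR_ID(kDeadlineExceeded, "Deadline exceeded");
DEFINE_CERT_ERROR_ID(kIterationLimitExceeded, "Iteration limit exceeded");
DEFINE_CERT_ERROR_ID(kDepthLimitExceeded, "Depth limit exceeded");

}  // namespace cert_errors
BSSL_NAMESPACE_END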
109