1 /* Copyright (c) 2024, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #if !defined(OPENSSL_HEADER_BSSL_PKI_VERIFY_ERROR_H_) && defined(__cplusplus) 16 #define OPENSSL_HEADER_BSSL_PKI_VERIFY_ERROR_H_ 17 18 #include <string> 19 #include <string_view> 20 21 namespace bssl { 22 23 // VerifyError describes certificate chain validation result. 24 class OPENSSL_EXPORT VerifyError { 25 public: 26 VerifyError() = default; 27 VerifyError(const VerifyError &other) = default; 28 VerifyError &operator=(const VerifyError &other) = default; 29 30 // Code is the representation of a single error that we could 31 // find. 32 enum class StatusCode { 33 // PATH_VERIFIED means there were no errors, the certificate chain is valid. 34 PATH_VERIFIED, 35 36 // CERTIFICATE_INVALID_SIGNATURE means that the certificate's signature 37 // failed to verify. 38 CERTIFICATE_INVALID_SIGNATURE, 39 40 // CERTIFICATE_UNSUPPORTED_KEY means that the certificate's key type and/or 41 // size is not supported. 42 CERTIFICATE_UNSUPPORTED_KEY, 43 44 // CERTIFICATE_UNSUPPORTED_SIGNATURE ALGORITHM means that the signature 45 // algorithm is not supported. 46 CERTIFICATE_UNSUPPORTED_SIGNATURE_ALGORITHM, 47 48 // CERTIFICATE_REVOKED means that the certificate has been revoked. 49 CERTIFICATE_REVOKED, 50 51 // CERTIFICATE_NO_REVOCATION_MECHANISM means that revocation checking was 52 // required and no revocation mechanism was given for the certificate 53 CERTIFICATE_NO_REVOCATION_MECHANISM, 54 55 // CERTIFICATE_UNABLE_TO_CHECK_REVOCATION means that revocation checking was 56 // required and we were unable to check if the certificate was revoked via 57 // any revocation mechanism. 58 CERTIFICATE_UNABLE_TO_CHECK_REVOCATION, 59 60 // CERTIFICATE_EXPIRED means that the validation time is after the 61 // certificate's |notAfter| timestamp. 62 CERTIFICATE_EXPIRED, 63 64 // CERTIFICATE_NOT_YET_VALID means that the validation time is before the 65 // certificate's |notBefore| timestamp. 66 CERTIFICATE_NOT_YET_VALID, 67 68 // CERTIFICATE_NO_MATCHING_EKU means that the certificate's EKU does not 69 // allow the certificate to be used for the intended purpose. 70 CERTIFICATE_NO_MATCHING_EKU, 71 72 // CERTIFICATE_INVALID means that the certificate was structurally 73 // invalid, or invalid for some different reason than the above. 74 CERTIFICATE_INVALID, 75 76 // PATH_NOT_FOUND means that no path could be found from the leaf 77 // certificate to any trust anchor. 78 PATH_NOT_FOUND, 79 80 // PATH_ITERATION_COUNT_EXCEEDED means that the iteration limit for path 81 // building was hit and so the search for a valid path terminated early. 82 PATH_ITERATION_COUNT_EXCEEDED, 83 84 // PATH_DEADLINE_EXCEEDED means that the time limit for path building 85 // was hit and so the search for a valid path terminated early. 86 PATH_DEADLINE_EXCEEDED, 87 88 // PATH_DEPTH_LIMIT_REACHED means that path building was not able to find a 89 // path within the configured depth limit for verification. 90 PATH_DEPTH_LIMIT_REACHED, 91 92 // PATH_MULTIPLE_ERRORS indicates that there are multiple fatal 93 // errors present on the certificate chain, so that a single error could 94 // not be reported. 95 PATH_MULTIPLE_ERRORS, 96 97 // VERIFICATION_FAILURE means that something is wrong with the returned path 98 // that is not specific to a single certificate. There are many possible 99 // reasons for a verification to fail. 100 VERIFICATION_FAILURE, 101 }; 102 103 VerifyError(StatusCode code, ptrdiff_t offset, std::string diagnostic); 104 105 // Code returns the indicated error code for the certificate path. 106 StatusCode Code() const; 107 108 // Index returns the certificate in the chain for which the error first 109 // occured, starting with 0 for the leaf certificate. Later certificates in 110 // the chain may also exhibit the same error. If the error is not specific to 111 // a certificate, -1 is returned. 112 ptrdiff_t Index() const; 113 114 // DiagnosticString returns a string of diagnostic information related to this 115 // verification attempt. The string aims to be useful to debugging, but it is 116 // not stable and may not be processed programmatically or asserted on in 117 // tests. The string may be empty if no diagnostic information was available. 118 // 119 // The DiagnosticString is specifically not guaranteed to be unchanging for 120 // any given error code, as the diagnostic error message can contain 121 // information specific to the verification attempt and chain presented, due 122 // to there being multiple possible ways for, as an example, a certificate to 123 // be invalid, or that we are unable to build a path to a trust anchor. 124 // 125 // Needless to say, one should not attempt to parse the string that is 126 // returned. 127 const std::string &DiagnosticString() const; 128 129 private: 130 ptrdiff_t offset_ = -1; 131 StatusCode code_ = StatusCode::VERIFICATION_FAILURE; 132 std::string diagnostic_; 133 }; 134 135 } // namespace bssl 136 137 #endif // OPENSSL_HEADER_BSSL_PKI_VERIFY_ERROR_H_ 138