/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ /* * This file is part of the LibreOffice project. * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. * * This file incorporates work covered by the following license notice: * * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed * with this work for additional information regarding copyright * ownership. The ASF licenses this file to you under the Apache * License, Version 2.0 (the "License"); you may not use this file * except in compliance with the License. You may obtain a copy of * the License at http://www.apache.org/licenses/LICENSE-2.0 . */ #include #include "secerror.hxx" #include #include #include namespace { struct ErrDesc { PRErrorCode const errNum; const char * errString; }; } const ErrDesc allDesc[] = { #include "certerrors.h" }; /* Returns a UTF-8 encoded constant error string for "errNum". * Returns NULL of errNum is unknown. */ const char * getCertError(PRErrorCode errNum) { for (const ErrDesc& i : allDesc) { if (i.errNum == errNum) return i.errString; } return ""; } void printChainFailure(CERTVerifyLog *log) { unsigned int depth = static_cast(-1); CERTVerifyLogNode *node = nullptr; if (log->count > 0) { SAL_INFO("xmlsecurity.xmlsec", "Bad certification path:"); unsigned long errorFlags = 0; for (node = log->head; node; node = node->next) { if (depth != node->depth) { depth = node->depth; SAL_INFO("xmlsecurity.xmlsec", "Certificate: " << depth << node->cert->subjectName << ": " << (depth ? "[Certificate Authority]": "")); } SAL_INFO("xmlsecurity.xmlsec", " ERROR " << node->error << ": " << getCertError(node->error)); const char * specificError = nullptr; const char * issuer = nullptr; switch (node->error) { case SEC_ERROR_INADEQUATE_KEY_USAGE: errorFlags = reinterpret_cast(node->arg); switch (errorFlags) { case KU_DIGITAL_SIGNATURE: specificError = "Certificate cannot sign."; break; case KU_KEY_ENCIPHERMENT: specificError = "Certificate cannot encrypt."; break; case KU_KEY_CERT_SIGN: specificError = "Certificate cannot sign other certs."; break; default: specificError = "[unknown usage]."; break; } break; case SEC_ERROR_INADEQUATE_CERT_TYPE: errorFlags = reinterpret_cast(node->arg); switch (errorFlags) { case NS_CERT_TYPE_SSL_CLIENT: case NS_CERT_TYPE_SSL_SERVER: specificError = "Certificate cannot be used for SSL."; break; case NS_CERT_TYPE_SSL_CA: specificError = "Certificate cannot be used as an SSL CA."; break; case NS_CERT_TYPE_EMAIL: specificError = "Certificate cannot be used for SMIME."; break; case NS_CERT_TYPE_EMAIL_CA: specificError = "Certificate cannot be used as an SMIME CA."; break; case NS_CERT_TYPE_OBJECT_SIGNING: specificError = "Certificate cannot be used for object signing."; break; case NS_CERT_TYPE_OBJECT_SIGNING_CA: specificError = "Certificate cannot be used as an object signing CA."; break; default: specificError = "[unknown usage]."; break; } break; case SEC_ERROR_UNKNOWN_ISSUER: specificError = "Unknown issuer:"; issuer = node->cert->issuerName; break; case SEC_ERROR_UNTRUSTED_ISSUER: specificError = "Untrusted issuer:"; issuer = node->cert->issuerName; break; case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: specificError = "Expired issuer certificate:"; issuer = node->cert->issuerName; break; default: break; } if (specificError) SAL_INFO("xmlsecurity.xmlsec", specificError); if (issuer) SAL_INFO("xmlsecurity.xmlsec", issuer); } } } /* vim:set shiftwidth=4 softtabstop=4 expandtab: */