naiveproxy/net/cert/internal/common_cert_errors.h
2018-12-09 21:59:24 -05:00

134 lines
5.5 KiB
C++

// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_
#define NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_
#include "net/base/net_export.h"
#include "net/cert/internal/cert_errors.h"
// This file contains the set of "default" certificate errors (those
// defined by the core verification/path building code).
//
// Errors may be defined for other domains.
namespace net {
namespace cert_errors {
// The verification time is after the certificate's notAfter time.
NET_EXPORT extern const CertErrorId kValidityFailedNotAfter;
// The verification time is before the certificate's notBefore time.
NET_EXPORT extern const CertErrorId kValidityFailedNotBefore;
// The certificate is actively distrusted by the trust store (this is separate
// from other revocation mechanisms).
NET_EXPORT extern const CertErrorId kDistrustedByTrustStore;
// The certificate disagrees on what the signature algorithm was
// (Certificate.signatureAlgorithm != TBSCertificate.signature).
NET_EXPORT extern const CertErrorId kSignatureAlgorithmMismatch;
// Certificate verification was called with an empty chain.
NET_EXPORT extern const CertErrorId kChainIsEmpty;
// Certificate verification was called with a chain of length 1, which is not
// supported (i.e. the target certificate cannot also be a trusted
// certificate). See https://crbug.com/814994.
NET_EXPORT extern const CertErrorId kChainIsLength1;
// The certificate contains an unknown extension which is marked as critical.
NET_EXPORT extern const CertErrorId kUnconsumedCriticalExtension;
// The target certificate appears to be a CA (has Basic Constraints CA=true),
// however does not have a keyUsage consistent with being a CA (keyCertSign).
NET_EXPORT extern const CertErrorId kTargetCertInconsistentCaBits;
// The certificate is being used to sign other certificates, however the
// keyCertSign KeyUsage was not set.
NET_EXPORT extern const CertErrorId kKeyCertSignBitNotSet;
// The chain violates the max_path_length from BasicConstraints.
NET_EXPORT extern const CertErrorId kMaxPathLengthViolated;
// The certificate being used to sign other certificates has a
// BasicConstraints extension, however it sets CA=false
NET_EXPORT extern const CertErrorId kBasicConstraintsIndicatesNotCa;
// The certificate being used to sign other certificates does not include a
// BasicConstraints extension.
NET_EXPORT extern const CertErrorId kMissingBasicConstraints;
// The certificate has a subject or subjectAltName that violates an issuer's
// name constraints.
NET_EXPORT extern const CertErrorId kNotPermittedByNameConstraints;
// The chain has an excessive number of names and/or name constraints.
NET_EXPORT extern const CertErrorId kTooManyNameConstraintChecks;
// The certificate's issuer field does not match the subject of its alleged
// issuer.
NET_EXPORT extern const CertErrorId kSubjectDoesNotMatchIssuer;
// Failed to verify the certificate's signature using its issuer's public key.
NET_EXPORT extern const CertErrorId kVerifySignedDataFailed;
// The certificate encodes its signature differently between
// Certificate.algorithm and TBSCertificate.signature, but it appears
// to be the same algorithm.
NET_EXPORT extern const CertErrorId kSignatureAlgorithmsDifferentEncoding;
// The certificate verification is being done for serverAuth, however the
// certificate lacks serverAuth in its ExtendedKeyUsages.
NET_EXPORT extern const CertErrorId kEkuLacksServerAuth;
// The certificate verification is being done for clientAuth, however the
// certificate lacks clientAuth in its ExtendedKeyUsages.
NET_EXPORT extern const CertErrorId kEkuLacksClientAuth;
// The root certificate in a chain is not trusted.
NET_EXPORT extern const CertErrorId kCertIsNotTrustAnchor;
// The chain is not valid for any policy, and an explicit policy was required.
// (Either because the relying party requested it during verificaiton, or it was
// requrested by a PolicyConstraints extension).
NET_EXPORT extern const CertErrorId kNoValidPolicy;
// The certificate is trying to map to, or from, anyPolicy.
NET_EXPORT extern const CertErrorId kPolicyMappingAnyPolicy;
// The public key in this certificate could not be parsed.
NET_EXPORT extern const CertErrorId kFailedParsingSpki;
// The certificate's signature algorithm (used to verify its
// signature) is not acceptable by the consumer. What constitutes as
// "acceptable" is determined by the verification delegate.
NET_EXPORT extern const CertErrorId kUnacceptableSignatureAlgorithm;
// The certificate's public key is not acceptable by the consumer.
// What constitutes as "acceptable" is determined by the verification delegate.
NET_EXPORT extern const CertErrorId kUnacceptablePublicKey;
// The certificate's EKU is missing serverAuth. However Netscape Server Gated
// Crypto is present instead.
NET_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasGatedCrypto;
// The certificate has been revoked.
NET_EXPORT extern const CertErrorId kCertificateRevoked;
// The certificate lacks a recognized revocation mechanism (i.e. OCSP/CRL).
// Emitted as an error when revocation checking expects certificates to have
// such info.
NET_EXPORT extern const CertErrorId kNoRevocationMechanism;
// The certificate had a revocation mechanism, but when used it was unable to
// affirmatively say whether the certificate was unrevoked.
NET_EXPORT extern const CertErrorId kUnableToCheckRevocation;
} // namespace cert_errors
} // namespace net
#endif // NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_