| // Copyright 2017 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_ |
| #define NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_ |
| |
| #include "net/base/net_export.h" |
| #include "net/cert/internal/cert_errors.h" |
| |
| // This file contains the set of "default" certificate errors (those |
| // defined by the core verification/path building code). |
| // |
| // Errors may be defined for other domains. |
| namespace net { |
| |
| namespace cert_errors { |
| |
| // The verification time is after the certificate's notAfter time. |
| NET_EXPORT extern const CertErrorId kValidityFailedNotAfter; |
| |
| // The verification time is before the certificate's notBefore time. |
| NET_EXPORT extern const CertErrorId kValidityFailedNotBefore; |
| |
| // The certificate is actively distrusted by the trust store (this is separate |
| // from other revocation mechanisms). |
| NET_EXPORT extern const CertErrorId kDistrustedByTrustStore; |
| |
| // The certificate disagrees on what the signature algorithm was |
| // (Certificate.signatureAlgorithm != TBSCertificate.signature). |
| NET_EXPORT extern const CertErrorId kSignatureAlgorithmMismatch; |
| |
| // Certificate verification was called with an empty chain. |
| NET_EXPORT extern const CertErrorId kChainIsEmpty; |
| |
| // Certificate verification was called with a chain of length 1, which is not |
| // supported (i.e. the target certificate cannot also be a trusted |
| // certificate). See https://crbug.com/814994. |
| NET_EXPORT extern const CertErrorId kChainIsLength1; |
| |
| // The certificate contains an unknown extension which is marked as critical. |
| NET_EXPORT extern const CertErrorId kUnconsumedCriticalExtension; |
| |
| // The target certificate appears to be a CA (has Basic Constraints CA=true), |
| // however does not have a keyUsage consistent with being a CA (keyCertSign). |
| NET_EXPORT extern const CertErrorId kTargetCertInconsistentCaBits; |
| |
| // The certificate is being used to sign other certificates, however the |
| // keyCertSign KeyUsage was not set. |
| NET_EXPORT extern const CertErrorId kKeyCertSignBitNotSet; |
| |
| // The chain violates the max_path_length from BasicConstraints. |
| NET_EXPORT extern const CertErrorId kMaxPathLengthViolated; |
| |
| // The certificate being used to sign other certificates has a |
| // BasicConstraints extension, however it sets CA=false |
| NET_EXPORT extern const CertErrorId kBasicConstraintsIndicatesNotCa; |
| |
| // The certificate being used to sign other certificates does not include a |
| // BasicConstraints extension. |
| NET_EXPORT extern const CertErrorId kMissingBasicConstraints; |
| |
| // The certificate has a subject or subjectAltName that violates an issuer's |
| // name constraints. |
| NET_EXPORT extern const CertErrorId kNotPermittedByNameConstraints; |
| |
| // The chain has an excessive number of names and/or name constraints. |
| NET_EXPORT extern const CertErrorId kTooManyNameConstraintChecks; |
| |
| // The certificate's issuer field does not match the subject of its alleged |
| // issuer. |
| NET_EXPORT extern const CertErrorId kSubjectDoesNotMatchIssuer; |
| |
| // Failed to verify the certificate's signature using its issuer's public key. |
| NET_EXPORT extern const CertErrorId kVerifySignedDataFailed; |
| |
| // The certificate encodes its signature differently between |
| // Certificate.algorithm and TBSCertificate.signature, but it appears |
| // to be the same algorithm. |
| NET_EXPORT extern const CertErrorId kSignatureAlgorithmsDifferentEncoding; |
| |
| // The certificate verification is being done for serverAuth, however the |
| // certificate lacks serverAuth in its ExtendedKeyUsages. |
| NET_EXPORT extern const CertErrorId kEkuLacksServerAuth; |
| |
| // The certificate verification is being done for clientAuth, however the |
| // certificate lacks clientAuth in its ExtendedKeyUsages. |
| NET_EXPORT extern const CertErrorId kEkuLacksClientAuth; |
| |
| // The root certificate in a chain is not trusted. |
| NET_EXPORT extern const CertErrorId kCertIsNotTrustAnchor; |
| |
| // The chain is not valid for any policy, and an explicit policy was required. |
| // (Either because the relying party requested it during verificaiton, or it was |
| // requrested by a PolicyConstraints extension). |
| NET_EXPORT extern const CertErrorId kNoValidPolicy; |
| |
| // The certificate is trying to map to, or from, anyPolicy. |
| NET_EXPORT extern const CertErrorId kPolicyMappingAnyPolicy; |
| |
| // The public key in this certificate could not be parsed. |
| NET_EXPORT extern const CertErrorId kFailedParsingSpki; |
| |
| // The certificate's signature algorithm (used to verify its |
| // signature) is not acceptable by the consumer. What constitutes as |
| // "acceptable" is determined by the verification delegate. |
| NET_EXPORT extern const CertErrorId kUnacceptableSignatureAlgorithm; |
| |
| // The certificate's public key is not acceptable by the consumer. |
| // What constitutes as "acceptable" is determined by the verification delegate. |
| NET_EXPORT extern const CertErrorId kUnacceptablePublicKey; |
| |
| // The certificate's EKU is missing serverAuth. However Netscape Server Gated |
| // Crypto is present instead. |
| NET_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasGatedCrypto; |
| |
| // The certificate has been revoked. |
| NET_EXPORT extern const CertErrorId kCertificateRevoked; |
| |
| // The certificate lacks a recognized revocation mechanism (i.e. OCSP/CRL). |
| // Emitted as an error when revocation checking expects certificates to have |
| // such info. |
| NET_EXPORT extern const CertErrorId kNoRevocationMechanism; |
| |
| // The certificate had a revocation mechanism, but when used it was unable to |
| // affirmatively say whether the certificate was unrevoked. |
| NET_EXPORT extern const CertErrorId kUnableToCheckRevocation; |
| |
| } // namespace cert_errors |
| |
| } // namespace net |
| |
| #endif // NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_ |
