[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-core-devel
Subject: A patchset for KSSL's error messages
From: "Richard Hartmann" <richih.mailinglist () gmail ! com>
Date: 2008-02-01 15:10:13
Message-ID: 2d460de70802010710t4895e44bv807861d4c3521c4b () mail ! gmail ! com
[Download RAW message or body]
Hi all,
at the suggestion of maelcum, I am sending my patchset to this
list. It adds useful and, hopefully, understandable error messages
for OpenSSL's verfiy routine[1]. You can also look at my bug
report[2], where the attached files can also be found.
If the patchset looks OK, I would appreciate it if someone could
apply it to both trunk and 3.5. If it does not, please let me know
what improvements you want to see. I could _not_ test the
patches in a live build as I lack a KDE trunk build setup, at the
moment, so applying this patch would mean someone would
need to apply it locally & build, though I don't think there should
be any errors as the code changes are trivial in nature.
I do not know how copyright & licensing from external contributors
is handled, but GPLv2+ is fine and, ttbomk, covers all current and
future licensing goals of KDE. If I need to sign/click/send email to
anything/-one, just let me know and I can do whatever the laws
need me to do :)
Best regards,
Richard Hartmann
[1] man verify 1
[2] http://bugs.kde.org/show_bug.cgi?id=156948
["ksslcertificate.h.patch" (text/x-diff)]
--- orig/ksslcertificate.h 2008-02-01 15:23:35.303114064 +0100
+++ ksslcertificate.h 2008-02-01 15:32:29.833575219 +0100
@@ -104,17 +104,32 @@
*/
static KSSLCertificate *fromX509(X509 *x5);
- /**
- * A CA certificate can be validated as Irrelevant when it was
- * not used to sign any other relevant certificate.
- */
+ /**
+ * A CA certificate can be validated as Irrelevant when it was
+ * not used to sign any other relevant certificate.
+ */
enum KSSLValidation { Unknown, Ok, NoCARoot, InvalidPurpose,
- PathLengthExceeded, InvalidCA, Expired,
- SelfSigned, ErrorReadingRoot, NoSSL,
- Revoked, Untrusted, SignatureFailed,
- Rejected, PrivateKeyFailed, InvalidHost,
- Irrelevant, SelfSignedChain
- };
+ PathLengthExceeded, InvalidCA,
+ GetIssuerCertFailed, DecodeIssuerPublicKeyFailed,
+ GetIssuerCertLocallyFailed,
+ CertificateNotYetValid, CertificateHasExpired,
+ CRLNotYetValid, CRLHasExpired,
+ CertificateFieldNotBeforeErroneous,
+ CertificateFieldNotAfterErroneous,
+ CRLFieldLastUpdateErroneous,
+ CRLFieldNextUpdateErroneous, SelfSigned,
+ ErrorReadingRoot, NoSSL, CertificateRevoked,
+ CertificateUntrusted, VerifyLeafSignatureFailed,
+ CertificateSignatureFailed, CRLSignatureFailed,
+ DecryptCertificateSignatureFailed,
+ DecryptCRLSignatureFailed, CertificateRejected,
+ PrivateKeyFailed, InvalidHost, Irrelevant,
+ SelfSignedInChain, ApplicationVerificationFailed,
+ AuthAndSubjectKeyIDAndNameMismatched,
+ AuthAndSubjectKeyIDMismatched, OutOfMemory,
+ GetCRLFailed, CertificateChainTooLong,
+ KeyMayNotSignCertificate
+ };
enum KSSLPurpose { None=0, SSLServer=1, SSLClient=2,
SMIMESign=3, SMIMEEncrypt=4, Any=5 };
["ksslcertificate.cpp.patch" (text/x-diff)]
--- orig/ksslcertificate.cpp 2008-02-01 15:23:35.303114064 +0100
+++ ksslcertificate.cpp 2008-02-01 15:43:19.870618719 +0100
@@ -729,7 +729,7 @@
//kDebug(7029) << "KSSL Validation procedure RESULTS: "
// << ksslv << endl;
- if (ksslv != NoCARoot && ksslv != InvalidCA) {
+ if (ksslv != NoCARoot && ksslv != InvalidCA && ksslv != GetIssuerCertFailed && \
ksslv != DecodeIssuerPublicKeyFailed && ksslv != GetIssuerCertLocallyFailed ) { \
d->m_stateCached = true; d->m_stateCache = ksslv;
}
@@ -763,76 +763,179 @@
rc = KSSLCertificate::Unknown;
#ifdef KSSL_HAVE_SSL
switch (ec) {
- case X509_V_OK: // OK
+
+ // see man 1 verify for a detailed listing of all error codes
+
+ // error 0
+ case X509_V_OK:
rc = KSSLCertificate::Ok;
break;
- case X509_V_ERR_CERT_REJECTED:
- rc = KSSLCertificate::Rejected;
+ // error 2
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ rc = KSSLCertificate::GetIssuerCertFailed;
break;
+ // error 3
+ case X509_V_ERR_UNABLE_TO_GET_CRL:
+ rc = KSSLCertificate::GetCRLFailed;
+ break;
- case X509_V_ERR_CERT_UNTRUSTED:
- rc = KSSLCertificate::Untrusted;
+ // error 4
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+ rc = KSSLCertificate::DecryptCertificateSignatureFailed;
break;
+ // error 5
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+ rc = KSSLCertificate::DecryptCRLSignatureFailed;
+ break;
- case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ // error 6
+ case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+ rc = KSSLCertificate::DecodeIssuerPublicKeyFailed;
+ break;
+
+ // error 7
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+ rc = KSSLCertificate::CertificateSignatureFailed;
+ break;
+
+ // error 8
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
- case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
- case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
- rc = KSSLCertificate::SignatureFailed;
+ rc = KSSLCertificate::CRLSignatureFailed;
break;
- case X509_V_ERR_INVALID_CA:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- rc = KSSLCertificate::InvalidCA;
+ // error 9
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ rc = KSSLCertificate::CertificateNotYetValid;
break;
+ // error 10
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ rc = KSSLCertificate::CertificateHasExpired;
+ kDebug(7029) << "KSSL apparently this is expired. Not after: "
+ << getNotAfter() << endl;
+ break;
- case X509_V_ERR_INVALID_PURPOSE:
- rc = KSSLCertificate::InvalidPurpose;
+ // error 11
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ rc = KSSLCertificate::CRLNotYetValid;
break;
+ // error 12
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ rc = KSSLCertificate::CRLHasExpired;
+ break;
+
+ // error 13
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ rc = KSSLCertificate::CertificateFieldNotBeforeErroneous;
+ break;
+
+ // error 14
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ rc = KSSLCertificate::CertificateFieldNotAfterErroneous;
+ break;
+ // error 15 - unused as of OpenSSL 0.9.8g
+ case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+ rc = KSSLCertificate::CRLFieldLastUpdateErroneous;
+ break;
+
+ // error 16 - unused as of OpenSSL 0.9.8g
+ case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+ rc = KSSLCertificate::CRLFieldNextUpdateErroneous;
+ break;
+
+ // error 17
+ case X509_V_ERR_OUT_OF_MEM:
+ rc = KSSLCertificate::OutOfMemory;
+ break;
+
+ // error 18
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
rc = KSSLCertificate::SelfSigned;
break;
+ // error 19
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- rc = KSSLCertificate::SelfSignedChain;
+ rc = KSSLCertificate::SelfSignedInChain;
+ break;
+
+ // error 20
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ rc = KSSLCertificate::GetIssuerCertLocallyFailed;
break;
+ // error 21
+ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ rc = KSSLCertificate::VerifyLeafSignatureFailed;
+ break;
+
+ // error 22 - unused as of OpenSSL 0.9.8g
+ case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ rc = KSSLCertificate::CertificateChainTooLong;
+ break;
+
+ // error 23 - unused as of OpenSSL 0.9.8g
case X509_V_ERR_CERT_REVOKED:
- rc = KSSLCertificate::Revoked;
+ rc = KSSLCertificate::CertificateRevoked;
break;
+ // error 24
+ case X509_V_ERR_INVALID_CA:
+ rc = KSSLCertificate::InvalidCA;
+ break;
+
+ // error 25
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
rc = KSSLCertificate::PathLengthExceeded;
break;
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_CRL_NOT_YET_VALID:
- case X509_V_ERR_CRL_HAS_EXPIRED:
- case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
- case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
- rc = KSSLCertificate::Expired;
- kDebug(7029) << "KSSL apparently this is expired. Not after: "
- << getNotAfter() << endl;
+ // error 26
+ case X509_V_ERR_INVALID_PURPOSE:
+ rc = KSSLCertificate::InvalidPurpose;
+ break;
+
+ // error 27
+ case X509_V_ERR_CERT_UNTRUSTED:
+ rc = KSSLCertificate::CertificateUntrusted;
break;
- //case 1:
+ // error 28
+ case X509_V_ERR_CERT_REJECTED:
+ rc = KSSLCertificate::CertificateRejected;
+ break;
+
+ // error 29 - only used with -issuer_checks
+ case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+ rc = KSSLCertificate::IssuerSubjectMismatched;
+ break;
+
+ // error 30 - only used with -issuer_checks
+ case X509_V_ERR_AKID_SKID_MISMATCH:
+ rc = KSSLCertificate::AuthAndSubjectKeyIDMismatched;
+ break;
+
+ // error 31 - only used with -issuer_checks
+ case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+ rc = KSSLCertificate::AuthAndSubjectKeyIDAndNameMismatched;
+ break;
+
+ // error 32
+ case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+ rc = KSSLCertificate::KeyMayNotSignCertificate;
+ break;
+
+
+ // error 50 - unused as of OpenSSL 0.9.8g
case X509_V_ERR_APPLICATION_VERIFICATION:
- case X509_V_ERR_OUT_OF_MEM:
- case X509_V_ERR_UNABLE_TO_GET_CRL:
- case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ rc = KSSLCertificate::ApplicationVerificationFailed;
+ break;
+
+
default:
rc = KSSLCertificate::Unknown;
break;
@@ -913,30 +1016,80 @@
QString KSSLCertificate::verifyText(KSSLValidation x) {
switch (x) {
+// messages for errors defined in verify(1)
case KSSLCertificate::Ok:
return i18n("The certificate is valid.");
+case KSSLCertificate::GetIssuerCertFailed:
+ return i18n("Retrieval of the issuer certificate failed. This means the CA's \
(Certificate Authority) certificate can not be found."); +case \
KSSLCertificate::GetCRLFailed: + return i18n("Retrieval of the CRL (Certificate \
Revokation List) certificate failed. This means the CA's (Certificate Authority) CRL \
certificate can not be found."); +case \
KSSLCertificate::DecryptCertificateSignatureFailed: + return i18n("The decryption of \
the certificate's signature failed. This means it could not even be calculated as \
opposed to just not matching the expected result."); +case \
KSSLCertificate::DecryptCRLSignatureFailed: + return i18n("The decryption of the \
CRL's (Certificate Revokation List) signature failed. This means it could not even be \
calculated as opposed to just not matching the expected result."); +case \
KSSLCertificate::DecodeIssuerPublicKeyFailed: + return i18n("The decoding of the \
public key of the issuer failed. This means that the CA's (Certificate Authority) \
certificate can not be used to verify the certificate you wanted to use."); +case \
KSSLCertificate::CertificateSignatureFailed: + return i18n("The certificate's \
signature is invalid. This means that the certificate can not be verified."); +case \
KSSLCertificate::CRLSignatureFailed: + return i18n("The CRL's (Certificate Revokation \
List) signature is invalid. This means that the CRL can not be verified."); +case \
KSSLCertificate::CertificateNotYetValid: + return i18n("The certificate is not valid, \
yet."); +case KSSLCertificate::CertificateHasExpired:
+ return i18n("The certificate is not valid, any more.");
+case KSSLCertificate::CRLNotYetValid:
+ return i18n("The CRL (Certificate Revokation List) is not valid, yet.");
+case KSSLCertificate::CRLHasExpired:
+ return i18n("The CRL (Certificate Revokation List) is not valid, yet.");
+case KSSLCertificate::CertificateFieldNotBeforeErroneous:
+ return i18n("The time format of the certificate's 'notBefore' field is invalid.");
+case KSSLCertificate::CertificateFieldNotAfterErroneous:
+ return i18n("The time format of the certificate's 'notAfter' field is invalid.");
+case KSSLCertificate::CRLFieldLastUpdateErroneous:
+ return i18n("The time format of the CRL's (Certificate Revokation List) \
'lastUpdate' field is invalid."); +case KSSLCertificate::CRLFieldNextUpdateErroneous:
+ return i18n("The time format of the CRL's (Certificate Revokation List) \
'nextUpdate' field is invalid."); +case KSSLCertificate::OutOfMemory:
+ return i18n("The OpenSSL process ran out of memory.");
+case KSSLCertificate::SelfSigned:
+ return i18n("The certificate is self-signed and not in the list of trusted \
certificates. If you want to accept this certificate, import it into the list of \
trusted certificates."); +case KSSLCertificate::SelfSignedInChain:
+ return i18n("The certificate is self-signed. While the trust chain could be built \
up, the root CA's (Certificate Authority) certificate can not be found."); +case \
KSSLCertificate::GetIssuerCertLocallyFailed: + return i18n("The CA's (Certificate \
Authority) certificate can not be found. Most likely, your trust chain is broken."); \
+case KSSLCertificate::VerifyLeafSignatureFailed: + return i18n("The certificate can \
not be verified as it is the only certificate in the trust chain and not self-signed. \
If you self-sign the certificate, make sure to import it into the list of trusted \
certificates."); +case KSSLCertificate::CertificateChainTooLong:
+ return i18n("The certificate chain is longer than the maximum depth specified.");
+case KSSLCertificate::CertificateRevoked:
+ return i18n("The certificate has been revoked.");
+case KSSLCertificate::InvalidCA:
+ return i18n("The certificate's CA (Certificate Authority) is invalid.");
case KSSLCertificate::PathLengthExceeded:
+ return i18n("The length of the trust chain exceeded one of the CA's (Certificate \
Authority) 'pathlength' parameter, making all subsequent signatures invalid."); +case \
KSSLCertificate::InvalidPurpose: + return i18n("The certificate has not been signed \
for the purpose iyou tried to use it for. This means the CA (Certificate Authority) \
does not allow this usage."); +case KSSLCertificate::CertificateUntrusted:
+ return i18n("The root CA (Certificate Authority) is not trusted for the purpose you \
tried to use this certificate for."); +case KSSLCertificate::CertificateRejected:
+ return i18n("The root CA (Certificate Authority) has been marked to be rejected for \
the purpose you tried to use it for."); +case \
KSSLCertificate::IssuerSubjectMismatched: + return i18n("The certificate's CA's \
(Certificate Authority) does not match the name CA name of the certificate."); +case \
KSSLCertificate::AuthAndSubjectKeyIDMismatched: + return i18n("The CA's (Certificate \
Authority) certificate's key ID does not match the key ID in the 'Issuer' section of \
the certificate you are trying to use."); +case \
KSSLCertificate::AuthAndSubjectKeyIDAndNameMismatched: + return i18n("The CA's \
(Certificate Authority) certificate's key ID and name do not match the key ID and \
name in the 'Issuer' section of the certificate you are trying to use."); +case \
KSSLCertificate::KeyMayNotSignCertificate: + return i18n("The certificate's CA \
(Certificate Authority) is not allowed to sign certificates."); +case \
KSSLCertificate::ApplicationVerificationFailed: + return i18n("OpenSSL could not be \
verified."); +
+// other error messages
case KSSLCertificate::ErrorReadingRoot:
case KSSLCertificate::NoCARoot:
return i18n("Certificate signing authority root files could not be found so the \
certificate is not verified.");
-case KSSLCertificate::SelfSignedChain:
-case KSSLCertificate::InvalidCA:
- return i18n("Certificate signing authority is unknown or invalid.");
-case KSSLCertificate::SelfSigned:
- return i18n("Certificate is self-signed and thus may not be trustworthy.");
-case KSSLCertificate::Expired:
- return i18n("Certificate has expired.");
-case KSSLCertificate::Revoked:
- return i18n("Certificate has been revoked.");
case KSSLCertificate::NoSSL:
return i18n("SSL support was not found.");
-case KSSLCertificate::Untrusted:
- return i18n("Signature is untrusted.");
-case KSSLCertificate::SignatureFailed:
- return i18n("Signature test failed.");
-case KSSLCertificate::Rejected:
-case KSSLCertificate::InvalidPurpose:
- return i18n("Rejected, possibly due to an invalid purpose.");
case KSSLCertificate::PrivateKeyFailed:
return i18n("Private key test failed.");
case KSSLCertificate::InvalidHost:
["kjavaappletserver.cpp.patch" (text/x-diff)]
--- orig/kjavaappletserver.cpp 2008-02-01 15:23:35.303114064 +0100
+++ kjavaappletserver.cpp 2008-02-01 15:40:59.362611624 +0100
@@ -674,20 +674,66 @@
text += i18n("PathLengthExceeded"); break;
case KSSLCertificate::InvalidCA:
text += i18n("InvalidCA"); break;
- case KSSLCertificate::Expired:
- text += i18n("Expired"); break;
+ case KSSLCertificate::GetIssuerCertFailed:
+ text += i18n("GetIssuerCertFailed"); break;
+ case KSSLCertificate::DecodeIssuerPublicKeyFailed:
+ text += i18n("DecodeIssuerPublicKeyFailed"); break;
+ case KSSLCertificate::GetIssuerCertLocallyFailed:
+ text += i18n("GetIssuerCertLocallyFailed"); break;
+ case KSSLCertificate::CertificateNotYetValid:
+ text += i18n("CertificateNotYetValid"); break;
+ case KSSLCertificate::CertificateHasExpired:
+ text += i18n("CertificateHasExpired"); break;
+ case KSSLCertificate::CRLNotYetValid:
+ text += i18n("CRLNotYetValid"); break;
+ case KSSLCertificate::CRLHasExpired:
+ text += i18n("CRLHasExpired"); break;
+ case KSSLCertificate::CertificateFieldNotBeforeErroneous:
+ text += i18n("CertificateFieldNotBeforeErroneous"); break;
+ case KSSLCertificate::CertificateFieldNotAfterErroneous:
+ text += i18n("CertificateFieldNotAfterErroneous"); break;
+ case KSSLCertificate::ApplicationVerificationFailed:
+ text += i18n("ApplicationVerificationFailed"); break;
+ case KSSLCertificate::OutOfMemory:
+ text += i18n("OutOfMemory"); break;
+ case KSSLCertificate::GetCRLFailed:
+ text += i18n("GetCRLFailed"); break;
+ case KSSLCertificate::IssuerSubjectMismatched:
+ text += i18n("IssuerSubjectMismatched"); break;
+ case KSSLCertificate::AuthAndSubjectKeyIDMismatched:
+ text += i18n("AuthAndSubjectKeyIDMismatched"); break;
+ case KSSLCertificate::AuthAndSubjectKeyIDAndNameMismatched:
+ text += i18n("AuthAndSubjectKeyIDAndNameMismatched"); break;
+ case KSSLCertificate::CertificateChainTooLong:
+ text += i18n("CertificateChainTooLong"); break;
+ case KSSLCertificate::KeyMayNotSignCertificate:
+ text += i18n("KeyMayNotSignCertificate"); break;
+ case KSSLCertificate::CRLFieldLastUpdateErroneous:
+ text += i18n("CRLFieldLastUpdateErroneous"); break;
+ case KSSLCertificate::CRLFieldNextUpdateErroneous:
+ text += i18n("CRLFieldNextUpdateErroneous"); break;
+ case KSSLCertificate::SelfSignedInChain:
+ text += i18n("SelfSignedInChain"); break;
case KSSLCertificate::SelfSigned:
text += i18n("SelfSigned"); break;
case KSSLCertificate::ErrorReadingRoot:
text += i18n("ErrorReadingRoot"); break;
- case KSSLCertificate::Revoked:
- text += i18n("Revoked"); break;
- case KSSLCertificate::Untrusted:
- text += i18n("Untrusted"); break;
- case KSSLCertificate::SignatureFailed:
- text += i18n("SignatureFailed"); break;
- case KSSLCertificate::Rejected:
- text += i18n("Rejected"); break;
+ case KSSLCertificate::CertificateRevoked:
+ text += i18n("CertificateRevoked"); break;
+ case KSSLCertificate::CertificateUntrusted:
+ text += i18n("CertificateUntrusted"); break;
+ case KSSLCertificate::VerifyLeafSignatureFailed:
+ text += i18n("VerifyLeafSignatureFailed"); break;
+ case KSSLCertificate::CertificateSignatureFailed:
+ text += i18n("CertificateSignatureFailed"); break;
+ case KSSLCertificate::CRLSignatureFailed:
+ text += i18n("CRLSignatureFailed"); break;
+ case KSSLCertificate::DecryptCertificateSignatureFailed:
+ text += i18n("DecryptCertificateSignatureFailed"); break;
+ case KSSLCertificate::DecryptCRLSignatureFailed:
+ text += i18n("DecryptCRLSignatureFailed"); break;
+ case KSSLCertificate::CertificateRejected:
+ text += i18n("CertificateRejected"); break;
case KSSLCertificate::PrivateKeyFailed:
text += i18n("PrivateKeyFailed"); break;
case KSSLCertificate::InvalidHost:
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic