[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-core-devel
Subject: Re: A patchset for KSSL's error messages
From: "Richard Hartmann" <richih.mailinglist () gmail ! com>
Date: 2008-02-01 18:09:57
Message-ID: 2d460de70802011009l1fa194e1o85e44676bb776372 () mail ! gmail ! com
[Download RAW message or body]
On Feb 1, 2008 6:00 PM, David Faure <faure@kde.org> wrote:
> Can you rework the enum change in a way that preserves the current values untouched,
> and adds all the new values after them?
I hope this patchset solves the problems you mentioned.The error
messages for SignatureFailed and Expired are, unfortunately,
beyond ugly. On the plus side, no user should ever see them as
any application using them directly is highly unlikely.
Richard
PS: You might want to switch your patch viewer of choice to ignore
whitespace changes as I changed quite a bit of the formatting to
be consistent with what I perceived to be the accepted standard.
I left kjavaappletserver.cpp's formatting alone as it uses tabs in
exactly four lines. If you want, I will happily change that file over
to tabs, as well
PPS: VIM's :set list is great ;)
["ksslcertificate.h.patch" (text/x-diff)]
--- orig/ksslcertificate.h 2008-02-01 15:23:35.303114064 +0100
+++ ksslcertificate.h 2008-02-01 18:54:46.525205859 +0100
@@ -1,6 +1,7 @@
/* This file is part of the KDE project
*
* Copyright (C) 2000-2003 George Staikos <staikos@kde.org>
+ * 2008 Richard Hartmann <richih-kde@net.in.tum.de>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -104,20 +105,39 @@
*/
static KSSLCertificate *fromX509(X509 *x5);
- /**
- * A CA certificate can be validated as Irrelevant when it was
- * not used to sign any other relevant certificate.
- */
+ /**
+ * A CA certificate can be validated as Irrelevant when it was
+ * not used to sign any other relevant certificate.
+ */
enum KSSLValidation { Unknown, Ok, NoCARoot, InvalidPurpose,
- PathLengthExceeded, InvalidCA, Expired,
- SelfSigned, ErrorReadingRoot, NoSSL,
- Revoked, Untrusted, SignatureFailed,
- Rejected, PrivateKeyFailed, InvalidHost,
- Irrelevant, SelfSignedChain
- };
+ PathLengthExceeded, InvalidCA,
+ GetIssuerCertFailed, DecodeIssuerPublicKeyFailed,
+ GetIssuerCertLocallyFailed,
+ CertificateNotYetValid, CertificateHasExpired,
+ CRLNotYetValid, CRLHasExpired,
+ CertificateFieldNotBeforeErroneous,
+ CertificateFieldNotAfterErroneous,
+ CRLFieldLastUpdateErroneous,
+ CRLFieldNextUpdateErroneous, SelfSigned,
+ ErrorReadingRoot, NoSSL, CertificateRevoked,
+ CertificateUntrusted, VerifyLeafSignatureFailed,
+ CertificateSignatureFailed, CRLSignatureFailed,
+ DecryptCertificateSignatureFailed,
+ DecryptCRLSignatureFailed, CertificateRejected,
+ PrivateKeyFailed, InvalidHost, Irrelevant,
+ SelfSignedInChain, ApplicationVerificationFailed,
+ AuthAndSubjectKeyIDAndNameMismatched,
+ AuthAndSubjectKeyIDMismatched, OutOfMemory,
+ GetCRLFailed, CertificateChainTooLong,
+ KeyMayNotSignCertificate,
+ // everything below this line has been kept for
+ // backwards compability. It can safely be deleted
+ Rejected, Revoked, Untrusted, SelfSignedChain,
+ SignatureFailed, Expired
+ };
enum KSSLPurpose { None=0, SSLServer=1, SSLClient=2,
- SMIMESign=3, SMIMEEncrypt=4, Any=5 };
+ SMIMESign=3, SMIMEEncrypt=4, Any=5 };
typedef QList<KSSLValidation> KSSLValidationList;
["ksslcertificate.cpp.patch" (text/x-diff)]
--- orig/ksslcertificate.cpp 2008-02-01 15:23:35.303114064 +0100
+++ ksslcertificate.cpp 2008-02-01 19:03:53.556379389 +0100
@@ -1,6 +1,7 @@
/* This file is part of the KDE project
*
* Copyright (C) 2000-2003 George Staikos <staikos@kde.org>
+ * 2008 Richard Hartmann <richih-kde@net.in.tum.de>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -128,40 +129,40 @@
KSSLCertificate *KSSLCertificate::fromX509(X509 *x5) {
-KSSLCertificate *n = NULL;
+ KSSLCertificate *n = NULL;
#ifdef KSSL_HAVE_SSL
if (x5) {
n = new KSSLCertificate;
n->setCert(KOSSL::self()->X509_dup(x5));
}
#endif
-return n;
+ return n;
}
KSSLCertificate *KSSLCertificate::fromString(const QByteArray &cert) {
- KSSLCertificate *n = NULL;
+ KSSLCertificate *n = NULL;
#ifdef KSSL_HAVE_SSL
- if (cert.isEmpty())
- return NULL;
+ if (cert.isEmpty())
+ return NULL;
- QByteArray qba = QByteArray::fromBase64(cert);
- unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
- X509 *x5c = KOSSL::self()->d2i_X509(NULL, &qbap, qba.size());
- if (!x5c) {
- return NULL;
- }
+ QByteArray qba = QByteArray::fromBase64(cert);
+ unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
+ X509 *x5c = KOSSL::self()->d2i_X509(NULL, &qbap, qba.size());
+ if (!x5c) {
+ return NULL;
+ }
- n = new KSSLCertificate;
- n->setCert(x5c);
+ n = new KSSLCertificate;
+ n->setCert(x5c);
#endif
- return n;
+ return n;
}
QString KSSLCertificate::getSubject() const {
-QString rc = "";
+ QString rc = "";
#ifdef KSSL_HAVE_SSL
char *t = d->kossl->X509_NAME_oneline(d->kossl->X509_get_subject_name(d->m_cert), \
0, 0); @@ -170,12 +171,12 @@
rc = t;
d->kossl->OPENSSL_free(t);
#endif
-return rc;
+ return rc;
}
QString KSSLCertificate::getSerialNumber() const {
-QString rc = "";
+ QString rc = "";
#ifdef KSSL_HAVE_SSL
ASN1_INTEGER *aint = d->kossl->X509_get_serialNumber(d->m_cert);
@@ -184,16 +185,16 @@
// d->kossl->ASN1_INTEGER_free(aint); this makes the sig test fail
}
#endif
-return rc;
+ return rc;
}
QString KSSLCertificate::getSignatureText() const {
-QString rc = "";
+ QString rc = "";
#ifdef KSSL_HAVE_SSL
-char *s;
-int n, i;
+ char *s;
+ int n, i;
i = d->kossl->OBJ_obj2nid(d->m_cert->sig_alg->algorithm);
rc = i18n("Signature Algorithm: ");
@@ -212,7 +213,7 @@
#endif
-return rc;
+ return rc;
}
@@ -271,7 +272,7 @@
#endif
-return rc;
+ return rc;
}
@@ -294,7 +295,7 @@
#endif
-return rc;
+ return rc;
}
@@ -320,7 +321,7 @@
}
#endif
-return rc;
+ return rc;
}
@@ -336,7 +337,7 @@
#ifndef NO_RSA
if (pkey->type == EVP_PKEY_RSA) {
x = d->kossl->BN_bn2hex(pkey->pkey.rsa->n);
- rc = i18n("Key type: RSA (%1 bit)", strlen(x)*4) + \
'\n'; + rc = i18n("Key type: RSA (%1 bit)", strlen(x)*4) + '\n';
rc += i18n("Modulus: ");
for (unsigned int i = 0; i < strlen(x); i++) {
@@ -359,7 +360,7 @@
if (pkey->type == EVP_PKEY_DSA) {
x = d->kossl->BN_bn2hex(pkey->pkey.dsa->p);
// hack - this may not be always accurate
- rc = i18n("Key type: DSA (%1 bit)", strlen(x)*4) + \
'\n'; + rc = i18n("Key type: DSA (%1 bit)", strlen(x)*4) + '\n';
rc += i18n("Prime: ");
for (unsigned int i = 0; i < strlen(x); i++) {
@@ -413,7 +414,7 @@
}
#endif
-return rc;
+ return rc;
}
@@ -431,7 +432,7 @@
d->kossl->OPENSSL_free(t);
#endif
-return rc;
+ return rc;
}
void KSSLCertificate::setChain(void *c) {
@@ -444,107 +445,107 @@
void KSSLCertificate::setCert(X509 *c) {
#ifdef KSSL_HAVE_SSL
-d->m_cert = c;
-if (c) {
- d->_extensions.flags = 0;
- d->kossl->X509_check_purpose(c, -1, 0); // setup the fields (!!)
+ d->m_cert = c;
+ if (c) {
+ d->_extensions.flags = 0;
+ d->kossl->X509_check_purpose(c, -1, 0); // setup the fields (!!)
#if 0
- kDebug(7029) << "---------------- Certificate ------------------"
- << endl;
- kDebug(7029) << getSubject();
-#endif
-
- for (int j = 0; j < d->kossl->X509_PURPOSE_get_count(); j++) {
- X509_PURPOSE *ptmp = d->kossl->X509_PURPOSE_get0(j);
- int id = d->kossl->X509_PURPOSE_get_id(ptmp);
- for (int ca = 0; ca < 2; ca++) {
- int idret = d->kossl->X509_check_purpose(c, id, ca);
- if (idret == 1 || idret == 2) { // have it
-// kDebug() << "PURPOSE: " << id << (ca?" CA":"");
- if (!ca)
- d->_extensions.flags |= (1L <<(id-1));
- else d->_extensions.flags |= (1L <<(16+id-1));
- } else {
- if (!ca)
- d->_extensions.flags &= ~(1L <<(id-1));
- else d->_extensions.flags &= ~(1L <<(16+id-1));
+ kDebug(7029) << "---------------- Certificate ------------------"
+ << endl;
+ kDebug(7029) << getSubject();
+#endif
+
+ for (int j = 0; j < d->kossl->X509_PURPOSE_get_count(); j++) {
+ X509_PURPOSE *ptmp = d->kossl->X509_PURPOSE_get0(j);
+ int id = d->kossl->X509_PURPOSE_get_id(ptmp);
+ for (int ca = 0; ca < 2; ca++) {
+ int idret = d->kossl->X509_check_purpose(c, id, ca);
+ if (idret == 1 || idret == 2) { // have it
+ // kDebug() << "PURPOSE: " << id << (ca?" CA":"");
+ if (!ca)
+ d->_extensions.flags |= (1L <<(id-1));
+ else d->_extensions.flags |= (1L <<(16+id-1));
+ } else {
+ if (!ca)
+ d->_extensions.flags &= ~(1L <<(id-1));
+ else d->_extensions.flags &= ~(1L <<(16+id-1));
+ }
}
}
- }
#if 0
- kDebug(7029) << "flags: " << QString::number(c->ex_flags, 2)
- << "\nkeyusage: " << QString::number(c->ex_kusage, 2)
- << "\nxkeyusage: " << QString::number(c->ex_xkusage, 2)
- << "\nnscert: " << QString::number(c->ex_nscert, 2)
- << endl;
- if (c->ex_flags & EXFLAG_KUSAGE)
- kDebug(7029) << " --- Key Usage extensions found";
- else kDebug(7029) << " --- Key Usage extensions NOT found";
-
- if (c->ex_flags & EXFLAG_XKUSAGE)
- kDebug(7029) << " --- Extended key usage extensions found";
- else kDebug(7029) << " --- Extended key usage extensions NOT found";
-
- if (c->ex_flags & EXFLAG_NSCERT)
- kDebug(7029) << " --- NS extensions found";
- else kDebug(7029) << " --- NS extensions NOT found";
-
- if (d->_extensions.certTypeSSLCA())
- kDebug(7029) << "NOTE: this is an SSL CA file.";
- else kDebug(7029) << "NOTE: this is NOT an SSL CA file.";
-
- if (d->_extensions.certTypeEmailCA())
- kDebug(7029) << "NOTE: this is an EMAIL CA file.";
- else kDebug(7029) << "NOTE: this is NOT an EMAIL CA file.";
-
- if (d->_extensions.certTypeCodeCA())
- kDebug(7029) << "NOTE: this is a CODE CA file.";
- else kDebug(7029) << "NOTE: this is NOT a CODE CA file.";
-
- if (d->_extensions.certTypeSSLClient())
- kDebug(7029) << "NOTE: this is an SSL client.";
- else kDebug(7029) << "NOTE: this is NOT an SSL client.";
-
- if (d->_extensions.certTypeSSLServer())
- kDebug(7029) << "NOTE: this is an SSL server.";
- else kDebug(7029) << "NOTE: this is NOT an SSL server.";
-
- if (d->_extensions.certTypeNSSSLServer())
- kDebug(7029) << "NOTE: this is a NETSCAPE SSL server.";
- else kDebug(7029) << "NOTE: this is NOT a NETSCAPE SSL server.";
-
- if (d->_extensions.certTypeSMIME())
- kDebug(7029) << "NOTE: this is an SMIME certificate.";
- else kDebug(7029) << "NOTE: this is NOT an SMIME certificate.";
-
- if (d->_extensions.certTypeSMIMEEncrypt())
- kDebug(7029) << "NOTE: this is an SMIME encrypt cert.";
- else kDebug(7029) << "NOTE: this is NOT an SMIME encrypt cert.";
-
- if (d->_extensions.certTypeSMIMESign())
- kDebug(7029) << "NOTE: this is an SMIME sign cert.";
- else kDebug(7029) << "NOTE: this is NOT an SMIME sign cert.";
-
- if (d->_extensions.certTypeCRLSign())
- kDebug(7029) << "NOTE: this is a CRL signer.";
- else kDebug(7029) << "NOTE: this is NOT a CRL signer.";
+ kDebug(7029) << "flags: " << QString::number(c->ex_flags, 2)
+ << "\nkeyusage: " << QString::number(c->ex_kusage, 2)
+ << "\nxkeyusage: " << QString::number(c->ex_xkusage, 2)
+ << "\nnscert: " << QString::number(c->ex_nscert, 2)
+ << endl;
+ if (c->ex_flags & EXFLAG_KUSAGE)
+ kDebug(7029) << " --- Key Usage extensions found";
+ else kDebug(7029) << " --- Key Usage extensions NOT found";
+
+ if (c->ex_flags & EXFLAG_XKUSAGE)
+ kDebug(7029) << " --- Extended key usage extensions found";
+ else kDebug(7029) << " --- Extended key usage extensions NOT found";
+
+ if (c->ex_flags & EXFLAG_NSCERT)
+ kDebug(7029) << " --- NS extensions found";
+ else kDebug(7029) << " --- NS extensions NOT found";
+
+ if (d->_extensions.certTypeSSLCA())
+ kDebug(7029) << "NOTE: this is an SSL CA file.";
+ else kDebug(7029) << "NOTE: this is NOT an SSL CA file.";
+
+ if (d->_extensions.certTypeEmailCA())
+ kDebug(7029) << "NOTE: this is an EMAIL CA file.";
+ else kDebug(7029) << "NOTE: this is NOT an EMAIL CA file.";
+
+ if (d->_extensions.certTypeCodeCA())
+ kDebug(7029) << "NOTE: this is a CODE CA file.";
+ else kDebug(7029) << "NOTE: this is NOT a CODE CA file.";
+
+ if (d->_extensions.certTypeSSLClient())
+ kDebug(7029) << "NOTE: this is an SSL client.";
+ else kDebug(7029) << "NOTE: this is NOT an SSL client.";
+
+ if (d->_extensions.certTypeSSLServer())
+ kDebug(7029) << "NOTE: this is an SSL server.";
+ else kDebug(7029) << "NOTE: this is NOT an SSL server.";
+
+ if (d->_extensions.certTypeNSSSLServer())
+ kDebug(7029) << "NOTE: this is a NETSCAPE SSL server.";
+ else kDebug(7029) << "NOTE: this is NOT a NETSCAPE SSL server.";
+
+ if (d->_extensions.certTypeSMIME())
+ kDebug(7029) << "NOTE: this is an SMIME certificate.";
+ else kDebug(7029) << "NOTE: this is NOT an SMIME certificate.";
+
+ if (d->_extensions.certTypeSMIMEEncrypt())
+ kDebug(7029) << "NOTE: this is an SMIME encrypt cert.";
+ else kDebug(7029) << "NOTE: this is NOT an SMIME encrypt cert.";
+
+ if (d->_extensions.certTypeSMIMESign())
+ kDebug(7029) << "NOTE: this is an SMIME sign cert.";
+ else kDebug(7029) << "NOTE: this is NOT an SMIME sign cert.";
+
+ if (d->_extensions.certTypeCRLSign())
+ kDebug(7029) << "NOTE: this is a CRL signer.";
+ else kDebug(7029) << "NOTE: this is NOT a CRL signer.";
- kDebug(7029) << "-----------------------------------------------"
- << endl;
+ kDebug(7029) << "-----------------------------------------------"
+ << endl;
#endif
-}
+ }
#endif
-d->m_stateCached = false;
-d->m_stateCache = KSSLCertificate::Unknown;
+ d->m_stateCached = false;
+ d->m_stateCache = KSSLCertificate::Unknown;
}
X509 *KSSLCertificate::getCert() {
#ifdef KSSL_HAVE_SSL
return d->m_cert;
#endif
-return 0;
+ return 0;
}
// pull in the callback. It's common across multiple files but we want
@@ -564,7 +565,7 @@
int KSSLCertificate::purposeToOpenSSL(KSSLCertificate::KSSLPurpose p) const {
-int rc = 0;
+ int rc = 0;
#ifdef KSSL_HAVE_SSL
if (p == KSSLCertificate::SSLServer) {
rc = X509_PURPOSE_SSL_SERVER;
@@ -578,7 +579,7 @@
rc = X509_PURPOSE_ANY;
}
#endif
-return rc;
+ return rc;
}
@@ -729,7 +730,7 @@
//kDebug(7029) << "KSSL Validation procedure RESULTS: "
// << ksslv << endl;
- if (ksslv != NoCARoot && ksslv != InvalidCA) {
+ if (ksslv != NoCARoot && ksslv != InvalidCA && ksslv != GetIssuerCertFailed && \
ksslv != DecodeIssuerPublicKeyFailed && ksslv != GetIssuerCertLocallyFailed ) { \
d->m_stateCached = true; d->m_stateCache = ksslv;
}
@@ -758,150 +759,253 @@
KSSLCertificate::KSSLValidation KSSLCertificate::processError(int ec) {
-KSSLCertificate::KSSLValidation rc;
+ KSSLCertificate::KSSLValidation rc;
-rc = KSSLCertificate::Unknown;
+ rc = KSSLCertificate::Unknown;
#ifdef KSSL_HAVE_SSL
switch (ec) {
- case X509_V_OK: // OK
- rc = KSSLCertificate::Ok;
- break;
+ // see man 1 verify for a detailed listing of all error codes
- case X509_V_ERR_CERT_REJECTED:
- rc = KSSLCertificate::Rejected;
- break;
+ // error 0
+ case X509_V_OK:
+ rc = KSSLCertificate::Ok;
+ break;
- case X509_V_ERR_CERT_UNTRUSTED:
- rc = KSSLCertificate::Untrusted;
- break;
+ // error 2
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ rc = KSSLCertificate::GetIssuerCertFailed;
+ break;
+ // error 3
+ case X509_V_ERR_UNABLE_TO_GET_CRL:
+ rc = KSSLCertificate::GetCRLFailed;
+ break;
- case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
- case X509_V_ERR_CERT_SIGNATURE_FAILURE:
- case X509_V_ERR_CRL_SIGNATURE_FAILURE:
- case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
- case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
- rc = KSSLCertificate::SignatureFailed;
- break;
+ // error 4
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+ rc = KSSLCertificate::DecryptCertificateSignatureFailed;
+ break;
- case X509_V_ERR_INVALID_CA:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- rc = KSSLCertificate::InvalidCA;
- break;
+ // error 5
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+ rc = KSSLCertificate::DecryptCRLSignatureFailed;
+ break;
+ // error 6
+ case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+ rc = KSSLCertificate::DecodeIssuerPublicKeyFailed;
+ break;
- case X509_V_ERR_INVALID_PURPOSE:
- rc = KSSLCertificate::InvalidPurpose;
- break;
+ // error 7
+ case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+ rc = KSSLCertificate::CertificateSignatureFailed;
+ break;
+ // error 8
+ case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+ rc = KSSLCertificate::CRLSignatureFailed;
+ break;
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- rc = KSSLCertificate::SelfSigned;
- break;
+ // error 9
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ rc = KSSLCertificate::CertificateNotYetValid;
+ break;
- case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- rc = KSSLCertificate::SelfSignedChain;
- break;
+ // error 10
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ rc = KSSLCertificate::CertificateHasExpired;
+ kDebug(7029) << "KSSL apparently this is expired. Not after: "
+ << getNotAfter() << endl;
+ break;
- case X509_V_ERR_CERT_REVOKED:
- rc = KSSLCertificate::Revoked;
- break;
+ // error 11
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ rc = KSSLCertificate::CRLNotYetValid;
+ break;
- case X509_V_ERR_PATH_LENGTH_EXCEEDED:
- rc = KSSLCertificate::PathLengthExceeded;
- break;
+ // error 12
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ rc = KSSLCertificate::CRLHasExpired;
+ break;
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_CRL_NOT_YET_VALID:
- case X509_V_ERR_CRL_HAS_EXPIRED:
- case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
- case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
- rc = KSSLCertificate::Expired;
- kDebug(7029) << "KSSL apparently this is expired. Not after: "
- << getNotAfter() << endl;
- break;
+ // error 13
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ rc = KSSLCertificate::CertificateFieldNotBeforeErroneous;
+ break;
- //case 1:
- case X509_V_ERR_APPLICATION_VERIFICATION:
- case X509_V_ERR_OUT_OF_MEM:
- case X509_V_ERR_UNABLE_TO_GET_CRL:
- case X509_V_ERR_CERT_CHAIN_TOO_LONG:
- default:
- rc = KSSLCertificate::Unknown;
- break;
-}
+ // error 14
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ rc = KSSLCertificate::CertificateFieldNotAfterErroneous;
+ break;
+
+ // error 15 - unused as of OpenSSL 0.9.8g
+ case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+ rc = KSSLCertificate::CRLFieldLastUpdateErroneous;
+ break;
-d->m_stateCache = rc;
-d->m_stateCached = true;
+ // error 16 - unused as of OpenSSL 0.9.8g
+ case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+ rc = KSSLCertificate::CRLFieldNextUpdateErroneous;
+ break;
+
+ // error 17
+ case X509_V_ERR_OUT_OF_MEM:
+ rc = KSSLCertificate::OutOfMemory;
+ break;
+
+ // error 18
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ rc = KSSLCertificate::SelfSigned;
+ break;
+
+ // error 19
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ rc = KSSLCertificate::SelfSignedInChain;
+ break;
+
+ // error 20
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ rc = KSSLCertificate::GetIssuerCertLocallyFailed;
+ break;
+
+ // error 21
+ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ rc = KSSLCertificate::VerifyLeafSignatureFailed;
+ break;
+
+ // error 22 - unused as of OpenSSL 0.9.8g
+ case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ rc = KSSLCertificate::CertificateChainTooLong;
+ break;
+
+ // error 23 - unused as of OpenSSL 0.9.8g
+ case X509_V_ERR_CERT_REVOKED:
+ rc = KSSLCertificate::CertificateRevoked;
+ break;
+
+ // error 24
+ case X509_V_ERR_INVALID_CA:
+ rc = KSSLCertificate::InvalidCA;
+ break;
+
+ // error 25
+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+ rc = KSSLCertificate::PathLengthExceeded;
+ break;
+
+ // error 26
+ case X509_V_ERR_INVALID_PURPOSE:
+ rc = KSSLCertificate::InvalidPurpose;
+ break;
+
+ // error 27
+ case X509_V_ERR_CERT_UNTRUSTED:
+ rc = KSSLCertificate::CertificateUntrusted;
+ break;
+
+ // error 28
+ case X509_V_ERR_CERT_REJECTED:
+ rc = KSSLCertificate::CertificateRejected;
+ break;
+
+ // error 29 - only used with -issuer_checks
+ case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+ rc = KSSLCertificate::IssuerSubjectMismatched;
+ break;
+
+ // error 30 - only used with -issuer_checks
+ case X509_V_ERR_AKID_SKID_MISMATCH:
+ rc = KSSLCertificate::AuthAndSubjectKeyIDMismatched;
+ break;
+
+ // error 31 - only used with -issuer_checks
+ case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+ rc = KSSLCertificate::AuthAndSubjectKeyIDAndNameMismatched;
+ break;
+
+ // error 32
+ case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+ rc = KSSLCertificate::KeyMayNotSignCertificate;
+ break;
+
+
+ // error 50 - unused as of OpenSSL 0.9.8g
+ case X509_V_ERR_APPLICATION_VERIFICATION:
+ rc = KSSLCertificate::ApplicationVerificationFailed;
+ break;
+
+
+ default:
+ rc = KSSLCertificate::Unknown;
+ break;
+ }
+
+ d->m_stateCache = rc;
+ d->m_stateCached = true;
#endif
-return rc;
+ return rc;
}
QString KSSLCertificate::getNotBefore() const {
#ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert));
+ return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert));
#else
-return QString();
+ return QString();
#endif
}
QString KSSLCertificate::getNotAfter() const {
#ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert));
+ return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert));
#else
-return QString();
+ return QString();
#endif
}
QDateTime KSSLCertificate::getQDTNotBefore() const {
#ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL);
+ return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL);
#else
-return QDateTime::currentDateTime();
+ return QDateTime::currentDateTime();
#endif
}
QDateTime KSSLCertificate::getQDTNotAfter() const {
#ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL);
+ return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL);
#else
-return QDateTime::currentDateTime();
+ return QDateTime::currentDateTime();
#endif
}
int operator==(KSSLCertificate &x, KSSLCertificate &y) {
#ifndef KSSL_HAVE_SSL
- return 1;
+ return 1;
#else
- if (!KOSSL::self()->X509_cmp(x.getCert(), y.getCert())) return 1;
- return 0;
+ if (!KOSSL::self()->X509_cmp(x.getCert(), y.getCert())) return 1;
+ return 0;
#endif
}
KSSLCertificate *KSSLCertificate::replicate() {
-// The new certificate doesn't have the cached value. It's probably
-// better this way. We can't anticipate every reason for doing this.
-KSSLCertificate *newOne = new KSSLCertificate();
+ // The new certificate doesn't have the cached value. It's probably
+ // better this way. We can't anticipate every reason for doing this.
+ KSSLCertificate *newOne = new KSSLCertificate();
#ifdef KSSL_HAVE_SSL
newOne->setCert(d->kossl->X509_dup(getCert()));
KSSLCertChain *c = d->_chain.replicate();
newOne->setChain(c->rawChain());
delete c;
#endif
-return newOne;
+ return newOne;
}
@@ -913,38 +1017,100 @@
QString KSSLCertificate::verifyText(KSSLValidation x) {
switch (x) {
-case KSSLCertificate::Ok:
- return i18n("The certificate is valid.");
-case KSSLCertificate::PathLengthExceeded:
-case KSSLCertificate::ErrorReadingRoot:
-case KSSLCertificate::NoCARoot:
- return i18n("Certificate signing authority root files could not be found so the \
certificate is not verified.");
-case KSSLCertificate::SelfSignedChain:
-case KSSLCertificate::InvalidCA:
- return i18n("Certificate signing authority is unknown or invalid.");
-case KSSLCertificate::SelfSigned:
- return i18n("Certificate is self-signed and thus may not be trustworthy.");
-case KSSLCertificate::Expired:
- return i18n("Certificate has expired.");
-case KSSLCertificate::Revoked:
- return i18n("Certificate has been revoked.");
-case KSSLCertificate::NoSSL:
- return i18n("SSL support was not found.");
-case KSSLCertificate::Untrusted:
- return i18n("Signature is untrusted.");
-case KSSLCertificate::SignatureFailed:
- return i18n("Signature test failed.");
-case KSSLCertificate::Rejected:
-case KSSLCertificate::InvalidPurpose:
- return i18n("Rejected, possibly due to an invalid purpose.");
-case KSSLCertificate::PrivateKeyFailed:
- return i18n("Private key test failed.");
-case KSSLCertificate::InvalidHost:
- return i18n("The certificate has not been issued for this host.");
-case KSSLCertificate::Irrelevant:
- return i18n("This certificate is not relevant.");
-default:
-break;
+ // messages for errors defined in verify(1)
+ case KSSLCertificate::Ok:
+ return i18n("The certificate is valid.");
+ case KSSLCertificate::GetIssuerCertFailed:
+ return i18n("Retrieval of the issuer certificate failed. This means the CA's \
(Certificate Authority) certificate can not be found."); + case \
KSSLCertificate::GetCRLFailed: + return i18n("Retrieval of the CRL (Certificate \
Revokation List) certificate failed. This means the CA's (Certificate Authority) CRL \
certificate can not be found."); + case \
KSSLCertificate::DecryptCertificateSignatureFailed: + return i18n("The decryption of \
the certificate's signature failed. This means it could not even be calculated as \
opposed to just not matching the expected result."); + case \
KSSLCertificate::DecryptCRLSignatureFailed: + return i18n("The decryption of the \
CRL's (Certificate Revokation List) signature failed. This means it could not even be \
calculated as opposed to just not matching the expected result."); + case \
KSSLCertificate::DecodeIssuerPublicKeyFailed: + return i18n("The decoding of the \
public key of the issuer failed. This means that the CA's (Certificate Authority) \
certificate can not be used to verify the certificate you wanted to use."); + case \
KSSLCertificate::CertificateSignatureFailed: + return i18n("The certificate's \
signature is invalid. This means that the certificate can not be verified."); + case \
KSSLCertificate::CRLSignatureFailed: + return i18n("The CRL's (Certificate \
Revokation List) signature is invalid. This means that the CRL can not be \
verified."); + case KSSLCertificate::CertificateNotYetValid:
+ return i18n("The certificate is not valid, yet.");
+ case KSSLCertificate::CertificateHasExpired:
+ return i18n("The certificate is not valid, any more.");
+ case KSSLCertificate::CRLNotYetValid:
+ return i18n("The CRL (Certificate Revokation List) is not valid, yet.");
+ case KSSLCertificate::CRLHasExpired:
+ return i18n("The CRL (Certificate Revokation List) is not valid, yet.");
+ case KSSLCertificate::CertificateFieldNotBeforeErroneous:
+ return i18n("The time format of the certificate's 'notBefore' field is invalid.");
+ case KSSLCertificate::CertificateFieldNotAfterErroneous:
+ return i18n("The time format of the certificate's 'notAfter' field is invalid.");
+ case KSSLCertificate::CRLFieldLastUpdateErroneous:
+ return i18n("The time format of the CRL's (Certificate Revokation List) \
'lastUpdate' field is invalid."); + case \
KSSLCertificate::CRLFieldNextUpdateErroneous: + return i18n("The time format of the \
CRL's (Certificate Revokation List) 'nextUpdate' field is invalid."); + case \
KSSLCertificate::OutOfMemory: + return i18n("The OpenSSL process ran out of \
memory."); + case KSSLCertificate::SelfSigned:
+ return i18n("The certificate is self-signed and not in the list of trusted \
certificates. If you want to accept this certificate, import it into the list of \
trusted certificates."); + case KSSLCertificate::SelfSignedChain: // this is \
obsolete and kept around for backwards compability, only + case \
KSSLCertificate::SelfSignedInChain: + return i18n("The certificate is self-signed. \
While the trust chain could be built up, the root CA's (Certificate Authority) \
certificate can not be found."); + case KSSLCertificate::GetIssuerCertLocallyFailed:
+ return i18n("The CA's (Certificate Authority) certificate can not be found. Most \
likely, your trust chain is broken."); + case \
KSSLCertificate::VerifyLeafSignatureFailed: + return i18n("The certificate can not \
be verified as it is the only certificate in the trust chain and not self-signed. If \
you self-sign the certificate, make sure to import it into the list of trusted \
certificates."); + case KSSLCertificate::CertificateChainTooLong:
+ return i18n("The certificate chain is longer than the maximum depth specified.");
+ case KSSLCertificate::Revoked: // this is obsolete and kept around for \
backwards compability, only + case KSSLCertificate::CertificateRevoked:
+ return i18n("The certificate has been revoked.");
+ case KSSLCertificate::InvalidCA:
+ return i18n("The certificate's CA (Certificate Authority) is invalid.");
+ case KSSLCertificate::PathLengthExceeded:
+ return i18n("The length of the trust chain exceeded one of the CA's (Certificate \
Authority) 'pathlength' parameter, making all subsequent signatures invalid."); \
+ case KSSLCertificate::InvalidPurpose: + return i18n("The certificate has not been \
signed for the purpose iyou tried to use it for. This means the CA (Certificate \
Authority) does not allow this usage."); + case KSSLCertificate::Untrusted: // \
this is obsolete and kept around for backwards compability, only + case \
KSSLCertificate::CertificateUntrusted: + return i18n("The root CA (Certificate \
Authority) is not trusted for the purpose you tried to use this certificate for."); \
+ case KSSLCertificate::Rejected: // this is obsolete and kept around for \
backwards compability, only // this is obsolete and kept around for backwards \
compability, onle + case KSSLCertificate::CertificateRejected:
+ return i18n("The root CA (Certificate Authority) has been marked to be rejected \
for the purpose you tried to use it for."); + case \
KSSLCertificate::IssuerSubjectMismatched: + return i18n("The certificate's CA's \
(Certificate Authority) does not match the name CA name of the certificate."); + case \
KSSLCertificate::AuthAndSubjectKeyIDMismatched: + return i18n("The CA's (Certificate \
Authority) certificate's key ID does not match the key ID in the 'Issuer' section of \
the certificate you are trying to use."); + case \
KSSLCertificate::AuthAndSubjectKeyIDAndNameMismatched: + return i18n("The CA's \
(Certificate Authority) certificate's key ID and name do not match the key ID and \
name in the 'Issuer' section of the certificate you are trying to use."); + case \
KSSLCertificate::KeyMayNotSignCertificate: + return i18n("The certificate's CA \
(Certificate Authority) is not allowed to sign certificates."); + case \
KSSLCertificate::ApplicationVerificationFailed: + return i18n("OpenSSL could not be \
verified."); +
+
+ // this is obsolete and kept around for backwards compability, only
+ case KSSLCertificate::SignatureFailed:
+ return i18n("The signature test for this certificate failed. This could mean that \
the signature of this certificate or any in its trust path are invalid, could not be \
decoded or that the CRL (Certificate Revokation List) could not be verified. If you \
see this message, please let the author of the software you are using know that he or \
she should use the new, more specific error messages."); + case \
KSSLCertificate::Expired: + return i18n("This certificate, any in its trust path or \
its CA's (Certificate Authority) CRL (Certificate Revokation List) is not valid. Any \
of them could not be valid yet or not valid any more. If you see this message, please \
let the author of the software you are using know that he or she should use the new, \
morespecific error messages."); + // continue 'useful' messages
+
+ // other error messages
+ case KSSLCertificate::ErrorReadingRoot:
+ case KSSLCertificate::NoCARoot:
+ return i18n("Certificate signing authority root files could not be found so the \
certificate is not verified."); + case KSSLCertificate::NoSSL:
+ return i18n("SSL support was not found.");
+ case KSSLCertificate::PrivateKeyFailed:
+ return i18n("Private key test failed.");
+ case KSSLCertificate::InvalidHost:
+ return i18n("The certificate has not been issued for this host.");
+ case KSSLCertificate::Irrelevant:
+ return i18n("This certificate is not relevant.");
+ default:
+ break;
}
return i18n("The certificate is invalid.");
@@ -952,23 +1118,23 @@
QByteArray KSSLCertificate::toDer() {
-QByteArray qba;
+ QByteArray qba;
#ifdef KSSL_HAVE_SSL
- int certlen = d->kossl->i2d_X509(getCert(), NULL);
- if (certlen >= 0) {
-// These should technically be unsigned char * but it doesn't matter
-// for our purposes
-char *cert = new char[certlen];
-unsigned char *p = (unsigned char *)cert;
- // FIXME: return code!
- d->kossl->i2d_X509(getCert(), &p);
-
- // encode it into a QString
- qba = QByteArray(cert, certlen);
- delete[] cert;
- }
+ int certlen = d->kossl->i2d_X509(getCert(), NULL);
+ if (certlen >= 0) {
+ // These should technically be unsigned char * but it doesn't matter
+ // for our purposes
+ char *cert = new char[certlen];
+ unsigned char *p = (unsigned char *)cert;
+ // FIXME: return code!
+ d->kossl->i2d_X509(getCert(), &p);
+
+ // encode it into a QString
+ qba = QByteArray(cert, certlen);
+ delete[] cert;
+ }
#endif
-return qba;
+ return qba;
}
@@ -1057,26 +1223,26 @@
bool KSSLCertificate::setCert(const QString& cert) {
#ifdef KSSL_HAVE_SSL
- QByteArray qba, qbb = cert.toLocal8Bit();
- qba = QByteArray::fromBase64(qbb);
- unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
- X509 *x5c = KOSSL::self()->d2i_X509(NULL, &qbap, qba.size());
- if (x5c) {
- setCert(x5c);
- return true;
- }
+ QByteArray qba, qbb = cert.toLocal8Bit();
+ qba = QByteArray::fromBase64(qbb);
+ unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
+ X509 *x5c = KOSSL::self()->d2i_X509(NULL, &qbap, qba.size());
+ if (x5c) {
+ setCert(x5c);
+ return true;
+ }
#endif
-return false;
+ return false;
}
KSSLX509V3& KSSLCertificate::x509V3Extensions() {
-return d->_extensions;
+ return d->_extensions;
}
bool KSSLCertificate::isSigner() {
-return d->_extensions.certTypeCA();
+ return d->_extensions.certTypeCA();
}
@@ -1110,30 +1276,30 @@
QDataStream& operator<<(QDataStream& s, const KSSLCertificate& r) {
- QStringList qsl;
- QList<KSSLCertificate *> cl = \
const_cast<KSSLCertificate&>(r).chain().getChain(); + QStringList qsl;
+ QList<KSSLCertificate *> cl = const_cast<KSSLCertificate&>(r).chain().getChain();
- foreach(KSSLCertificate *c, cl) {
- qsl << c->toString();
- }
+ foreach(KSSLCertificate *c, cl) {
+ qsl << c->toString();
+ }
- qDeleteAll(cl);
- s << const_cast<KSSLCertificate&>(r).toString() << qsl;
+ qDeleteAll(cl);
+ s << const_cast<KSSLCertificate&>(r).toString() << qsl;
- return s;
+ return s;
}
QDataStream& operator>>(QDataStream& s, KSSLCertificate& r) {
-QStringList qsl;
-QString cert;
+ QStringList qsl;
+ QString cert;
-s >> cert >> qsl;
+ s >> cert >> qsl;
- if (r.setCert(cert) && !qsl.isEmpty())
- r.chain().setCertChain(qsl);
+ if (r.setCert(cert) && !qsl.isEmpty())
+ r.chain().setCertChain(qsl);
-return s;
+ return s;
}
["kjavaappletserver.cpp.patch" (text/x-diff)]
--- orig/kjavaappletserver.cpp 2008-02-01 15:23:35.303114064 +0100
+++ kjavaappletserver.cpp 2008-02-01 18:42:14.482349379 +0100
@@ -2,6 +2,7 @@
*
* Copyright (C) 2000 Richard Moore <rich@kde.org>
* 2000 Wynn Wilkes <wynnw@caldera.com>
+ * 2008 Richard Hartmann <richih-kde@net.in.tum.de>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -70,7 +71,7 @@
#define KJAS_GET_URLDATA (char)12
#define KJAS_URLDATA (char)13
#define KJAS_SHUTDOWN_SERVER (char)14
-#define KJAS_JAVASCRIPT_EVENT (char)15
+#define KJAS_JAVASCRIPT_EVENT (char)15
#define KJAS_GET_MEMBER (char)16
#define KJAS_CALL_MEMBER (char)17
#define KJAS_PUT_MEMBER (char)18
@@ -674,20 +675,66 @@
text += i18n("PathLengthExceeded"); break;
case KSSLCertificate::InvalidCA:
text += i18n("InvalidCA"); break;
- case KSSLCertificate::Expired:
- text += i18n("Expired"); break;
+ case KSSLCertificate::GetIssuerCertFailed:
+ text += i18n("GetIssuerCertFailed"); break;
+ case KSSLCertificate::DecodeIssuerPublicKeyFailed:
+ text += i18n("DecodeIssuerPublicKeyFailed"); break;
+ case KSSLCertificate::GetIssuerCertLocallyFailed:
+ text += i18n("GetIssuerCertLocallyFailed"); break;
+ case KSSLCertificate::CertificateNotYetValid:
+ text += i18n("CertificateNotYetValid"); break;
+ case KSSLCertificate::CertificateHasExpired:
+ text += i18n("CertificateHasExpired"); break;
+ case KSSLCertificate::CRLNotYetValid:
+ text += i18n("CRLNotYetValid"); break;
+ case KSSLCertificate::CRLHasExpired:
+ text += i18n("CRLHasExpired"); break;
+ case KSSLCertificate::CertificateFieldNotBeforeErroneous:
+ text += i18n("CertificateFieldNotBeforeErroneous"); break;
+ case KSSLCertificate::CertificateFieldNotAfterErroneous:
+ text += i18n("CertificateFieldNotAfterErroneous"); break;
+ case KSSLCertificate::ApplicationVerificationFailed:
+ text += i18n("ApplicationVerificationFailed"); break;
+ case KSSLCertificate::OutOfMemory:
+ text += i18n("OutOfMemory"); break;
+ case KSSLCertificate::GetCRLFailed:
+ text += i18n("GetCRLFailed"); break;
+ case KSSLCertificate::IssuerSubjectMismatched:
+ text += i18n("IssuerSubjectMismatched"); break;
+ case KSSLCertificate::AuthAndSubjectKeyIDMismatched:
+ text += i18n("AuthAndSubjectKeyIDMismatched"); break;
+ case KSSLCertificate::AuthAndSubjectKeyIDAndNameMismatched:
+ text += i18n("AuthAndSubjectKeyIDAndNameMismatched"); break;
+ case KSSLCertificate::CertificateChainTooLong:
+ text += i18n("CertificateChainTooLong"); break;
+ case KSSLCertificate::KeyMayNotSignCertificate:
+ text += i18n("KeyMayNotSignCertificate"); break;
+ case KSSLCertificate::CRLFieldLastUpdateErroneous:
+ text += i18n("CRLFieldLastUpdateErroneous"); break;
+ case KSSLCertificate::CRLFieldNextUpdateErroneous:
+ text += i18n("CRLFieldNextUpdateErroneous"); break;
+ case KSSLCertificate::SelfSignedInChain:
+ text += i18n("SelfSignedInChain"); break;
case KSSLCertificate::SelfSigned:
text += i18n("SelfSigned"); break;
case KSSLCertificate::ErrorReadingRoot:
text += i18n("ErrorReadingRoot"); break;
- case KSSLCertificate::Revoked:
- text += i18n("Revoked"); break;
- case KSSLCertificate::Untrusted:
- text += i18n("Untrusted"); break;
- case KSSLCertificate::SignatureFailed:
- text += i18n("SignatureFailed"); break;
- case KSSLCertificate::Rejected:
- text += i18n("Rejected"); break;
+ case KSSLCertificate::CertificateRevoked:
+ text += i18n("CertificateRevoked"); break;
+ case KSSLCertificate::CertificateUntrusted:
+ text += i18n("CertificateUntrusted"); break;
+ case KSSLCertificate::VerifyLeafSignatureFailed:
+ text += i18n("VerifyLeafSignatureFailed"); break;
+ case KSSLCertificate::CertificateSignatureFailed:
+ text += i18n("CertificateSignatureFailed"); break;
+ case KSSLCertificate::CRLSignatureFailed:
+ text += i18n("CRLSignatureFailed"); break;
+ case KSSLCertificate::DecryptCertificateSignatureFailed:
+ text += i18n("DecryptCertificateSignatureFailed"); break;
+ case KSSLCertificate::DecryptCRLSignatureFailed:
+ text += i18n("DecryptCRLSignatureFailed"); break;
+ case KSSLCertificate::CertificateRejected:
+ text += i18n("CertificateRejected"); break;
case KSSLCertificate::PrivateKeyFailed:
text += i18n("PrivateKeyFailed"); break;
case KSSLCertificate::InvalidHost:
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic