551 lines
28 KiB
HTML
551 lines
28 KiB
HTML
|
<?xml version="1.0" ?>
|
||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
||
|
<head>
|
||
|
<title>X509_STORE_CTX_get_error</title>
|
||
|
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
||
|
<link rev="made" href="mailto:root@localhost" />
|
||
|
</head>
|
||
|
|
||
|
<body style="background-color: white">
|
||
|
|
||
|
|
||
|
<!-- INDEX BEGIN -->
|
||
|
<div name="index">
|
||
|
<p><a name="__index__"></a></p>
|
||
|
|
||
|
<ul>
|
||
|
|
||
|
<li><a href="#name">NAME</a></li>
|
||
|
<li><a href="#synopsis">SYNOPSIS</a></li>
|
||
|
<li><a href="#description">DESCRIPTION</a></li>
|
||
|
<li><a href="#return_values">RETURN VALUES</a></li>
|
||
|
<li><a href="#error_codes">ERROR CODES</a></li>
|
||
|
<li><a href="#notes">NOTES</a></li>
|
||
|
<li><a href="#see_also">SEE ALSO</a></li>
|
||
|
<li><a href="#copyright">COPYRIGHT</a></li>
|
||
|
</ul>
|
||
|
|
||
|
<hr name="index" />
|
||
|
</div>
|
||
|
<!-- INDEX END -->
|
||
|
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="name">NAME</a></h1>
|
||
|
<p>X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
|
||
|
X509_STORE_CTX_get_error_depth, X509_STORE_CTX_set_error_depth,
|
||
|
X509_STORE_CTX_get_current_cert, X509_STORE_CTX_set_current_cert,
|
||
|
X509_STORE_CTX_get0_cert, X509_STORE_CTX_get1_chain,
|
||
|
X509_verify_cert_error_string - get or set certificate verification status
|
||
|
information</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
||
|
<pre>
|
||
|
#include <openssl/x509.h></pre>
|
||
|
<pre>
|
||
|
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
|
||
|
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
|
||
|
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
|
||
|
void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
|
||
|
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
|
||
|
void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
|
||
|
X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);</pre>
|
||
|
<pre>
|
||
|
STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);</pre>
|
||
|
<pre>
|
||
|
const char *X509_verify_cert_error_string(long n);</pre>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="description">DESCRIPTION</a></h1>
|
||
|
<p>These functions are typically called after X509_verify_cert() has indicated
|
||
|
an error or in a verification callback to determine the nature of an error.</p>
|
||
|
<p>X509_STORE_CTX_get_error() returns the error code of <strong>ctx</strong>, see
|
||
|
the <strong>ERROR CODES</strong> section for a full description of all error codes.</p>
|
||
|
<p>X509_STORE_CTX_set_error() sets the error code of <strong>ctx</strong> to <strong>s</strong>. For example
|
||
|
it might be used in a verification callback to set an error based on additional
|
||
|
checks.</p>
|
||
|
<p>X509_STORE_CTX_get_error_depth() returns the <strong>depth</strong> of the error. This is a
|
||
|
non-negative integer representing where in the certificate chain the error
|
||
|
occurred. If it is zero it occurred in the end entity certificate, one if
|
||
|
it is the certificate which signed the end entity certificate and so on.</p>
|
||
|
<p>X509_STORE_CTX_set_error_depth() sets the error <strong>depth</strong>.
|
||
|
This can be used in combination with X509_STORE_CTX_set_error() to set the
|
||
|
depth at which an error condition was detected.</p>
|
||
|
<p>X509_STORE_CTX_get_current_cert() returns the certificate in <strong>ctx</strong> which
|
||
|
caused the error or <strong>NULL</strong> if no certificate is relevant.</p>
|
||
|
<p>X509_STORE_CTX_set_current_cert() sets the certificate <strong>x</strong> in <strong>ctx</strong> which
|
||
|
caused the error.
|
||
|
This value is not intended to remain valid for very long, and remains owned by
|
||
|
the caller.
|
||
|
It may be examined by a verification callback invoked to handle each error
|
||
|
encountered during chain verification and is no longer required after such a
|
||
|
callback.
|
||
|
If a callback wishes the save the certificate for use after it returns, it
|
||
|
needs to increment its reference count via <em>X509_up_ref(3)</em>.
|
||
|
Once such a <em>saved</em> certificate is no longer needed it can be freed with
|
||
|
<em>X509_free(3)</em>.</p>
|
||
|
<p>X509_STORE_CTX_get0_cert() retrieves an internal pointer to the
|
||
|
certificate being verified by the <strong>ctx</strong>.</p>
|
||
|
<p>X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous
|
||
|
call to X509_verify_cert() is successful. If the call to X509_verify_cert()
|
||
|
is <strong>not</strong> successful the returned chain may be incomplete or invalid. The
|
||
|
returned chain persists after the <strong>ctx</strong> structure is freed, when it is
|
||
|
no longer needed it should be free up using:</p>
|
||
|
<pre>
|
||
|
sk_X509_pop_free(chain, X509_free);</pre>
|
||
|
<p>X509_verify_cert_error_string() returns a human readable error string for
|
||
|
verification error <strong>n</strong>.</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="return_values">RETURN VALUES</a></h1>
|
||
|
<p>X509_STORE_CTX_get_error() returns <strong>X509_V_OK</strong> or an error code.</p>
|
||
|
<p>X509_STORE_CTX_get_error_depth() returns a non-negative error depth.</p>
|
||
|
<p>X509_STORE_CTX_get_current_cert() returns the certificate which caused the
|
||
|
error or <strong>NULL</strong> if no certificate is relevant to the error.</p>
|
||
|
<p>X509_verify_cert_error_string() returns a human readable error string for
|
||
|
verification error <strong>n</strong>.</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="error_codes">ERROR CODES</a></h1>
|
||
|
<p>A list of error codes and messages is shown below. Some of the
|
||
|
error codes are defined but currently never returned: these are described as
|
||
|
"unused".</p>
|
||
|
<dl>
|
||
|
<dt><strong><a name="x509_v_ok_ok" class="item"><strong>X509_V_OK: ok</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The operation was successful.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unspecified_unspecified_certificate_verification_error" class="item"><strong>X509_V_ERR_UNSPECIFIED: unspecified certificate verification error</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Unspecified error; should not happen.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unable_to_get_issuer_cert_unable_to_get_issuer_certificate" class="item"><strong>X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The issuer certificate of a locally looked up certificate could not be found.
|
||
|
This normally means the list of trusted certificates is not complete.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unable_to_get_crl_unable_to_get_certificate_crl" class="item"><strong>X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The CRL of a certificate could not be found.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unable_to_decrypt_cert_signature_unable_to_decrypt_certificate_s_signature" class="item"><strong>X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The certificate signature could not be decrypted. This means that the actual
|
||
|
signature value could not be determined rather than it not matching the
|
||
|
expected value, this is only meaningful for RSA keys.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unable_to_decrypt_crl_signature_unable_to_decrypt_crl_s_signature" class="item"><strong>X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The CRL signature could not be decrypted: this means that the actual signature
|
||
|
value could not be determined rather than it not matching the expected value.
|
||
|
Unused.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unable_to_decode_issuer_public_key_unable_to_decode_issuer_public_key" class="item"><strong>X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The public key in the certificate <code>SubjectPublicKeyInfo</code> field could
|
||
|
not be read.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_cert_signature_failure_certificate_signature_failure" class="item"><strong>X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The signature of the certificate is invalid.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_crl_signature_failure_crl_signature_failure" class="item"><strong>X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The signature of the certificate is invalid.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_cert_not_yet_valid_certificate_is_not_yet_valid" class="item"><strong>X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The certificate is not yet valid: the <code>notBefore</code> date is after the
|
||
|
current time.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_cert_has_expired_certificate_has_expired" class="item"><strong>X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The certificate has expired: that is the <code>notAfter</code> date is before the
|
||
|
current time.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_crl_not_yet_valid_crl_is_not_yet_valid" class="item"><strong>X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The CRL is not yet valid.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_crl_has_expired_crl_has_expired" class="item"><strong>X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The CRL has expired.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_error_in_cert_not_before_field_format_error_in_certificate_s_notbefore_field" class="item"><strong>X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The certificate <strong>notBefore</strong> field contains an invalid time.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_error_in_cert_not_after_field_format_error_in_certificate_s_notafter_field" class="item"><strong>X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The certificate <strong>notAfter</strong> field contains an invalid time.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_error_in_crl_last_update_field_format_error_in_crl_s_lastupdate_field" class="item"><strong>X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The CRL <strong>lastUpdate</strong> field contains an invalid time.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_error_in_crl_next_update_field_format_error_in_crl_s_nextupdate_field" class="item"><strong>X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The CRL <strong>nextUpdate</strong> field contains an invalid time.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_out_of_mem_out_of_memory" class="item"><strong>X509_V_ERR_OUT_OF_MEM: out of memory</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>An error occurred trying to allocate memory.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_depth_zero_self_signed_cert_self_signed_certificate" class="item"><strong>X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The passed certificate is self-signed and the same certificate cannot be found
|
||
|
in the list of trusted certificates.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_self_signed_cert_in_chain_self_signed_certificate_in_certificate_chain" class="item"><strong>X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The certificate chain could be built up using the untrusted certificates but
|
||
|
the root could not be found locally.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unable_to_get_issuer_cert_locally_unable_to_get_local_issuer_certificate" class="item"><strong>X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The issuer certificate could not be found: this occurs if the issuer certificate
|
||
|
of an untrusted certificate cannot be found.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unable_to_verify_leaf_signature_unable_to_verify_the_first_certificate" class="item"><strong>X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>No signatures could be verified because the chain contains only one certificate
|
||
|
and it is not self signed.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_cert_chain_too_long_certificate_chain_too_long" class="item"><strong>X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The certificate chain length is greater than the supplied maximum depth. Unused.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_cert_revoked_certificate_revoked" class="item"><strong>X509_V_ERR_CERT_REVOKED: certificate revoked</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The certificate has been revoked.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_invalid_ca_invalid_ca_certificate" class="item"><strong>X509_V_ERR_INVALID_CA: invalid CA certificate</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>A CA certificate is invalid. Either it is not a CA or its extensions are not
|
||
|
consistent with the supplied purpose.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_path_length_exceeded_path_length_constraint_exceeded" class="item"><strong>X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The basicConstraints path-length parameter has been exceeded.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_invalid_purpose_unsupported_certificate_purpose" class="item"><strong>X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The supplied certificate cannot be used for the specified purpose.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_cert_untrusted_certificate_not_trusted" class="item"><strong>X509_V_ERR_CERT_UNTRUSTED: certificate not trusted</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The root CA is not marked as trusted for the specified purpose.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_cert_rejected_certificate_rejected" class="item"><strong>X509_V_ERR_CERT_REJECTED: certificate rejected</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The root CA is marked to reject the specified purpose.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_subject_issuer_mismatch_subject_issuer_mismatch" class="item"><strong>X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The current candidate issuer certificate was rejected because its subject name
|
||
|
did not match the issuer name of the current certificate.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_akid_skid_mismatch_authority_and_subject_key_identifier_mismatch" class="item"><strong>X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The current candidate issuer certificate was rejected because its subject key
|
||
|
identifier was present and did not match the authority key identifier current
|
||
|
certificate.
|
||
|
Not used as of OpenSSL 1.1.0.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_akid_issuer_serial_mismatch_authority_and_issuer_serial_number_mismatch" class="item"><strong>X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The current candidate issuer certificate was rejected because its issuer name
|
||
|
and serial number was present and did not match the authority key identifier of
|
||
|
the current certificate.
|
||
|
Not used as of OpenSSL 1.1.0.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_keyusage_no_certsign_key_usage_does_not_include_certificate_signing" class="item"><strong>X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The current candidate issuer certificate was rejected because its <strong>keyUsage</strong>
|
||
|
extension does not permit certificate signing.
|
||
|
Not used as of OpenSSL 1.1.0.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_invalid_extension_invalid_or_inconsistent_certificate_extension" class="item"><strong>X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>A certificate extension had an invalid value (for example an incorrect
|
||
|
encoding) or some value inconsistent with other extensions.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_invalid_policy_extension_invalid_or_inconsistent_certificate_policy_extension" class="item"><strong>X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>A certificate policies extension had an invalid value (for example an incorrect
|
||
|
encoding) or some value inconsistent with other extensions. This error only
|
||
|
occurs if policy processing is enabled.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_no_explicit_policy_no_explicit_policy" class="item"><strong>X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The verification flags were set to require and explicit policy but none was
|
||
|
present.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_different_crl_scope_different_crl_scope" class="item"><strong>X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The only CRLs that could be found did not match the scope of the certificate.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unsupported_extension_feature_unsupported_extension_feature" class="item"><strong>X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Some feature of a certificate extension is not supported. Unused.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_permitted_violation_permitted_subtree_violation" class="item"><strong>X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>A name constraint violation occurred in the permitted subtrees.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_excluded_violation_excluded_subtree_violation" class="item"><strong>X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>A name constraint violation occurred in the excluded subtrees.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_subtree_minmax_name_constraints_minimum_and_maximum_not_supported" class="item"><strong>X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>A certificate name constraints extension included a minimum or maximum field:
|
||
|
this is not supported.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unsupported_constraint_type_unsupported_name_constraint_type" class="item"><strong>X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>An unsupported name constraint type was encountered. OpenSSL currently only
|
||
|
supports directory name, DNS name, email and URI types.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unsupported_constraint_syntax_unsupported_or_invalid_name_constraint_syntax" class="item"><strong>X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The format of the name constraint is not recognised: for example an email
|
||
|
address format of a form not mentioned in <a href="http://www.ietf.org/rfc/rfc3280.txt" class="rfc">RFC3280</a>. This could be caused by
|
||
|
a garbage extension or some new feature not currently supported.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_crl_path_validation_error_crl_path_validation_error" class="item"><strong>X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>An error occurred when attempting to verify the CRL path. This error can only
|
||
|
happen if extended CRL checking is enabled.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_application_verification_application_verification_failure" class="item"><strong>X509_V_ERR_APPLICATION_VERIFICATION: application verification failure</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>An application specific error. This will never be returned unless explicitly
|
||
|
set by an application callback.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unable_to_get_crl_issuer_unable_to_get_crl_issuer_certificate" class="item"><strong>X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: unable to get CRL issuer certificate</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Unable to get CRL issuer certificate.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unhandled_critical_extension_unhandled_critical_extension" class="item"><strong>X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: unhandled critical extension</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Unhandled critical extension.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_keyusage_no_crl_sign_key_usage_does_not_include_crl_signing" class="item"><strong>X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include CRL signing</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Key usage does not include CRL signing.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unhandled_critical_crl_extension_unhandled_critical_crl_extension" class="item"><strong>X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Unhandled critical CRL extension.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="certificate" class="item"><strong>X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has CA markings)</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Invalid non-CA certificate has CA markings.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_proxy_path_length_exceeded_proxy_path_length_contraint_exceeded" class="item"><strong>X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length contraint exceeded</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Proxy path length constraint exceeded.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_keyusage_no_digital_signature_key_usage_does_not_include_digital_signature" class="item"><strong>X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: key usage does not include digital signature</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Key usage does not include digital signature, and therefore cannot sign
|
||
|
certificates.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_proxy_certificates_not_allowed_proxy_certificates_not_allowed_please_set_the_appropriate_flag" class="item"><strong>X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: proxy certificates not allowed, please set the appropriate flag</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Proxy certificates not allowed unless the <strong>-allow_proxy_certs</strong> option is used.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unnested_resource_rfc_3779_resource_not_subset_of_parent_s_resrouces" class="item"><strong>X509_V_ERR_UNNESTED_RESOURCE: <a href="http://www.ietf.org/rfc/rfc3779.txt" class="rfc">RFC 3779</a> resource not subset of parent's resrouces</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>See <a href="http://www.ietf.org/rfc/rfc3779.txt" class="rfc">RFC 3779</a> for details.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_unsupported_name_syntax_unsupported_or_invalid_name_syntax" class="item"><strong>X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: unsupported or invalid name syntax</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Unsupported or invalid name syntax.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_path_loop_path_loop" class="item"><strong>X509_V_ERR_PATH_LOOP: path loop</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Path loop.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_hostname_mismatch_hostname_mismatch" class="item"><strong>X509_V_ERR_HOSTNAME_MISMATCH: hostname mismatch</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Hostname mismatch.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_email_mismatch_email_address_mismatch" class="item"><strong>X509_V_ERR_EMAIL_MISMATCH: email address mismatch</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Email address mismatch.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_ip_address_mismatch_ip_address_mismatch" class="item"><strong>X509_V_ERR_IP_ADDRESS_MISMATCH: IP address mismatch</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>IP address mismatch.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_dane_no_match_no_matching_dane_tlsa_records" class="item"><strong>X509_V_ERR_DANE_NO_MATCH: no matching DANE TLSA records</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>DANE TLSA authentication is enabled, but no TLSA records matched the
|
||
|
certificate chain.
|
||
|
This error is only possible in <em>openssl-s_client(1)</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_ee_key_too_small_ee_certificate_key_too_weak" class="item"><strong>X509_V_ERR_EE_KEY_TOO_SMALL: EE certificate key too weak</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>EE certificate key too weak.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_err_ca_key_too_small_ca_certificate_key_too_weak" class="item"><strong>X509_ERR_CA_KEY_TOO_SMALL: CA certificate key too weak</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>CA certificate key too weak.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_err_ca_md_too_weak_ca_signature_digest_algorithm_too_weak" class="item"><strong>X509_ERR_CA_MD_TOO_WEAK: CA signature digest algorithm too weak</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>CA signature digest algorithm too weak.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_invalid_call_invalid_certificate_verification_context" class="item"><strong>X509_V_ERR_INVALID_CALL: invalid certificate verification context</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>invalid certificate verification context.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_store_lookup_issuer_certificate_lookup_error" class="item"><strong>X509_V_ERR_STORE_LOOKUP: issuer certificate lookup error</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Issuer certificate lookup error.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_no_valid_scts_certificate_transparency_required_but_no_valid_scts_found" class="item"><strong>X509_V_ERR_NO_VALID_SCTS: certificate transparency required, but no valid SCTs found</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Certificate Transparency required, but no valid SCTs found.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_proxy_subject_name_violation_proxy_subject_name_violation" class="item"><strong>X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION: proxy subject name violation</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Proxy subject name violation.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_ocsp_verify_needed_ocsp_verification_needed" class="item"><strong>X509_V_ERR_OCSP_VERIFY_NEEDED: OCSP verification needed</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Returned by the verify callback to indicate an OCSP verification is needed.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_ocsp_verify_failed_ocsp_verification_failed" class="item"><strong>X509_V_ERR_OCSP_VERIFY_FAILED: OCSP verification failed</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Returned by the verify callback to indicate OCSP verification failed.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_err_ocsp_cert_unknown_ocsp_unknown_cert" class="item"><strong>X509_V_ERR_OCSP_CERT_UNKNOWN: OCSP unknown cert</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Returned by the verify callback to indicate that the certificate is not
|
||
|
recognized by the OCSP responder.</p>
|
||
|
</li>
|
||
|
<li><strong><a name="v_error_no_issuer_publi_key_issuer_certificate_doesn_t_have_a_public_key" class="item"><strong>509_V_ERROR_NO_ISSUER_PUBLI_KEY, issuer certificate doesn't have a public key</strong></a></strong>
|
||
|
|
||
|
<p>The issuer certificate does not have a public key.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="x509_v_error_signature_algorithm_mismatch_subject_signature_algorithm_and_issuer_public_key_algoritm_mismatch" class="item"><strong>X509_V_ERROR_SIGNATURE_ALGORITHM_MISMATCH, Subject signature algorithm and issuer public key algoritm mismatch</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The issuer's public key is not of the type required by the signature in
|
||
|
the subject's certificate.</p>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="notes">NOTES</a></h1>
|
||
|
<p>The above functions should be used instead of directly referencing the fields
|
||
|
in the <strong>X509_VERIFY_CTX</strong> structure.</p>
|
||
|
<p>In versions of OpenSSL before 1.0 the current certificate returned by
|
||
|
X509_STORE_CTX_get_current_cert() was never <strong>NULL</strong>. Applications should
|
||
|
check the return value before printing out any debugging information relating
|
||
|
to the current certificate.</p>
|
||
|
<p>If an unrecognised error code is passed to X509_verify_cert_error_string() the
|
||
|
numerical value of the unknown code is returned in a static buffer. This is not
|
||
|
thread safe but will never happen unless an invalid code is passed.</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="see_also">SEE ALSO</a></h1>
|
||
|
<p><em>X509_verify_cert(3)</em>,
|
||
|
<em>X509_up_ref(3)</em>,
|
||
|
<em>X509_free(3)</em>.</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="copyright">COPYRIGHT</a></h1>
|
||
|
<p>Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved.</p>
|
||
|
<p>Licensed under the Apache License 2.0 (the "License"). You may not use
|
||
|
this file except in compliance with the License. You can obtain a copy
|
||
|
in the file LICENSE in the source distribution or at
|
||
|
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
|
||
|
|
||
|
</body>
|
||
|
|
||
|
</html>
|