src/net/cert/internal/common_cert_errors.h - cobalt - Git at Google

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_
 #define NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_

 #include "net/base/net_export.h"
 #include "net/cert/internal/cert_errors.h"

 // This file contains the set of "default" certificate errors (those
 // defined by the core verification/path building code).
 //
 // Errors may be defined for other domains.
 namespace net {

 namespace cert_errors {

 // The verification time is after the certificate's notAfter time.
 NET_EXPORT extern const CertErrorId kValidityFailedNotAfter;

 // The verification time is before the certificate's notBefore time.
 NET_EXPORT extern const CertErrorId kValidityFailedNotBefore;

 // The certificate is actively distrusted by the trust store (this is separate
 // from other revocation mechanisms).
 NET_EXPORT extern const CertErrorId kDistrustedByTrustStore;

 // The certificate disagrees on what the signature algorithm was
 // (Certificate.signatureAlgorithm != TBSCertificate.signature).
 NET_EXPORT extern const CertErrorId kSignatureAlgorithmMismatch;

 // Certificate verification was called with an empty chain.
 NET_EXPORT extern const CertErrorId kChainIsEmpty;

 // Certificate verification was called with a chain of length 1, which is not
 // supported (i.e. the target certificate cannot also be a trusted
 // certificate). See https://crbug.com/814994.
 NET_EXPORT extern const CertErrorId kChainIsLength1;

 // The certificate contains an unknown extension which is marked as critical.
 NET_EXPORT extern const CertErrorId kUnconsumedCriticalExtension;

 // The target certificate appears to be a CA (has Basic Constraints CA=true),
 // however does not have a keyUsage consistent with being a CA (keyCertSign).
 NET_EXPORT extern const CertErrorId kTargetCertInconsistentCaBits;

 // The certificate is being used to sign other certificates, however the
 // keyCertSign KeyUsage was not set.
 NET_EXPORT extern const CertErrorId kKeyCertSignBitNotSet;

 // The chain violates the max_path_length from BasicConstraints.
 NET_EXPORT extern const CertErrorId kMaxPathLengthViolated;

 // The certificate being used to sign other certificates has a
 // BasicConstraints extension, however it sets CA=false
 NET_EXPORT extern const CertErrorId kBasicConstraintsIndicatesNotCa;

 // The certificate being used to sign other certificates does not include a
 // BasicConstraints extension.
 NET_EXPORT extern const CertErrorId kMissingBasicConstraints;

 // The certificate has a subject or subjectAltName that violates an issuer's
 // name constraints.
 NET_EXPORT extern const CertErrorId kNotPermittedByNameConstraints;

 // The chain has an excessive number of names and/or name constraints.
 NET_EXPORT extern const CertErrorId kTooManyNameConstraintChecks;

 // The certificate's issuer field does not match the subject of its alleged
 // issuer.
 NET_EXPORT extern const CertErrorId kSubjectDoesNotMatchIssuer;

 // Failed to verify the certificate's signature using its issuer's public key.
 NET_EXPORT extern const CertErrorId kVerifySignedDataFailed;

 // The certificate encodes its signature differently between
 // Certificate.algorithm and TBSCertificate.signature, but it appears
 // to be the same algorithm.
 NET_EXPORT extern const CertErrorId kSignatureAlgorithmsDifferentEncoding;

 // The certificate verification is being done for serverAuth, however the
 // certificate lacks serverAuth in its ExtendedKeyUsages.
 NET_EXPORT extern const CertErrorId kEkuLacksServerAuth;

 // The certificate verification is being done for clientAuth, however the
 // certificate lacks clientAuth in its ExtendedKeyUsages.
 NET_EXPORT extern const CertErrorId kEkuLacksClientAuth;

 // The root certificate in a chain is not trusted.
 NET_EXPORT extern const CertErrorId kCertIsNotTrustAnchor;

 // The chain is not valid for any policy, and an explicit policy was required.
 // (Either because the relying party requested it during verificaiton, or it was
 // requrested by a PolicyConstraints extension).
 NET_EXPORT extern const CertErrorId kNoValidPolicy;

 // The certificate is trying to map to, or from, anyPolicy.
 NET_EXPORT extern const CertErrorId kPolicyMappingAnyPolicy;

 // The public key in this certificate could not be parsed.
 NET_EXPORT extern const CertErrorId kFailedParsingSpki;

 // The certificate's signature algorithm (used to verify its
 // signature) is not acceptable by the consumer. What constitutes as
 // "acceptable" is determined by the verification delegate.
 NET_EXPORT extern const CertErrorId kUnacceptableSignatureAlgorithm;

 // The certificate's public key is not acceptable by the consumer.
 // What constitutes as "acceptable" is determined by the verification delegate.
 NET_EXPORT extern const CertErrorId kUnacceptablePublicKey;

 // The certificate's EKU is missing serverAuth. However Netscape Server Gated
 // Crypto is present instead.
 NET_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasGatedCrypto;

 // The certificate has been revoked.
 NET_EXPORT extern const CertErrorId kCertificateRevoked;

 // The certificate lacks a recognized revocation mechanism (i.e. OCSP/CRL).
 // Emitted as an error when revocation checking expects certificates to have
 // such info.
 NET_EXPORT extern const CertErrorId kNoRevocationMechanism;

 // The certificate had a revocation mechanism, but when used it was unable to
 // affirmatively say whether the certificate was unrevoked.
 NET_EXPORT extern const CertErrorId kUnableToCheckRevocation;

 }  // namespace cert_errors

 }  // namespace net

 #endif  // NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_
	// Copyright 2017 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_
	#define NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_

	#include "net/base/net_export.h"
	#include "net/cert/internal/cert_errors.h"

	// This file contains the set of "default" certificate errors (those
	// defined by the core verification/path building code).
	//
	// Errors may be defined for other domains.
	namespace net {

	namespace cert_errors {

	// The verification time is after the certificate's notAfter time.
	NET_EXPORT extern const CertErrorId kValidityFailedNotAfter;

	// The verification time is before the certificate's notBefore time.
	NET_EXPORT extern const CertErrorId kValidityFailedNotBefore;

	// The certificate is actively distrusted by the trust store (this is separate
	// from other revocation mechanisms).
	NET_EXPORT extern const CertErrorId kDistrustedByTrustStore;

	// The certificate disagrees on what the signature algorithm was
	// (Certificate.signatureAlgorithm != TBSCertificate.signature).
	NET_EXPORT extern const CertErrorId kSignatureAlgorithmMismatch;

	// Certificate verification was called with an empty chain.
	NET_EXPORT extern const CertErrorId kChainIsEmpty;

	// Certificate verification was called with a chain of length 1, which is not
	// supported (i.e. the target certificate cannot also be a trusted
	// certificate). See https://crbug.com/814994.
	NET_EXPORT extern const CertErrorId kChainIsLength1;

	// The certificate contains an unknown extension which is marked as critical.
	NET_EXPORT extern const CertErrorId kUnconsumedCriticalExtension;

	// The target certificate appears to be a CA (has Basic Constraints CA=true),
	// however does not have a keyUsage consistent with being a CA (keyCertSign).
	NET_EXPORT extern const CertErrorId kTargetCertInconsistentCaBits;

	// The certificate is being used to sign other certificates, however the
	// keyCertSign KeyUsage was not set.
	NET_EXPORT extern const CertErrorId kKeyCertSignBitNotSet;

	// The chain violates the max_path_length from BasicConstraints.
	NET_EXPORT extern const CertErrorId kMaxPathLengthViolated;

	// The certificate being used to sign other certificates has a
	// BasicConstraints extension, however it sets CA=false
	NET_EXPORT extern const CertErrorId kBasicConstraintsIndicatesNotCa;

	// The certificate being used to sign other certificates does not include a
	// BasicConstraints extension.
	NET_EXPORT extern const CertErrorId kMissingBasicConstraints;

	// The certificate has a subject or subjectAltName that violates an issuer's
	// name constraints.
	NET_EXPORT extern const CertErrorId kNotPermittedByNameConstraints;

	// The chain has an excessive number of names and/or name constraints.
	NET_EXPORT extern const CertErrorId kTooManyNameConstraintChecks;

	// The certificate's issuer field does not match the subject of its alleged
	// issuer.
	NET_EXPORT extern const CertErrorId kSubjectDoesNotMatchIssuer;

	// Failed to verify the certificate's signature using its issuer's public key.
	NET_EXPORT extern const CertErrorId kVerifySignedDataFailed;

	// The certificate encodes its signature differently between
	// Certificate.algorithm and TBSCertificate.signature, but it appears
	// to be the same algorithm.
	NET_EXPORT extern const CertErrorId kSignatureAlgorithmsDifferentEncoding;

	// The certificate verification is being done for serverAuth, however the
	// certificate lacks serverAuth in its ExtendedKeyUsages.
	NET_EXPORT extern const CertErrorId kEkuLacksServerAuth;

	// The certificate verification is being done for clientAuth, however the
	// certificate lacks clientAuth in its ExtendedKeyUsages.
	NET_EXPORT extern const CertErrorId kEkuLacksClientAuth;

	// The root certificate in a chain is not trusted.
	NET_EXPORT extern const CertErrorId kCertIsNotTrustAnchor;

	// The chain is not valid for any policy, and an explicit policy was required.
	// (Either because the relying party requested it during verificaiton, or it was
	// requrested by a PolicyConstraints extension).
	NET_EXPORT extern const CertErrorId kNoValidPolicy;

	// The certificate is trying to map to, or from, anyPolicy.
	NET_EXPORT extern const CertErrorId kPolicyMappingAnyPolicy;

	// The public key in this certificate could not be parsed.
	NET_EXPORT extern const CertErrorId kFailedParsingSpki;

	// The certificate's signature algorithm (used to verify its
	// signature) is not acceptable by the consumer. What constitutes as
	// "acceptable" is determined by the verification delegate.
	NET_EXPORT extern const CertErrorId kUnacceptableSignatureAlgorithm;

	// The certificate's public key is not acceptable by the consumer.
	// What constitutes as "acceptable" is determined by the verification delegate.
	NET_EXPORT extern const CertErrorId kUnacceptablePublicKey;

	// The certificate's EKU is missing serverAuth. However Netscape Server Gated
	// Crypto is present instead.
	NET_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasGatedCrypto;

	// The certificate has been revoked.
	NET_EXPORT extern const CertErrorId kCertificateRevoked;

	// The certificate lacks a recognized revocation mechanism (i.e. OCSP/CRL).
	// Emitted as an error when revocation checking expects certificates to have
	// such info.
	NET_EXPORT extern const CertErrorId kNoRevocationMechanism;

	// The certificate had a revocation mechanism, but when used it was unable to
	// affirmatively say whether the certificate was unrevoked.
	NET_EXPORT extern const CertErrorId kUnableToCheckRevocation;

	} // namespace cert_errors

	} // namespace net

	#endif // NET_CERT_INTERNAL_COMMON_CERT_ERRORS_H_