From: Dr. David von Oheimb
Date: Mon, 27 Feb 2023 18:22:33 +0000 (+0100)
Subject: doc/man3/X509_STORE_CTX_get_error.pod: make order consistent, add some missing entries
X-Git-Tag: openssl-3.2.0-alpha1~1174
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1caa4835eb140682ba091bf328758fc6535e70bc;p=thirdparty%2Fopenssl.git

doc/man3/X509_STORE_CTX_get_error.pod: make order consistent, add some missing entries

Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/20450)
---

diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 54decf73328..8fb38cf3e98 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -179,7 +179,7 @@ const char *X509_verify_cert_error_string(long n)
 case X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH:
 return "subject signature algorithm and issuer public key algorithm mismatch";
 case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY:
- return "cert info siganature and signature algorithm mismatch";
+ return "cert info signature and signature algorithm mismatch";
 case X509_V_ERR_INVALID_CA:
 return "invalid CA certificate";
 case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA:
@@ -213,6 +213,11 @@ const char *X509_verify_cert_error_string(long n)
 case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS:
 return "Certificate public key has explicit ECC parameters";
 
+ /*
+ * Entries must be kept consistent with include/openssl/x509_vfy.h.in
+ * and with doc/man3/X509_STORE_CTX_get_error.pod
+ */
+
 default:
 /* Printing an error number into a static buffer is not thread-safe */
 return "unknown certificate verification error";
diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod
index 8357f505686..123ecdc9b4c 100644
--- a/doc/man3/X509_STORE_CTX_get_error.pod
+++ b/doc/man3/X509_STORE_CTX_get_error.pod
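Review bot: The comment added before `default:` in the second crypto/x509/x509_txt.c hunk says the case list must match include/openssl/x509_vfy.h.in and the man page, but nothing visible in this patch enforces that. A code added to the header without a matching case would fall through to `"unknown certificate verification error"`, which is presumably the text an operator sees when a chain is rejected, so drift makes verification failures harder to triage. Consider backing the comment with a test that walks the defined X509_V_ERR_* values and fails when X509_verify_cert_error_string() returns the default text. Whether such a test already exists cannot be told from here. The enclosing switch starts before the hunk and ends after it.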
@@ -220,10 +220,10 @@ The certificate chain length is greater than the supplied maximum depth. The certificate has been revoked. -=item B +=item B -A CA certificate is invalid. Either it is not a CA or its extensions are not -consistent with the supplied purpose. +The issuer certificate does not have a public key. =item B @@ -266,6 +266,44 @@ key usage does not include certificate signing> The current candidate issuer certificate was rejected because its C extension does not permit certificate signing. +=item B + +Unable to get CRL issuer certificate. + +=item B + +Unhandled critical extension. + +=item B + +Key usage does not include CRL signing. + +=item B + +Unhandled critical CRL extension. + +=item B + +Invalid non-CA certificate has CA markings. + +=item B + +Proxy path length constraint exceeded. + +=item B + +Key usage does not include digital signature, and therefore cannot sign +certificates. + +=item B + +Proxy certificates not allowed unless the B flag +is set. + =item B @@ -288,10 +326,14 @@ present. The only CRLs that could be found did not match the scope of the certificate. -=item B +=item B Some feature of a certificate extension is not supported. Unused. +=item B + +See RFC 3779 for details. + =item B A name constraint violation occurred in the permitted subtrees. @@ -306,6 +348,11 @@ name constraints minimum and maximum not supported> A certificate name constraints extension included a minimum or maximum field: this is not supported. +=item B + +An application specific error. This will never be returned unless explicitly +set by an application callback. + =item B 
@@ -319,58 +366,15 @@ The format of the name constraint is not recognised: for example an email address format of a form not mentioned in RFC3280. This could be caused by a garbage extension or some new feature not currently supported. +=item B + +Unsupported or invalid name syntax. + =item B An error occurred when attempting to verify the CRL path. This error can only happen if extended CRL checking is enabled. -=item B - -An application specific error. This will never be returned unless explicitly -set by an application callback. - -=item B - -Unable to get CRL issuer certificate. - -=item B - -Unhandled critical extension. - -=item B - -Key usage does not include CRL signing. - -=item B - -Unhandled critical CRL extension. - -=item B - -Invalid non-CA certificate has CA markings. - -=item B - -Proxy path length constraint exceeded. - -=item B - -Key usage does not include digital signature, and therefore cannot sign -certificates. - -=item B - -Proxy certificates not allowed unless the B flag -is set. - -=item B - -See RFC 3779 for details. - -=item B - -Unsupported or invalid name syntax. - =item B Path loop. @@ -434,15 +438,28 @@ Returned by the verify callback to indicate OCSP verification failed. Returned by the verify callback to indicate that the certificate is not recognized by the OCSP responder. -=item B +=item B -The issuer certificate does not have a public key. +Cannot find certificate signature algorithm. -=item B +=item B The issuer's public key is not of the type required by the signature in the subject's certificate. +=item B + +The algorithm given in the certificate info is inconsistent + with the one used for the certificate signature. + +=item B + +A CA certificate is invalid. Either it is not a CA or its extensions are not +consistent with the supplied purpose. + =back =head1 NOTES