1X509_STORE_CTX_get_error(3) OpenSSL X509_STORE_CTX_get_error(3)
2
6 X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
7 X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert,
8 X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set
9 certificate verification status information
10
12 #include <openssl/x509.h>
13 #include <openssl/x509_vfy.h>
14 int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
16 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
17 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
18 X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
19 STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
21 const char *X509_verify_cert_error_string(long n);
23
25 These functions are typically called after X509_verify_cert() has
26 indicated an error or in a verification callback to determine the
27 nature of an error.
28 X509_STORE_CTX_get_error() returns the error code of ctx, see the ERROR
30 CODES section for a full description of all error codes.
31 X509_STORE_CTX_set_error() sets the error code of ctx to s. For example
33 it might be used in a verification callback to set an error based on
34 additional checks.
35 X509_STORE_CTX_get_error_depth() returns the depth of the error. This
37 is a non-negative integer representing where in the certificate chain
38 the error occurred. If it is zero it occurred in the end entity
39 certificate, one if it is the certificate which signed the end entity
40 certificate and so on.
41 X509_STORE_CTX_get_current_cert() returns the certificate in ctx which
43 caused the error or NULL if no certificate is relevant.
44 X509_STORE_CTX_get1_chain() returns a complete validate chain if a
46 previous call to X509_verify_cert() is successful. If the call to
47 X509_verify_cert() is not successful the returned chain may be
48 incomplete or invalid. The returned chain persists after the ctx
49 structure is freed, when it is no longer needed it should be free up
50 using:
51 sk_X509_pop_free(chain, X509_free);
53 X509_verify_cert_error_string() returns a human readable error string
55 for verification error n.
56
58 X509_STORE_CTX_get_error() returns X509_V_OK or an error code.
59 X509_STORE_CTX_get_error_depth() returns a non-negative error depth.
61 X509_STORE_CTX_get_current_cert() returns the cerificate which caused
63 the error or NULL if no certificate is relevant to the error.
64 X509_verify_cert_error_string() returns a human readable error string
66 for verification error n.
67
69 A list of error codes and messages is shown below. Some of the error
70 codes are defined but currently never returned: these are described as
71 "unused".
72 X509_V_OK: ok
74 the operation was successful.
75 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
77 the issuer certificate could not be found: this occurs if the
78 issuer certificate of an untrusted certificate cannot be found.
79 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
81 the CRL of a certificate could not be found.
82 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt
84 certificate's signature
85 the certificate signature could not be decrypted. This means that
86 the actual signature value could not be determined rather than it
87 not matching the expected value, this is only meaningful for RSA
88 keys.
89 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's
91 signature
92 the CRL signature could not be decrypted: this means that the
93 actual signature value could not be determined rather than it not
94 matching the expected value. Unused.
95 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer
97 public key
98 the public key in the certificate SubjectPublicKeyInfo could not be
99 read.
100 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
102 the signature of the certificate is invalid.
103 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
105 the signature of the certificate is invalid.
106 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
108 the certificate is not yet valid: the notBefore date is after the
109 current time.
110 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
112 the certificate has expired: that is the notAfter date is before
113 the current time.
114 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
116 the CRL is not yet valid.
117 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
119 the CRL has expired.
120 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in
122 certificate's notBefore field
123 the certificate notBefore field contains an invalid time.
124 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's
126 notAfter field
127 the certificate notAfter field contains an invalid time.
128 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's
130 lastUpdate field
131 the CRL lastUpdate field contains an invalid time.
132 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's
134 nextUpdate field
135 the CRL nextUpdate field contains an invalid time.
136 X509_V_ERR_OUT_OF_MEM: out of memory
138 an error occurred trying to allocate memory. This should never
139 happen.
140 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
142 the passed certificate is self signed and the same certificate
143 cannot be found in the list of trusted certificates.
144 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
146 certificate chain
147 the certificate chain could be built up using the untrusted
148 certificates but the root could not be found locally.
149 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local
151 issuer certificate
152 the issuer certificate of a locally looked up certificate could not
153 be found. This normally means the list of trusted certificates is
154 not complete.
155 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first
157 certificate
158 no signatures could be verified because the chain contains only one
159 certificate and it is not self signed.
160 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
162 the certificate chain length is greater than the supplied maximum
163 depth. Unused.
164 X509_V_ERR_CERT_REVOKED: certificate revoked
166 the certificate has been revoked.
167 X509_V_ERR_INVALID_CA: invalid CA certificate
169 a CA certificate is invalid. Either it is not a CA or its
170 extensions are not consistent with the supplied purpose.
171 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
173 the basicConstraints pathlength parameter has been exceeded.
174 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
176 the supplied certificate cannot be used for the specified purpose.
177 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
179 the root CA is not marked as trusted for the specified purpose.
180 X509_V_ERR_CERT_REJECTED: certificate rejected
182 the root CA is marked to reject the specified purpose.
183 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
185 the current candidate issuer certificate was rejected because its
186 subject name did not match the issuer name of the current
187 certificate. This is only set if issuer check debugging is enabled
188 it is used for status notification and is not in itself an error.
189 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier
191 mismatch
192 the current candidate issuer certificate was rejected because its
193 subject key identifier was present and did not match the authority
194 key identifier current certificate. This is only set if issuer
195 check debugging is enabled it is used for status notification and
196 is not in itself an error.
197 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial
199 number mismatch
200 the current candidate issuer certificate was rejected because its
201 issuer name and serial number was present and did not match the
202 authority key identifier of the current certificate. This is only
203 set if issuer check debugging is enabled it is used for status
204 notification and is not in itself an error.
205 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate
207 signing
208 the current candidate issuer certificate was rejected because its
209 keyUsage extension does not permit certificate signing. This is
210 only set if issuer check debugging is enabled it is used for status
211 notification and is not in itself an error.
212 X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate
214 extension
215 A certificate extension had an invalid value (for example an
216 incorrect encoding) or some value inconsistent with other
217 extensions.
218 X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent
220 certificate policy extension
221 A certificate policies extension had an invalid value (for example
222 an incorrect encoding) or some value inconsistent with other
223 extensions. This error only occurs if policy processing is enabled.
224 X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy
226 The verification flags were set to require and explicit policy but
227 none was present.
228 X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope
230 The only CRLs that could be found did not match the scope of the
231 certificate.
232 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature
234 Some feature of a certificate extension is not supported. Unused.
235 X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation
237 A name constraint violation occurred in the permitted subtrees.
238 X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation
240 A name constraint violation occurred in the excluded subtrees.
241 X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not
243 supported
244 A certificate name constraints extension included a minimum or
245 maximum field: this is not supported.
246 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint
248 type
249 An unsupported name constraint type was encountered. OpenSSL
250 currently only supports directory name, DNS name, email and URI
251 types.
252 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name
254 constraint syntax
255 The format of the name constraint is not recognised: for example an
256 email address format of a form not mentioned in RFC3280. This could
257 be caused by a garbage extension or some new feature not currently
258 supported.
259 X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error
261 An error occurred when attempting to verify the CRL path. This
262 error can only happen if extended CRL checking is enabled.
263 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
265 an application specific error. This will never be returned unless
266 explicitly set by an application.
267
269 The above functions should be used instead of directly referencing the
270 fields in the X509_VERIFY_CTX structure.
271 In versions of OpenSSL before 1.0 the current certificate returned by
273 X509_STORE_CTX_get_current_cert() was never NULL. Applications should
274 check the return value before printing out any debugging information
275 relating to the current certificate.
276 If an unrecognised error code is passed to
278 X509_verify_cert_error_string() the numerical value of the unknown code
279 is returned in a static buffer. This is not thread safe but will never
280 happen unless an invalid code is passed.
281
283 X509_verify_cert(3)
284
286 TBA
2871.0.2o 2018-03-27 X509_STORE_CTX_get_error(3)