1X509_STORE_CTX_get_error(3)         OpenSSL        X509_STORE_CTX_get_error(3)
2
3
4

NAME

6       X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
7       X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert,
8       X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set
9       certificate verification status information
10

SYNOPSIS

12        #include <openssl/x509.h>
13        #include <openssl/x509_vfy.h>
14
15        int    X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
16        void   X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
17        int    X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
18        X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
19
20        STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
21
22        const char *X509_verify_cert_error_string(long n);
23

DESCRIPTION

25       These functions are typically called after X509_verify_cert() has
26       indicated an error or in a verification callback to determine the
27       nature of an error.
28
29       X509_STORE_CTX_get_error() returns the error code of ctx, see the ERROR
30       CODES section for a full description of all error codes.
31
32       X509_STORE_CTX_set_error() sets the error code of ctx to s. For example
33       it might be used in a verification callback to set an error based on
34       additional checks.
35
36       X509_STORE_CTX_get_error_depth() returns the depth of the error. This
37       is a non-negative integer representing where in the certificate chain
38       the error occurred. If it is zero it occurred in the end entity
39       certificate, one if it is the certificate which signed the end entity
40       certificate and so on.
41
42       X509_STORE_CTX_get_current_cert() returns the certificate in ctx which
43       caused the error or NULL if no certificate is relevant.
44
45       X509_STORE_CTX_get1_chain() returns a complete validate chain if a
46       previous call to X509_verify_cert() is successful. If the call to
47       X509_verify_cert() is not successful the returned chain may be
48       incomplete or invalid. The returned chain persists after the ctx
49       structure is freed, when it is no longer needed it should be free up
50       using:
51
52         sk_X509_pop_free(chain, X509_free);
53
54       X509_verify_cert_error_string() returns a human readable error string
55       for verification error n.
56

RETURN VALUES

58       X509_STORE_CTX_get_error() returns X509_V_OK or an error code.
59
60       X509_STORE_CTX_get_error_depth() returns a non-negative error depth.
61
62       X509_STORE_CTX_get_current_cert() returns the cerificate which caused
63       the error or NULL if no certificate is relevant to the error.
64
65       X509_verify_cert_error_string() returns a human readable error string
66       for verification error n.
67

ERROR CODES

69       A list of error codes and messages is shown below.  Some of the error
70       codes are defined but currently never returned: these are described as
71       "unused".
72
73       X509_V_OK: ok
74           the operation was successful.
75
76       X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
77           the issuer certificate could not be found: this occurs if the
78           issuer certificate of an untrusted certificate cannot be found.
79
80       X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
81           the CRL of a certificate could not be found.
82
83       X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt
84       certificate's signature
85           the certificate signature could not be decrypted. This means that
86           the actual signature value could not be determined rather than it
87           not matching the expected value, this is only meaningful for RSA
88           keys.
89
90       X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's
91       signature
92           the CRL signature could not be decrypted: this means that the
93           actual signature value could not be determined rather than it not
94           matching the expected value.  Unused.
95
96       X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer
97       public key
98           the public key in the certificate SubjectPublicKeyInfo could not be
99           read.
100
101       X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
102           the signature of the certificate is invalid.
103
104       X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
105           the signature of the certificate is invalid.
106
107       X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
108           the certificate is not yet valid: the notBefore date is after the
109           current time.
110
111       X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
112           the certificate has expired: that is the notAfter date is before
113           the current time.
114
115       X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
116           the CRL is not yet valid.
117
118       X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
119           the CRL has expired.
120
121       X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in
122       certificate's notBefore field
123           the certificate notBefore field contains an invalid time.
124
125       X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's
126       notAfter field
127           the certificate notAfter field contains an invalid time.
128
129       X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's
130       lastUpdate field
131           the CRL lastUpdate field contains an invalid time.
132
133       X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's
134       nextUpdate field
135           the CRL nextUpdate field contains an invalid time.
136
137       X509_V_ERR_OUT_OF_MEM: out of memory
138           an error occurred trying to allocate memory. This should never
139           happen.
140
141       X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
142           the passed certificate is self signed and the same certificate
143           cannot be found in the list of trusted certificates.
144
145       X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
146       certificate chain
147           the certificate chain could be built up using the untrusted
148           certificates but the root could not be found locally.
149
150       X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local
151       issuer certificate
152           the issuer certificate of a locally looked up certificate could not
153           be found.  This normally means the list of trusted certificates is
154           not complete.
155
156       X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first
157       certificate
158           no signatures could be verified because the chain contains only one
159           certificate and it is not self signed.
160
161       X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
162           the certificate chain length is greater than the supplied maximum
163           depth. Unused.
164
165       X509_V_ERR_CERT_REVOKED: certificate revoked
166           the certificate has been revoked.
167
168       X509_V_ERR_INVALID_CA: invalid CA certificate
169           a CA certificate is invalid. Either it is not a CA or its
170           extensions are not consistent with the supplied purpose.
171
172       X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
173           the basicConstraints pathlength parameter has been exceeded.
174
175       X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
176           the supplied certificate cannot be used for the specified purpose.
177
178       X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
179           the root CA is not marked as trusted for the specified purpose.
180
181       X509_V_ERR_CERT_REJECTED: certificate rejected
182           the root CA is marked to reject the specified purpose.
183
184       X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
185           the current candidate issuer certificate was rejected because its
186           subject name did not match the issuer name of the current
187           certificate. This is only set if issuer check debugging is enabled
188           it is used for status notification and is not in itself an error.
189
190       X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier
191       mismatch
192           the current candidate issuer certificate was rejected because its
193           subject key identifier was present and did not match the authority
194           key identifier current certificate. This is only set if issuer
195           check debugging is enabled it is used for status notification and
196           is not in itself an error.
197
198       X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial
199       number mismatch
200           the current candidate issuer certificate was rejected because its
201           issuer name and serial number was present and did not match the
202           authority key identifier of the current certificate. This is only
203           set if issuer check debugging is enabled it is used for status
204           notification and is not in itself an error.
205
206       X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate
207       signing
208           the current candidate issuer certificate was rejected because its
209           keyUsage extension does not permit certificate signing. This is
210           only set if issuer check debugging is enabled it is used for status
211           notification and is not in itself an error.
212
213       X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate
214       extension
215           A certificate extension had an invalid value (for example an
216           incorrect encoding) or some value inconsistent with other
217           extensions.
218
219       X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent
220       certificate policy extension
221           A certificate policies extension had an invalid value (for example
222           an incorrect encoding) or some value inconsistent with other
223           extensions. This error only occurs if policy processing is enabled.
224
225       X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy
226           The verification flags were set to require and explicit policy but
227           none was present.
228
229       X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope
230           The only CRLs that could be found did not match the scope of the
231           certificate.
232
233       X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature
234           Some feature of a certificate extension is not supported. Unused.
235
236       X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation
237           A name constraint violation occurred in the permitted subtrees.
238
239       X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation
240           A name constraint violation occurred in the excluded subtrees.
241
242       X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not
243       supported
244           A certificate name constraints extension included a minimum or
245           maximum field: this is not supported.
246
247       X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint
248       type
249           An unsupported name constraint type was encountered. OpenSSL
250           currently only supports directory name, DNS name, email and URI
251           types.
252
253       X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name
254       constraint syntax
255           The format of the name constraint is not recognised: for example an
256           email address format of a form not mentioned in RFC3280. This could
257           be caused by a garbage extension or some new feature not currently
258           supported.
259
260       X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error
261           An error occurred when attempting to verify the CRL path. This
262           error can only happen if extended CRL checking is enabled.
263
264       X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
265           an application specific error. This will never be returned unless
266           explicitly set by an application.
267

NOTES

269       The above functions should be used instead of directly referencing the
270       fields in the X509_VERIFY_CTX structure.
271
272       In versions of OpenSSL before 1.0 the current certificate returned by
273       X509_STORE_CTX_get_current_cert() was never NULL. Applications should
274       check the return value before printing out any debugging information
275       relating to the current certificate.
276
277       If an unrecognised error code is passed to
278       X509_verify_cert_error_string() the numerical value of the unknown code
279       is returned in a static buffer. This is not thread safe but will never
280       happen unless an invalid code is passed.
281

SEE ALSO

283       X509_verify_cert(3)
284

HISTORY

286       TBA
287
288
289
2901.0.2o                            2019-09-10       X509_STORE_CTX_get_error(3)
Impressum