1 package x509
2
3 import "fmt"
4
5
// Error identifiers for CRL (CertificateList) parsing problems. The values are
// assigned by iota, so the order of this list is significant and new
// identifiers belong immediately before ErrMaxID.
const (
	// ErrInvalidID is the zero value of ErrorID.
	ErrInvalidID ErrorID = iota

	// Problems with the outer CertificateList structure.
	ErrInvalidCertList
	ErrTrailingCertList

	// Problems with CRL-level extensions (tbsCertList.crlExtensions).
	ErrUnexpectedlyCriticalCertListExtension
	ErrUnexpectedlyNonCriticalCertListExtension
	ErrInvalidCertListAuthKeyID
	ErrTrailingCertListAuthKeyID
	ErrInvalidCertListIssuerAltName
	ErrInvalidCertListCRLNumber
	ErrTrailingCertListCRLNumber
	ErrNegativeCertListCRLNumber
	ErrInvalidCertListDeltaCRL
	ErrTrailingCertListDeltaCRL
	ErrNegativeCertListDeltaCRL
	ErrInvalidCertListIssuingDP
	ErrTrailingCertListIssuingDP
	ErrCertListIssuingDPMultipleTypes
	ErrCertListIssuingDPInvalidFullName
	ErrInvalidCertListFreshestCRL
	ErrInvalidCertListAuthInfoAccess
	ErrTrailingCertListAuthInfoAccess
	ErrUnhandledCriticalCertListExtension

	// Problems with per-entry extensions
	// (tbsCertList.revokedCertificates.crlEntryExtensions).
	ErrUnexpectedlyCriticalRevokedCertExtension
	ErrUnexpectedlyNonCriticalRevokedCertExtension
	ErrInvalidRevocationReason
	ErrTrailingRevocationReason
	ErrInvalidRevocationInvalidityDate
	ErrTrailingRevocationInvalidityDate
	ErrInvalidRevocationIssuer
	ErrUnhandledCriticalRevokedCertExtension

	// ErrMaxID is one past the last defined identifier; NewError treats any
	// id at or above it as unknown.
	ErrMaxID
)
40
41
42
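// idToError maps an ErrorID to its template Error. It is populated from
// errorInfo by init.
var idToError map[ErrorID]Error

// errorInfo is the table of error templates for CRL parsing. Each Summary is a
// fmt format string that NewError fills in with its variadic arguments. Entries
// without Fatal set describe problems that are reported but not marked fatal.
var errorInfo = []Error{
	// Outer CertificateList structure (RFC 5280 s5.1).
	{
		ID:       ErrInvalidCertList,
		Summary:  "x509: failed to parse CertificateList: %v",
		Field:    "CertificateList",
		SpecRef:  "RFC 5280 s5.1",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrTrailingCertList,
		Summary:  "x509: trailing data after CertificateList",
		Field:    "CertificateList",
		SpecRef:  "RFC 5280 s5.1",
		Category: InvalidASN1Content,
		Fatal:    true,
	},

	// Criticality mismatches on CRL extensions (RFC 5280 s5.2); not marked Fatal.
	{
		ID:       ErrUnexpectedlyCriticalCertListExtension,
		Summary:  "x509: certificate list extension %v marked critical but expected to be non-critical",
		Field:    "tbsCertList.crlExtensions.*.critical",
		SpecRef:  "RFC 5280 s5.2",
		Category: MalformedCRL,
	},
	{
		ID:       ErrUnexpectedlyNonCriticalCertListExtension,
		Summary:  "x509: certificate list extension %v marked non-critical but expected to be critical",
		Field:    "tbsCertList.crlExtensions.*.critical",
		SpecRef:  "RFC 5280 s5.2",
		Category: MalformedCRL,
	},

	// Individual CRL extensions (RFC 5280 s5.2.1 - s5.2.7).
	{
		ID:       ErrInvalidCertListAuthKeyID,
		Summary:  "x509: failed to unmarshal certificate-list authority key-id: %v",
		Field:    "tbsCertList.crlExtensions.*.AuthorityKeyIdentifier",
		SpecRef:  "RFC 5280 s5.2.1",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrTrailingCertListAuthKeyID,
		Summary:  "x509: trailing data after certificate list auth key ID",
		Field:    "tbsCertList.crlExtensions.*.AuthorityKeyIdentifier",
		SpecRef:  "RFC 5280 s5.2.1",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrInvalidCertListIssuerAltName,
		Summary:  "x509: failed to parse CRL issuer alt name: %v",
		Field:    "tbsCertList.crlExtensions.*.IssuerAltName",
		SpecRef:  "RFC 5280 s5.2.2",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrInvalidCertListCRLNumber,
		Summary:  "x509: failed to unmarshal certificate-list crl-number: %v",
		Field:    "tbsCertList.crlExtensions.*.CRLNumber",
		SpecRef:  "RFC 5280 s5.2.3",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrTrailingCertListCRLNumber,
		Summary:  "x509: trailing data after certificate list crl-number",
		Field:    "tbsCertList.crlExtensions.*.CRLNumber",
		SpecRef:  "RFC 5280 s5.2.3",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrNegativeCertListCRLNumber,
		Summary:  "x509: negative certificate list crl-number: %d",
		Field:    "tbsCertList.crlExtensions.*.CRLNumber",
		SpecRef:  "RFC 5280 s5.2.3",
		Category: MalformedCRL,
		Fatal:    true,
	},
	{
		ID:       ErrInvalidCertListDeltaCRL,
		Summary:  "x509: failed to unmarshal certificate-list delta-crl: %v",
		Field:    "tbsCertList.crlExtensions.*.BaseCRLNumber",
		SpecRef:  "RFC 5280 s5.2.4",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrTrailingCertListDeltaCRL,
		Summary:  "x509: trailing data after certificate list delta-crl",
		Field:    "tbsCertList.crlExtensions.*.BaseCRLNumber",
		SpecRef:  "RFC 5280 s5.2.4",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrNegativeCertListDeltaCRL,
		Summary:  "x509: negative certificate list base-crl-number: %d",
		Field:    "tbsCertList.crlExtensions.*.BaseCRLNumber",
		SpecRef:  "RFC 5280 s5.2.4",
		Category: MalformedCRL,
		Fatal:    true,
	},
	{
		ID:       ErrInvalidCertListIssuingDP,
		Summary:  "x509: failed to unmarshal certificate list issuing distribution point: %v",
		Field:    "tbsCertList.crlExtensions.*.IssuingDistributionPoint",
		SpecRef:  "RFC 5280 s5.2.5",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrTrailingCertListIssuingDP,
		Summary:  "x509: trailing data after certificate list issuing distribution point",
		Field:    "tbsCertList.crlExtensions.*.IssuingDistributionPoint",
		SpecRef:  "RFC 5280 s5.2.5",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrCertListIssuingDPMultipleTypes,
		Summary:  "x509: multiple cert types set in issuing-distribution-point: user:%v CA:%v attr:%v",
		Field:    "tbsCertList.crlExtensions.*.IssuingDistributionPoint",
		SpecRef:  "RFC 5280 s5.2.5",
		SpecText: "at most one of onlyContainsUserCerts, onlyContainsCACerts, and onlyContainsAttributeCerts may be set to TRUE.",
		Category: MalformedCRL,
		Fatal:    true,
	},
	{
		ID:       ErrCertListIssuingDPInvalidFullName,
		Summary:  "x509: failed to parse CRL issuing-distribution-point fullName: %v",
		Field:    "tbsCertList.crlExtensions.*.IssuingDistributionPoint.distributionPoint",
		SpecRef:  "RFC 5280 s5.2.5",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrInvalidCertListFreshestCRL,
		Summary:  "x509: failed to unmarshal certificate list freshestCRL: %v",
		Field:    "tbsCertList.crlExtensions.*.FreshestCRL",
		SpecRef:  "RFC 5280 s5.2.6",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrInvalidCertListAuthInfoAccess,
		Summary:  "x509: failed to unmarshal certificate list authority info access: %v",
		Field:    "tbsCertList.crlExtensions.*.AuthorityInfoAccess",
		SpecRef:  "RFC 5280 s5.2.7",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrTrailingCertListAuthInfoAccess,
		Summary:  "x509: trailing data after certificate list authority info access",
		Field:    "tbsCertList.crlExtensions.*.AuthorityInfoAccess",
		SpecRef:  "RFC 5280 s5.2.7",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:      ErrUnhandledCriticalCertListExtension,
		Summary: "x509: unhandled critical extension in certificate list: %v",
		// crlExtensions is a field of tbsCertList itself, not of
		// revokedCertificates; this path matches the other s5.2 entries.
		Field:    "tbsCertList.crlExtensions.*",
		SpecRef:  "RFC 5280 s5.2",
		SpecText: "If a CRL contains a critical extension that the application cannot process, then the application MUST NOT use that CRL to determine the status of certificates.",
		Category: MalformedCRL,
		Fatal:    true,
	},

	// Criticality mismatches on CRL entry extensions (RFC 5280 s5.3); not
	// marked Fatal.
	{
		ID:       ErrUnexpectedlyCriticalRevokedCertExtension,
		Summary:  "x509: revoked certificate extension %v marked critical but expected to be non-critical",
		Field:    "tbsCertList.revokedCertificates.crlEntryExtensions.*.critical",
		SpecRef:  "RFC 5280 s5.3",
		Category: MalformedCRL,
	},
	{
		ID:       ErrUnexpectedlyNonCriticalRevokedCertExtension,
		Summary:  "x509: revoked certificate extension %v marked non-critical but expected to be critical",
		Field:    "tbsCertList.revokedCertificates.crlEntryExtensions.*.critical",
		SpecRef:  "RFC 5280 s5.3",
		Category: MalformedCRL,
	},

	// Individual CRL entry extensions (RFC 5280 s5.3.1 - s5.3.3).
	{
		ID:       ErrInvalidRevocationReason,
		Summary:  "x509: failed to parse revocation reason: %v",
		Field:    "tbsCertList.revokedCertificates.crlEntryExtensions.*.CRLReason",
		SpecRef:  "RFC 5280 s5.3.1",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrTrailingRevocationReason,
		Summary:  "x509: trailing data after revoked certificate reason",
		Field:    "tbsCertList.revokedCertificates.crlEntryExtensions.*.CRLReason",
		SpecRef:  "RFC 5280 s5.3.1",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrInvalidRevocationInvalidityDate,
		Summary:  "x509: failed to parse revoked certificate invalidity date: %v",
		Field:    "tbsCertList.revokedCertificates.crlEntryExtensions.*.InvalidityDate",
		SpecRef:  "RFC 5280 s5.3.2",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrTrailingRevocationInvalidityDate,
		Summary:  "x509: trailing data after revoked certificate invalidity date",
		Field:    "tbsCertList.revokedCertificates.crlEntryExtensions.*.InvalidityDate",
		SpecRef:  "RFC 5280 s5.3.2",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrInvalidRevocationIssuer,
		Summary:  "x509: failed to parse revocation issuer %v",
		Field:    "tbsCertList.revokedCertificates.crlEntryExtensions.*.CertificateIssuer",
		SpecRef:  "RFC 5280 s5.3.3",
		Category: InvalidASN1Content,
		Fatal:    true,
	},
	{
		ID:       ErrUnhandledCriticalRevokedCertExtension,
		Summary:  "x509: unhandled critical extension in revoked certificate: %v",
		Field:    "tbsCertList.revokedCertificates.crlEntryExtensions.*",
		SpecRef:  "RFC 5280 s5.3",
		SpecText: "If a CRL contains a critical CRL entry extension that the application cannot process, then the application MUST NOT use that CRL to determine the status of any certificates.",
		Category: MalformedCRL,
		Fatal:    true,
	},
}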
282
// init builds the idToError lookup table from errorInfo, keyed by each
// entry's ID. A later entry with the same ID overwrites an earlier one.
func init() {
	lookup := make(map[ErrorID]Error, len(errorInfo))
	for i := range errorInfo {
		entry := errorInfo[i]
		lookup[entry.ID] = entry
	}
	idToError = lookup
}
289
290
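// NewError builds an Error for the given id, using args to fill in the
// format verbs of the registered Summary template.
//
// An id that has no registered template yields a fatal "Unknown error ID"
// error. This covers ids at or above ErrMaxID and also ids below it that are
// absent from idToError, such as ErrInvalidID, which has no entry in
// errorInfo. Failing closed here keeps an unregistered id from turning a
// parse failure into a non-fatal Error with an empty Summary.
func NewError(id ErrorID, args ...interface{}) Error {
	tmpl, known := idToError[id]
	if !known || id >= ErrMaxID {
		return Error{
			ID:      id,
			Summary: fmt.Sprintf("Unknown error ID %v: args %+v", id, args),
			Fatal:   true,
		}
	}
	// tmpl is a copy of the map value, so formatting Summary in place does
	// not modify the shared template.
	tmpl.Summary = fmt.Sprintf(tmpl.Summary, args...)
	return tmpl
}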
303