From 55f3dd4157de3f0618be76dcd07a56328e1104cd Mon Sep 17 00:00:00 2001 From: =?utf8?q?Daniel=20Kou=C5=99il?= Date: Tue, 13 Dec 2011 09:04:55 +0000 Subject: [PATCH] Automatically generated descriptions of errors (incl. openssl error codes, if available) --- emi.canl.canl-c/Makefile | 11 +- emi.canl.canl-c/src/canl.h | 2 +- emi.canl.canl-c/src/canl_error_desc | 194 +++++++++++++++++++++++++++++++++++ emi.canl.canl-c/src/canl_locl.h | 8 ++ emi.canl.canl-c/src/gen_err_codes.pl | 2 +- emi.canl.canl-c/src/gen_err_desc.pl | 69 +++++++++++++ 6 files changed, 281 insertions(+), 5 deletions(-) create mode 100644 emi.canl.canl-c/src/canl_error_desc create mode 100755 emi.canl.canl-c/src/gen_err_desc.pl diff --git a/emi.canl.canl-c/Makefile b/emi.canl.canl-c/Makefile index 8b5b9c4..1601204 100644 --- a/emi.canl.canl-c/Makefile +++ b/emi.canl.canl-c/Makefile @@ -51,7 +51,7 @@ major:=${shell \ all: libcanl.la server client -libcanl.la: canl.lo canl_err.lo canl_dns.lo canl_ssl.lo canl_cert.lo +libcanl.la: canl.lo canl_err.lo canl_dns.lo canl_ssl.lo canl_cert.lo canl_err_desc.lo ${LINK} -rpath ${stagedir}${prefix}/${libdir} ${version_info} $+ ${LFLAGS_LIB} -o $@ canl.lo: canl.c ${HEAD_CANL} @@ -81,9 +81,14 @@ server: ${OBJ_SER} ${OBJ_SER}: ${SRC_SER} ${HEAD_SER} libcanl.la ${COMPILE} -c ${top_srcdir}/src/${SRC_SER} ${CFLAGS_SER} -o $@ -canl_err.h: canl_error_codes +canl_err.h: canl_error_codes ${top_srcdir}/src/gen_err_codes.pl < $^ > $@ +canl_err_desc.lo: canl_err_desc.c ${HEAD_CANL} + ${COMPILE} -c canl_err_desc.c ${CFLAGS_LIB} -o $@ + +canl_err_desc.c: canl_error_codes canl_error_desc + ${top_srcdir}/src/gen_err_desc.pl $^ > $@ check: @@ -98,4 +103,4 @@ stage: all $(MAKE) install PREFIX=${stagedir} clean: - rm -rfv *.o *.lo libcanl.la .libs client server + rm -rfv *.o *.lo libcanl.la .libs client server canl_err.h canl_err_desc.c diff --git a/emi.canl.canl-c/src/canl.h b/emi.canl.canl-c/src/canl.h index d0c6440..2f7714c 100644 --- a/emi.canl.canl-c/src/canl.h 
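Review bot: The new `canl_err_desc.c` rule in the second Makefile hunk redirects the generator's stdout straight into the target, and `gen_err_desc.pl` prints the C file header before it reads and validates `canl_error_desc`, so a `die` on a bad description line leaves a truncated `canl_err_desc.c` with a fresh timestamp that the next `make` will happily compile instead of regenerating; the pre-existing `canl_err.h` rule has the same shape. Writing to a temporary and renaming only on success avoids it: `${top_srcdir}/src/gen_err_desc.pl $^ > $@.tmp && mv $@.tmp $@`. The generator script is also not a prerequisite of its output, so edits to `gen_err_desc.pl` (or `gen_err_codes.pl`) never trigger regeneration; since the rule passes `$^` as arguments, listing the script as a prerequisite means naming the two input files explicitly on the command line instead of using `$^`. The `clean` target now removes the generated files, which is consistent with this.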
+++ b/emi.canl.canl-c/src/canl.h @@ -3,7 +3,7 @@ #include #include -#include "canl_err.h" +#include typedef void *canl_io_handler; typedef void *canl_ctx; diff --git a/emi.canl.canl-c/src/canl_error_desc b/emi.canl.canl-c/src/canl_error_desc new file mode 100644 index 0000000..c33e51e --- /dev/null +++ b/emi.canl.canl-c/src/canl_error_desc 
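Review bot: The replacement include line shows only a bare `#include` in this rendering, so the header name cannot be checked here (angle-bracketed text appears to have been stripped from the patch, as it was from the `while ()` lines in the Perl script). If the new line is the system-header form of `canl_err.h`, note that `canl_err.h` is generated into the build directory by the Makefile rule `canl_err.h: canl_error_codes`, so it is found only through an explicit `-I` path, whereas the removed `"canl_err.h"` form also searched the including file's own directory; a one-line comment stating where the generated header is expected to live would make that dependency visible to whoever packages the installed `canl.h`.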
@@ -0,0 +1,194 @@ +# +# Generic errors +# + +unknown=Unknown error +unknown.category=OTHER + +unknownMsg={0} +unknownMsg.category=OTHER + +inputError=Input certificate chain processing error: {0} +inputError.category=GENERAL_INPUT + +# +# Namespace related errors +# + +nsUndefinedAndRequired=Namespace definition for the certificate issuer ({0}) is not defined, and namespaces are configured to be required. +nsUndefinedAndRequired.category=NAMESPACE + +nsDeny=The certificate subject {0} is denied by the namespace policy: {1} +nsDeny.category=NAMESPACE + +nsNotAccepted=The certificate subject {0} is not accepted by any rule of the the relevant namespace policies. Policies which matches the issuer are: {1} +nsNotAccepted.category=NAMESPACE + + +# +# Proxy certificate specific errors +# + +proxyEECInChain=Certificate issued by an end-entity certificate or a proxy certificate is not a proxy proxy certificate. +proxyEECInChain.category=INCONSISTENT_PROXY_CHAIN + +proxyLength=At the current position the proxy certificates chain exceeded its length limit. +proxyLength.category=INCONSISTENT_PROXY_CHAIN + +proxyNoIssuer=Issuing end entity certificate was not found in the chain with proxy certificates. +proxyNoIssuer.category=INCONSISTENT_PROXY_CHAIN + +proxyCASet=Proxy certificate has the cA field set +proxyCASet.category=INVALID_PROXY_CERT + +proxyIssuerAltNameSet=Proxy certificate has the IssuerAlternativeName set +proxyIssuerAltNameSet.category=INVALID_PROXY_CERT + +proxySubjectAltNameSet=Proxy certificate has the SubjectAlternativeName set +proxySubjectAltNameSet.category=INVALID_PROXY_CERT + +proxyIssuedByCa=Proxy certificate issuer has the cA field set +proxyIssuedByCa.category=INCONSISTENT_PROXY_CHAIN + +proxyNoIssuerSubject=Proxy certificate issuer has no Subject field set +proxyNoIssuerSubject.category=INVALID_PROXY_CERT + +proxySubjectInconsistent=Proxy certificate issuer field is different than the issuing certificate subject field set. 
+proxySubjectInconsistent.category=INCONSISTENT_PROXY_CHAIN + +proxyIssuerNoDsig=Proxy certificate issuer has no digital signature creation right +proxyIssuerNoDsig.category=INCONSISTENT_PROXY_CHAIN + +proxySubjectOneRDN=The proxy certificate subject name has less then two elements +proxySubjectOneRDN.category=INVALID_PROXY_CERT + +proxySubjectMultiLastRDN=The last RDN in proxy subject name is multivalued +proxySubjectMultiLastRDN.category=INVALID_PROXY_CERT + +proxySubjectLastRDNNotCN=The last RDN in proxy subject name is not a CN +proxySubjectLastRDNNotCN.category=INVALID_PROXY_CERT + +proxySubjectBaseWrong=The proxy subject without its last CN component is not equal to its issuer name +proxySubjectBaseWrong.category=INVALID_PROXY_CERT + + +# +# Regular X.509 path validation errors +# + +noIssuerPublicKey=Trusted issuer of this certificate was not established +noIssuerPublicKey.category=X509_CHAIN + +noBasicConstraints=The selected CA certificate does not contain the mandatory Basic Constraints extension +noBasicConstraints.category=X509_BASIC + +pathLenghtExtended=Total chain length exceeds the limit +pathLenghtExtended.category=X509_CHAIN + +conflictingTrustAnchors=More then one trusted CA certificate was found for the certificate chain +conflictingTrustAnchors.category=X509_CHAIN + +noTrustAnchorFound=No trusted CA certificate was found for the certificate chain +noTrustAnchorFound.category=X509_CHAIN +noTrustAnchorFound.openssl_code=ERR_LIB_X509V3,X509V3_R_NO_ISSUER_CERTIFICATE + +trustButInvalidCert=CA certificate was found for the certificate chain but the initial certificate in chain is not issued (correctly signed) by the CA certificate +trustButInvalidCert.category=X509_CHAIN + +signatureNotVerified=Unable to verify signature of certificates in the chain: {0} +signatureNotVerified.category=X509_BASIC + +certificateNotYetValid=Certificate is not yet valid. 
Will be from: {0} +certificateNotYetValid.category=X509_BASIC + +certificateExpired=Certificate has expired at: {0} +certificateExpired.category=X509_BASIC + +noCACert=CA certificate was not found for the chain +noCACert.category=X509_CHAIN + +noCertSign=Issuer of the certificate is not eligible to sign certificates as its certificate has no keyCertSign flag set in its KeyUsage extension. +noCertSign.category=X509_CHAIN + +unknownCriticalExt=Unknown critical extension was found: {0} +unknownCriticalExt.category=X509_BASIC + +certRevoked=Certificate was revoked at: {0}, the reason reported is: {1} +certRevoked.category=CRL + +noBaseCRL=Base CRL for the delta CRL was not found +noBaseCRL.category=CRL + +noValidCrlFound=No valid CRL was found for the CA which issued the chain +noValidCrlFound.category=CRL + +# +# Rare errors lacking "translations" and meta-information +# +# +# certPathCheckerError +# certPathValidDate +# certWrongIssuer +# criticalExtensionError +# crlAuthInfoAccError +# crlBCExtError +# crlDistPoint +# crlDistPtExtError +# crlExtractionError +# crlIssuerException +# crlNbrExtError +# crlNoIssuerPublicKey +# crlOnlyAttrCert +# crlOnlyCaCert +# crlOnlyUserCert +# crlReasonExtError +# crlUpdateAvailable +# crlVerifyFailed +# deltaCrlExtError +# distrPtExtError +# emptyCertPath +# errorProcesingBC +# excludedDN +# excludedEmail +# excludedIP +# explicitPolicy +# invalidPolicy +# invalidPolicyMapping +# loadCrlDistPointError +# localInvalidCRL +# localValidCRL +# ncExtError +# ncSubjectNameError +# noCrlInCertstore +# noCrlSigningPermited +# notPermittedDN +# notPermittedEmail +# notPermittedIP +# notRevoked +# noValidPolicyTree +# ocspLocation +# onlineCRLWrongCA +# onlineInvalidCRL +# onlineValidCRL +# policyConstExtError +# policyExtError +# policyInhibitExtError +# policyMapExtError +# policyQualifierError +# processLengthConstError +# pubKeyError +# QcEuCompliance +# QcLimitValueAlpha +# QcLimitValueNum +# QcSSCD +# QcStatementExtError +# 
QcUnknownStatement +# revokedAfterValidation +# rootKeyIsValidButNotATrustAnchor +# signatureNotVerified +# subjAltNameExtError +# totalPathLength +# trustAnchorIssuerError +# trustDNInvalid +# trustPubKeyError +# unknown diff --git a/emi.canl.canl-c/src/canl_locl.h b/emi.canl.canl-c/src/canl_locl.h index 28522ee..9d11e49 100644 --- a/emi.canl.canl-c/src/canl_locl.h +++ b/emi.canl.canl-c/src/canl_locl.h @@ -16,6 +16,13 @@ #include "canl.h" +typedef struct canl_err_desc { + CANL_ERROR code; + const char *desc; + unsigned long openssl_lib; + unsigned long openssl_reason; +} canl_err_desc; + typedef enum _CANL_ERROR_ORIGIN { unknown_error = 0, @@ -24,6 +31,7 @@ typedef enum _CANL_ERROR_ORIGIN colin_error } CANL_ERROR_ORIGIN; + typedef struct _cert_key_store { X509 *cert; EVP_PKEY *key; diff --git a/emi.canl.canl-c/src/gen_err_codes.pl b/emi.canl.canl-c/src/gen_err_codes.pl index 7fafde2..04ef224 100755 --- a/emi.canl.canl-c/src/gen_err_codes.pl +++ b/emi.canl.canl-c/src/gen_err_codes.pl @@ -11,7 +11,7 @@ typedef enum _CANL_ERROR {); while () { chomp; next if /^\s*#/; - printf ("\n EMI_Err_%s,", $_); + printf ("\n CANL_ERR_%s,", $_); } print STDOUT qq ( diff --git a/emi.canl.canl-c/src/gen_err_desc.pl b/emi.canl.canl-c/src/gen_err_desc.pl new file mode 100755 index 0000000..3aca980 --- /dev/null +++ b/emi.canl.canl-c/src/gen_err_desc.pl 
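Review bot: The description file carries no comment describing the record format that `gen_err_desc.pl` depends on, and nothing records that the generator reads only the `name=text` and `name.openssl_code=LIB,REASON` lines while every `.category=` line is ignored; a header comment such as `# Format: one entry per blank-line separated block: name=text, optional name.category=... (not used by the C generator), optional name.openssl_code=ERR_LIB_x,x_R_y` would prevent the next editor from assuming categories reach the C side. Each text is copied verbatim into a C string literal, so a `"` or `\` in a description breaks the generated file, and the `{0}`/`{1}` placeholders are not C format directives — the code that expands them is not part of this change, so the file should say which convention they follow. Several user-visible messages have typos worth fixing while the file is new: `proxy proxy certificate`, `the the relevant`, `less then two`, `More then one`; `pathLenghtExtended` is a key that must match `canl_error_codes`, so only its text, not its name, can be corrected here.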
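Review bot: The table that `gen_err_desc.pl` emits as `struct canl_err_desc canl_err_descs[]` is neither declared in this header nor bounded — it has no element count and no terminating entry — so a consumer has no safe way to iterate it; adding `extern canl_err_desc canl_err_descs[];` beside the new typedef and having the generator append a sentinel entry (for example one with `desc == NULL`) or emit a `canl_err_descs_count` would give lookups a limit. The new struct also lacks any comment on what its OpenSSL fields hold; based on what the generator writes (`ERR_LIB_NONE` and `0` when no mapping is given), `/* OpenSSL library and reason codes mapped to this error; ERR_LIB_NONE/0 when there is no mapping */` on the two `unsigned long` fields would document the contract. The second hunk adds only a blank line.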
@@ -0,0 +1,69 @@
+#!/usr/bin/perl
+
+my $codes_file = $ARGV[0];
+my $desc_file = $ARGV[1];
+
+my %codes;
+my $err_name, $err_dsc, $openssl_err_lib, $openssl_err_reason;
+
+sub make_c_line
+{
+ my ($err_name, $err_dsc, $openssl_err_lib, $openssl_err_reason) = @_;
+
+ printf("\n { CANL_ERR_%s, \"%s\", %s, %s },",
+ $err_name, $err_dsc,
+ ($openssl_err_lib) ? $openssl_err_lib : "ERR_LIB_NONE",
+ ($openssl_err_reason) ? $openssl_err_reason : 0);
+}
+
+die ("Usage: $0 ") if (!$codes_file || !$desc_file);
+
+open (ERRS, $codes_file) or die ("Failed to open $codes_file: $!");
+while () {
+ chomp;
+ next if /^\s*#/;
+ $codes{$_} = 1;
+}
+close (ERRS);
+
+print qq (/*
+ * Automatically generated file. Don't edit.
+ */
+
+#include "canl_locl.h"
+
+struct canl_err_desc canl_err_descs[] = {);
+
+open (DESC, $desc_file) or die ("Failed to open $desc_file: $!");
+while () {
+ chomp;
+ next if /^\s*#/;
+
+ $line = $_;
+ if (!$line) {
+ make_c_line($err_name, $err_dsc, $openssl_err_lib, $openssl_err_reason)
+ if ($err_name);
+ $err_name = $err_dsc = $openssl_err_lib = $openssl_err_reason = "";
+ next;
+ }
+
+ if (!$err_name) {
+ ($err_name, $err_dsc) = split(/=/, $line, 2);
+ defined($codes{$err_name}) or die("Unknown error code ('$err_name') read");
+ next;
+ }
+
+ if ($line =~ m/(.+)\.openssl_code=(.+),(.+)/) {
+ ($name, $openssl_err_lib, $openssl_err_reason) = ($1,$2,$3);
+ die ("Parsing error (\"$line\")") if ($name != $err_name);
+ next;
+ }
+}
+close (DESC);
+
+make_c_line ($err_name, $err_dsc, $openssl_err_lib, $openssl_err_reason)
+ if ($err_name);
+
+print STDOUT qq (
+};
+);
-- 
1.8.2.3
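Review bot: The name-consistency check on the `.openssl_code` line, `die (...) if ($name != $err_name);`, compares two identifier strings with the numeric `!=`, so both sides evaluate to 0 and a mismatched name is never reported; it needs the string operator: `die ("Parsing error (\"$line\")") if ($name ne $err_name);`. The script has no `use strict; use warnings;`, which would have flagged this, and `my $err_name, $err_dsc, $openssl_err_lib, $openssl_err_reason;` declares only `$err_name` (the others become package globals) — it should read `my ($err_name, $err_dsc, $openssl_err_lib, $openssl_err_reason);`. Both `open (ERRS, $codes_file)` and `open (DESC, $desc_file)` are two-argument opens on bareword handles taking paths from `@ARGV`, where a leading `<`/`>` or trailing `|` in the path is interpreted as a mode; the three-argument lexical form `open my $errs, '<', $codes_file or die "Failed to open $codes_file: $!";` fixes that. `$err_dsc` is interpolated into the C string literal unescaped, so a `"` or `\` in `canl_error_desc` yields an uncompilable `canl_err_desc.c`; either escape it before printing with `$err_dsc =~ s/([\\"])/\\$1/g;` or `die` when one is present. As rendered, `while () {` and `die ("Usage: $0 ")` appear to have lost angle-bracketed text (the filehandle reads and the usage placeholders), so those lines could not be reviewed as written.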