1 files changed, 56 insertions, 15 deletions

diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 02bde640d8e8..61d41117e2c0 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -1,7 +1,7 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
  * https://www.openssl.org/source/license.html
@@ -58,9 +58,9 @@ const char *X509_verify_cert_error_string(long n)
     case X509_V_ERR_OUT_OF_MEM:
         return "out of memory";
     case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
-        return "self signed certificate";
+        return "self-signed certificate";
     case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
-        return "self signed certificate in certificate chain";
+        return "self-signed certificate in certificate chain";
     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
         return "unable to get local issuer certificate";
     case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
@@ -69,12 +69,12 @@ const char *X509_verify_cert_error_string(long n)
         return "certificate chain too long";
     case X509_V_ERR_CERT_REVOKED:
         return "certificate revoked";
-    case X509_V_ERR_INVALID_CA:
-        return "invalid CA certificate";
+    case X509_V_ERR_NO_ISSUER_PUBLIC_KEY:
+        return "issuer certificate doesn't have a public key";
     case X509_V_ERR_PATH_LENGTH_EXCEEDED:
         return "path length constraint exceeded";
     case X509_V_ERR_INVALID_PURPOSE:
-        return "unsupported certificate purpose";
+        return "unsuitable certificate purpose";
     case X509_V_ERR_CERT_UNTRUSTED:
         return "certificate not trusted";
     case X509_V_ERR_CERT_REJECTED:
@@ -111,9 +111,9 @@ const char *X509_verify_cert_error_string(long n)
     case X509_V_ERR_NO_EXPLICIT_POLICY:
         return "no explicit policy";
     case X509_V_ERR_DIFFERENT_CRL_SCOPE:
-        return "Different CRL scope";
+        return "different CRL scope";
     case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
-        return "Unsupported extension feature";
+        return "unsupported extension feature";
     case X509_V_ERR_UNNESTED_RESOURCE:
         return "RFC 3779 resource not subset of parent's resources";
     case X509_V_ERR_PERMITTED_VIOLATION:
@@ -133,7 +133,7 @@ const char *X509_verify_cert_error_string(long n)
     case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
         return "CRL path validation error";
     case X509_V_ERR_PATH_LOOP:
-        return "Path Loop";
+        return "path loop";
     case X509_V_ERR_SUITE_B_INVALID_VERSION:
         return "Suite B: certificate version invalid";
     case X509_V_ERR_SUITE_B_INVALID_ALGORITHM:
@@ -147,13 +147,13 @@ const char *X509_verify_cert_error_string(long n)
     case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256:
         return "Suite B: cannot sign P-384 with P-256";
     case X509_V_ERR_HOSTNAME_MISMATCH:
-        return "Hostname mismatch";
+        return "hostname mismatch";
     case X509_V_ERR_EMAIL_MISMATCH:
-        return "Email address mismatch";
+        return "email address mismatch";
     case X509_V_ERR_IP_ADDRESS_MISMATCH:
         return "IP address mismatch";
     case X509_V_ERR_DANE_NO_MATCH:
-        return "No matching DANE TLSA records";
+        return "no matching DANE TLSA records";
     case X509_V_ERR_EE_KEY_TOO_SMALL:
         return "EE certificate key too weak";
     case X509_V_ERR_CA_KEY_TOO_SMALL:
@@ -161,9 +161,9 @@ const char *X509_verify_cert_error_string(long n)
     case X509_V_ERR_CA_MD_TOO_WEAK:
         return "CA signature digest algorithm too weak";
     case X509_V_ERR_INVALID_CALL:
-        return "Invalid certificate verification context";
+        return "invalid certificate verification context";
     case X509_V_ERR_STORE_LOOKUP:
-        return "Issuer certificate lookup error";
+        return "issuer certificate lookup error";
     case X509_V_ERR_NO_VALID_SCTS:
         return "Certificate Transparency required, but no valid SCTs found";
     case X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION:
@@ -174,9 +174,50 @@ const char *X509_verify_cert_error_string(long n)
         return "OCSP verification failed";
     case X509_V_ERR_OCSP_CERT_UNKNOWN:
         return "OCSP unknown cert";
+    case X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM:
+        return "Cannot find certificate signature algorithm";
+    case X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH:
+        return "subject signature algorithm and issuer public key algorithm mismatch";
+    case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY:
+        return "cert info signature and signature algorithm mismatch";
+    case X509_V_ERR_INVALID_CA:
+        return "invalid CA certificate";
+    case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA:
+        return "Path length invalid for non-CA cert";
+    case X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN:
+        return "Path length given without key usage keyCertSign";
+    case X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA:
+        return "Key usage keyCertSign invalid for non-CA cert";
+    case X509_V_ERR_ISSUER_NAME_EMPTY:
+        return "Issuer name empty";
+    case X509_V_ERR_SUBJECT_NAME_EMPTY:
+        return "Subject name empty";
+    case X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER:
+        return "Missing Authority Key Identifier";
+    case X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER:
+        return "Missing Subject Key Identifier";
+    case X509_V_ERR_EMPTY_SUBJECT_ALT_NAME:
+        return "Empty Subject Alternative Name extension";
+    case X509_V_ERR_CA_BCONS_NOT_CRITICAL:
+        return "Basic Constraints of CA cert not marked critical";
+    case X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL:
+        return "Subject empty and Subject Alt Name extension not critical";
+    case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL:
+        return "Authority Key Identifier marked critical";
+    case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL:
+        return "Subject Key Identifier marked critical";
+    case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE:
+        return "CA cert does not include key usage extension";
+    case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3:
+        return "Using cert extension requires at least X509v3";
     case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS:
         return "Certificate public key has explicit ECC parameters";
 
+        /*
+         * Entries must be kept consistent with include/openssl/x509_vfy.h.in
+         * and with doc/man3/X509_STORE_CTX_get_error.pod
+         */
+
     default:
         /* Printing an error number into a static buffer is not thread-safe */
         return "unknown certificate verification error";