mirror of https://github.com/k3s-io/k3s
303 lines
9.9 KiB
Go
303 lines
9.9 KiB
Go
package x509
|
|
|
|
import "fmt"
|
|
|
|
// To preserve error IDs, only append to this list, never insert.
|
|
const (
|
|
ErrInvalidID ErrorID = iota
|
|
ErrInvalidCertList
|
|
ErrTrailingCertList
|
|
ErrUnexpectedlyCriticalCertListExtension
|
|
ErrUnexpectedlyNonCriticalCertListExtension
|
|
ErrInvalidCertListAuthKeyID
|
|
ErrTrailingCertListAuthKeyID
|
|
ErrInvalidCertListIssuerAltName
|
|
ErrInvalidCertListCRLNumber
|
|
ErrTrailingCertListCRLNumber
|
|
ErrNegativeCertListCRLNumber
|
|
ErrInvalidCertListDeltaCRL
|
|
ErrTrailingCertListDeltaCRL
|
|
ErrNegativeCertListDeltaCRL
|
|
ErrInvalidCertListIssuingDP
|
|
ErrTrailingCertListIssuingDP
|
|
ErrCertListIssuingDPMultipleTypes
|
|
ErrCertListIssuingDPInvalidFullName
|
|
ErrInvalidCertListFreshestCRL
|
|
ErrInvalidCertListAuthInfoAccess
|
|
ErrTrailingCertListAuthInfoAccess
|
|
ErrUnhandledCriticalCertListExtension
|
|
ErrUnexpectedlyCriticalRevokedCertExtension
|
|
ErrUnexpectedlyNonCriticalRevokedCertExtension
|
|
ErrInvalidRevocationReason
|
|
ErrTrailingRevocationReason
|
|
ErrInvalidRevocationInvalidityDate
|
|
ErrTrailingRevocationInvalidityDate
|
|
ErrInvalidRevocationIssuer
|
|
ErrUnhandledCriticalRevokedCertExtension
|
|
|
|
ErrMaxID
|
|
)
|
|
|
|
// idToError gives a template x509.Error for each defined ErrorID; where the Summary
|
|
// field may hold format specifiers that take field parameters.
|
|
var idToError map[ErrorID]Error
|
|
|
|
var errorInfo = []Error{
|
|
{
|
|
ID: ErrInvalidCertList,
|
|
Summary: "x509: failed to parse CertificateList: %v",
|
|
Field: "CertificateList",
|
|
SpecRef: "RFC 5280 s5.1",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrTrailingCertList,
|
|
Summary: "x509: trailing data after CertificateList",
|
|
Field: "CertificateList",
|
|
SpecRef: "RFC 5280 s5.1",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
|
|
{
|
|
ID: ErrUnexpectedlyCriticalCertListExtension,
|
|
Summary: "x509: certificate list extension %v marked critical but expected to be non-critical",
|
|
Field: "tbsCertList.crlExtensions.*.critical",
|
|
SpecRef: "RFC 5280 s5.2",
|
|
Category: MalformedCRL,
|
|
},
|
|
{
|
|
ID: ErrUnexpectedlyNonCriticalCertListExtension,
|
|
Summary: "x509: certificate list extension %v marked non-critical but expected to be critical",
|
|
Field: "tbsCertList.crlExtensions.*.critical",
|
|
SpecRef: "RFC 5280 s5.2",
|
|
Category: MalformedCRL,
|
|
},
|
|
|
|
{
|
|
ID: ErrInvalidCertListAuthKeyID,
|
|
Summary: "x509: failed to unmarshal certificate-list authority key-id: %v",
|
|
Field: "tbsCertList.crlExtensions.*.AuthorityKeyIdentifier",
|
|
SpecRef: "RFC 5280 s5.2.1",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrTrailingCertListAuthKeyID,
|
|
Summary: "x509: trailing data after certificate list auth key ID",
|
|
Field: "tbsCertList.crlExtensions.*.AuthorityKeyIdentifier",
|
|
SpecRef: "RFC 5280 s5.2.1",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrInvalidCertListIssuerAltName,
|
|
Summary: "x509: failed to parse CRL issuer alt name: %v",
|
|
Field: "tbsCertList.crlExtensions.*.IssuerAltName",
|
|
SpecRef: "RFC 5280 s5.2.2",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrInvalidCertListCRLNumber,
|
|
Summary: "x509: failed to unmarshal certificate-list crl-number: %v",
|
|
Field: "tbsCertList.crlExtensions.*.CRLNumber",
|
|
SpecRef: "RFC 5280 s5.2.3",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrTrailingCertListCRLNumber,
|
|
Summary: "x509: trailing data after certificate list crl-number",
|
|
Field: "tbsCertList.crlExtensions.*.CRLNumber",
|
|
SpecRef: "RFC 5280 s5.2.3",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrNegativeCertListCRLNumber,
|
|
Summary: "x509: negative certificate list crl-number: %d",
|
|
Field: "tbsCertList.crlExtensions.*.CRLNumber",
|
|
SpecRef: "RFC 5280 s5.2.3",
|
|
Category: MalformedCRL,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrInvalidCertListDeltaCRL,
|
|
Summary: "x509: failed to unmarshal certificate-list delta-crl: %v",
|
|
Field: "tbsCertList.crlExtensions.*.BaseCRLNumber",
|
|
SpecRef: "RFC 5280 s5.2.4",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrTrailingCertListDeltaCRL,
|
|
Summary: "x509: trailing data after certificate list delta-crl",
|
|
Field: "tbsCertList.crlExtensions.*.BaseCRLNumber",
|
|
SpecRef: "RFC 5280 s5.2.4",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrNegativeCertListDeltaCRL,
|
|
Summary: "x509: negative certificate list base-crl-number: %d",
|
|
Field: "tbsCertList.crlExtensions.*.BaseCRLNumber",
|
|
SpecRef: "RFC 5280 s5.2.4",
|
|
Category: MalformedCRL,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrInvalidCertListIssuingDP,
|
|
Summary: "x509: failed to unmarshal certificate list issuing distribution point: %v",
|
|
Field: "tbsCertList.crlExtensions.*.IssuingDistributionPoint",
|
|
SpecRef: "RFC 5280 s5.2.5",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrTrailingCertListIssuingDP,
|
|
Summary: "x509: trailing data after certificate list issuing distribution point",
|
|
Field: "tbsCertList.crlExtensions.*.IssuingDistributionPoint",
|
|
SpecRef: "RFC 5280 s5.2.5",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrCertListIssuingDPMultipleTypes,
|
|
Summary: "x509: multiple cert types set in issuing-distribution-point: user:%v CA:%v attr:%v",
|
|
Field: "tbsCertList.crlExtensions.*.IssuingDistributionPoint",
|
|
SpecRef: "RFC 5280 s5.2.5",
|
|
SpecText: "at most one of onlyContainsUserCerts, onlyContainsCACerts, and onlyContainsAttributeCerts may be set to TRUE.",
|
|
Category: MalformedCRL,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrCertListIssuingDPInvalidFullName,
|
|
Summary: "x509: failed to parse CRL issuing-distribution-point fullName: %v",
|
|
Field: "tbsCertList.crlExtensions.*.IssuingDistributionPoint.distributionPoint",
|
|
SpecRef: "RFC 5280 s5.2.5",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrInvalidCertListFreshestCRL,
|
|
Summary: "x509: failed to unmarshal certificate list freshestCRL: %v",
|
|
Field: "tbsCertList.crlExtensions.*.FreshestCRL",
|
|
SpecRef: "RFC 5280 s5.2.6",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrInvalidCertListAuthInfoAccess,
|
|
Summary: "x509: failed to unmarshal certificate list authority info access: %v",
|
|
Field: "tbsCertList.crlExtensions.*.AuthorityInfoAccess",
|
|
SpecRef: "RFC 5280 s5.2.7",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrTrailingCertListAuthInfoAccess,
|
|
Summary: "x509: trailing data after certificate list authority info access",
|
|
Field: "tbsCertList.crlExtensions.*.AuthorityInfoAccess",
|
|
SpecRef: "RFC 5280 s5.2.7",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrUnhandledCriticalCertListExtension,
|
|
Summary: "x509: unhandled critical extension in certificate list: %v",
|
|
Field: "tbsCertList.revokedCertificates.crlExtensions.*",
|
|
SpecRef: "RFC 5280 s5.2",
|
|
SpecText: "If a CRL contains a critical extension that the application cannot process, then the application MUST NOT use that CRL to determine the status of certificates.",
|
|
Category: MalformedCRL,
|
|
Fatal: true,
|
|
},
|
|
|
|
{
|
|
ID: ErrUnexpectedlyCriticalRevokedCertExtension,
|
|
Summary: "x509: revoked certificate extension %v marked critical but expected to be non-critical",
|
|
Field: "tbsCertList.revokedCertificates.crlEntryExtensions.*.critical",
|
|
SpecRef: "RFC 5280 s5.3",
|
|
Category: MalformedCRL,
|
|
},
|
|
{
|
|
ID: ErrUnexpectedlyNonCriticalRevokedCertExtension,
|
|
Summary: "x509: revoked certificate extension %v marked non-critical but expected to be critical",
|
|
Field: "tbsCertList.revokedCertificates.crlEntryExtensions.*.critical",
|
|
SpecRef: "RFC 5280 s5.3",
|
|
Category: MalformedCRL,
|
|
},
|
|
|
|
{
|
|
ID: ErrInvalidRevocationReason,
|
|
Summary: "x509: failed to parse revocation reason: %v",
|
|
Field: "tbsCertList.revokedCertificates.crlEntryExtensions.*.CRLReason",
|
|
SpecRef: "RFC 5280 s5.3.1",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrTrailingRevocationReason,
|
|
Summary: "x509: trailing data after revoked certificate reason",
|
|
Field: "tbsCertList.revokedCertificates.crlEntryExtensions.*.CRLReason",
|
|
SpecRef: "RFC 5280 s5.3.1",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrInvalidRevocationInvalidityDate,
|
|
Summary: "x509: failed to parse revoked certificate invalidity date: %v",
|
|
Field: "tbsCertList.revokedCertificates.crlEntryExtensions.*.InvalidityDate",
|
|
SpecRef: "RFC 5280 s5.3.2",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrTrailingRevocationInvalidityDate,
|
|
Summary: "x509: trailing data after revoked certificate invalidity date",
|
|
Field: "tbsCertList.revokedCertificates.crlEntryExtensions.*.InvalidityDate",
|
|
SpecRef: "RFC 5280 s5.3.2",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrInvalidRevocationIssuer,
|
|
Summary: "x509: failed to parse revocation issuer %v",
|
|
Field: "tbsCertList.revokedCertificates.crlEntryExtensions.*.CertificateIssuer",
|
|
SpecRef: "RFC 5280 s5.3.3",
|
|
Category: InvalidASN1Content,
|
|
Fatal: true,
|
|
},
|
|
{
|
|
ID: ErrUnhandledCriticalRevokedCertExtension,
|
|
Summary: "x509: unhandled critical extension in revoked certificate: %v",
|
|
Field: "tbsCertList.revokedCertificates.crlEntryExtensions.*",
|
|
SpecRef: "RFC 5280 s5.3",
|
|
SpecText: "If a CRL contains a critical CRL entry extension that the application cannot process, then the application MUST NOT use that CRL to determine the status of any certificates.",
|
|
Category: MalformedCRL,
|
|
Fatal: true,
|
|
},
|
|
}
|
|
|
|
func init() {
|
|
idToError = make(map[ErrorID]Error, len(errorInfo))
|
|
for _, info := range errorInfo {
|
|
idToError[info.ID] = info
|
|
}
|
|
}
|
|
|
|
// NewError builds a new x509.Error based on the template for the given id.
|
|
func NewError(id ErrorID, args ...interface{}) Error {
|
|
var err Error
|
|
if id >= ErrMaxID {
|
|
err.ID = id
|
|
err.Summary = fmt.Sprintf("Unknown error ID %v: args %+v", id, args)
|
|
err.Fatal = true
|
|
} else {
|
|
err = idToError[id]
|
|
err.Summary = fmt.Sprintf(err.Summary, args...)
|
|
}
|
|
return err
|
|
}
|