9 // Error is the error type usually returned by functions in CF SSL package.
10 // It contains a 4-digit error code where the most significant digit
11 // describes the category where the error occurred and the remaining 3 digits
12 // describe the specific error reason.
14 ErrorCode int `json:"code"`
15 Message string `json:"message"`
18 // Category is the most significant digit of the error code.
21 // Reason is the last 3 digits of the error code.
25 // Success indicates no error occurred.
26 Success Category = 1000 * iota // 0XXX
28 // CertificateError indicates a fault in a certificate.
29 CertificateError // 1XXX
31 // PrivateKeyError indicates a fault in a private key.
32 PrivateKeyError // 2XXX
34 // IntermediatesError indicates a fault in an intermediate.
35 IntermediatesError // 3XXX
37 // RootError indicates a fault in a root.
40 // PolicyError indicates an error arising from a malformed or
41 // non-existent policy, or a breach of policy.
44 // DialError indicates a network fault.
47 // APIClientError indicates a problem with the API client.
48 APIClientError // 7XXX
50 // OCSPError indicates a problem with OCSP signing
53 // CSRError indicates a problem with CSR parsing
56 // CTError indicates a problem with the certificate transparency process
59 // CertStoreError indicates a problem with the certificate store
60 CertStoreError // 11XXX
63 // None is a non-specified error.
68 // Warning code for a success
70 BundleExpiringBit int = 1 << iota // 0x01
71 BundleNotUbiquitousBit // 0x02
76 Unknown Reason = iota // X000
82 // The following represent certificate non-parsing errors, and must be
83 // specified along with CertificateError.
85 // SelfSigned indicates that a certificate is self-signed and
86 // cannot be used in the manner being attempted.
87 SelfSigned Reason = 100 * (iota + 1) // Code 11XX
89 // VerifyFailed is an X.509 verification failure. The two least
90 // significant digits of 12XX are determined by the actual x509
92 VerifyFailed // Code 12XX
94 // BadRequest indicates that the certificate request is invalid.
95 BadRequest // Code 13XX
97 // MissingSerial indicates that the profile specified
98 // 'ClientProvidesSerialNumbers', but the SignRequest did not include a serial
100 MissingSerial // Code 14XX
104 certificateInvalid = 10 * (iota + 1) //121X
105 unknownAuthority //122x
108 // The following represent private-key non-parsing errors, and must be
109 // specified with PrivateKeyError.
111 // Encrypted indicates that the private key is a PKCS #8 encrypted
112 // private key. At this time, CFSSL does not support decrypting
114 Encrypted Reason = 100 * (iota + 1) //21XX
116 // NotRSAOrECC indicates that the key is not an RSA or ECC
117 // private key; these are the only two private key types supported
118 // at this time by CFSSL.
121 // KeyMismatch indicates that the private key does not match
122 // the public key or certificate being presented with the key.
125 // GenerationFailed indicates that a private key could not
127 GenerationFailed //24XX
129 // Unavailable indicates that a private key mechanism (such as
130 // PKCS #11) was requested but support for that mechanism is
135 // The following are policy-related non-parsing errors, and must be
136 // specified along with PolicyError.
138 // NoKeyUsages indicates that the profile does not permit any
139 // key usages for the certificate.
140 NoKeyUsages Reason = 100 * (iota + 1) // 51XX
142 // InvalidPolicy indicates that policy being requested is not
143 // a valid policy or does not exist.
144 InvalidPolicy // 52XX
146 // InvalidRequest indicates a certificate request violated the
147 // constraints of the policy being applied to the request.
148 InvalidRequest // 53XX
150 // UnknownProfile indicates that the profile does not exist.
151 UnknownProfile // 54XX
153 UnmatchedWhitelist // 55xx
156 // The following are API client related errors, and should be
157 // specified with APIClientError.
159 // AuthenticationFailure occurs when the client is unable
160 // to obtain an authentication token for the request.
161 AuthenticationFailure Reason = 100 * (iota + 1)
163 // JSONError wraps an encoding/json error.
166 // IOError wraps an io/ioutil error.
169 // ClientHTTPError wraps a net/http error.
172 // ServerRequestFailed covers any other failures from the API
177 // The following are OCSP related errors, and should be
178 // specified with OCSPError
180 // IssuerMismatch occurs when the certificate in the OCSP signing
181 // request was not issued by the CA that this responder responds for.
182 IssuerMismatch Reason = 100 * (iota + 1) // 81XX
184 // InvalidStatus occurs when the OCSP signing requests includes an
185 // invalid value for the certificate status.
189 // Certificate transparency related errors specified with CTError
191 // PrecertSubmissionFailed occurs when submitting a precertificate to
192 // a log server fails
193 PrecertSubmissionFailed = 100 * (iota + 1)
196 // Certificate persistence related errors specified with CertStoreError
198 // InsertionFailed occurs when a SQL insert query fails to complete.
199 InsertionFailed = 100 * (iota + 1)
200 // RecordNotFound occurs when a SQL query targeting on one unique
201 // record fails to update the specified row in the table.
205 // The error interface implementation, which formats to a JSON object string.
206 func (e *Error) Error() string {
207 marshaled, err := json.Marshal(e)
211 return string(marshaled)
215 // New returns an error that contains an error code and message derived from
216 // the given category, reason. Currently, to avoid confusion, it is not
217 // allowed to create an error of category Success
218 func New(category Category, reason Reason) *Error {
219 errorCode := int(category) + int(reason)
225 msg = "No certificate provided"
227 msg = "Certificate not issued by this issuer"
229 msg = "Invalid revocation status"
231 case CertificateError:
234 msg = "Unknown certificate error"
236 msg = "Failed to read certificate"
238 msg = "Failed to decode certificate"
240 msg = "Failed to parse certificate"
242 msg = "Certificate is self signed"
244 msg = "Unable to verify certificate"
246 msg = "Invalid certificate request"
248 msg = "Missing serial number in request"
250 panic(fmt.Sprintf("Unsupported CFSSL error reason %d under category CertificateError.",
254 case PrivateKeyError:
257 msg = "Unknown private key error"
259 msg = "Failed to read private key"
261 msg = "Failed to decode private key"
263 msg = "Failed to parse private key"
265 msg = "Private key is encrypted."
267 msg = "Private key algorithm is not RSA or ECC"
269 msg = "Private key does not match public key"
270 case GenerationFailed:
271 msg = "Failed to new private key"
273 msg = "Private key is unavailable"
275 panic(fmt.Sprintf("Unsupported CFSSL error reason %d under category PrivateKeyError.",
278 case IntermediatesError:
281 msg = "Unknown intermediate certificate error"
283 msg = "Failed to read intermediate certificate"
285 msg = "Failed to decode intermediate certificate"
287 msg = "Failed to parse intermediate certificate"
289 panic(fmt.Sprintf("Unsupported CFSSL error reason %d under category IntermediatesError.",
295 msg = "Unknown root certificate error"
297 msg = "Failed to read root certificate"
299 msg = "Failed to decode root certificate"
301 msg = "Failed to parse root certificate"
303 panic(fmt.Sprintf("Unsupported CFSSL error reason %d under category RootError.",
309 msg = "Unknown policy error"
311 msg = "Invalid policy: no key usage available"
313 msg = "Invalid or unknown policy"
315 msg = "Policy violation request"
317 msg = "Unknown policy profile"
318 case UnmatchedWhitelist:
319 msg = "Request does not match policy whitelist"
321 panic(fmt.Sprintf("Unsupported CFSSL error reason %d under category PolicyError.",
327 msg = "Failed to dial remote server"
329 panic(fmt.Sprintf("Unsupported CFSSL error reason %d under category DialError.",
334 case AuthenticationFailure:
335 msg = "API client authentication failure"
337 msg = "API client JSON config error"
338 case ClientHTTPError:
339 msg = "API client HTTP error"
341 msg = "API client IO error"
342 case ServerRequestFailed:
343 msg = "API client error: Server request failed"
345 panic(fmt.Sprintf("Unsupported CFSSL error reason %d under category APIClientError.",
351 msg = "CSR parsing failed due to unknown error"
353 msg = "CSR file read failed"
355 msg = "CSR Parsing failed"
357 msg = "CSR Decode failed"
359 msg = "CSR Bad request"
361 panic(fmt.Sprintf("Unsupported CF-SSL error reason %d under category APIClientError.", reason))
366 msg = "Certificate transparency parsing failed due to unknown error"
367 case PrecertSubmissionFailed:
368 msg = "Certificate transparency precertificate submission failed"
370 panic(fmt.Sprintf("Unsupported CF-SSL error reason %d under category CTError.", reason))
375 msg = "Certificate store action failed due to unknown error"
377 panic(fmt.Sprintf("Unsupported CF-SSL error reason %d under category CertStoreError.", reason))
381 panic(fmt.Sprintf("Unsupported CFSSL error type: %d.",
384 return &Error{ErrorCode: errorCode, Message: msg}
387 // Wrap returns an error that contains the given error and an error code derived from
388 // the given category, reason and the error. Currently, to avoid confusion, it is not
389 // allowed to create an error of category Success
390 func Wrap(category Category, reason Reason, err error) *Error {
391 errorCode := int(category) + int(reason)
393 panic("Wrap needs a supplied error to initialize.")
396 // do not double wrap a error
399 panic("Unable to wrap a wrapped error.")
403 case CertificateError:
404 // given VerifyFailed , report the status with more detailed status code
405 // for some certificate errors we care.
406 if reason == VerifyFailed {
407 switch errorType := err.(type) {
408 case x509.CertificateInvalidError:
409 errorCode += certificateInvalid + int(errorType.Reason)
410 case x509.UnknownAuthorityError:
411 errorCode += unknownAuthority
414 case PrivateKeyError, IntermediatesError, RootError, PolicyError, DialError,
415 APIClientError, CSRError, CTError, CertStoreError:
416 // no-op, just use the error
418 panic(fmt.Sprintf("Unsupported CFSSL error type: %d.",
422 return &Error{ErrorCode: errorCode, Message: err.Error()}