Common error messages

To be discussed, extended, corrected. Currently only Java implementation's messages. Each error message consists of: error code (string, to be processed by the software), message (string, human readable), category (a coarse grained identifier of the error's class) and position (integer, position in chain which caused the error or -1 if the whole chain is affected). Sometimes errors require a dynamic parameters.

Below is the list of codes and corresponding messages. For each code also the category is defined (using the convention code.category=CATEGORY_NAME). Dynamic parameters are marked as '{NUMBER}' and should be self-explanatory.

#
# Generic errors
#

unknown=Unknown error
unknown.category=OTHER

unknownMsg={0}
unknownMsg.category=OTHER

inputError=Input certificate chain processing error: {0}
inputError.category=GENERAL_INPUT

#
# Namespace related errors
#

nsUndefinedAndRequired=Namespace definition for the certificate issuer ({0}) is not defined, and namespaces are configured to be required.
nsUndefinedAndRequired.category=NAMESPACE

nsDeny=The certificate subject {0} is denied by the namespace policy: {1}
nsDeny.category=NAMESPACE

nsNotAccepted=The certificate subject {0} is not accepted by any rule of the the relevant namespace policies. Policies which matches the issuer are: {1}
nsNotAccepted.category=NAMESPACE


#
# Proxy certificate specific errors
#

proxyEECInChain=Certificate issued by an end-entity certificate or a proxy certificate is not a proxy proxy certificate.
proxyEECInChain.category=INCONSISTENT_PROXY_CHAIN

proxyLength=At the current position the proxy certificates chain exceeded its length limit.
proxyLength.category=INCONSISTENT_PROXY_CHAIN

proxyNoIssuer=Issuing end entity certificate was not found in the chain with proxy certificates.
proxyNoIssuer.category=INCONSISTENT_PROXY_CHAIN

proxyCASet=Proxy certificate has the cA field set
proxyCASet.category=INVALID_PROXY_CERT

proxyIssuerAltNameSet=Proxy certificate has the IssuerAlternativeName set
proxyIssuerAltNameSet.category=INVALID_PROXY_CERT

proxySubjectAltNameSet=Proxy certificate has the SubjectAlternativeName set
proxySubjectAltNameSet.category=INVALID_PROXY_CERT

proxyIssuedByCa=Proxy certificate issuer has the cA field set
proxyIssuedByCa.category=INCONSISTENT_PROXY_CHAIN

proxyNoIssuerSubject=Proxy certificate issuer has no Subject field set
proxyNoIssuerSubject.category=INVALID_PROXY_CERT

proxySubjectInconsistent=Proxy certificate issuer field is different than the issuing certificate subject field set.
proxySubjectInconsistent.category=INCONSISTENT_PROXY_CHAIN

proxyIssuerNoDsig=Proxy certificate issuer has no digital signature creation right
proxyIssuerNoDsig.category=INCONSISTENT_PROXY_CHAIN

proxySubjectOneRDN=The proxy certificate subject name has less then two elements
proxySubjectOneRDN.category=INVALID_PROXY_CERT

proxySubjectMultiLastRDN=The last RDN in proxy subject name is multivalued
proxySubjectMultiLastRDN.category=INVALID_PROXY_CERT

proxySubjectLastRDNNotCN=The last RDN in proxy subject name is not a CN
proxySubjectLastRDNNotCN.category=INVALID_PROXY_CERT

proxySubjectBaseWrong=The proxy subject without its last CN component is not equal to its issuer name
proxySubjectBaseWrong.category=INVALID_PROXY_CERT


#
# Regular X.509 path validation errors
#

noIssuerPublicKey=Trusted issuer of this certificate was not established
noIssuerPublicKey.category=X509_CHAIN

noBasicConstraints=The selected CA certificate does not contain the mandatory Basic Constraints extension
noBasicConstraints.category=X509_BASIC

pathLenghtExtended=Total chain length exceeds the limit
pathLenghtExtended.category=X509_CHAIN

conflictingTrustAnchors=More then one trusted CA certificate was found for the certificate chain
conflictingTrustAnchors.category=X509_CHAIN

noTrustAnchorFound=No trusted CA certificate was found for the certificate chain
noTrustAnchorFound.category=X509_CHAIN

trustButInvalidCert=CA certificate was found for the certificate chain but the initial certificate in chain is not issued (correctly signed) by the CA certificate
trustButInvalidCert.category=X509_CHAIN

signatureNotVerified=Unable to verify signature of certificates in the chain: {0}
signatureNotVerified.category=X509_BASIC

certificateNotYetValid=Certificate is not yet valid. Will be from: {0}
certificateNotYetValid.category=X509_BASIC

certificateExpired=Certificate has expired at: {0}
certificateExpired.category=X509_BASIC

noCACert=CA certificate was not found for the chain
noCACert.category=X509_CHAIN

noCertSign=Issuer of the certificate is not eligible to sign certificates as its certificate has no keyCertSign flag set in its KeyUsage extension.
noCertSign.category=X509_CHAIN

unknownCriticalExt=Unknown critical extension was found: {0}
unknownCriticalExt.category=X509_BASIC

certRevoked=Certificate was revoked at: {0}, the reason reported is: {1}
certRevoked.category=CRL

noBaseCRL=Base CRL for the delta CRL was not found
noBaseCRL.category=CRL

noValidCrlFound=No valid CRL was found for the CA which issued the chain
noValidCrlFound.category=CRL

For those errors, the human friendly messages were not yet prepared. Those errors should be rare. It will be improved over time, help is welcome!

certPathCheckerError
certPathValidDate
certWrongIssuer
criticalExtensionError
crlAuthInfoAccError
crlBCExtError
crlDistPoint
crlDistPtExtError
crlExtractionError
crlIssuerException
crlNbrExtError
crlNoIssuerPublicKey
crlOnlyAttrCert
crlOnlyCaCert
crlOnlyUserCert
crlReasonExtError
crlUpdateAvailable
crlVerifyFailed
deltaCrlExtError
distrPtExtError
emptyCertPath
errorProcesingBC
excludedDN
excludedEmail
excludedIP
explicitPolicy
invalidPolicy
invalidPolicyMapping
loadCrlDistPointError
localInvalidCRL
localValidCRL
ncExtError
ncSubjectNameError
noCrlInCertstore
noCrlSigningPermited
notPermittedDN
notPermittedEmail
notPermittedIP
notRevoked
noValidPolicyTree
ocspLocation
onlineCRLWrongCA
onlineInvalidCRL
onlineValidCRL
policyConstExtError
policyExtError
policyInhibitExtError
policyMapExtError
policyQualifierError
processLengthConstError
pubKeyError
QcEuCompliance
QcLimitValueAlpha
QcLimitValueNum
QcSSCD
QcStatementExtError
QcUnknownStatement
revokedAfterValidation
rootKeyIsValidButNotATrustAnchor
signatureNotVerified
subjAltNameExtError
totalPathLength
trustAnchorIssuerError
trustDNInvalid
trustPubKeyError
unknown

-- KrzysztofBenedyczak - 17-Oct-2011

Edit | Attach | Watch | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r3 - 2011-11-13 - unknown
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EMI All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback