1.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.25 2022/11/29 19:52:48 tb Exp $ 2.\" full merge up to: 3.\" OpenSSL man3/X509_STORE_CTX_get_error 24a535ea Sep 22 13:14:20 2020 +0100 4.\" OpenSSL man3/X509_STORE_CTX_new 24a535ea Sep 22 13:14:20 2020 +0100 5.\" 6.\" This file is a derived work. 7.\" The changes are covered by the following Copyright and license: 8.\" 9.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org> 10.\" 11.\" Permission to use, copy, modify, and distribute this software for any 12.\" purpose with or without fee is hereby granted, provided that the above 13.\" copyright notice and this permission notice appear in all copies. 14.\" 15.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 16.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 17.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 18.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 19.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22.\" 23.\" The original file was written by Dr. Stephen Henson <steve@openssl.org> 24.\" and Rich Salz <rsalz@openssl.org>. 25.\" Copyright (c) 2009, 2016 The OpenSSL Project. All rights reserved. 26.\" 27.\" Redistribution and use in source and binary forms, with or without 28.\" modification, are permitted provided that the following conditions 29.\" are met: 30.\" 31.\" 1. Redistributions of source code must retain the above copyright 32.\" notice, this list of conditions and the following disclaimer. 33.\" 34.\" 2. Redistributions in binary form must reproduce the above copyright 35.\" notice, this list of conditions and the following disclaimer in 36.\" the documentation and/or other materials provided with the 37.\" distribution. 38.\" 39.\" 3. 
All advertising materials mentioning features or use of this 40.\" software must display the following acknowledgment: 41.\" "This product includes software developed by the OpenSSL Project 42.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 43.\" 44.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 45.\" endorse or promote products derived from this software without 46.\" prior written permission. For written permission, please contact 47.\" openssl-core@openssl.org. 48.\" 49.\" 5. Products derived from this software may not be called "OpenSSL" 50.\" nor may "OpenSSL" appear in their names without prior written 51.\" permission of the OpenSSL Project. 52.\" 53.\" 6. Redistributions of any form whatsoever must retain the following 54.\" acknowledgment: 55.\" "This product includes software developed by the OpenSSL Project 56.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" 57.\" 58.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 59.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 60.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 61.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 62.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 63.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 64.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 65.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 66.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 67.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 68.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 69.\" OF THE POSSIBILITY OF SUCH DAMAGE. 
70.\" 71.Dd $Mdocdate: November 29 2022 $ 72.Dt X509_STORE_CTX_GET_ERROR 3 73.Os 74.Sh NAME 75.Nm X509_STORE_CTX_get_error , 76.Nm X509_STORE_CTX_set_error , 77.Nm X509_STORE_CTX_get_error_depth , 78.Nm X509_STORE_CTX_set_error_depth , 79.Nm X509_STORE_CTX_get_current_cert , 80.Nm X509_STORE_CTX_set_current_cert , 81.Nm X509_STORE_CTX_get0_current_issuer , 82.Nm X509_STORE_CTX_get0_current_crl , 83.Nm X509_STORE_CTX_get0_parent_ctx , 84.Nm X509_STORE_CTX_get_num_untrusted , 85.Nm X509_STORE_CTX_get0_chain , 86.Nm X509_STORE_CTX_get_chain , 87.Nm X509_STORE_CTX_get1_chain , 88.Nm X509_STORE_CTX_set0_verified_chain , 89.Nm X509_STORE_CTX_get0_policy_tree , 90.Nm X509_STORE_CTX_get_explicit_policy , 91.Nm X509_verify_cert_error_string 92.Nd get or set certificate verification status information 93.Sh SYNOPSIS 94.In openssl/x509_vfy.h 95.Ft int 96.Fo X509_STORE_CTX_get_error 97.Fa "X509_STORE_CTX *ctx" 98.Fc 99.Ft void 100.Fo X509_STORE_CTX_set_error 101.Fa "X509_STORE_CTX *ctx" 102.Fa "int s" 103.Fc 104.Ft int 105.Fo X509_STORE_CTX_get_error_depth 106.Fa "X509_STORE_CTX *ctx" 107.Fc 108.Ft void 109.Fo X509_STORE_CTX_set_error_depth 110.Fa "X509_STORE_CTX *ctx" 111.Fa "int depth" 112.Fc 113.Ft X509 * 114.Fo X509_STORE_CTX_get_current_cert 115.Fa "X509_STORE_CTX *ctx" 116.Fc 117.Ft void 118.Fo X509_STORE_CTX_set_current_cert 119.Fa "X509_STORE_CTX *ctx" 120.Fa "X509 *cert" 121.Fc 122.Ft X509 * 123.Fo X509_STORE_CTX_get0_current_issuer 124.Fa "X509_STORE_CTX *ctx" 125.Fc 126.Ft X509_CRL * 127.Fo X509_STORE_CTX_get0_current_crl 128.Fa "X509_STORE_CTX *ctx" 129.Fc 130.Ft X509_STORE_CTX * 131.Fo X509_STORE_CTX_get0_parent_ctx 132.Fa "X509_STORE_CTX *ctx" 133.Fc 134.Ft int 135.Fo X509_STORE_CTX_get_num_untrusted 136.Fa "X509_STORE_CTX *ctx" 137.Fc 138.Ft STACK_OF(X509) * 139.Fo X509_STORE_CTX_get0_chain 140.Fa "X509_STORE_CTX *ctx" 141.Fc 142.Ft STACK_OF(X509) * 143.Fo X509_STORE_CTX_get_chain 144.Fa "X509_STORE_CTX *ctx" 145.Fc 146.Ft STACK_OF(X509) * 147.Fo 
X509_STORE_CTX_get1_chain 148.Fa "X509_STORE_CTX *ctx" 149.Fc 150.Ft void 151.Fo X509_STORE_CTX_set0_verified_chain 152.Fa "X509_STORE_CTX *ctx" 153.Fa "STACK_OF(X509) *chain" 154.Fc 155.Ft X509_POLICY_TREE * 156.Fo X509_STORE_CTX_get0_policy_tree 157.Fa "X509_STORE_CTX *ctx" 158.Fc 159.Ft int 160.Fo X509_STORE_CTX_get_explicit_policy 161.Fa "X509_STORE_CTX *ctx" 162.Fc 163.In openssl/x509.h 164.Ft const char * 165.Fo X509_verify_cert_error_string 166.Fa "long n" 167.Fc 168.Sh DESCRIPTION 169Most of these functions are typically called after 170.Xr X509_verify_cert 3 171to inspect status information related to certificate verification. 172Some may also be called in a verification callback to determine the 173nature of an error. 174.Pp 175.Fn X509_STORE_CTX_get_error 176returns the error code of 177.Fa ctx . 178See the 179.Sy ERROR CODES 180section for a full description of all error codes. 181.Pp 182.Fn X509_STORE_CTX_set_error 183sets the error code of 184.Fa ctx 185to 186.Fa s . 187For example it might be used in a verification callback to set an error 188based on additional checks. 189.Pp 190.Fn X509_STORE_CTX_get_error_depth 191returns the depth of the error. 192This is a non-negative integer representing where in the certificate 193chain the error occurred. 194If it is zero, it occurred in the end entity certificate, one if it is 195the certificate which signed the end entity certificate, and so on. 196.Pp 197.Fn X509_STORE_CTX_set_error_depth 198sets the error depth. 199This can be used in combination with 200.Fn X509_STORE_CTX_set_error 201to set the depth at which an error condition was detected. 202.Pp 203.Fn X509_STORE_CTX_get_current_cert 204returns the certificate in 205.Fa ctx 206which caused the error or 207.Dv NULL 208if no certificate is relevant. 209.Pp 210.Fn X509_STORE_CTX_set_current_cert 211sets the certificate which caused the error in 212.Fa ctx 213to the given 214.Fa cert . 
215This value is not intended to remain valid for very long, 216and remains owned by the caller. 217It may be examined by a verification callback invoked to handle 218each error encountered during chain verification and is no longer 219required after such a callback. 220If a callback wishes to save the certificate for use after it returns, 221it needs to increment its reference count via 222.Xr X509_up_ref 3 . 223Once such a saved certificate is no longer needed, it can be freed with 224.Xr X509_free 3 . 225.Pp 226.Fn X509_STORE_CTX_get0_current_issuer 227returns the certificate that caused issuer validation to fail or 228.Dv NULL 229if no CA certificate is relevant. 230.Pp 231.Fn X509_STORE_CTX_get0_current_crl 232returns the certificate revocation list that caused CRL checking to fail or 233.Dv NULL 234if no CRL is relevant. 235.Pp 236When, during certification path validation, the need arises to check 237the validity of the certification path of a CRL issuer certificate, 238the library creates a new, temporary 239.Vt X509_STORE_CTX 240object. 241If 242.Fn X509_STORE_CTX_get0_parent_ctx 243is called on that temporary object, a pointer to the original 244certification path validation context is returned. 245This may be useful in callback functions called from 246.Xr X509_verify_cert 3 247or from its subroutines to find out whether the callback is called 248from the path validation of the target certificate or from the path 249validation of a related CRL issuer certificate, and if the latter, 250what the target certificate is. 251.Pp 252.Fn X509_STORE_CTX_get0_chain 253returns an internal pointer to a complete validated chain 254if a previous call to 255.Xr X509_verify_cert 3 256was successful. 257If the call to 258.Xr X509_verify_cert 3 259was not successful, the returned chain may be incomplete or invalid. 260.Fn X509_STORE_CTX_get_chain 261is a deprecated alias of 262.Fn X509_STORE_CTX_get0_chain . 
263.Fn X509_STORE_CTX_get1_chain 264returns a deep copy of the same chain which persists even after the 265.Fa ctx 266structure is freed. 267When it is no longer needed, it should be freed using 268.Fn sk_X509_pop_free chain X509_free . 269.Pp 270.Fn X509_STORE_CTX_set0_verified_chain 271frees the validated chain generated by a previous call to 272.Xr X509_verify_cert 3 , 273if any, and replaces it with the given 274.Fa chain . 275Ownership of the 276.Fa chain 277is transferred to the 278.Fa ctx , 279so it should not be freed by the caller. 280.Pp 281.Fn X509_verify_cert_error_string 282returns a human readable error string for verification error 283.Fa n . 284.Pp 285The above functions should be used instead of directly referencing the 286fields in the 287.Sy X509_VERIFY_CTX 288structure. 289.Pp 290In versions of OpenSSL before 1.0, the current certificate returned by 291.Fn X509_STORE_CTX_get_current_cert 292was never 293.Dv NULL . 294Applications should check the return value before printing out any 295debugging information relating to the current certificate. 296.Pp 297If an unrecognised error code is passed to 298.Fn X509_verify_cert_error_string , 299"Unknown certificate verification error" 300is returned. 301This should never happen unless an invalid code is passed. 302.Sh RETURN VALUES 303.Fn X509_STORE_CTX_get_error 304returns 305.Dv X509_V_OK 306or an error code. 307.Pp 308.Fn X509_STORE_CTX_get_error_depth 309returns a non-negative error depth. 310.Pp 311.Fn X509_STORE_CTX_get_current_cert , 312.Fn X509_STORE_CTX_get0_current_issuer , 313and 314.Fn X509_STORE_CTX_get0_current_crl 315return the object which caused the error or 316.Dv NULL 317if no object of the requested kind is relevant to the error. 318.Pp 319.Fn X509_STORE_CTX_get0_parent_ctx 320returns the parent context or 321.Dv NULL 322if 323.Fa ctx 324is not a temporary child context 325used for path validation of a CRL issuer certificate. 
326.Pp 327.Fn X509_STORE_CTX_get_num_untrusted 328returns the number of untrusted certificates 329that were used in building the chain during a call to 330.Xr X509_verify_cert 3 . 331.Pp 332.Fn X509_STORE_CTX_get0_chain , 333.Fn X509_STORE_CTX_get_chain , 334and 335.Fn X509_STORE_CTX_get1_chain 336return a pointer to a stack of certificates or 337.Dv NULL 338if an error occurs. 339.Pp 340.Fn X509_STORE_CTX_get0_policy_tree 341returns an internal pointer to the 342.Fa valid_policy_tree 343created by 344.Xr X509_policy_check 3 345or 346.Dv NULL 347if validation failed or the resulting tree was empty. 348.Pp 349.Fn X509_STORE_CTX_get_explicit_policy 350returns the 351.Pf * Fa pexplicit_policy 352output argument of 353.Xr X509_policy_check 3 . 354If validation succeeded, it is 1 if 355.Dv X509_V_FLAG_EXPLICIT_POLICY 356was requested or 0 otherwise. 357.Pp 358.Fn X509_verify_cert_error_string 359returns a human readable error string for verification error 360.Fa n . 361.Sh ERROR CODES 362A list of error codes and messages is shown below. 363Some of the error codes are defined but currently never returned: 364these are described as "unused". 365.Bl -tag -width Ds 366.It Dv X509_V_OK : No ok 367The operation was successful. 368.It Dv X509_V_ERR_UNSPECIFIED : \ 369 No Unspecified certificate verification error 370An error was encountered during certificate verification and 371the internal routines failed to set a more specific error. 372.It Dv X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT : \ 373 No unable to get issuer certificate 374The issuer certificate of a locally looked up certificate could not be found. 375This normally means the list of trusted certificates is not complete. 376.It Dv X509_V_ERR_UNABLE_TO_GET_CRL : No unable to get certificate CRL 377The CRL of a certificate could not be found. 378.It Dv X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE : \ 379 No unable to decrypt certificate's signature 380The certificate signature could not be decrypted. 
381This means that the actual signature value could not be determined 382rather than it not matching the expected value. 383This is only meaningful for RSA keys. 384.It Dv X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE : \ 385 No unable to decrypt CRL's signature 386The CRL signature could not be decrypted: this means that the actual 387signature value could not be determined rather than it not matching the 388expected value. 389Unused. 390.It Dv X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY : \ 391 No unable to decode issuer public key 392The public key in the certificate 393.Vt SubjectPublicKeyInfo 394could not be read. 395.It Dv X509_V_ERR_CERT_SIGNATURE_FAILURE : No certificate signature failure 396The signature of the certificate is invalid. 397.It Dv X509_V_ERR_CRL_SIGNATURE_FAILURE : No CRL signature failure 398The signature of the CRL is invalid. 399.It Dv X509_V_ERR_CERT_NOT_YET_VALID : No certificate is not yet valid 400The certificate is not yet valid: the notBefore date is after the 401current time. 402.It Dv X509_V_ERR_CERT_HAS_EXPIRED : No certificate has expired 403The certificate has expired: that is the notAfter date is before the 404current time. 405.It Dv X509_V_ERR_CRL_NOT_YET_VALID : No CRL is not yet valid 406The CRL is not yet valid. 407.It Dv X509_V_ERR_CRL_HAS_EXPIRED : No CRL has expired 408The CRL has expired. 409.It Dv X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD : \ 410 No format error in certificate's notBefore field 411The certificate notBefore field contains an invalid time. 412.It Dv X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD : \ 413 No format error in certificate's notAfter field 414The certificate notAfter field contains an invalid time. 415.It Dv X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD : \ 416 No format error in CRL's lastUpdate field 417The CRL lastUpdate field contains an invalid time. 
418.It Dv X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD : \ 419 No format error in CRL's nextUpdate field 420The CRL nextUpdate field contains an invalid time. 421.It Dv X509_V_ERR_OUT_OF_MEM : No out of memory 422An error occurred trying to allocate memory. 423This should never happen. 424.It Dv X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT : No self signed certificate 425The passed certificate is self signed and the same certificate cannot be 426found in the list of trusted certificates. 427.It Dv X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN : \ 428 No self signed certificate in certificate chain 429The certificate chain could be built up using the untrusted certificates 430but the root could not be found locally. 431.It Dv X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY : \ 432 No unable to get local issuer certificate 433The issuer certificate could not be found: this occurs if the issuer 434certificate of an untrusted certificate cannot be found. 435.It Dv X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE : \ 436 No unable to verify the first certificate 437No signatures could be verified because the chain contains only one 438certificate and it is not self signed. 439.It Dv X509_V_ERR_CERT_CHAIN_TOO_LONG : No certificate chain too long 440The certificate chain length is greater than the supplied maximum depth. 441.It Dv X509_V_ERR_CERT_REVOKED : No certificate revoked 442The certificate has been revoked. 443.It Dv X509_V_ERR_INVALID_CA : No invalid CA certificate 444A CA certificate is invalid. 445Either it is not a CA or its extensions are not consistent with the 446supplied purpose. 447.It Dv X509_V_ERR_PATH_LENGTH_EXCEEDED : No path length constraint exceeded 448The basicConstraints path-length parameter has been exceeded. 449.It Dv X509_V_ERR_INVALID_PURPOSE : No unsupported certificate purpose 450The supplied certificate cannot be used for the specified purpose. 
451.It Dv X509_V_ERR_CERT_UNTRUSTED : No certificate not trusted 452The root CA is not marked as trusted for the specified purpose. 453.It Dv X509_V_ERR_CERT_REJECTED : No certificate rejected 454The root CA is marked to reject the specified purpose. 455.It Dv X509_V_ERR_SUBJECT_ISSUER_MISMATCH : No subject issuer mismatch 456The current candidate issuer certificate was rejected because its 457subject name did not match the issuer name of the current certificate. 458This is only set if issuer check debugging is enabled; it is used for 459status notification and is 460.Sy not 461in itself an error. 462.It Dv X509_V_ERR_AKID_SKID_MISMATCH : \ 463 No authority and subject key identifier mismatch 464The current candidate issuer certificate was rejected because its 465subject key identifier was present and did not match the authority key 466identifier of the current certificate. 467This is only set if issuer check debugging is enabled; it is used for 468status notification and is 469.Sy not 470in itself an error. 471.It Dv X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH : \ 472 No authority and issuer serial number mismatch 473The current candidate issuer certificate was rejected because its issuer 474name and serial number were present and did not match the authority key 475identifier of the current certificate. 476This is only set if issuer check debugging is enabled; it is used for 477status notification and is 478.Sy not 479in itself an error. 480.It Dv X509_V_ERR_KEYUSAGE_NO_CERTSIGN : \ 481 No key usage does not include certificate signing 482The current candidate issuer certificate was rejected because its 483keyUsage extension does not permit certificate signing. 484This is only set if issuer check debugging is enabled; it is used for 485status notification and is 486.Sy not 487in itself an error. 
488.\" .It Dv X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER : \ 489.\" No unable to get CRL issuer certificate 490.\" .It Dv X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION : \ 491.\" No unhandled critical extension 492.\" .It Dv X509_V_ERR_KEYUSAGE_NO_CRL_SIGN : \ 493.\" No key usage does not include CRL signing 494.\" .It Dv X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION : \ 495.\" No unhandled critical CRL extension 496.\" .It Dv X509_V_ERR_INVALID_NON_CA : \ 497.\" No invalid non-CA certificate (has CA markings) 498.\" .It Dv X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED : \ 499.\" No proxy path length constraint exceeded 500.\" .It Dv X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE : \ 501.\" No key usage does not include digital signature 502.\" .It Dv X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED : \ 503.\" No proxy certificates not allowed, please set the appropriate flag 504.It Dv X509_V_ERR_INVALID_EXTENSION : \ 505 No invalid or inconsistent certificate extension 506A certificate extension had an invalid value (for example an incorrect 507encoding) or some value inconsistent with other extensions. 508.It Dv X509_V_ERR_INVALID_POLICY_EXTENSION : \ 509 No invalid or inconsistent certificate policy extension 510A certificate policies extension had an invalid value (for example an 511incorrect encoding) or some value inconsistent with other extensions. 512This error only occurs if policy processing is enabled. 513.It Dv X509_V_ERR_NO_EXPLICIT_POLICY : No no explicit policy 514The verification flags were set to require an explicit policy but none 515was present. 516.It Dv X509_V_ERR_DIFFERENT_CRL_SCOPE : No different CRL scope 517The only CRLs that could be found did not match the scope of the 518certificate. 519.It Dv X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE : \ 520 No unsupported extension feature 521Some feature of a certificate extension is not supported. 522Unused. 
523.It Dv X509_V_ERR_UNNESTED_RESOURCE : \ 524 No RFC 3779 resource not subset of parent's resources 525When walking up a certificate chain, all resources specified in 526RFC 3779 extensions must be contained in the resources delegated in 527the issuer's RFC 3779 extensions. 528The error indicates that this is not the case or that the trust anchor 529has inheritance. 530.It Dv X509_V_ERR_PERMITTED_VIOLATION : No permitted subtree violation 531A name constraint violation occurred in the permitted subtrees. 532.It Dv X509_V_ERR_EXCLUDED_VIOLATION : No excluded subtree violation 533A name constraint violation occurred in the excluded subtrees. 534.It Dv X509_V_ERR_SUBTREE_MINMAX : \ 535 No name constraints minimum and maximum not supported 536A certificate name constraints extension included a minimum or maximum 537field: this is not supported. 538.It Dv X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE : \ 539 No unsupported name constraint type 540An unsupported name constraint type was encountered. 541OpenSSL currently only supports directory name, DNS name, email and URI 542types. 543.It Dv X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX : \ 544 No unsupported or invalid name constraint syntax 545The format of the name constraint is not recognised: for example an 546email address format of a form not mentioned in RFC 3280. 547This could be caused by a garbage extension or some new feature not 548currently supported. 549.\" X509_V_ERR_UNSUPPORTED_NAME_SYNTAX : No unsupported or invalid name syntax 550.It Dv X509_V_ERR_CRL_PATH_VALIDATION_ERROR : No CRL path validation error 551An error occurred when attempting to verify the CRL path. 552This error can only happen if extended CRL checking is enabled. 553.It Dv X509_V_ERR_APPLICATION_VERIFICATION : \ 554 No application verification failure 555An application specific error. 556This will never be returned unless explicitly set by an application. 
557.\" .It Dv X509_V_ERR_HOSTNAME_MISMATCH : No Hostname mismatch 558.\" .It Dv X509_V_ERR_EMAIL_MISMATCH : No Email address mismatch 559.\" .It Dv X509_V_ERR_IP_ADDRESS_MISMATCH : No IP address mismatch 560.\" .It Dv X509_V_ERR_INVALID_CALL : \ 561.\" No Invalid certificate verification context 562.\" .It Dv X509_V_ERR_STORE_LOOKUP : No Issuer certificate lookup error 563.\" .It Dv X509_V_ERR_EE_KEY_TOO_SMALL : No EE certificate key too weak 564.\" .It Dv X509_V_ERR_CA_KEY_TOO_SMALL : No CA certificate key too weak 565.\" .It Dv X509_V_ERR_CA_MD_TOO_WEAK : \ 566.\" No CA signature digest algorithm too weak 567.El 568.Sh SEE ALSO 569.Xr X509_policy_check 3 , 570.Xr X509_policy_tree_level_count 3 , 571.Xr X509_STORE_CTX_new 3 , 572.Xr X509_STORE_CTX_set_verify 3 , 573.Xr X509_STORE_CTX_set_verify_cb 3 , 574.Xr X509_STORE_set_verify_cb 3 , 575.Xr X509_up_ref 3 , 576.Xr X509_verify_cert 3 577.Sh HISTORY 578.Fn X509_STORE_CTX_get_error , 579.Fn X509_STORE_CTX_set_error , 580.Fn X509_STORE_CTX_get_error_depth , 581.Fn X509_STORE_CTX_get_current_cert , 582.Fn X509_STORE_CTX_get_chain , 583and 584.Fn X509_verify_cert_error_string 585first appeared in SSLeay 0.8.0 and have been available since 586.Ox 2.4 . 587.Pp 588.Fn X509_STORE_CTX_get1_chain 589first appeared in OpenSSL 0.9.5 and has been available since 590.Ox 2.7 . 591.Pp 592.Fn X509_STORE_CTX_get0_policy_tree 593and 594.Fn X509_STORE_CTX_get_explicit_policy 595first appeared in OpenSSL 0.9.8 and have been available since 596.Ox 4.5 . 597.Pp 598.Fn X509_STORE_CTX_get0_current_issuer , 599.Fn X509_STORE_CTX_get0_current_crl , 600and 601.Fn X509_STORE_CTX_get0_parent_ctx 602first appeared in OpenSSL 1.0.0 and have been available since 603.Ox 4.9 . 604.Pp 605.Fn X509_STORE_CTX_get0_chain 606first appeared in OpenSSL 1.1.0 and has been available since 607.Ox 6.3 . 
608.Pp 609.Fn X509_STORE_CTX_set_error_depth , 610.Fn X509_STORE_CTX_set_current_cert , 611.Fn X509_STORE_CTX_get_num_untrusted , 612and 613.Fn X509_STORE_CTX_set0_verified_chain 614first appeared in OpenSSL 1.1.0 and have been available since 615.Ox 7.1 . 616