Botan: X.509 errors
Our goal is to simplify the ecosystem by consolidating the errors and their documentation (similar to web documentation) and by better explaining what the validation errors mean.
Correctly validating X.509 certificates turns out to be pretty complicated (e.g., Georgiev2012, Ukrop2019). Yet certificate validation is crucial for secure communication on the Internet (think TLS).
For every error, we aim to provide our redesigned documentation, an example certificate, and the original documentation provided by the library (unused or deprecated errors are marked as such). Furthermore, we provide links to corresponding errors from other libraries. In the future, we plan to add error frequencies based on IP-wide scans and to elaborate on the consequences of individual errors.
Time validity errors
Errors occurring when a certificate is outside its validity period or when it has been revoked by its CA.
Relevant links: Certificate Validity (RFC 5280), Certificate Revocation (RFC 5280)
(No detailed documentation provided by the library.)
Original error message:
Certificate is not yet valid (source)
Example certificates
Below you can download one or more example malformed certificates causing CERT_NOT_YET_VALID in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case not-yet-valid (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing CERT_NOT_YET_VALID in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- OpenSSL: X509_V_ERR_CERT_NOT_YET_VALID
- GnuTLS: GNUTLS_CERT_NOT_ACTIVATED
- Mbed TLS: MBEDTLS_X509_BADCERT_FUTURE
(No detailed documentation provided by the library.)
Original error message:
Certificate has expired (source)
Example certificates
Below you can download one or more example malformed certificates causing CERT_HAS_EXPIRED in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case expired (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing CERT_HAS_EXPIRED in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- OpenSSL: X509_V_ERR_CERT_HAS_EXPIRED
- GnuTLS: GNUTLS_CERT_EXPIRED
- Mbed TLS: MBEDTLS_X509_BADCERT_EXPIRED
(No detailed documentation provided by the library.)
Original error message:
CRL response is not yet valid (source)
(No detailed documentation provided by the library.)
Original error message:
CRL has expired (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP is not yet valid (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP response has expired (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP response is too old (source)
(No detailed documentation provided by the library.)
Original error message:
Certificate is revoked (source)
Trust or chain related errors
These errors occur when the trust chain to a root certificate cannot be built correctly or fails to verify.
Relevant links: Certificate Paths (RFC 5280), Certificate Revocation Lists (RFC 5280), OCSP (RFC 2560)
(No detailed documentation provided by the library.)
Original error message:
Cannot establish trust (source)
Example certificates
Below you can download one or more example malformed certificates causing CANNOT_ESTABLISH_TRUST in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case self-signed-end-entity (see the generation script)
- Case self-signed-intermediate (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing CANNOT_ESTABLISH_TRUST in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- GnuTLS: GNUTLS_CERT_SIGNER_NOT_FOUND
- Mbed TLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED
(No detailed documentation provided by the library.)
Original error message:
Certificate chain does not end in a CA certificate (source)
(No detailed documentation provided by the library.)
Original error message:
Certificate public key invalid, no HTTP support compiled in (source)
(No detailed documentation provided by the library.)
Original error message:
Certificate issuer not found (source)
Example certificates
Below you can download one or more example malformed certificates causing CERT_ISSUER_NOT_FOUND in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case issuer-no-match-subject (see the generation script)
- Case trusted-only-intermediate (see the generation script)
- Case unknown-root-cn (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing CERT_ISSUER_NOT_FOUND in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
(No detailed documentation provided by the library.)
Original error message:
Loop in certificate chain (source)
(No detailed documentation provided by the library.)
Original error message:
Certificate chain too long (source)
Example certificates
Below you can download one or more example malformed certificates causing CERT_CHAIN_TOO_LONG in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case bc-path-len-exceeded (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing CERT_CHAIN_TOO_LONG in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- OpenSSL: X509_V_ERR_PATH_LENGTH_EXCEEDED
- GnuTLS: GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
- Mbed TLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED
(No detailed documentation provided by the library.)
Original error message:
Unable to find certificate issusing OCSP response (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP signature error (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP bad status (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP parsing valid (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP URL not available (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP server not available (source)
(No detailed documentation provided by the library.)
Original error message:
No revocation data (source)
Basic extension errors
Errors related to extensions in general or to the BasicConstraints standard extension.
Relevant links: Certificate Extensions (RFC 5280), BasicConstraints Extension (RFC 5280)
(No detailed documentation provided by the library.)
Original error message:
Unknown critical extension encountered (source)
Example certificates
Below you can download one or more example malformed certificates causing UNKNOWN_CRITICAL_EXTENSION in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case bc-path-len-negative (see the generation script)
- Case empty-ip-addr-blocks (see the generation script)
- Case ip-addr-blocks-no-subset (see the generation script)
- Case nc-minimum-not-zero (see the generation script)
- Case nc-unknown-name-type (see the generation script)
- Case proxy-ca (see the generation script)
- Case proxy-length-exceeded (see the generation script)
- Case proxy-name-no-match-issuer (see the generation script)
- Case proxy-with-san (see the generation script)
- Case unknown-critical-extension (see the generation script)
- Case valid-proxy (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing UNKNOWN_CRITICAL_EXTENSION in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- OpenSSL: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_INVALID_EXTENSION, X509_V_ERR_UNNESTED_RESOURCE, X509_V_ERR_SUBTREE_MINMAX, X509_V_ERR_INVALID_NON_CA, X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION, X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, X509_V_OK
- GnuTLS: GNUTLS_E_SUCCESS, GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS, GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, GNUTLS_CERT_UNEXPECTED_OWNER, GNUTLS_CERT_SIGNER_NOT_CA
- Mbed TLS: MBEDTLS_ERR_X509_INVALID_EXTENSIONS
(No detailed documentation provided by the library.)
Original error message:
CA certificate not allowed to issue certs (source)
Example certificates
Below you can download one or more example malformed certificates causing CA_CERT_NOT_FOR_CERT_ISSUER in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case issuer-ca-false (see the generation script)
- Case no-certsign-in-keyusage (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing CA_CERT_NOT_FOR_CERT_ISSUER in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
(No detailed documentation provided by the library.)
Original error message:
Duplicate certificate extension encountered (source)
Example certificates
Below you can download one or more example malformed certificates causing DUPLICATE_CERT_EXTENSION in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case duplicate-bc-extension (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing DUPLICATE_CERT_EXTENSION in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
(No detailed documentation provided by the library.)
Original error message:
Encountered extension in certificate with version < 3 (source)
Name related errors
Errors signaling problems with hostname verification, the NameConstraints standard extension, or the IP Address Delegation extension.
Relevant links: NameConstraints extension (RFC 5280), IP Address Delegation extension (RFC 3779), Certificate Common Name (RFC 5280)
(No detailed documentation provided by the library.)
Original error message:
Certificate does not match provided name (source)
Example certificates
Below you can download one or more example malformed certificates causing CERT_NAME_NOMATCH in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case empty-subject-and-no-san (see the generation script)
- Case host-no-match-cn (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing CERT_NAME_NOMATCH in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- GnuTLS: GNUTLS_CERT_UNEXPECTED_OWNER
- Mbed TLS: MBEDTLS_X509_BADCERT_CN_MISMATCH
(No detailed documentation provided by the library.)
Original error message:
Certificate issuer does not match subject of issuing cert (source)
(No detailed documentation provided by the library.)
Original error message:
Certificate does not pass name constraint (source)
Example certificates
Below you can download one or more example malformed certificates causing NAME_CONSTRAINT_ERROR in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case nc-maximum-present (see the generation script)
- Case nc-permitted-violation (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing NAME_CONSTRAINT_ERROR in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
(No detailed documentation provided by the library.)
Original error message:
Distinguished name too long (source)
Usage and policy errors
Errors related to the standard extensions CertificatePolicies, KeyUsage and ExtendedKeyUsage.
Relevant links: KeyUsage extension (RFC 5280), ExtendedKeyUsage extension (RFC 5280), CertificatePolicies extension (RFC 5280)
(No detailed documentation provided by the library.)
Original error message:
Certificate does not allow the requested usage (source)
Example certificates
Below you can download one or more example malformed certificates causing INVALID_USAGE in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case any-ext-key-usage (see the generation script)
- Case unknown-ext-key-usage (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing INVALID_USAGE in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
(No detailed documentation provided by the library.)
Original error message:
Certificate policy error (source)
(No detailed documentation provided by the library.)
Original error message:
Certificate contains duplicate policy (source)
(No detailed documentation provided by the library.)
Original error message:
CA certificate not allowed to issue CRLs (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP issuer's keyusage prohibits OCSP (source)
Algorithm related errors
Various errors signaling the use of invalid or deprecated algorithms.
Relevant links: Algorithm and Key Size Profile for PKI (RFC 7935), Suite B Profile for TLS (RFC 6460)
(No detailed documentation provided by the library.)
Original error message:
Signature method too weak (source)
Example certificates
Below you can download one or more example malformed certificates causing SIGNATURE_METHOD_TOO_WEAK in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case issuer-rsa-key-1024 (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing SIGNATURE_METHOD_TOO_WEAK in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- OpenSSL: X509_V_ERR_CA_KEY_TOO_SMALL
- GnuTLS: GNUTLS_CERT_INSECURE_ALGORITHM
- Mbed TLS: MBEDTLS_X509_BADCERT_BAD_KEY
(No detailed documentation provided by the library.)
Original error message:
Certificate signed with unknown/unavailable algorithm (source)
(No detailed documentation provided by the library.)
Original error message:
Certificate signature has invalid parameters (source)
(No detailed documentation provided by the library.)
Original error message:
Hash function used is considered too weak for security (source)
Example certificates
Below you can download one or more example malformed certificates causing UNTRUSTED_HASH in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case issuer-hash-md5 (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing UNTRUSTED_HASH in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- OpenSSL: X509_V_ERR_CA_MD_TOO_WEAK
- GnuTLS: GNUTLS_CERT_INSECURE_ALGORITHM
- Mbed TLS: MBEDTLS_X509_BADCERT_BAD_MD
Formatting errors
These errors occur when a field of the certificate/CRL contains invalid values or is badly formatted.
Relevant links: Certificate Signature (RFC 5280), Certificate Time formatting (RFC 5280), Certificate Signature Algorithm (RFC 5280)
(No detailed documentation provided by the library.)
Original error message:
Signature error (source)
Example certificates
Below you can download one or more example malformed certificates causing SIGNATURE_ERROR in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case invalid-signature (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing SIGNATURE_ERROR in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- OpenSSL: X509_V_ERR_CERT_SIGNATURE_FAILURE
- GnuTLS: GNUTLS_CERT_SIGNATURE_FAILURE
- Mbed TLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED
(No detailed documentation provided by the library.)
Original error message:
CRL bad signature (source)
(No detailed documentation provided by the library.)
Original error message:
Botan::Decoding_error (source)
Example certificates
Below you can download one or more example malformed certificates causing DECODING_ERROR in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case pubkey-info-invalid-oid (see the generation script)
- Case v4-cert (see the generation script)
- Case wrong-signature-algorithm (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing DECODING_ERROR in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
(No detailed documentation provided by the library.)
Original error message:
Certificate serial number is negative (source)
(No detailed documentation provided by the library.)
Original error message:
Botan::Invalid_Argument (source)
(No detailed documentation provided by the library.)
Original error message:
Botan::Encoding_Error (source)
Example certificates
Below you can download one or more example malformed certificates causing ENCODING_ERROR in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case nc-empty (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing ENCODING_ERROR in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- OpenSSL: X509_V_OK
- GnuTLS: GNUTLS_CERT_UNEXPECTED_OWNER
- Mbed TLS: MBEDTLS_ERR_X509_INVALID_EXTENSIONS
Uncategorized errors
These errors are not yet categorized, are deprecated, or are not used at all.
(No detailed documentation provided by the library.)
Original error message:
No CRL with matching distribution point for certificate (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP cert not listed (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP requests not available (source)
(No detailed documentation provided by the library.)
Original error message:
Signature on OCSP response was found valid (source)
(No detailed documentation provided by the library.)
Original error message:
OCSP response accepted as affirming unrevoked status for certificate (source)
(No detailed documentation provided by the library.)
Original error message:
Valid CRL examined (source)
(No detailed documentation provided by the library.)
Original error message:
Verified (source)
Example certificates
Below you can download one or more example malformed certificates causing VERIFIED in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case bc-not-critical-ca (see the generation script)
- Case bc-path-len-in-non-ca (see the generation script)
- Case cert_revoked (see the generation script)
- Case crl_has_expired (see the generation script)
- Case crl_not_yet_valid (see the generation script)
- Case crl_path_validation_error (see the generation script)
- Case crl_signature_failure (see the generation script)
- Case different_crl_scope (see the generation script)
- Case empty-ext-key-usage (see the generation script)
- Case error_in_crl_last_update_field (see the generation script)
- Case error_in_crl_next_update_field (see the generation script)
- Case keyusage_no_crl_sign (see the generation script)
- Case nc-excluded-violation (see the generation script)
- Case negative-serial-number (see the generation script)
- Case no-key-usage-in-ca (see the generation script)
- Case san-empty-email (see the generation script)
- Case san-null-byte-in-email (see the generation script)
- Case signature-algorithm-mismatch (see the generation script)
- Case unable_to_get_crl (see the generation script)
- Case unhandled_critical_crl_extension (see the generation script)
- Case valid-with-aia (see the generation script)
- Case valid-with-crldp (see the generation script)
- Case valid (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing VERIFIED in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- OpenSSL: X509_V_ERR_CA_BCONS_NOT_CRITICAL, X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN, X509_V_ERR_CERT_REVOKED, X509_V_ERR_CRL_HAS_EXPIRED, X509_V_ERR_CRL_NOT_YET_VALID, X509_V_ERR_CRL_PATH_VALIDATION_ERROR, X509_V_ERR_CRL_SIGNATURE_FAILURE, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, X509_V_ERR_EXCLUDED_VIOLATION, X509_V_OK, X509_V_ERR_CA_CERT_MISSING_KEY_USAGE, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_UNABLE_TO_GET_CRL, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
- GnuTLS: GNUTLS_E_SUCCESS, GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, GNUTLS_CERT_UNEXPECTED_OWNER, GNUTLS_E_CERTIFICATE_ERROR
- Mbed TLS: MBEDTLS_OK, MBEDTLS_ERR_X509_INVALID_EXTENSIONS
(No detailed documentation provided by the library.)
Original error message:
Botan::TLS_Exception (source)
Example certificates
Below you can download one or more example malformed certificates causing TLS_EXCEPTION in Botan. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.
- Case chain-loop (see the generation script)
- Case empty-key-usage-end-cert (see the generation script)
- Case end-entity-rsa-key-1024 (see the generation script)
- Case issuer-pubkey-info-invalid-oid (see the generation script)
- Case issuer-pubkey-invalid-oid-and-signature (see the generation script)
- Case v1-cert-with-extensions (see the generation script)
Corresponding errors
What validation errors do other libraries give for certificates causing TLS_EXCEPTION in Botan? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)
- OpenSSL: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_EE_KEY_TOO_SMALL, X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3
- GnuTLS: GNUTLS_CERT_SIGNER_NOT_FOUND, GNUTLS_E_KEY_USAGE_VIOLATION, GNUTLS_CERT_INSECURE_ALGORITHM, GNUTLS_E_CERTIFICATE_ERROR
- Mbed TLS: MBEDTLS_X509_BADCERT_KEY_USAGE, MBEDTLS_X509_BADCERT_NOT_TRUSTED, MBEDTLS_X509_BADCERT_BAD_KEY, MBEDTLS_ERR_X509_INVALID_FORMAT
About the project
The project is developed at the Centre for Research on Cryptography and Security (CRoCS) at Masaryk University, Brno, Czech Republic, by Martin Ukrop, Pavol Žáčik, Marián Svitek and Eric Valčík, with the help of Michaela Balážová and Matěj Grabovský. For more details, see the ReadMe file in the project repository on GitHub.
The authors are grateful for the financial support by Red Hat Czech and Kiwi.com.