convert X509 manuals from pod to mdoc

author: schwarze <> 2016-11-04 15:29:03 +0000
committer: schwarze <> 2016-11-04 15:29:03 +0000
commit: e23d00ab37299e14c06d5d2b599a3793e3d0575c (patch)
tree: f91172cf4f459119421ea45c97eb6fa4aec563bc /src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
parent: f34ab28d6356aae4d0458dd2076438a042314790 (diff)
download: openbsd-e23d00ab37299e14c06d5d2b599a3793e3d0575c.tar.gz
openbsd-e23d00ab37299e14c06d5d2b599a3793e3d0575c.tar.bz2
openbsd-e23d00ab37299e14c06d5d2b599a3793e3d0575c.zip
1 files changed, 0 insertions, 323 deletions
diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
deleted file mode 100644
index 270b265ce5..0000000000
--- a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
+++ /dev/null
@@ -1,323 +0,0 @@
-=pod
-=head1 NAME
-X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
-X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert,
-X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set
-certificate verification status information
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- #include <openssl/x509_vfy.h>
- int    X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
- void   X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
- int    X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
- X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
- STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
- const char *X509_verify_cert_error_string(long n);
-=head1 DESCRIPTION
-These functions are typically called after X509_verify_cert() has indicated
-an error or in a verification callback to determine the nature of an error.
-X509_STORE_CTX_get_error() returns the error code of B<ctx>, see
-the B<ERROR CODES> section for a full description of all error codes.
-X509_STORE_CTX_set_error() sets the error code of B<ctx> to B<s>. For example
-it might be used in a verification callback to set an error based on additional
-checks.
-X509_STORE_CTX_get_error_depth() returns the B<depth> of the error. This is a
-non-negative integer representing where in the certificate chain the error
-occurred. If it is zero it occurred in the end entity certificate, one if
-it is the certificate which signed the end entity certificate and so on.
-X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which
-caused the error or B<NULL> if no certificate is relevant.
-X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous
-call to X509_verify_cert() is successful. If the call to X509_verify_cert()
-is B<not> successful the returned chain may be incomplete or invalid. The
-returned chain persists after the B<ctx> structure is freed, when it is
-no longer needed it should be free up using:
-  sk_X509_pop_free(chain, X509_free);
-X509_verify_cert_error_string() returns a human readable error string for
-verification error B<n>.
-=head1 RETURN VALUES
-X509_STORE_CTX_get_error() returns B<X509_V_OK> or an error code.
-X509_STORE_CTX_get_error_depth() returns a non-negative error depth.
-X509_STORE_CTX_get_current_cert() returns the certificate which caused the
-error or B<NULL> if no certificate is relevant to the error.
-X509_verify_cert_error_string() returns a human readable error string for
-verification error B<n>.
-=head1 ERROR CODES
-A list of error codes and messages is shown below.  Some of the
-error codes are defined but currently never returned: these are described as
-"unused".
-=over 4
-=item B<X509_V_OK: ok>
-the operation was successful.
-=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
-the issuer certificate could not be found: this occurs if the issuer certificate
-of an untrusted certificate cannot be found.
-=item B<X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
-the CRL of a certificate could not be found.
-=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt
-certificate's signature>
-the certificate signature could not be decrypted. This means that the actual
-signature value could not be determined rather than it not matching the
-expected value, this is only meaningful for RSA keys.
-=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's
-signature>
-the CRL signature could not be decrypted: this means that the actual signature
-value could not be determined rather than it not matching the expected value.
-Unused.
-=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer
-public key>
-the public key in the certificate SubjectPublicKeyInfo could not be read.
-=item B<X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure>
-the signature of the certificate is invalid.
-=item B<X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure>
-the signature of the certificate is invalid.
-=item B<X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid>
-the certificate is not yet valid: the notBefore date is after the current time.
-=item B<X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
-the certificate has expired: that is the notAfter date is before the current
-time.
-=item B<X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
-the CRL is not yet valid.
-=item B<X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired>
-the CRL has expired.
-=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in
-certificate's notBefore field>
-the certificate notBefore field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's
-notAfter field>
-the certificate notAfter field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's
-lastUpdate field>
-the CRL lastUpdate field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's
-nextUpdate field>
-the CRL nextUpdate field contains an invalid time.
-=item B<X509_V_ERR_OUT_OF_MEM: out of memory>
-an error occurred trying to allocate memory. This should never happen.
-=item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate>
-the passed certificate is self signed and the same certificate cannot be found
-in the list of trusted certificates.
-=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
-certificate chain>
-the certificate chain could be built up using the untrusted certificates but
-the root could not be found locally.
-=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local
-issuer certificate>
-the issuer certificate of a locally looked up certificate could not be found.
-This normally means the list of trusted certificates is not complete.
-=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first
-certificate>
-no signatures could be verified because the chain contains only one certificate
-and it is not self signed.
-=item B<X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long>
-the certificate chain length is greater than the supplied maximum depth. Unused.
-=item B<X509_V_ERR_CERT_REVOKED: certificate revoked>
-the certificate has been revoked.
-=item B<X509_V_ERR_INVALID_CA: invalid CA certificate>
-a CA certificate is invalid. Either it is not a CA or its extensions are not
-consistent with the supplied purpose.
-=item B<X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded>
-the basicConstraints pathlength parameter has been exceeded.
-=item B<X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose>
-the supplied certificate cannot be used for the specified purpose.
-=item B<X509_V_ERR_CERT_UNTRUSTED: certificate not trusted>
-the root CA is not marked as trusted for the specified purpose.
-=item B<X509_V_ERR_CERT_REJECTED: certificate rejected>
-the root CA is marked to reject the specified purpose.
-=item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
-the current candidate issuer certificate was rejected because its subject name
-did not match the issuer name of the current certificate. This is only set
-if issuer check debugging is enabled it is used for status notification and
-is B<not> in itself an error.
-=item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier
-mismatch>
-the current candidate issuer certificate was rejected because its subject key
-identifier was present and did not match the authority key identifier current
-certificate. This is only set if issuer check debugging is enabled it is used
-for status notification and is B<not> in itself an error.
-=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial
-number mismatch>
-the current candidate issuer certificate was rejected because its issuer name
-and serial number was present and did not match the authority key identifier of
-the current certificate. This is only set if issuer check debugging is enabled
-it is used for status notification and is B<not> in itself an error.
-=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate
-signing>
-the current candidate issuer certificate was rejected because its keyUsage
-extension does not permit certificate signing. This is only set if issuer check
-debugging is enabled it is used for status notification and is B<not> in itself
-an error.
-=item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate
-extension>
-A certificate extension had an invalid value (for example an incorrect
-encoding) or some value inconsistent with other extensions.
-=item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent
-certificate policy extension>
-A certificate policies extension had an invalid value (for example an incorrect
-encoding) or some value inconsistent with other extensions. This error only
-occurs if policy processing is enabled.
-=item B<X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy>
-The verification flags were set to require and explicit policy but none was
-present.
-=item B<X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope>
-The only CRLs that could be found did not match the scope of the certificate.
-=item B<X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature>
-Some feature of a certificate extension is not supported. Unused.
-=item B<X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation>
-A name constraint violation occurred in the permitted subtrees.
-=item B<X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation>
-A name constraint violation occurred in the excluded subtrees.
-=item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not
-supported>
-A certificate name constraints extension included a minimum or maximum field:
-this is not supported.
-=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint
-type>
-An unsupported name constraint type was encountered. OpenSSL currently only
-supports directory name, DNS name, email and URI types.
-=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name
-constraint syntax>
-The format of the name constraint is not recognised: for example an email
-address format of a form not mentioned in RFC3280. This could be caused by
-a garbage extension or some new feature not currently supported.
-=item B<X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error>
-An error occurred when attempting to verify the CRL path. This error can only
-happen if extended CRL checking is enabled.
-=item B<X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
-an application specific error. This will never be returned unless explicitly
-set by an application.
-=back
-=head1 NOTES
-The above functions should be used instead of directly referencing the fields
-in the B<X509_VERIFY_CTX> structure.
-In versions of OpenSSL before 1.0 the current certificate returned by
-X509_STORE_CTX_get_current_cert() was never B<NULL>. Applications should
-check the return value before printing out any debugging information relating
-to the current certificate.
-If an unrecognised error code is passed to X509_verify_cert_error_string() the
-numerical value of the unknown code is returned in a static buffer. This is not
-thread safe but will never happen unless an invalid code is passed.
-=head1 SEE ALSO
-L<X509_verify_cert(3)|X509_verify_cert(3)>
-=cut
author	schwarze <>	2016-11-04 15:29:03 +0000
committer	schwarze <>	2016-11-04 15:29:03 +0000
commit	e23d00ab37299e14c06d5d2b599a3793e3d0575c (patch)
tree	f91172cf4f459119421ea45c97eb6fa4aec563bc /src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
parent	f34ab28d6356aae4d0458dd2076438a042314790 (diff)
download	openbsd-e23d00ab37299e14c06d5d2b599a3793e3d0575c.tar.gz openbsd-e23d00ab37299e14c06d5d2b599a3793e3d0575c.tar.bz2 openbsd-e23d00ab37299e14c06d5d2b599a3793e3d0575c.zip

diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod deleted file mode 100644 index 270b265ce5..0000000000 --- a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod +++ /dev/null
@@ -1,323 +0,0 @@
1	=pod
2
3	=head1 NAME
4
5	X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
6	X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert,
7	X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set
8	certificate verification status information
9
10	=head1 SYNOPSIS
11
12	#include <openssl/x509.h>
13	#include <openssl/x509_vfy.h>
14
15	int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
16	void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
17	int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
18	X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
19
20	STACK_OF(X509) X509_STORE_CTX_get1_chain(X509_STORE_CTX ctx);
21
22	const char *X509_verify_cert_error_string(long n);
23
24	=head1 DESCRIPTION
25
26	These functions are typically called after X509_verify_cert() has indicated
27	an error or in a verification callback to determine the nature of an error.
28
29	X509_STORE_CTX_get_error() returns the error code of B<ctx>, see
30	the B<ERROR CODES> section for a full description of all error codes.
31
32	X509_STORE_CTX_set_error() sets the error code of B<ctx> to B<s>. For example
33	it might be used in a verification callback to set an error based on additional
34	checks.
35
36	X509_STORE_CTX_get_error_depth() returns the B<depth> of the error. This is a
37	non-negative integer representing where in the certificate chain the error
38	occurred. If it is zero it occurred in the end entity certificate, one if
39	it is the certificate which signed the end entity certificate and so on.
40
41	X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which
42	caused the error or B<NULL> if no certificate is relevant.
43
44	X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous
45	call to X509_verify_cert() is successful. If the call to X509_verify_cert()
46	is B<not> successful the returned chain may be incomplete or invalid. The
47	returned chain persists after the B<ctx> structure is freed, when it is
48	no longer needed it should be free up using:
49
50	sk_X509_pop_free(chain, X509_free);
51
52	X509_verify_cert_error_string() returns a human readable error string for
53	verification error B<n>.
54
55	=head1 RETURN VALUES
56
57	X509_STORE_CTX_get_error() returns B<X509_V_OK> or an error code.
58
59	X509_STORE_CTX_get_error_depth() returns a non-negative error depth.
60
61	X509_STORE_CTX_get_current_cert() returns the certificate which caused the
62	error or B<NULL> if no certificate is relevant to the error.
63
64	X509_verify_cert_error_string() returns a human readable error string for
65	verification error B<n>.
66
67	=head1 ERROR CODES
68
69	A list of error codes and messages is shown below. Some of the
70	error codes are defined but currently never returned: these are described as
71	"unused".
72
73	=over 4
74
75	=item B<X509_V_OK: ok>
76
77	the operation was successful.
78
79	=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
80
81	the issuer certificate could not be found: this occurs if the issuer certificate
82	of an untrusted certificate cannot be found.
83
84	=item B<X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
85
86	the CRL of a certificate could not be found.
87
88	=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt
89	certificate's signature>
90
91	the certificate signature could not be decrypted. This means that the actual
92	signature value could not be determined rather than it not matching the
93	expected value, this is only meaningful for RSA keys.
94
95	=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's
96	signature>
97
98	the CRL signature could not be decrypted: this means that the actual signature
99	value could not be determined rather than it not matching the expected value.
100	Unused.
101
102	=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer
103	public key>
104
105	the public key in the certificate SubjectPublicKeyInfo could not be read.
106
107	=item B<X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure>
108
109	the signature of the certificate is invalid.
110
111	=item B<X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure>
112
113	the signature of the certificate is invalid.
114
115	=item B<X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid>
116
117	the certificate is not yet valid: the notBefore date is after the current time.
118
119	=item B<X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
120
121	the certificate has expired: that is the notAfter date is before the current
122	time.
123
124	=item B<X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
125
126	the CRL is not yet valid.
127
128	=item B<X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired>
129
130	the CRL has expired.
131
132	=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in
133	certificate's notBefore field>
134
135	the certificate notBefore field contains an invalid time.
136
137	=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's
138	notAfter field>
139
140	the certificate notAfter field contains an invalid time.
141
142	=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's
143	lastUpdate field>
144
145	the CRL lastUpdate field contains an invalid time.
146
147	=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's
148	nextUpdate field>
149
150	the CRL nextUpdate field contains an invalid time.
151
152	=item B<X509_V_ERR_OUT_OF_MEM: out of memory>
153
154	an error occurred trying to allocate memory. This should never happen.
155
156	=item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate>
157
158	the passed certificate is self signed and the same certificate cannot be found
159	in the list of trusted certificates.
160
161	=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
162	certificate chain>
163
164	the certificate chain could be built up using the untrusted certificates but
165	the root could not be found locally.
166
167	=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local
168	issuer certificate>
169
170	the issuer certificate of a locally looked up certificate could not be found.
171	This normally means the list of trusted certificates is not complete.
172
173	=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first
174	certificate>
175
176	no signatures could be verified because the chain contains only one certificate
177	and it is not self signed.
178
179	=item B<X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long>
180
181	the certificate chain length is greater than the supplied maximum depth. Unused.
182
183	=item B<X509_V_ERR_CERT_REVOKED: certificate revoked>
184
185	the certificate has been revoked.
186
187	=item B<X509_V_ERR_INVALID_CA: invalid CA certificate>
188
189	a CA certificate is invalid. Either it is not a CA or its extensions are not
190	consistent with the supplied purpose.
191
192	=item B<X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded>
193
194	the basicConstraints pathlength parameter has been exceeded.
195
196	=item B<X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose>
197
198	the supplied certificate cannot be used for the specified purpose.
199
200	=item B<X509_V_ERR_CERT_UNTRUSTED: certificate not trusted>
201
202	the root CA is not marked as trusted for the specified purpose.
203
204	=item B<X509_V_ERR_CERT_REJECTED: certificate rejected>
205
206	the root CA is marked to reject the specified purpose.
207
208	=item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
209
210	the current candidate issuer certificate was rejected because its subject name
211	did not match the issuer name of the current certificate. This is only set
212	if issuer check debugging is enabled it is used for status notification and
213	is B<not> in itself an error.
214
215	=item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier
216	mismatch>
217
218	the current candidate issuer certificate was rejected because its subject key
219	identifier was present and did not match the authority key identifier current
220	certificate. This is only set if issuer check debugging is enabled it is used
221	for status notification and is B<not> in itself an error.
222
223	=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial
224	number mismatch>
225
226	the current candidate issuer certificate was rejected because its issuer name
227	and serial number was present and did not match the authority key identifier of
228	the current certificate. This is only set if issuer check debugging is enabled
229	it is used for status notification and is B<not> in itself an error.
230
231	=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate
232	signing>
233
234	the current candidate issuer certificate was rejected because its keyUsage
235	extension does not permit certificate signing. This is only set if issuer check
236	debugging is enabled it is used for status notification and is B<not> in itself
237	an error.
238
239	=item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate
240	extension>
241
242	A certificate extension had an invalid value (for example an incorrect
243	encoding) or some value inconsistent with other extensions.
244
245
246	=item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent
247	certificate policy extension>
248
249	A certificate policies extension had an invalid value (for example an incorrect
250	encoding) or some value inconsistent with other extensions. This error only
251	occurs if policy processing is enabled.
252
253	=item B<X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy>
254
255	The verification flags were set to require and explicit policy but none was
256	present.
257
258	=item B<X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope>
259
260	The only CRLs that could be found did not match the scope of the certificate.
261
262	=item B<X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature>
263
264	Some feature of a certificate extension is not supported. Unused.
265
266	=item B<X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation>
267
268	A name constraint violation occurred in the permitted subtrees.
269
270	=item B<X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation>
271
272	A name constraint violation occurred in the excluded subtrees.
273
274	=item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not
275	supported>
276
277	A certificate name constraints extension included a minimum or maximum field:
278	this is not supported.
279
280	=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint
281	type>
282
283	An unsupported name constraint type was encountered. OpenSSL currently only
284	supports directory name, DNS name, email and URI types.
285
286	=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name
287	constraint syntax>
288
289	The format of the name constraint is not recognised: for example an email
290	address format of a form not mentioned in RFC3280. This could be caused by
291	a garbage extension or some new feature not currently supported.
292
293	=item B<X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error>
294
295	An error occurred when attempting to verify the CRL path. This error can only
296	happen if extended CRL checking is enabled.
297
298	=item B<X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
299
300	an application specific error. This will never be returned unless explicitly
301	set by an application.
302
303	=back
304
305	=head1 NOTES
306
307	The above functions should be used instead of directly referencing the fields
308	in the B<X509_VERIFY_CTX> structure.
309
310	In versions of OpenSSL before 1.0 the current certificate returned by
311	X509_STORE_CTX_get_current_cert() was never B<NULL>. Applications should
312	check the return value before printing out any debugging information relating
313	to the current certificate.
314
315	If an unrecognised error code is passed to X509_verify_cert_error_string() the
316	numerical value of the unknown code is returned in a static buffer. This is not
317	thread safe but will never happen unless an invalid code is passed.
318
319	=head1 SEE ALSO
320
321	L<X509_verify_cert(3)\|X509_verify_cert(3)>
322
323	=cut