get.pme.sh/pnats@v0.0.0-20240304004023-26bb5a137ed0/server/certidp/messages.go

get.pme.sh/pnats@v0.0.0-20240304004023-26bb5a137ed0/server/certidp/messages.go (about)

     1  // Copyright 2023 The NATS Authors
     2  // Licensed under the Apache License, Version 2.0 (the "License");
     3  // you may not use this file except in compliance with the License.
     4  // You may obtain a copy of the License at
     5  //
     6  // http://www.apache.org/licenses/LICENSE-2.0
     7  //
     8  // Unless required by applicable law or agreed to in writing, software
     9  // distributed under the License is distributed on an "AS IS" BASIS,
    10  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11  // See the License for the specific language governing permissions and
    12  // limitations under the License.
    13  
    14  package certidp
    15  
    16  var (
    17  	// Returned errors
    18  	ErrIllegalPeerOptsConfig              = "expected map to define OCSP peer options, got [%T]"
    19  	ErrIllegalCacheOptsConfig             = "expected map to define OCSP peer cache options, got [%T]"
    20  	ErrParsingPeerOptFieldGeneric         = "error parsing tls peer config, unknown field [%q]"
    21  	ErrParsingPeerOptFieldTypeConversion  = "error parsing tls peer config, conversion error: %s"
    22  	ErrParsingCacheOptFieldTypeConversion = "error parsing OCSP peer cache config, conversion error: %s"
    23  	ErrUnableToPlugTLSEmptyConfig         = "unable to plug TLS verify connection, config is nil"
    24  	ErrMTLSRequired                       = "OCSP peer verification for client connections requires TLS verify (mTLS) to be enabled"
    25  	ErrUnableToPlugTLSClient              = "unable to register client OCSP verification"
    26  	ErrUnableToPlugTLSServer              = "unable to register server OCSP verification"
    27  	ErrCannotWriteCompressed              = "error writing to compression writer: %w"
    28  	ErrCannotReadCompressed               = "error reading compression reader: %w"
    29  	ErrTruncatedWrite                     = "short write on body (%d != %d)"
    30  	ErrCannotCloseWriter                  = "error closing compression writer: %w"
    31  	ErrParsingCacheOptFieldGeneric        = "error parsing OCSP peer cache config, unknown field [%q]"
    32  	ErrUnknownCacheType                   = "error parsing OCSP peer cache config, unknown type [%s]"
    33  	ErrInvalidChainlink                   = "invalid chain link"
    34  	ErrBadResponderHTTPStatus             = "bad OCSP responder http status: [%d]"
    35  	ErrNoAvailOCSPServers                 = "no available OCSP servers"
    36  	ErrFailedWithAllRequests              = "exhausted OCSP responders: %w"
    37  
    38  	// Direct logged errors
    39  	ErrLoadCacheFail          = "Unable to load OCSP peer cache: %s"
    40  	ErrSaveCacheFail          = "Unable to save OCSP peer cache: %s"
    41  	ErrBadCacheTypeConfig     = "Unimplemented OCSP peer cache type [%v]"
    42  	ErrResponseCompressFail   = "Unable to compress OCSP response for key [%s]: %s"
    43  	ErrResponseDecompressFail = "Unable to decompress OCSP response for key [%s]: %s"
    44  	ErrPeerEmptyNoEvent       = "Peer certificate is nil, cannot send OCSP peer reject event"
    45  	ErrPeerEmptyAutoReject    = "Peer certificate is nil, rejecting OCSP peer"
    46  
    47  	// Debug information
    48  	DbgPlugTLSForKind        = "Plugging TLS OCSP peer for [%s]"
    49  	DbgNumServerChains       = "Peer OCSP enabled: %d TLS server chain(s) will be evaluated"
    50  	DbgNumClientChains       = "Peer OCSP enabled: %d TLS client chain(s) will be evaluated"
    51  	DbgLinksInChain          = "Chain [%d]: %d total link(s)"
    52  	DbgSelfSignedValid       = "Chain [%d] is self-signed, thus peer is valid"
    53  	DbgValidNonOCSPChain     = "Chain [%d] has no OCSP eligible links, thus peer is valid"
    54  	DbgChainIsOCSPEligible   = "Chain [%d] has %d OCSP eligible link(s)"
    55  	DbgChainIsOCSPValid      = "Chain [%d] is OCSP valid for all eligible links, thus peer is valid"
    56  	DbgNoOCSPValidChains     = "No OCSP valid chains, thus peer is invalid"
    57  	DbgCheckingCacheForCert  = "Checking OCSP peer cache for [%s], key [%s]"
    58  	DbgCurrentResponseCached = "Cached OCSP response is current, status [%s]"
    59  	DbgExpiredResponseCached = "Cached OCSP response is expired, status [%s]"
    60  	DbgOCSPValidPeerLink     = "OCSP verify pass for [%s]"
    61  	DbgCachingResponse       = "Caching OCSP response for [%s], key [%s]"
    62  	DbgAchievedCompression   = "OCSP response compression ratio: [%f]"
    63  	DbgCacheHit              = "OCSP peer cache hit for key [%s]"
    64  	DbgCacheMiss             = "OCSP peer cache miss for key [%s]"
    65  	DbgPreservedRevocation   = "Revoked OCSP response for key [%s] preserved by cache policy"
    66  	DbgDeletingCacheResponse = "Deleting OCSP peer cached response for key [%s]"
    67  	DbgStartingCache         = "Starting OCSP peer cache"
    68  	DbgStoppingCache         = "Stopping OCSP peer cache"
    69  	DbgLoadingCache          = "Loading OCSP peer cache [%s]"
    70  	DbgNoCacheFound          = "No OCSP peer cache found, starting with empty cache"
    71  	DbgSavingCache           = "Saving OCSP peer cache [%s]"
    72  	DbgCacheSaved            = "Saved OCSP peer cache successfully (%d bytes)"
    73  	DbgMakingCARequest       = "Trying OCSP responder url [%s]"
    74  	DbgResponseExpired       = "OCSP response NextUpdate [%s] is before now [%s] with clockskew [%s]"
    75  	DbgResponseTTLExpired    = "OCSP response cache expiry [%s] is before now [%s] with clockskew [%s]"
    76  	DbgResponseFutureDated   = "OCSP response ThisUpdate [%s] is before now [%s] with clockskew [%s]"
    77  	DbgCacheSaveTimerExpired = "OCSP peer cache save timer expired"
    78  	DbgCacheDirtySave        = "OCSP peer cache is dirty, saving"
    79  
    80  	// Returned to peer as TLS reject reason
    81  	MsgTLSClientRejectConnection = "client not OCSP valid"
    82  	MsgTLSServerRejectConnection = "server not OCSP valid"
    83  
    84  	// Expected runtime errors (direct logged)
    85  	ErrCAResponderCalloutFail  = "Attempt to obtain OCSP response from CA responder for [%s] failed: %s"
    86  	ErrNewCAResponseNotCurrent = "New OCSP CA response obtained for [%s] but not current"
    87  	ErrCAResponseParseFailed   = "Could not parse OCSP CA response for [%s]: %s"
    88  	ErrOCSPInvalidPeerLink     = "OCSP verify fail for [%s] with CA status [%s]"
    89  
    90  	// Policy override warnings (direct logged)
    91  	MsgAllowWhenCAUnreachableOccurred             = "Failed to obtain OCSP CA response for [%s] but AllowWhenCAUnreachable set; no cached revocation so allowing"
    92  	MsgAllowWhenCAUnreachableOccurredCachedRevoke = "Failed to obtain OCSP CA response for [%s] but AllowWhenCAUnreachable set; cached revocation exists so rejecting"
    93  	MsgAllowWarnOnlyOccurred                      = "OCSP verify fail for [%s] but WarnOnly is true so allowing"
    94  
    95  	// Info (direct logged)
    96  	MsgCacheOnline  = "OCSP peer cache online, type [%s]"
    97  	MsgCacheOffline = "OCSP peer cache offline, type [%s]"
    98  
    99  	// OCSP cert invalid reasons (debug and event reasons)
   100  	MsgFailedOCSPResponseFetch       = "Failed OCSP response fetch"
   101  	MsgOCSPResponseNotEffective      = "OCSP response not in effectivity window"
   102  	MsgFailedOCSPResponseParse       = "Failed OCSP response parse"
   103  	MsgOCSPResponseInvalidStatus     = "Invalid OCSP response status: %s"
   104  	MsgOCSPResponseDelegationInvalid = "Invalid OCSP response delegation: %s"
   105  	MsgCachedOCSPResponseInvalid     = "Invalid cached OCSP response for [%s] with fingerprint [%s]"
   106  )