Add verification error codes

2 files changed, 123 insertions, 2 deletions

diff --git a/cryptography/hazmat/bindings/openssl/err.py b/cryptography/hazmat/bindings/openssl/err.py
index f685e494..e6074e84 100644
--- a/cryptography/hazmat/bindings/openssl/err.py
+++ b/cryptography/hazmat/bindings/openssl/err.py
@@ -18,6 +18,8 @@ INCLUDES = """
 """
 
 TYPES = """
+static const long Cryptography_HAS_102_ERROR_CODES;
+static const long Cryptography_HAS_101_ERROR_CODES;
 static const int Cryptography_HAS_REMOVE_THREAD_STATE;
 static const int Cryptography_HAS_098H_ERROR_CODES;
 static const int Cryptography_HAS_098C_CAMELLIA_CODES;
@@ -221,6 +223,70 @@ static const int RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
 static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
 static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
 static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
+
+static const int X509_V_OK;
+static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
+static const int X509_V_ERR_UNABLE_TO_GET_CRL;
+static const int X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE;
+static const int X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE;
+static const int X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+static const int X509_V_ERR_CERT_SIGNATURE_FAILURE;
+static const int X509_V_ERR_CRL_SIGNATURE_FAILURE;
+static const int X509_V_ERR_CERT_NOT_YET_VALID;
+static const int X509_V_ERR_CERT_HAS_EXPIRED;
+static const int X509_V_ERR_CRL_NOT_YET_VALID;
+static const int X509_V_ERR_CRL_HAS_EXPIRED;
+static const int X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
+static const int X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+static const int X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+static const int X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+static const int X509_V_ERR_OUT_OF_MEM;
+static const int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+static const int X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+static const int X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
+static const int X509_V_ERR_CERT_CHAIN_TOO_LONG;
+static const int X509_V_ERR_CERT_REVOKED;
+static const int X509_V_ERR_INVALID_CA;
+static const int X509_V_ERR_PATH_LENGTH_EXCEEDED;
+static const int X509_V_ERR_INVALID_PURPOSE;
+static const int X509_V_ERR_CERT_UNTRUSTED;
+static const int X509_V_ERR_CERT_REJECTED;
+static const int X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
+static const int X509_V_ERR_AKID_SKID_MISMATCH;
+static const int X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+static const int X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+static const int X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
+static const int X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
+static const int X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
+static const int X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
+static const int X509_V_ERR_INVALID_NON_CA;
+static const int X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+static const int X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+static const int X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+static const int X509_V_ERR_INVALID_EXTENSION;
+static const int X509_V_ERR_INVALID_POLICY_EXTENSION;
+static const int X509_V_ERR_NO_EXPLICIT_POLICY;
+static const int X509_V_ERR_DIFFERENT_CRL_SCOPE;
+static const int X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE;
+static const int X509_V_ERR_UNNESTED_RESOURCE;
+static const int X509_V_ERR_PERMITTED_VIOLATION;
+static const int X509_V_ERR_EXCLUDED_VIOLATION;
+static const int X509_V_ERR_SUBTREE_MINMAX;
+static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
+static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX;
+static const int X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+static const int X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
+static const int X509_V_ERR_SUITE_B_INVALID_VERSION;
+static const int X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
+static const int X509_V_ERR_SUITE_B_INVALID_CURVE;
+static const int X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
+static const int X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
+static const int X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
+static const int X509_V_ERR_HOSTNAME_MISMATCH;
+static const int X509_V_ERR_EMAIL_MISMATCH;
+static const int X509_V_ERR_IP_ADDRESS_MISMATCH;
+static const int X509_V_ERR_APPLICATION_VERIFICATION;
 """
 
 FUNCTIONS = """
@@ -277,6 +343,40 @@ static const int EVP_R_CAMELLIA_KEY_SETUP_FAILED;
 """
 
 CUSTOMIZATIONS = """
+// OpenSSL 1.0.2+
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+static const long Cryptography_HAS_102_ERROR_CODES = 1;
+#else
+static const long Cryptography_HAS_102_ERROR_CODES = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
+static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
+static const long X509_V_ERR_EMAIL_MISMATCH = 0;
+static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
+#endif
+
+// OpenSSL 1.0.1+
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+static const long Cryptography_HAS_101_ERROR_CODES = 1;
+#else
+static const long Cryptography_HAS_101_ERROR_CODES = 0;
+static const long X509_V_ERR_DIFFERENT_CRL_SCOPE = 0;
+static const long X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE = 0;
+static const long X509_V_ERR_UNNESTED_RESOURCE = 0;
+static const long X509_V_ERR_PERMITTED_VIOLATION = 0;
+static const long X509_V_ERR_EXCLUDED_VIOLATION = 0;
+static const long X509_V_ERR_SUBTREE_MINMAX = 0;
+static const long X509_V_ERR_UNSUPPORTED_CONSTRALONG_TYPE = 0;
+static const long X509_V_ERR_UNSUPPORTED_CONSTRALONG_SYNTAX = 0;
+static const long X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = 0;
+static const long X509_V_ERR_CRL_PATH_VALIDATION_ERROR = 0;
+#endif
+
+// OpenSSL 1.0.0+
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
 static const long Cryptography_HAS_REMOVE_THREAD_STATE = 1;
 #else
@@ -311,6 +411,29 @@ static const int EVP_R_CAMELLIA_KEY_SETUP_FAILED = 0;
 """
 
 CONDITIONAL_NAMES = {
+    "Cryptography_HAS_102_ERROR_CODES": [
+        'X509_V_ERR_SUITE_B_INVALID_VERSION',
+        'X509_V_ERR_SUITE_B_INVALID_ALGORITHM',
+        'X509_V_ERR_SUITE_B_INVALID_CURVE',
+        'X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM',
+        'X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED',
+        'X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256',
+        'X509_V_ERR_HOSTNAME_MISMATCH',
+        'X509_V_ERR_EMAIL_MISMATCH',
+        'X509_V_ERR_IP_ADDRESS_MISMATCH'
+    ],
+    "Cryptography_HAS_101_ERROR_CODES": [
+        'X509_V_ERR_DIFFERENT_CRL_SCOPE',
+        'X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE',
+        'X509_V_ERR_UNNESTED_RESOURCE',
+        'X509_V_ERR_PERMITTED_VIOLATION',
+        'X509_V_ERR_EXCLUDED_VIOLATION',
+        'X509_V_ERR_SUBTREE_MINMAX',
+        'X509_V_ERR_UNSUPPORTED_CONSTRALONG_TYPE',
+        'X509_V_ERR_UNSUPPORTED_CONSTRALONG_SYNTAX',
+        'X509_V_ERR_UNSUPPORTED_NAME_SYNTAX',
+        'X509_V_ERR_CRL_PATH_VALIDATION_ERROR',
+    ],
     "Cryptography_HAS_REMOVE_THREAD_STATE": [
         "ERR_remove_thread_state"
     ],
diff --git a/cryptography/hazmat/bindings/openssl/ssl.py b/cryptography/hazmat/bindings/openssl/ssl.py
index 165bc7a1..79f13b60 100644
--- a/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/cryptography/hazmat/bindings/openssl/ssl.py
@@ -128,8 +128,6 @@ static const long SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
 static const long SSL_MODE_AUTO_RETRY;
 static const long SSL3_RANDOM_SIZE;
 typedef ... X509_STORE_CTX;
-static const long X509_V_OK;
-static const long X509_V_ERR_APPLICATION_VERIFICATION;
 typedef ... SSL_METHOD;
 typedef struct ssl_st {
     int version;