Move peer chain security checks into x509_vfy.c

[openssl.git] / crypto / x509 / x509_txt.c

diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index f7f27e97ef37f4207bc91733498f4ec20ca7b6dd..8a9a7f04449a542fa2f4b4439c571b570a2db0a0 100644 (file)
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -203,6 +203,12 @@ const char *X509_verify_cert_error_string(long n)
         return ("IP address mismatch");
     case X509_V_ERR_DANE_NO_MATCH:
         return ("No matching DANE TLSA records");
+    case X509_V_ERR_EE_KEY_TOO_SMALL:
+        return ("EE certificate key too weak");
+    case X509_V_ERR_CA_KEY_TOO_SMALL:
+        return ("CA certificate key too weak");
+    case X509_V_ERR_CA_MD_TOO_WEAK:
+        return ("CA signature digest algorithm too weak");
 
     default:
         /* Printing an error number into a static buffer is not thread-safe */