RubyGems - fluent-plugin-secure-forward-addproxy - Versions diffs - 0.3.3dev2 - Mend

fluent-plugin-secure-forward-addproxy 0.3.3dev2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

checksums.yaml +7 -0
data/.gitignore +9 -0
data/.travis.yml +4 -0
data/Gemfile +4 -0
data/README.md +444 -0
data/Rakefile +11 -0
data/bin/console +14 -0
data/bin/secure-forward-ca-generate +34 -0
data/bin/setup +7 -0
data/example/auth_client.conf +19 -0
data/example/auth_server.conf +30 -0
data/example/cert_client.conf +21 -0
data/example/cert_server.conf +35 -0
data/example/certs/cert.pem +18 -0
data/example/certs/key.pem +15 -0
data/example/client.conf +24 -0
data/example/client_proxy.conf +26 -0
data/example/insecure_client.conf +23 -0
data/example/insecure_server.conf +10 -0
data/example/server.conf +13 -0
data/fluent-plugin-secure-forward-addproxy.gemspec +23 -0
data/lib/fluent/plugin/in_secure_forward.rb +278 -0
data/lib/fluent/plugin/input_session.rb +219 -0
data/lib/fluent/plugin/openssl_util.rb +38 -0
data/lib/fluent/plugin/out_secure_forward.rb +280 -0
data/lib/fluent/plugin/output_node.rb +348 -0
data/lib/fluent/plugin/secure/forward/addproxy/version.rb +11 -0
data/lib/fluent/plugin/secure/forward/addproxy.rb +13 -0
data/lib/fluent/plugin/secure/forward/v033dev2/addproxy/version.rb +13 -0
data/lib/fluent/plugin/secure/forward/v033dev2/addproxy.rb +15 -0
data/lib/fluent/plugin/secure_forward/cert_util.rb +85 -0
data/test/helper.rb +66 -0
data/test/plugin/test_in_secure_forward.rb +237 -0
data/test/plugin/test_input_session.rb +43 -0
data/test/plugin/test_out_secure_forward.rb +147 -0
metadata +169 -0

data/example/client.conf ADDED Viewed

@@ -0,0 +1,24 @@
+<source>
+  type forward
+</source>
+<match test.**>
+  type secure_forward
+  secure yes
+  self_hostname client
+  shared_key hogeposxxx0
+  keepalive 30
+  ca_cert_path /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_cert.pem
+  enable_strict_verification yes
+  <server>
+    host localhost
+  </server>
+  # <server>
+  #   host localhost
+  #   standby yes
+  # </server>
+  # <server>
+  #   host localhost
+  # </server>
+  flush_interval 1s
+</match>

data/example/client_proxy.conf ADDED Viewed

@@ -0,0 +1,26 @@
+<source>
+  type forward
+</source>
+<match test.**>
+  type secure_forward
+  secure yes
+  self_hostname client
+  shared_key hogeposxxx0
+  keepalive 30
+  ca_cert_path /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_cert.pem
+  enable_strict_verification yes
+  <server>
+    proxy_uri http://foo.foo.local:3128
+    host localhost
+  </server>
+  # <server>
+  #   proxy_uri http://bar.bar.local:3128
+  #   host localhost
+  #   standby yes
+  # </server>
+  # <server>
+  #   host localhost
+  # </server>
+  flush_interval 1s
+</match>

data/example/insecure_client.conf ADDED Viewed

@@ -0,0 +1,23 @@
+<source>
+  type forward
+</source>
+<match test.**>
+  type secure_forward
+  secure no
+  self_hostname client
+  shared_key hogeposxxx0
+  keepalive 30
+  enable_strict_verification yes
+  <server>
+    host localhost
+  </server>
+  # <server>
+  #   host localhost
+  #   standby yes
+  # </server>
+  # <server>
+  #   host localhost
+  # </server>
+  flush_interval 1s
+</match>

data/example/insecure_server.conf ADDED Viewed

@@ -0,0 +1,10 @@
+<source>
+  type secure_forward
+  secure no
+  self_hostname localhost
+  shared_key hogeposxxx0
+</source>
+<match test.**>
+  type stdout
+</match>

data/example/server.conf ADDED Viewed

@@ -0,0 +1,13 @@
+<source>
+  type secure_forward
+  secure yes
+  self_hostname localhost
+  shared_key hogeposxxx0
+  ca_cert_path        /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_cert.pem
+  ca_private_key_path /Users/tagomoris/github/fluent-plugin-secure-forward/test/tmp/cadir/ca_key.pem
+  ca_private_key_passphrase testing secret phrase
+</source>
+<match test.**>
+  type stdout
+</match>

data/fluent-plugin-secure-forward-addproxy.gemspec ADDED Viewed

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |gem|
+  gem.name          = "fluent-plugin-secure-forward-addproxy"
+  gem.version       = "0.3.3dev2"
+  gem.authors       = ["TAGOMORI Satoshi"]
+  gem.email         = ["tagomoris@gmail.com"]
+  gem.summary       = %q{Fluentd input/output plugin to forward over SSL with authentications + proxy}
+  gem.description   = %q{fork from fluent-plugin-secure-forward 0.3.3dev2 }
+  gem.homepage      = "https://github.com/tagomoris/fluent-plugin-secure-forward"
+  gem.license       = "APLv2"
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+  gem.add_runtime_dependency "fluentd", ">= 0.10.46"
+  gem.add_runtime_dependency "fluent-mixin-config-placeholders", ">= 0.3.0"
+  gem.add_runtime_dependency "resolve-hostname"
+  gem.add_runtime_dependency "proxifier"
+  gem.add_development_dependency "test-unit"
+  gem.add_development_dependency "rake"
+end

data/lib/fluent/plugin/in_secure_forward.rb ADDED Viewed

@@ -0,0 +1,278 @@
+# -*- coding: utf-8 -*-
+require 'fluent/mixin/config_placeholders'
+module Fluent
+  class SecureForwardInput < Input
+  end
+end
+require_relative 'input_session'
+require_relative './secure_forward/cert_util'
+module Fluent
+  class SecureForwardInput < Input
+    DEFAULT_SECURE_LISTEN_PORT = 24284
+    Fluent::Plugin.register_input('secure_forward', self)
+    config_param :secure, :bool # if secure, cert_path or ca_cert_path required
+    config_param :self_hostname, :string
+    include Fluent::Mixin::ConfigPlaceholders
+    config_param :shared_key, :string
+    config_param :bind, :string, default: '0.0.0.0'
+    config_param :port, :integer, default: DEFAULT_SECURE_LISTEN_PORT
+    config_param :allow_keepalive, :bool, default: true #TODO: implement
+    config_param :allow_anonymous_source, :bool, default: true
+    config_param :authentication, :bool, default: false
+    config_param :ssl_version, :string, default: 'TLSv1_2'
+    config_param :ssl_ciphers, :string, default: nil
+    # Cert signed by public CA
+    config_param :cert_path, :string, default: nil
+    config_param :private_key_path, :string, default: nil
+    config_param :private_key_passphrase, :string, default: nil
+    # Cert automatically generated and signed by private CA
+    config_param :ca_cert_path, :string, default: nil
+    config_param :ca_private_key_path, :string, default: nil
+    config_param :ca_private_key_passphrase, :string, default: nil
+    # Otherwise: Cert automatically generated and signed by itself (for without any verification)
+    config_param :generate_private_key_length, :integer, default: 2048
+    config_param :generate_cert_country, :string, default: 'US'
+    config_param :generate_cert_state, :string, default: 'CA'
+    config_param :generate_cert_locality, :string, default: 'Mountain View'
+    config_param :generate_cert_common_name, :string, default: nil
+    config_param :read_length, :size, default: 8*1024*1024 # 8MB
+    config_param :read_interval_msec, :integer, default: 50 # 50ms
+    config_param :socket_interval_msec, :integer, default: 200 # 200ms
+    attr_reader :read_interval, :socket_interval
+    config_section :user, param_name: :users do
+      config_param :username, :string
+      config_param :password, :string
+    end
+    config_section :client, param_name: :clients do
+      config_param :host, :string, default: nil
+      config_param :network, :string, default: nil
+      config_param :shared_key, :string, default: nil
+      config_param :users, :string, default: nil # comma separated username list
+    end
+    attr_reader :nodes
+    attr_reader :sessions # node/socket/thread list which has sslsocket instance keepaliving to client
+    def initialize
+      super
+      require 'ipaddr'
+      require 'socket'
+      require 'openssl'
+      require 'digest'
+      require 'securerandom'
+    end
+    # Define `log` method for v0.10.42 or earlier
+    unless method_defined?(:log)
+      define_method("log") { $log }
+    end
+    def configure(conf)
+      super
+      if @secure
+        unless @cert_path || @ca_cert_path
+          raise Fluent::ConfigError, "cert_path or ca_cert_path required for secure communication"
+        end
+        if @cert_path
+          raise Fluent::ConfigError, "private_key_path required" unless @private_key_path
+          raise Fluent::ConfigError, "private_key_passphrase required" unless @private_key_passphrase
+        else # @ca_cert_path
+          raise Fluent::ConfigError, "ca_private_key_path required" unless @ca_private_key_path
+          raise Fluent::ConfigError, "ca_private_key_passphrase required" unless @ca_private_key_passphrase
+        end
+      else
+        log.warn "'insecure' mode has vulnerability for man-in-the-middle attacks for clients (output plugins)."
+      end
+      @read_interval = @read_interval_msec / 1000.0
+      @socket_interval = @socket_interval_msec / 1000.0
+      @nodes = []
+      @clients.each do |client|
+        if client.host && client.network
+          raise Fluent::ConfigError, "both of 'host' and 'network' are specified for client"
+        end
+        if !client.host && !client.network
+          raise Fluent::ConfigError, "Either of 'host' and 'network' must be specified for client"
+        end
+        source = nil
+        if client.host
+          begin
+            source = IPSocket.getaddress(client.host)
+          rescue SocketError => e
+            raise Fluent::ConfigError, "host '#{client.host}' cannot be resolved"
+          end
+        end
+        source_addr = begin
+                        IPAddr.new(source || client.network)
+                      rescue ArgumentError => e
+                        raise Fluent::ConfigError, "network '#{client.network}' address format is invalid"
+                      end
+        @nodes.push({
+            address: source_addr,
+            shared_key: (client.shared_key || @shared_key),
+            users: (client.users ? client.users.split(',') : nil)
+          })
+      end
+      @generate_cert_common_name ||= @self_hostname
+      # To check whether certificates are successfully generated/loaded at startup time
+      self.certificate
+      true
+    end
+    def start
+      super
+      OpenSSL::Random.seed(SecureRandom.random_bytes(16))
+      @sessions = []
+      @sock = nil
+      @listener = Thread.new(&method(:run))
+      @listener.abort_on_exception
+    end
+    def shutdown
+      @listener.kill
+      @listener.join
+      @sessions.each{ |s| s.shutdown }
+      @sock.close
+    end
+    def select_authenticate_users(node, username)
+      if node.nil? || node[:users].nil?
+        @users.select{|u| u.username == username}
+      else
+        @users.select{|u| node[:users].include?(u.username) && u.username == username}
+      end
+    end
+    def certificate
+      return @cert, @key if @cert && @key
+      if @cert_path
+        @key = OpenSSL::PKey::RSA.new(File.read(@private_key_path), @private_key_passphrase)
+        @cert = OpenSSL::X509::Certificate.new(File.read(@cert_path))
+      elsif @ca_cert_path
+        opts = {
+          ca_cert_path: @ca_cert_path,
+          ca_key_path: @ca_private_key_path,
+          ca_key_passphrase: @ca_private_key_passphrase,
+          private_key_length: @generate_private_key_length,
+          country: @generate_cert_country,
+          state: @generate_cert_state,
+          locality: @generate_cert_locality,
+          common_name: @generate_cert_common_name,
+        }
+        @cert, @key = Fluent::SecureForward::CertUtil.generate_server_pair(opts)
+      else
+        opts = {
+          private_key_length: @generate_private_key_length,
+          country: @generate_cert_country,
+          state: @generate_cert_state,
+          locality: @generate_cert_locality,
+          common_name: @generate_cert_common_name,
+        }
+        @cert, @key = Fluent::SecureForward::CertUtil.generate_self_signed_server_pair(opts)
+      end
+      return @cert, @key
+    end
+    def run # sslsocket server thread
+      log.trace "setup for ssl sessions"
+      cert, key = self.certificate
+      ctx = OpenSSL::SSL::SSLContext.new(@ssl_version)
+      if @secure
+        # inject OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+        # https://bugs.ruby-lang.org/issues/9424
+        ctx.set_params({})
+        if @ssl_ciphers
+          ctx.ciphers = @ssl_ciphers
+        else
+          ### follow httpclient configuration by nahi
+          # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
+          ctx.ciphers = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
+        end
+      end
+      ctx.cert = cert
+      ctx.key = key
+      log.trace "start to listen", bind: @bind, port: @port
+      server = TCPServer.new(@bind, @port)
+      log.trace "starting SSL server", bind: @bind, port: @port
+      @sock = OpenSSL::SSL::SSLServer.new(server, ctx)
+      @sock.start_immediately = false
+      begin
+        log.trace "accepting sessions"
+        loop do
+          while socket = @sock.accept
+            log.trace "accept tcp connection (ssl session not established yet)"
+            @sessions.push Session.new(self, socket)
+            # cleanup closed session instance
+            @sessions.delete_if(&:closed?)
+            log.trace "session instances:", all: @sessions.size, closed: @sessions.select(&:closed?).size
+          end
+        end
+      rescue OpenSSL::SSL::SSLError => e
+        raise unless e.message.start_with?('SSL_accept SYSCALL') # signal trap on accept
+      end
+    end
+    def on_message(msg)
+      # NOTE: copy&paste from Fluent::ForwardInput#on_message(msg)
+      # TODO: format error
+      tag = msg[0].to_s
+      entries = msg[1]
+      if entries.class == String
+        # PackedForward
+        es = MessagePackEventStream.new(entries, @cached_unpacker)
+        Fluent::Engine.emit_stream(tag, es)
+      elsif entries.class == Array
+        # Forward
+        es = Fluent::MultiEventStream.new
+        entries.each {|e|
+          time = e[0].to_i
+          time = (now ||= Fluent::Engine.now) if time == 0
+          record = e[1]
+          es.add(time, record)
+        }
+        Fluent::Engine.emit_stream(tag, es)
+      else
+        # Message
+        time = msg[1]
+        time = Fluent::Engine.now if time == 0
+        record = msg[2]
+        Fluent::Engine.emit(tag, time, record)
+      end
+    end
+  end
+end

data/lib/fluent/plugin/input_session.rb ADDED Viewed

@@ -0,0 +1,219 @@
+require 'msgpack'
+require 'socket'
+require 'openssl'
+require 'digest'
+# require 'resolv'
+class Fluent::SecureForwardInput::Session
+  attr_accessor :receiver
+  attr_accessor :state, :thread, :node, :socket, :unpacker, :auth_salt
+  def initialize(receiver, socket)
+    @receiver = receiver
+    @state = :helo
+    @socket = socket
+    @socket.sync = true
+    @ipaddress = nil
+    @node = nil
+    @unpacker = MessagePack::Unpacker.new
+    @thread = Thread.new(&method(:start))
+  end
+  def log
+    @receiver.log
+  end
+  def closed?
+    @state == :closed
+  end
+  def established?
+    @state == :established
+  end
+  def generate_salt
+    OpenSSL::Random.random_bytes(16)
+  end
+  def check_node(ipaddress)
+    node = nil
+    @receiver.nodes.each do |n|
+      if n[:address].include?(ipaddress)
+        node = n
+        break
+      end
+    end
+    node
+  end
+  ## not implemented yet
+  # def check_hostname_reverse_lookup(ipaddress)
+  #   rev_name = Resolv.getname(ipaddress)
+  #   proto, port, host, ipaddr, family_num, socktype_num, proto_num = Socket.getaddrinfo(rev_name, DUMMY_PORT)
+  #   unless ipaddr == ipaddress
+  #     return false
+  #   end
+  #   true
+  # end
+  def generate_helo
+    log.debug "generating helo"
+    # ['HELO', options(hash)]
+    [ 'HELO', {'nonce' => @shared_key_nonce, 'auth' => (@receiver.authentication ? @auth_key_salt : ''), 'keepalive' => @receiver.allow_keepalive } ]
+  end
+  def check_ping(message)
+    log.debug "checking ping"
+    # ['PING', self_hostname, shared_key\_salt, sha512\_hex(shared_key\_salt + self_hostname + nonce + shared_key),
+    #  username || '', sha512\_hex(auth\_salt + username + password) || '']
+    unless message.size == 6 && message[0] == 'PING'
+      return false, 'invalid ping message'
+    end
+    ping, hostname, shared_key_salt, shared_key_hexdigest, username, password_digest = message
+    shared_key = if @node && @node[:shared_key]
+                   @node[:shared_key]
+                 else
+                   @receiver.shared_key
+                 end
+    serverside = Digest::SHA512.new.update(shared_key_salt).update(hostname).update(@shared_key_nonce).update(shared_key).hexdigest
+    if shared_key_hexdigest != serverside
+      log.warn "Shared key mismatch from '#{hostname}'"
+      return false, 'shared_key mismatch'
+    end
+    if @receiver.authentication
+      users = @receiver.select_authenticate_users(@node, username)
+      success = false
+      users.each do |user|
+        passhash = Digest::SHA512.new.update(@auth_key_salt).update(username).update(user[:password]).hexdigest
+        success ||= (passhash == password_digest)
+      end
+      unless success
+        log.warn "Authentication failed from client '#{hostname}', username '#{username}'"
+        return false, 'username/password mismatch'
+      end
+    end
+    return true, shared_key_salt
+  end
+  def generate_pong(auth_result, reason_or_salt)
+    log.debug "generating pong"
+    # ['PONG', bool(authentication result), 'reason if authentication failed',
+    #  self_hostname, sha512\_hex(salt + self_hostname + nonce + sharedkey)]
+    if not auth_result
+      return ['PONG', false, reason_or_salt, '', '']
+    end
+    shared_key = if @node && @node[:shared_key]
+                   @node[:shared_key]
+                 else
+                   @receiver.shared_key
+                 end
+    shared_key_hex = Digest::SHA512.new.update(reason_or_salt).update(@receiver.self_hostname).update(@shared_key_nonce).update(shared_key).hexdigest
+    [ 'PONG', true, '', @receiver.self_hostname, shared_key_hex ]
+  end
+  def on_read(data)
+    log.debug "on_read"
+    if self.established?
+      @receiver.on_message(data)
+    end
+    case @state
+    when :pingpong
+      success, reason_or_salt = self.check_ping(data)
+      if not success
+        send_data generate_pong(false, reason_or_salt)
+        self.shutdown
+        return
+      end
+      send_data generate_pong(true, reason_or_salt)
+      log.debug "connection established"
+      @state = :established
+    end
+  end
+  def send_data(data)
+    # not nonblock because write data (response) needs sequence
+    @socket.write data.to_msgpack
+  end
+  def start
+    log.debug "starting server"
+    log.trace "accepting ssl session"
+    begin
+      @socket.accept
+    rescue OpenSSL::SSL::SSLError => e
+      log.debug "failed to establish ssl session", error_class: e.class, error: e
+      self.shutdown
+      return
+    end
+    proto, port, host, ipaddr = @socket.io.peeraddr
+    @node = check_node(ipaddr)
+    if @node.nil? && (! @receiver.allow_anonymous_source)
+      log.warn "Connection required from unknown host '#{host}' (#{ipaddr}), disconnecting..."
+      self.shutdown
+      return
+    end
+    @shared_key_nonce = generate_salt
+    @auth_key_salt = generate_salt
+    buf = ''
+    read_length = @receiver.read_length
+    read_interval = @receiver.read_interval
+    socket_interval = @receiver.socket_interval
+    send_data generate_helo()
+    @state = :pingpong
+    loop do
+      begin
+        while @socket.read_nonblock(read_length, buf)
+          if buf == ''
+            sleep read_interval
+            next
+          end
+          @unpacker.feed_each(buf, &method(:on_read))
+          buf = ''
+        end
+      rescue OpenSSL::SSL::SSLError => e
+        # to wait i/o restart
+        sleep socket_interval
+      rescue EOFError => e
+        log.debug "Connection closed from '#{host}'(#{ipaddr})"
+        break
+      end
+    end
+  rescue Errno::ECONNRESET => e
+    # disconnected from client
+  rescue => e
+    log.warn "unexpected error in in_secure_forward", error_class: e.class, error: e
+  ensure
+    self.shutdown
+  end
+  def shutdown
+    @state = :closed
+    if @thread == Thread.current
+      @socket.close
+      @thread.kill
+    else
+      if @thread
+        @thread.kill
+        @thread.join
+      end
+      @socket.close
+    end
+  rescue => e
+    log.debug "#{e.class}:#{e.message}"
+  end
+end

data/lib/fluent/plugin/openssl_util.rb ADDED Viewed

@@ -0,0 +1,38 @@
+module Fluent::SecureForwardOutput::OpenSSLUtil
+  def self.verify_result_name(code)
+    case code
+    when OpenSSL::X509::V_OK then 'V_OK'
+    when OpenSSL::X509::V_ERR_AKID_SKID_MISMATCH then 'V_ERR_AKID_SKID_MISMATCH'
+    when OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION then 'V_ERR_APPLICATION_VERIFICATION'
+    when OpenSSL::X509::V_ERR_CERT_CHAIN_TOO_LONG then 'V_ERR_CERT_CHAIN_TOO_LONG'
+    when OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED then 'V_ERR_CERT_HAS_EXPIRED'
+    when OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID then 'V_ERR_CERT_NOT_YET_VALID'
+    when OpenSSL::X509::V_ERR_CERT_REJECTED then 'V_ERR_CERT_REJECTED'
+    when OpenSSL::X509::V_ERR_CERT_REVOKED then 'V_ERR_CERT_REVOKED'
+    when OpenSSL::X509::V_ERR_CERT_SIGNATURE_FAILURE then 'V_ERR_CERT_SIGNATURE_FAILURE'
+    when OpenSSL::X509::V_ERR_CERT_UNTRUSTED then 'V_ERR_CERT_UNTRUSTED'
+    when OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED then 'V_ERR_CRL_HAS_EXPIRED'
+    when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID then 'V_ERR_CRL_NOT_YET_VALID'
+    when OpenSSL::X509::V_ERR_CRL_SIGNATURE_FAILURE then 'V_ERR_CRL_SIGNATURE_FAILURE'
+    when OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT then 'V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT'
+    when OpenSSL::X509::V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD then 'V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD'
+    when OpenSSL::X509::V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD then 'V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD'
+    when OpenSSL::X509::V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD then 'V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD'
+    when OpenSSL::X509::V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD then 'V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD'
+    when OpenSSL::X509::V_ERR_INVALID_CA then 'V_ERR_INVALID_CA'
+    when OpenSSL::X509::V_ERR_INVALID_PURPOSE then 'V_ERR_INVALID_PURPOSE'
+    when OpenSSL::X509::V_ERR_KEYUSAGE_NO_CERTSIGN then 'V_ERR_KEYUSAGE_NO_CERTSIGN'
+    when OpenSSL::X509::V_ERR_OUT_OF_MEM then 'V_ERR_OUT_OF_MEM'
+    when OpenSSL::X509::V_ERR_PATH_LENGTH_EXCEEDED then 'V_ERR_PATH_LENGTH_EXCEEDED'
+    when OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN then 'V_ERR_SELF_SIGNED_CERT_IN_CHAIN'
+    when OpenSSL::X509::V_ERR_SUBJECT_ISSUER_MISMATCH then 'V_ERR_SUBJECT_ISSUER_MISMATCH'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY then 'V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE then 'V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE then 'V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL then 'V_ERR_UNABLE_TO_GET_CRL'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT then 'V_ERR_UNABLE_TO_GET_ISSUER_CERT'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY then 'V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE then 'V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE'
+    end
+  end
+end