change: return invalid credentials errors on custom nginx error codes for incorrect client cert (#96)

This improves the user feedback in some cases when supplying invalid
client certificates.

However this covers only a subset of possible server behaviors on
invalid client certificates, but those are the only cases which can be
clearly attributed to invalid/missing client certs.

Some common server responses from CSAF Provider on invalid or missing
client certificate:
- http status 400 (bad request):
https://docs.apigee.com/api-platform/troubleshoot/runtime/400-ssl-certificate-error
- custom NGINX http error codes 495 or 496:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors *(now
covered)*
- termination of connection (transport level error):
https://cloud.google.com/load-balancing/docs/mtls

## Why

Better error feedback.

## References

VTI-659

Author: mgoetzegb

cmd/csaf_downloader/downloader.go

@@ -35,6 +35,7 @@ import (
 	"golang.org/x/time/rate"
 
 	"github.com/gocsaf/csaf/v3/csaf"
+	"github.com/gocsaf/csaf/v3/internal/httpext"
 	"github.com/gocsaf/csaf/v3/internal/misc"
 	"github.com/gocsaf/csaf/v3/pkg/errs"
 	csafErrs "github.com/gocsaf/csaf/v3/pkg/errs"
@@ -487,7 +488,7 @@ func (dc *downloadContext) downloadAdvisory(
 
 	if resp.StatusCode != http.StatusOK {
 		switch {
-		case resp.StatusCode == http.StatusUnauthorized:
+		case resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == httpext.StatusNGINXInvalidClientCert || resp.StatusCode == httpext.StatusNGINXNoClientCert:
 			errorCh <- csafErrs.ErrInvalidCredentials{Message: fmt.Sprintf("invalid credentials to retrieve CSAF document %s at URL %s: %s", filename, file.URL(), resp.Status)}
 		case resp.StatusCode == http.StatusForbidden:
 			// if we have access to the feed containing the document, we also must have access to itself, otherwise this indicates a problem with the provider

csaf/advisories.go

@@ -19,6 +19,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/gocsaf/csaf/v3/internal/httpext"
 	"github.com/gocsaf/csaf/v3/internal/misc"
 	"github.com/gocsaf/csaf/v3/pkg/errs"
 	"github.com/gocsaf/csaf/v3/util"
@@ -232,7 +233,7 @@ func (afp *AdvisoryFileProcessor) loadChanges(
 
 	if resp.StatusCode != http.StatusOK {
 		switch { // we don't expect 401 and 403, as directory based feeds are supposed to be public, but just to be on the safe side
-		case resp.StatusCode == http.StatusUnauthorized:
+		case resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == httpext.StatusNGINXInvalidClientCert || resp.StatusCode == httpext.StatusNGINXNoClientCert:
 			return nil, errs.ErrInvalidCredentials{Message: fmt.Sprintf("invalid credentials for accessing %s: %s", changesURL, resp.Status)}
 		case resp.StatusCode == http.StatusForbidden:
 			return []AdvisoryFile{}, nil // user has insufficient permissions to access feed, no error

internal/httpext/status_codes.go

@@ -0,0 +1,11 @@
+// SPDX-FileCopyrightText: 2025 Greenbone AG <https://greenbone.net>
+//
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package httpext
+
+const (
+	// non standard status code used by NGINX: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors
+	StatusNGINXInvalidClientCert = 495
+	StatusNGINXNoClientCert      = 496
+)