From 347ed6b99f213831a2c23d1f25b861703c3b7828 Mon Sep 17 00:00:00 2001
From: "jpierre%netscape.com"
Date: Tue, 30 Sep 2003 01:18:55 +0000
Subject: [PATCH] Fix for bug 94413 - OCSP needs more fine tuned error messages. r=wtc
---
 security/nss/cmd/lib/SECerrs.h | 3 +++
 security/nss/lib/certhigh/ocsp.c | 6 ++++--
 security/nss/lib/util/secerr.h | 3 ++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/cmd/lib/SECerrs.h
index e566e3983f39..218d43be19a8 100644
--- a/security/nss/cmd/lib/SECerrs.h
+++ b/security/nss/cmd/lib/SECerrs.h
@@ -474,3 +474,6 @@ ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, (SEC_ERROR_BASE + 142),
 ER3(SEC_ERROR_UNRECOGNIZED_OID, (SEC_ERROR_BASE + 143),
 "Unrecognized Object IDentifier.")
+
+ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT, (SEC_ERROR_BASE + 144),
+"Invalid OCSP signing certificate in OCSP response.")
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index 82750cfa1501..0ad01950cbbe 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -35,7 +35,7 @@
 * Implementation of OCSP services, for both client and server.
 * (XXX, really, mostly just for client right now, but intended to do both.)
 *
- * $Id: ocsp.c,v 1.15 2002/12/12 06:05:28 nelsonb%netscape.com Exp $
+ * $Id: ocsp.c,v 1.16 2003/09/30 01:15:43 jpierre%netscape.com Exp $
 */
 #include "prerror.h"
@@ -2478,8 +2478,10 @@ ocsp_CheckSignature(ocspSignature *signature, void *tbs,
 */
 rv = CERT_VerifyCert(handle, signerCert, PR_TRUE, certUsage, checkTime, pwArg, NULL);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
 goto finish;
+ }
 /*
 * Now get the public key from the signer's certificate; we need
diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h
index e69449e7f5bb..d1bb335fc3bc 100644
--- a/security/nss/lib/util/secerr.h
+++ b/security/nss/lib/util/secerr.h
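Review bot: The `PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);` added in ocsp_CheckSignature (ocsp.c hunk at 2478) discards whatever error CERT_VerifyCert left behind, so a caller can no longer tell an expired or untrusted responder certificate from an unrelated failure such as an allocation error. The check still fails closed, because `goto finish` runs with rv unchanged, but the underlying reason is what an operator needs when triaging rejected OCSP responses, and the call passes NULL as its last argument (apparently the verify log), so nothing else records it. Consider overriding only for validation failures, e.g. `if (PORT_GetError() != SEC_ERROR_NO_MEMORY) PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);`, or at least adding a comment such as `/* deliberately masks the CERT_VerifyCert error; see bug 94413 */`. The function body starts and ends outside the hunk, so how callers consume the error code is not visible here.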
@@ -189,7 +189,8 @@ SEC_ERROR_EXTRA_INPUT = (SEC_ERROR_BASE + 140),
 /* error codes used by elliptic curve code */
 SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = (SEC_ERROR_BASE + 141),
 SEC_ERROR_UNSUPPORTED_EC_POINT_FORM = (SEC_ERROR_BASE + 142),
-SEC_ERROR_UNRECOGNIZED_OID = (SEC_ERROR_BASE + 143)
+SEC_ERROR_UNRECOGNIZED_OID = (SEC_ERROR_BASE + 143),
+SEC_ERROR_OCSP_INVALID_SIGNING_CERT = (SEC_ERROR_BASE + 144)
 } SECErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */