Fix for bug 94413 - OCSP needs more fine tuned error messages. r=wtc

2003-09-30 01:18:55 +00:00 · 2003-09-30 01:18:55 +00:00 · 347ed6b99f
--- a/security/nss/cmd/lib/SECerrs.h
+++ b/security/nss/cmd/lib/SECerrs.h
@ -474,3 +474,6 @@ ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM,	(SEC_ERROR_BASE + 142),

 ER3(SEC_ERROR_UNRECOGNIZED_OID,			(SEC_ERROR_BASE + 143),
 "Unrecognized Object IDentifier.")
+
+ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT,	(SEC_ERROR_BASE + 144),
+"Invalid OCSP signing certificate in OCSP response.")
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@ -35,7 +35,7 @@
 * Implementation of OCSP services, for both client and server.
 * (XXX, really, mostly just for client right now, but intended to do both.)
 *
- * $Id: ocsp.c,v 1.15 2002/12/12 06:05:28 nelsonb%netscape.com Exp $
+ * $Id: ocsp.c,v 1.16 2003/09/30 01:15:43 jpierre%netscape.com Exp $
 */

 #include "prerror.h"
@ -2478,8 +2478,10 @@ ocsp_CheckSignature(ocspSignature *signature, void *tbs,
     */
    rv = CERT_VerifyCert(handle, signerCert, PR_TRUE, certUsage, checkTime,
 			 pwArg, NULL);
-    if (rv != SECSuccess)
+    if (rv != SECSuccess) {
+        PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
 	goto finish;
+    }

    /*
     * Now get the public key from the signer's certificate; we need
--- a/security/nss/lib/util/secerr.h
+++ b/security/nss/lib/util/secerr.h
@ -189,7 +189,8 @@ SEC_ERROR_EXTRA_INPUT                       =   (SEC_ERROR_BASE + 140),
 /* error codes used by elliptic curve code */
 SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE	    =	(SEC_ERROR_BASE + 141),
 SEC_ERROR_UNSUPPORTED_EC_POINT_FORM	    =	(SEC_ERROR_BASE + 142),
-SEC_ERROR_UNRECOGNIZED_OID		    =	(SEC_ERROR_BASE + 143)
+SEC_ERROR_UNRECOGNIZED_OID		    =	(SEC_ERROR_BASE + 143),
+SEC_ERROR_OCSP_INVALID_SIGNING_CERT	    =   (SEC_ERROR_BASE + 144)

 } SECErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */