check_ocsp_response: print OCSP response actual error on debug log
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 13 Dec 2017 07:00:38 +0000 (08:00 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 19 Feb 2018 14:29:37 +0000 (15:29 +0100)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
lib/cert-session.c
lib/includes/gnutls/ocsp.h
lib/x509/ocsp.c
lib/x509/ocsp.h

index 2b415be30fbb01302f340f13baeaf8f2abc15d8a..dc3d9aebf8e2c29ff258f07853c214bb0e7a136b 100644 (file)
@@ -297,6 +297,11 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
 
        /* do not consider revocation data if response was not verified */
        if (status != 0) {
+               char buf[MAX_OCSP_MSG_SIZE];
+
+               _gnutls_debug_log("OCSP rejection reason: %s\n",
+                                 _gnutls_ocsp_verify_status_to_str(status, buf));
+
                ret = gnutls_assert_val(0);
                check_failed = 1;
                *ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
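Review bot: The reason string is built before `_gnutls_debug_log` decides whether anything is emitted, and building it is not free: the new `_gnutls_ocsp_verify_status_to_str` (ocsp.c hunk) allocates a heap buffer, copies it into `buf` and frees it on every call. If `_gnutls_debug_log` is a log-level-gated macro the argument expression is skipped when logging is off, but if it is a plain function every OCSP rejection pays that cost; the definition is not visible here, so this is worth confirming. If it is a function, wrap the two lines in the same log-level check the macro would use. Note that `check_ocsp_response` begins before this hunk and continues after it, so the rest of the rejection path is not visible here.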
index 966e1d5b8c870edefec4a6b51ebf2eb40f355fdb..e03aff49cd7ce5f46524e3c83f05e45d98f02de9 100644 (file)
@@ -114,6 +114,9 @@ typedef enum gnutls_x509_crl_reason_t {
        GNUTLS_X509_CRLREASON_AACOMPROMISE = 10
 } gnutls_x509_crl_reason_t;
 
+/* When adding a verify failure reason update:
+ * _gnutls_ocsp_verify_status_to_str()
+ */
 /**
  * gnutls_ocsp_verify_reason_t:
  * @GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND: Signer cert not found.
index 51a15c5c33f407340f13e99e1fc71fc8e5ee9b61..a413383748050dbf0d67eef9143da5bb4106b511 100644 (file)
@@ -2596,3 +2596,61 @@ time_t _gnutls_ocsp_get_validity(gnutls_ocsp_resp_t resp)
                return ntime;
        }
 }
+
+const char *_gnutls_ocsp_verify_status_to_str(gnutls_ocsp_verify_reason_t r, char out[MAX_OCSP_MSG_SIZE])
+{
+       gnutls_buffer_st str;
+       gnutls_datum_t buf;
+       int ret;
+
+       _gnutls_buffer_init(&str);
+
+       if (r == 0)
+               _gnutls_buffer_append_str(&str,
+                                         _
+                                         ("The OCSP response is trusted. "));
+
+       if (r & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
+               _gnutls_buffer_append_str(&str,
+                                         _
+                                         ("The OCSP response's signer could not be found. "));
+
+       if (r & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
+               _gnutls_buffer_append_str(&str,
+                                         _
+                                         ("Error in the signer's key usageflags. "));
+
+       if (r & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
+               _gnutls_buffer_append_str(&str,
+                                         _
+                                         ("The OCSP response's signer is not trusted. "));
+
+       if (r & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
+               _gnutls_buffer_append_str(&str,
+                                         _
+                                         ("The OCSP response depends on insecure algorithms. "));
+
+       if (r & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
+               _gnutls_buffer_append_str(&str,
+                                         _
+                                         ("The OCSP response's signature cannot be validated. "));
+
+       if (r & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
+               _gnutls_buffer_append_str(&str,
+                                         _
+                                         ("The OCSP response's signer's certificate is not activated. "));
+
+       if (r & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
+               _gnutls_buffer_append_str(&str,
+                                         _
+                                         ("The OCSP response's signer's certificate is expired. "));
+
+       ret = _gnutls_buffer_to_datum(&str, &buf, 1);
+       if (ret < 0)
+               return _("Memory error");
+
+       snprintf(out, MAX_OCSP_MSG_SIZE, "%s", buf.data);
+       gnutls_free(buf.data);
+
+       return out;
+}
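Review bot: The final `snprintf` silently truncates the message, because `MAX_OCSP_MSG_SIZE` is 128 (ocsp.h hunk) while the seven flag sentences added here total roughly 340 bytes; three reasons that plausibly co-occur — signer not found (47), untrusted signer (43) and signature failure (51) — already reach 141 bytes, so later reasons vanish from the debug line with no indication. Either size the buffer for the worst case, `#define MAX_OCSP_MSG_SIZE 512`, or compare the `snprintf` return value against `MAX_OCSP_MSG_SIZE` and append a truncation marker. The return values of the `_gnutls_buffer_append_str` calls are discarded; if an append can fail without `_gnutls_buffer_to_datum` later reporting it, the caller gets a partial sentence list rather than the `"Memory error"` fallback, which is worth checking against the buffer helpers. Since the result is copied into a fixed-size `out` anyway, the intermediate `gnutls_buffer_st` and heap datum could be replaced by direct bounded writes into `out`. Minor: `"Error in the signer's key usageflags. "` should read `key usage flags`.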
index 3d6418b1846c43a43fb1435b59758cfef5c793d4..07be1eeb253ed8f5967adaa7bf1965a7e264e2ce 100644 (file)
@@ -28,3 +28,5 @@
 #define MAX_OCSP_VALIDITY_SECS (15*60*60*24)
 
 time_t _gnutls_ocsp_get_validity(gnutls_ocsp_resp_t resp);
+#define MAX_OCSP_MSG_SIZE 128
+const char *_gnutls_ocsp_verify_status_to_str(gnutls_ocsp_verify_reason_t r, char out[MAX_OCSP_MSG_SIZE]);
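Review bot: The new prototype has no comment describing its contract, and the contract is not the obvious one: on allocation failure the ocsp.c implementation returns the static string `"Memory error"` and leaves `out` unwritten, so callers must use the returned pointer rather than `out`. The `[MAX_OCSP_MSG_SIZE]` in the parameter decays to `char *` and is not enforced by the compiler, so the size requirement is documentation only. Suggested comment above the declaration: `/* Renders the verify-reason bits in r as a list of sentences into out (MAX_OCSP_MSG_SIZE bytes, NUL-terminated, truncated if longer). Returns out, or a static string on allocation failure; always use the return value. */`.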