authorNikos Mavrogiannopoulos <nmav@gnutls.org>2017-12-13 08:00:38 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-02-05 08:57:22 +0100
commitde666f21d452f0b962840dd98350098268b729c8 (patch)
tree213add13fb4ee490bbfdf2e5ce390f56788a0f32
parent3bc89c515f6bda98c9b4a3f3bc8d1834b1f869fc (diff)
check_ocsp_response: print OCSP response actual error on debug log
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--lib/cert-session.c5
-rw-r--r--lib/includes/gnutls/ocsp.h3
-rw-r--r--lib/x509/ocsp.c58
-rw-r--r--lib/x509/ocsp.h2
4 files changed, 68 insertions, 0 deletions
diff --git a/lib/cert-session.c b/lib/cert-session.c
index 2b415be30f..dc3d9aebf8 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -297,6 +297,11 @@ check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
/* do not consider revocation data if response was not verified */
if (status != 0) {
+ char buf[MAX_OCSP_MSG_SIZE];
+
+ _gnutls_debug_log("OCSP rejection reason: %s\n",
+ _gnutls_ocsp_verify_status_to_str(status, buf));
+
ret = gnutls_assert_val(0);
check_failed = 1;
*ostatus |= GNUTLS_CERT_INVALID_OCSP_STATUS;
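Review bot: The new debug line prints only the decoded text, so a status bit that has no entry in `_gnutls_ocsp_verify_status_to_str()` (the header comment added in lib/includes/gnutls/ocsp.h relies on maintainers keeping that table in sync by hand) would be logged as an empty reason and be hard to diagnose from the log. Including the raw value alongside the text keeps the log useful in that case, e.g. `_gnutls_debug_log("OCSP rejection reason (%u): %s\n", (unsigned)status, _gnutls_ocsp_verify_status_to_str(status, buf));` — the cast assumes `status` is an integer flag set, which the hunk does not show. check_ocsp_response() starts and ends outside the hunk.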
diff --git a/lib/includes/gnutls/ocsp.h b/lib/includes/gnutls/ocsp.h
index 966e1d5b8c..e03aff49cd 100644
--- a/lib/includes/gnutls/ocsp.h
+++ b/lib/includes/gnutls/ocsp.h
@@ -114,6 +114,9 @@ typedef enum gnutls_x509_crl_reason_t {
GNUTLS_X509_CRLREASON_AACOMPROMISE = 10
} gnutls_x509_crl_reason_t;
+/* When adding a verify failure reason update:
+ * _gnutls_ocsp_verify_status_to_str()
+ */
/**
* gnutls_ocsp_verify_reason_t:
* @GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND: Signer cert not found.
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 51a15c5c33..a413383748 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -2596,3 +2596,61 @@ time_t _gnutls_ocsp_get_validity(gnutls_ocsp_resp_t resp)
return ntime;
}
}
+
+const char *_gnutls_ocsp_verify_status_to_str(gnutls_ocsp_verify_reason_t r, char out[MAX_OCSP_MSG_SIZE])
+{
+ gnutls_buffer_st str;
+ gnutls_datum_t buf;
+ int ret;
+
+ _gnutls_buffer_init(&str);
+
+ if (r == 0)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The OCSP response is trusted. "));
+
+ if (r & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The OCSP response's signer could not be found. "));
+
+ if (r & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("Error in the signer's key usageflags. "));
+
+ if (r & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The OCSP response's signer is not trusted. "));
+
+ if (r & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The OCSP response depends on insecure algorithms. "));
+
+ if (r & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The OCSP response's signature cannot be validated. "));
+
+ if (r & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The OCSP response's signer's certificate is not activated. "));
+
+ if (r & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The OCSP response's signer's certificate is expired. "));
+
+ ret = _gnutls_buffer_to_datum(&str, &buf, 1);
+ if (ret < 0)
+ return _("Memory error");
+
+ snprintf(out, MAX_OCSP_MSG_SIZE, "%s", buf.data);
+ gnutls_free(buf.data);
+
+ return out;
+}
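Review bot: The final `snprintf(out, MAX_OCSP_MSG_SIZE, "%s", buf.data)` silently truncates when several reason bits are set: the individual messages are roughly 45–60 bytes each, so two or three of the longer ones already exceed the 128-byte `MAX_OCSP_MSG_SIZE` defined in the lib/x509/ocsp.h hunk, and the caller has no way to tell the text was cut. Either raise the constant to cover all seven messages together or check the `snprintf` return value and note the truncation in the output. Separately, when `r` is non-zero but matches none of the listed flags nothing is appended, and if `_gnutls_buffer_to_datum()` hands back a NULL `buf.data` for an empty buffer (hedged — its handling of that case is not visible here) the `%s` would pass NULL to `snprintf`, which is undefined behaviour; a guard such as `if (buf.data == NULL) { snprintf(out, MAX_OCSP_MSG_SIZE, "%s", _("Unknown OCSP verification status. ")); return out; }` before the copy avoids both the UB and the empty log line. The function also deserves a header comment stating that `out` must hold at least `MAX_OCSP_MSG_SIZE` bytes and that the return value may be a static string rather than `out` on allocation failure.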
diff --git a/lib/x509/ocsp.h b/lib/x509/ocsp.h
index 3d6418b184..07be1eeb25 100644
--- a/lib/x509/ocsp.h
+++ b/lib/x509/ocsp.h
@@ -28,3 +28,5 @@
#define MAX_OCSP_VALIDITY_SECS (15*60*60*24)
time_t _gnutls_ocsp_get_validity(gnutls_ocsp_resp_t resp);
+#define MAX_OCSP_MSG_SIZE 128
+const char *_gnutls_ocsp_verify_status_to_str(gnutls_ocsp_verify_reason_t r, char out[MAX_OCSP_MSG_SIZE]);
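Review bot: The new prototype has no comment describing its contract, and the header is where callers look: `out` must be an array of at least `MAX_OCSP_MSG_SIZE` bytes, the returned pointer is normally `out` but may be a constant string on allocation failure, and the message is truncated to the buffer size. A short `/* ... */` above the declaration covering those three points, plus a note that `MAX_OCSP_MSG_SIZE` must grow when a new verify reason string is added in lib/x509/ocsp.c, would make the pairing with the "when adding a verify failure reason" comment in lib/includes/gnutls/ocsp.h complete.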