diff --git a/src/crypto.cpp b/src/crypto.cpp
index 11a754788a8bc2d37084edf486b0bd145785fbd5..cf36bc6da86b41e3e4a5843d3a4aca6eb88eb233 100644
--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@@ -1392,8 +1392,23 @@ OcspResponse::verifyDirect(const Certificate& crt, const Blob& nonce)
 ret = gnutls_ocsp_resp_verify_direct(response, crt.issuer->cert, &verify, 0);
 if (ret < 0)
 throw CryptoException(gnutls_strerror(ret));
- if (verify != 0)
- throw CryptoException("Error verifying response signature " + std::to_string(verify));
+ if (verify) {
+ if (verify & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
+ throw CryptoException("Signer cert not found");
+ if (verify & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
+ throw CryptoException("Signer cert keyusage error");
+ if (verify & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
+ throw CryptoException("Signer cert is not trusted");
+ if (verify & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
+ throw CryptoException("Insecure algorithm");
+ if (verify & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
+ throw CryptoException("Signature failure");
+ if (verify & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
+ throw CryptoException("Signer cert not yet activated");
+ if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
+ throw CryptoException("Signer cert expired");
+ throw CryptoException(gnutls_strerror(GNUTLS_E_OCSP_RESPONSE_ERROR));
+ }
 // Check whether the OCSP response is about the provided certificate.
 if ((ret = gnutls_ocsp_resp_check_crt(response, 0, crt.cert)) < 0)