From 41760e4b6587ee4c7c727599fa0a619d6af4467b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrien=20B=C3=A9raud?= <adrien.beraud@savoirfairelinux.com>
Date: Thu, 25 Mar 2021 00:02:51 -0400
Subject: [PATCH] ocsp response: improve exception message

---
 src/crypto.cpp | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/crypto.cpp b/src/crypto.cpp
index 11a75478..cf36bc6d 100644
--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@@ -1392,8 +1392,23 @@ OcspResponse::verifyDirect(const Certificate& crt, const Blob& nonce)
     ret = gnutls_ocsp_resp_verify_direct(response, crt.issuer->cert, &verify, 0);
     if (ret < 0)
         throw CryptoException(gnutls_strerror(ret));
-    if (verify != 0)
-        throw CryptoException("Error verifying response signature " + std::to_string(verify));
+    if (verify) {
+        if (verify & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
+            throw CryptoException("Signer cert not found");
+        if (verify & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
+            throw CryptoException("Signer cert keyusage error");
+        if (verify & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
+            throw CryptoException("Signer cert is not trusted");
+        if (verify & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
+            throw CryptoException("Insecure algorithm");
+        if (verify & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
+            throw CryptoException("Signature failure");
+        if (verify & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
+            throw CryptoException("Signer cert not yet activated");
+        if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
+            throw CryptoException("Signer cert expired");
+        throw CryptoException(gnutls_strerror(GNUTLS_E_OCSP_RESPONSE_ERROR));
+    }
 
     // Check whether the OCSP response is about the provided certificate.
     if ((ret = gnutls_ocsp_resp_check_crt(response, 0, crt.cert)) < 0)
-- 
GitLab
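Review bot: The added if-chain reports only the first matching bit of `verify`, although gnutls_ocsp_resp_verify_direct fills it as a bitmask in which several flags can be set at once (an untrusted signer whose certificate is also expired, for instance), and the removed line's raw `std::to_string(verify)` is dropped, so the exception now carries less diagnostic information for exactly the combinations an incident responder would want to see. The final `throw CryptoException(gnutls_strerror(GNUTLS_E_OCSP_RESPONSE_ERROR));` likewise hides which unrecognised bit was set. Consider assembling one message from every set flag and appending the numeric value, as sketched below; the rejection behaviour is unchanged, every non-zero `verify` still throws before the response is used. verifyDirect begins and ends outside the hunk, so the declared type of `verify` is not visible here and the table below assumes it is an unsigned integer as the gnutls API takes.
```cpp
    if (verify) {
        // Report every set bit, not only the first: a response can fail for several reasons at once.
        static const std::pair<unsigned int, const char*> reasons[] = {
            {GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND,      "Signer cert not found"},
            {GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR, "Signer cert keyusage error"},
            {GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER,      "Signer cert is not trusted"},
            {GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM,    "Insecure algorithm"},
            {GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE,     "Signature failure"},
            {GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED,    "Signer cert not yet activated"},
            {GNUTLS_OCSP_VERIFY_CERT_EXPIRED,          "Signer cert expired"},
        };
        std::string msg;
        for (const auto& r : reasons) {
            if (verify & r.first)
                msg += (msg.empty() ? "" : ", ") + std::string(r.second);
        }
        if (msg.empty())  // a bit this table does not know about
            msg = gnutls_strerror(GNUTLS_E_OCSP_RESPONSE_ERROR);
        throw CryptoException("Error verifying response signature (" + std::to_string(verify) + "): " + msg);
    }
    // … unchanged: gnutls_ocsp_resp_check_crt call …
```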