authorjpierre%netscape.com <devnull@localhost>2003-09-30 01:18:55 +0000
committerjpierre%netscape.com <devnull@localhost>2003-09-30 01:18:55 +0000
commitcfe289bb6c40451d87ee0afc1728c73d714dfaa5 (patch)
treee825973ca503a24d29059a6247362dfd671cd9d4 /security/nss
parentfb7c8672ff324d7348ef90b0b235ba7ab30203fd (diff)
downloadnss-hg-cfe289bb6c40451d87ee0afc1728c73d714dfaa5.tar.gz
Fix for bug 94413 - OCSP needs more fine tuned error messages. r=wtc
Diffstat (limited to 'security/nss')
-rw-r--r--security/nss/cmd/lib/SECerrs.h3
-rw-r--r--security/nss/lib/certhigh/ocsp.c4
-rw-r--r--security/nss/lib/util/secerr.h3
3 files changed, 8 insertions, 2 deletions
diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/cmd/lib/SECerrs.h
index e566e3983..218d43be1 100644
--- a/security/nss/cmd/lib/SECerrs.h
+++ b/security/nss/cmd/lib/SECerrs.h
@@ -474,3 +474,6 @@ ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, (SEC_ERROR_BASE + 142),
ER3(SEC_ERROR_UNRECOGNIZED_OID, (SEC_ERROR_BASE + 143),
"Unrecognized Object IDentifier.")
+
+ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT, (SEC_ERROR_BASE + 144),
+"Invalid OCSP signing certificate in OCSP response.")
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index 909b0ad5d..a705b26aa 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -2478,8 +2478,10 @@ ocsp_CheckSignature(ocspSignature *signature, void *tbs,
*/
rv = CERT_VerifyCert(handle, signerCert, PR_TRUE, certUsage, checkTime,
pwArg, NULL);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
goto finish;
+ }
/*
* Now get the public key from the signer's certificate; we need
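Review bot: The added `PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);` overwrites whatever error CERT_VerifyCert set, so the actual reason the responder certificate was rejected (expired, untrusted issuer, wrong usage, and so on) is lost. The call also passes NULL as its last argument, which appears to be the verification log, so nothing else preserves that detail for diagnosis. If collapsing every failure into one code is intended, say so at the branch, e.g. `/* Any signer-cert verification failure is reported as one OCSP-specific error; the CERT_VerifyCert error is deliberately replaced. */`. Code that inspects the error after a failed OCSP check may also need review, since it could treat the new code differently from the certificate errors it saw before. ocsp_CheckSignature begins and ends outside this hunk, so the `finish` path and any later error handling are not visible here.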
diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h
index e69449e7f..d1bb335fc 100644
--- a/security/nss/lib/util/secerr.h
+++ b/security/nss/lib/util/secerr.h
@@ -189,7 +189,8 @@ SEC_ERROR_EXTRA_INPUT = (SEC_ERROR_BASE + 140),
/* error codes used by elliptic curve code */
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = (SEC_ERROR_BASE + 141),
SEC_ERROR_UNSUPPORTED_EC_POINT_FORM = (SEC_ERROR_BASE + 142),
-SEC_ERROR_UNRECOGNIZED_OID = (SEC_ERROR_BASE + 143)
+SEC_ERROR_UNRECOGNIZED_OID = (SEC_ERROR_BASE + 143),
+SEC_ERROR_OCSP_INVALID_SIGNING_CERT = (SEC_ERROR_BASE + 144)
} SECErrorCodes;
#endif /* NO_SECURITY_ERROR_ENUM */
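Review bot: The new `SEC_ERROR_OCSP_INVALID_SIGNING_CERT` enumerator is appended directly under the `/* error codes used by elliptic curve code */` comment, so it reads as an elliptic-curve error. A short comment of its own before the new line would separate it, for example `/* OCSP: the certificate that signed the response failed verification */`. The value `(SEC_ERROR_BASE + 144)` matches the ER3 entry added in SECerrs.h, and the two have to stay in step when later codes are added.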