Skip to content

Commit

Permalink
[crypto] Use x509_name() in validator debug messages
Browse files Browse the repository at this point in the history 
Display a human-readable certificate name in validator debug messages
wherever possible.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
  • Loading branch information
@mcb30
mcb30 committed Mar 7, 2019
1 parent eaba1a2 commit 447e5cd
Showing 1 changed file with 68 additions and 37 deletions.
105 changes: 68 additions & 37 deletions src/net/validator.c
View file
Expand Up @@ -72,6 +72,18 @@ struct validator {
size_t len );
};

/**
* Get validator name (for debug messages)
*
* @v validator Certificate validator
* @ret name Validator name
*/
static const char * validator_name ( struct validator *validator ) {

/* Use name of first certificate in chain */
return x509_name ( x509_first ( validator->chain ) );
}

/**
* Free certificate validator
*
Expand All @@ -81,7 +93,8 @@ static void validator_free ( struct refcnt *refcnt ) {
struct validator *validator =
container_of ( refcnt, struct validator, refcnt );

DBGC2 ( validator, "VALIDATOR %p freed\n", validator );
DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n",
validator, validator_name ( validator ) );
x509_chain_put ( validator->chain );
ocsp_put ( validator->ocsp );
xferbuf_free ( &validator->buffer );
Expand Down Expand Up @@ -165,8 +178,9 @@ static int validator_append ( struct validator *validator,

/* Enter certificateSet */
if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not enter "
"certificateSet: %s\n", validator, strerror ( rc ) );
DBGC ( validator, "VALIDATOR %p \"%s\" could not enter "
"certificateSet: %s\n", validator,
validator_name ( validator ), strerror ( rc ) );
goto err_certificateset;
}

Expand All @@ -176,15 +190,16 @@ static int validator_append ( struct validator *validator,
/* Add certificate to chain */
if ( ( rc = x509_append_raw ( certs, cursor.data,
cursor.len ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not append "
"certificate: %s\n",
validator, strerror ( rc) );
DBGC ( validator, "VALIDATOR %p \"%s\" could not "
"append certificate: %s\n", validator,
validator_name ( validator ), strerror ( rc) );
DBGC_HDA ( validator, 0, cursor.data, cursor.len );
return rc;
}
cert = x509_last ( certs );
DBGC ( validator, "VALIDATOR %p found certificate %s\n",
validator, x509_name ( cert ) );
DBGC ( validator, "VALIDATOR %p \"%s\" found certificate ",
validator, validator_name ( validator ) );
DBGC ( validator, "%s\n", x509_name ( cert ) );

/* Move to next certificate */
asn1_skip_any ( &cursor );
Expand All @@ -193,15 +208,17 @@ static int validator_append ( struct validator *validator,
/* Append certificates to chain */
last = x509_last ( validator->chain );
if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not append "
"certificates: %s\n", validator, strerror ( rc ) );
DBGC ( validator, "VALIDATOR %p \"%s\" could not append "
"certificates: %s\n", validator,
validator_name ( validator ), strerror ( rc ) );
goto err_auto_append;
}

/* Check that at least one certificate has been added */
if ( last == x509_last ( validator->chain ) ) {
DBGC ( validator, "VALIDATOR %p failed to append any "
"applicable certificates\n", validator );
DBGC ( validator, "VALIDATOR %p \"%s\" failed to append any "
"applicable certificates\n", validator,
validator_name ( validator ) );
rc = -EACCES;
goto err_no_progress;
}
Expand All @@ -223,11 +240,12 @@ static int validator_append ( struct validator *validator,
* Start download of cross-signing certificate
*
* @v validator Certificate validator
* @v issuer Required issuer
* @v cert X.509 certificate
* @ret rc Return status code
*/
static int validator_start_download ( struct validator *validator,
const struct asn1_cursor *issuer ) {
struct x509_certificate *cert ) {
const struct asn1_cursor *issuer = &cert->issuer.raw;
const char *crosscert;
char *crosscert_copy;
char *uri_string;
Expand Down Expand Up @@ -261,17 +279,20 @@ static int validator_start_download ( struct validator *validator,
crosscert, crc );
base64_encode ( issuer->data, issuer->len, ( uri_string + len ),
( uri_string_len - len ) );
DBGC ( validator, "VALIDATOR %p downloading cross-signed certificate "
"from %s\n", validator, uri_string );
DBGC ( validator, "VALIDATOR %p \"%s\" downloading ",
validator, validator_name ( validator ) );
DBGC ( validator, "\"%s\" cross-signature from %s\n",
x509_name ( cert ), uri_string );

/* Set completion handler */
validator->done = validator_append;

/* Open URI */
if ( ( rc = xfer_open_uri_string ( &validator->xfer,
uri_string ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
validator, uri_string, strerror ( rc ) );
DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
"%s\n", validator, validator_name ( validator ),
uri_string, strerror ( rc ) );
goto err_open_uri_string;
}

Expand Down Expand Up @@ -307,16 +328,18 @@ static int validator_ocsp_validate ( struct validator *validator,

/* Record OCSP response */
if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not record OCSP "
"response: %s\n", validator, strerror ( rc ) );
DBGC ( validator, "VALIDATOR %p \"%s\" could not record OCSP "
"response: %s\n", validator,
validator_name ( validator ),strerror ( rc ) );
return rc;
}

/* Validate OCSP response */
now = time ( NULL );
if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not validate OCSP "
"response: %s\n", validator, strerror ( rc ) );
DBGC ( validator, "VALIDATOR %p \"%s\" could not validate "
"OCSP response: %s\n", validator,
validator_name ( validator ), strerror ( rc ) );
return rc;
}

Expand Down Expand Up @@ -344,8 +367,9 @@ static int validator_start_ocsp ( struct validator *validator,
/* Create OCSP check */
assert ( validator->ocsp == NULL );
if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not create OCSP check: "
"%s\n", validator, strerror ( rc ) );
DBGC ( validator, "VALIDATOR %p \"%s\" could not create OCSP "
"check: %s\n", validator, validator_name ( validator ),
strerror ( rc ) );
return rc;
}

Expand All @@ -354,12 +378,15 @@ static int validator_start_ocsp ( struct validator *validator,

/* Open URI */
uri_string = validator->ocsp->uri_string;
DBGC ( validator, "VALIDATOR %p performing OCSP check at %s\n",
validator, uri_string );
DBGC ( validator, "VALIDATOR %p \"%s\" checking ",
validator, validator_name ( validator ) );
DBGC ( validator, "\"%s\" via %s\n",
x509_name ( cert ), uri_string );
if ( ( rc = xfer_open_uri_string ( &validator->xfer,
uri_string ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
validator, uri_string, strerror ( rc ) );
DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
"%s\n", validator, validator_name ( validator ),
uri_string, strerror ( rc ) );
return rc;
}

Expand All @@ -385,11 +412,13 @@ static void validator_xfer_close ( struct validator *validator, int rc ) {

/* Check for errors */
if ( rc != 0 ) {
DBGC ( validator, "VALIDATOR %p transfer failed: %s\n",
validator, strerror ( rc ) );
DBGC ( validator, "VALIDATOR %p \"%s\" transfer failed: %s\n",
validator, validator_name ( validator ),
strerror ( rc ) );
goto err_transfer;
}
DBGC2 ( validator, "VALIDATOR %p transfer complete\n", validator );
DBGC2 ( validator, "VALIDATOR %p \"%s\" transfer complete\n",
validator, validator_name ( validator ) );

/* Process completed download */
assert ( validator->done != NULL );
Expand Down Expand Up @@ -426,8 +455,9 @@ static int validator_xfer_deliver ( struct validator *validator,
/* Add data to buffer */
if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
meta ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not receive data: %s\n",
validator, strerror ( rc ) );
DBGC ( validator, "VALIDATOR %p \"%s\" could not receive "
"data: %s\n", validator, validator_name ( validator ),
strerror ( rc ) );
validator_finished ( validator, rc );
return rc;
}
Expand Down Expand Up @@ -471,6 +501,8 @@ static void validator_step ( struct validator *validator ) {
now = time ( NULL );
if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,
NULL ) ) == 0 ) {
DBGC ( validator, "VALIDATOR %p \"%s\" validated\n",
validator, validator_name ( validator ) );
validator_finished ( validator, 0 );
return;
}
Expand Down Expand Up @@ -514,8 +546,7 @@ static void validator_step ( struct validator *validator ) {
/* Otherwise, try to download a suitable cross-signing
* certificate.
*/
if ( ( rc = validator_start_download ( validator,
&last->issuer.raw ) ) != 0 ) {
if ( ( rc = validator_start_download ( validator, last ) ) != 0 ) {
validator_finished ( validator, rc );
return;
}
Expand Down Expand Up @@ -567,8 +598,8 @@ int create_validator ( struct interface *job, struct x509_chain *chain ) {
/* Attach parent interface, mortalise self, and return */
intf_plug_plug ( &validator->job, job );
ref_put ( &validator->refcnt );
DBGC2 ( validator, "VALIDATOR %p validating X509 chain %p\n",
validator, validator->chain );
DBGC2 ( validator, "VALIDATOR %p \"%s\" validating X509 chain %p\n",
validator, validator_name ( validator ), validator->chain );
return 0;

validator_finished ( validator, rc );
Expand Down

0 comments on commit 447e5cd

Please sign in to comment.