
[crypto] Use x509_name() in validator debug messages

Display a human-readable certificate name in validator debug messages
wherever possible.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 5 years ago
parent
commit
447e5cd447
1 changed files with 68 additions and 37 deletions
  1. 68
    37
      src/net/validator.c

+ 68
- 37
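--- a/src/net/validator.c
+++ b/src/net/validator.c
@@ -72,6 +72,18 @@
 			 size_t len );
 };
 
+/**
+ * Get validator name (for debug messages)
+ *
+ * @v validator		Certificate validator
+ * @ret name		Validator name
+ */
+static const char * validator_name ( struct validator *validator ) {
+
+	/* Use name of first certificate in chain */
+	return x509_name ( x509_first ( validator->chain ) );
+}
+
 /**
  * Free certificate validator
  *
@@ -81,7 +93,8 @@
 	struct validator *validator =
 		container_of ( refcnt, struct validator, refcnt );
 
-	DBGC2 ( validator, "VALIDATOR %p freed\n", validator );
+	DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n",
+		validator, validator_name ( validator ) );
 	x509_chain_put ( validator->chain );
 	ocsp_put ( validator->ocsp );
 	xferbuf_free ( &validator->buffer );
@@ -165,8 +178,9 @@
 
 	/* Enter certificateSet */
 	if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
-		DBGC ( validator, "VALIDATOR %p could not enter "
-		       "certificateSet: %s\n", validator, strerror ( rc ) );
+		DBGC ( validator, "VALIDATOR %p \"%s\" could not enter "
+		       "certificateSet: %s\n", validator,
+		       validator_name ( validator ), strerror ( rc ) );
 		goto err_certificateset;
 	}
 
@@ -176,15 +190,16 @@
 		/* Add certificate to chain */
 		if ( ( rc = x509_append_raw ( certs, cursor.data,
 					      cursor.len ) ) != 0 ) {
-			DBGC ( validator, "VALIDATOR %p could not append "
-			       "certificate: %s\n",
-			       validator, strerror ( rc) );
+			DBGC ( validator, "VALIDATOR %p \"%s\" could not "
+			       "append certificate: %s\n", validator,
+			       validator_name ( validator ), strerror ( rc) );
 			DBGC_HDA ( validator, 0, cursor.data, cursor.len );
 			return rc;
 		}
 		cert = x509_last ( certs );
-		DBGC ( validator, "VALIDATOR %p found certificate %s\n",
-		       validator, x509_name ( cert ) );
+		DBGC ( validator, "VALIDATOR %p \"%s\" found certificate ",
+		       validator, validator_name ( validator ) );
+		DBGC ( validator, "%s\n", x509_name ( cert ) );
 
 		/* Move to next certificate */
 		asn1_skip_any ( &cursor );
@@ -193,15 +208,17 @@
 	/* Append certificates to chain */
 	last = x509_last ( validator->chain );
 	if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
-		DBGC ( validator, "VALIDATOR %p could not append "
-		       "certificates: %s\n", validator, strerror ( rc ) );
+		DBGC ( validator, "VALIDATOR %p \"%s\" could not append "
+		       "certificates: %s\n", validator,
+		       validator_name ( validator ), strerror ( rc ) );
 		goto err_auto_append;
 	}
 
 	/* Check that at least one certificate has been added */
 	if ( last == x509_last ( validator->chain ) ) {
-		DBGC ( validator, "VALIDATOR %p failed to append any "
-		       "applicable certificates\n", validator );
+		DBGC ( validator, "VALIDATOR %p \"%s\" failed to append any "
+		       "applicable certificates\n", validator,
+		       validator_name ( validator ) );
 		rc = -EACCES;
 		goto err_no_progress;
 	}
@@ -223,11 +240,12 @@
  * Start download of cross-signing certificate
  *
  * @v validator		Certificate validator
- * @v issuer		Required issuer
+ * @v cert		X.509 certificate
  * @ret rc		Return status code
  */
 static int validator_start_download ( struct validator *validator,
-				      const struct asn1_cursor *issuer ) {
+				      struct x509_certificate *cert ) {
+	const struct asn1_cursor *issuer = &cert->issuer.raw;
 	const char *crosscert;
 	char *crosscert_copy;
 	char *uri_string;
@@ -261,8 +279,10 @@
 			 crosscert, crc );
 	base64_encode ( issuer->data, issuer->len, ( uri_string + len ),
 			( uri_string_len - len ) );
-	DBGC ( validator, "VALIDATOR %p downloading cross-signed certificate "
-	       "from %s\n", validator, uri_string );
+	DBGC ( validator, "VALIDATOR %p \"%s\" downloading ",
+	       validator, validator_name ( validator ) );
+	DBGC ( validator, "\"%s\" cross-signature from %s\n",
+	       x509_name ( cert ), uri_string );
 
 	/* Set completion handler */
 	validator->done = validator_append;
@@ -270,8 +290,9 @@
 	/* Open URI */
 	if ( ( rc = xfer_open_uri_string ( &validator->xfer,
 					   uri_string ) ) != 0 ) {
-		DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
-		       validator, uri_string, strerror ( rc ) );
+		DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
+		       "%s\n", validator, validator_name ( validator ),
+		       uri_string, strerror ( rc ) );
 		goto err_open_uri_string;
 	}
 
@@ -307,16 +328,18 @@
 
 	/* Record OCSP response */
 	if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) {
-		DBGC ( validator, "VALIDATOR %p could not record OCSP "
-		       "response: %s\n", validator, strerror ( rc ) );
+		DBGC ( validator, "VALIDATOR %p \"%s\" could not record OCSP "
+		       "response: %s\n", validator,
+		       validator_name ( validator ),strerror ( rc ) );
 		return rc;
 	}
 
 	/* Validate OCSP response */
 	now = time ( NULL );
 	if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) {
-		DBGC ( validator, "VALIDATOR %p could not validate OCSP "
-		       "response: %s\n", validator, strerror ( rc ) );
+		DBGC ( validator, "VALIDATOR %p \"%s\" could not validate "
+		       "OCSP response: %s\n", validator,
+		       validator_name ( validator ), strerror ( rc ) );
 		return rc;
 	}
 
@@ -344,8 +367,9 @@
 	/* Create OCSP check */
 	assert ( validator->ocsp == NULL );
 	if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) {
-		DBGC ( validator, "VALIDATOR %p could not create OCSP check: "
-		       "%s\n", validator, strerror ( rc ) );
+		DBGC ( validator, "VALIDATOR %p \"%s\" could not create OCSP "
+		       "check: %s\n", validator, validator_name ( validator ),
+		       strerror ( rc ) );
 		return rc;
 	}
 
@@ -354,12 +378,15 @@
 
 	/* Open URI */
 	uri_string = validator->ocsp->uri_string;
-	DBGC ( validator, "VALIDATOR %p performing OCSP check at %s\n",
-	       validator, uri_string );
+	DBGC ( validator, "VALIDATOR %p \"%s\" checking ",
+	       validator, validator_name ( validator ) );
+	DBGC ( validator, "\"%s\" via %s\n",
+	       x509_name ( cert ), uri_string );
 	if ( ( rc = xfer_open_uri_string ( &validator->xfer,
 					   uri_string ) ) != 0 ) {
-		DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
-		       validator, uri_string, strerror ( rc ) );
+		DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
+		       "%s\n", validator, validator_name ( validator ),
+		       uri_string, strerror ( rc ) );
 		return rc;
 	}
 
@@ -385,11 +412,13 @@
 
 	/* Check for errors */
 	if ( rc != 0 ) {
-		DBGC ( validator, "VALIDATOR %p transfer failed: %s\n",
-		       validator, strerror ( rc ) );
+		DBGC ( validator, "VALIDATOR %p \"%s\" transfer failed: %s\n",
+		       validator, validator_name ( validator ),
+		       strerror ( rc ) );
 		goto err_transfer;
 	}
-	DBGC2 ( validator, "VALIDATOR %p transfer complete\n", validator );
+	DBGC2 ( validator, "VALIDATOR %p \"%s\" transfer complete\n",
+		validator, validator_name ( validator ) );
 
 	/* Process completed download */
 	assert ( validator->done != NULL );
@@ -426,8 +455,9 @@
 	/* Add data to buffer */
 	if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
 				      meta ) ) != 0 ) {
-		DBGC ( validator, "VALIDATOR %p could not receive data: %s\n",
-		       validator, strerror ( rc ) );
+		DBGC ( validator, "VALIDATOR %p \"%s\" could not receive "
+		       "data: %s\n", validator, validator_name ( validator ),
+		       strerror ( rc ) );
 		validator_finished ( validator, rc );
 		return rc;
 	}
@@ -471,6 +501,8 @@
 	now = time ( NULL );
 	if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,
 					  NULL ) ) == 0 ) {
+		DBGC ( validator, "VALIDATOR %p \"%s\" validated\n",
+		       validator, validator_name ( validator ) );
 		validator_finished ( validator, 0 );
 		return;
 	}
@@ -514,8 +546,7 @@
 	/* Otherwise, try to download a suitable cross-signing
 	 * certificate.
 	 */
-	if ( ( rc = validator_start_download ( validator,
-					       &last->issuer.raw ) ) != 0 ) {
+	if ( ( rc = validator_start_download ( validator, last ) ) != 0 ) {
 		validator_finished ( validator, rc );
 		return;
 	}
@@ -567,8 +598,8 @@
 	/* Attach parent interface, mortalise self, and return */
 	intf_plug_plug ( &validator->job, job );
 	ref_put ( &validator->refcnt );
-	DBGC2 ( validator, "VALIDATOR %p validating X509 chain %p\n",
-		validator, validator->chain );
+	DBGC2 ( validator, "VALIDATOR %p \"%s\" validating X509 chain %p\n",
+		validator, validator_name ( validator ), validator->chain );
 	return 0;
 
 	validator_finished ( validator, rc );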
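Review bot: The new validator_name() helper (new lines 81-85) hands the result of x509_first ( validator->chain ) straight to x509_name() with no NULL check, so if x509_first() can return NULL for an empty chain — I cannot confirm that from this page — every debug message in this commit, including the one in validator_free() and the "validating X509 chain" message in validator_start(), would dereference NULL under DEBUG builds; a cheap guard would be `struct x509_certificate *cert = x509_first ( validator->chain );` followed by `return ( cert ? x509_name ( cert ) : "<none>" );`. The messages at new lines 200-202, 282-285 and 381-384 are deliberately split into two DBGC calls so that validator_name() and x509_name() are never both evaluated within one format call, presumably because x509_name() formats into a shared static buffer; without a comment a later cleanup is likely to merge them back and print the same name twice, so I would add `/* Separate DBGC calls: x509_name() reuses a static buffer */` above the first such pair. Minor style point at new line 333: `validator_name ( validator ),strerror ( rc )` is missing the space after the comma used everywhere else in this file.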
