summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Brown2019-03-07 14:47:30 +0100
committerMichael Brown2019-03-07 14:47:30 +0100
commit447e5cd4474084eda5db28b467cf407c014ebe33 (patch)
tree0aebb22e66f039af3346f7b7be14cfbfa0448cbb
parent[tls] Support stateless session resumption (diff)
downloadipxe-447e5cd4474084eda5db28b467cf407c014ebe33.tar.gz
ipxe-447e5cd4474084eda5db28b467cf407c014ebe33.tar.xz
ipxe-447e5cd4474084eda5db28b467cf407c014ebe33.zip
[crypto] Use x509_name() in validator debug messages
Display a human-readable certificate name in validator debug messages wherever possible. Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r--src/net/validator.c105
1 files changed, 68 insertions, 37 deletions
diff --git a/src/net/validator.c b/src/net/validator.c
index 40f778c7..25d81bd2 100644
--- a/src/net/validator.c
+++ b/src/net/validator.c
@@ -73,6 +73,18 @@ struct validator {
};
/**
+ * Get validator name (for debug messages)
+ *
+ * @v validator Certificate validator
+ * @ret name Validator name
+ */
+static const char * validator_name ( struct validator *validator ) {
+
+ /* Use name of first certificate in chain */
+ return x509_name ( x509_first ( validator->chain ) );
+}
+
+/**
* Free certificate validator
*
* @v refcnt Reference count
@@ -81,7 +93,8 @@ static void validator_free ( struct refcnt *refcnt ) {
struct validator *validator =
container_of ( refcnt, struct validator, refcnt );
- DBGC2 ( validator, "VALIDATOR %p freed\n", validator );
+ DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n",
+ validator, validator_name ( validator ) );
x509_chain_put ( validator->chain );
ocsp_put ( validator->ocsp );
xferbuf_free ( &validator->buffer );
@@ -165,8 +178,9 @@ static int validator_append ( struct validator *validator,
/* Enter certificateSet */
if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not enter "
- "certificateSet: %s\n", validator, strerror ( rc ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not enter "
+ "certificateSet: %s\n", validator,
+ validator_name ( validator ), strerror ( rc ) );
goto err_certificateset;
}
@@ -176,15 +190,16 @@ static int validator_append ( struct validator *validator,
/* Add certificate to chain */
if ( ( rc = x509_append_raw ( certs, cursor.data,
cursor.len ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not append "
- "certificate: %s\n",
- validator, strerror ( rc) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not "
+ "append certificate: %s\n", validator,
+ validator_name ( validator ), strerror ( rc) );
DBGC_HDA ( validator, 0, cursor.data, cursor.len );
return rc;
}
cert = x509_last ( certs );
- DBGC ( validator, "VALIDATOR %p found certificate %s\n",
- validator, x509_name ( cert ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" found certificate ",
+ validator, validator_name ( validator ) );
+ DBGC ( validator, "%s\n", x509_name ( cert ) );
/* Move to next certificate */
asn1_skip_any ( &cursor );
@@ -193,15 +208,17 @@ static int validator_append ( struct validator *validator,
/* Append certificates to chain */
last = x509_last ( validator->chain );
if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not append "
- "certificates: %s\n", validator, strerror ( rc ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not append "
+ "certificates: %s\n", validator,
+ validator_name ( validator ), strerror ( rc ) );
goto err_auto_append;
}
/* Check that at least one certificate has been added */
if ( last == x509_last ( validator->chain ) ) {
- DBGC ( validator, "VALIDATOR %p failed to append any "
- "applicable certificates\n", validator );
+ DBGC ( validator, "VALIDATOR %p \"%s\" failed to append any "
+ "applicable certificates\n", validator,
+ validator_name ( validator ) );
rc = -EACCES;
goto err_no_progress;
}
@@ -223,11 +240,12 @@ static int validator_append ( struct validator *validator,
* Start download of cross-signing certificate
*
* @v validator Certificate validator
- * @v issuer Required issuer
+ * @v cert X.509 certificate
* @ret rc Return status code
*/
static int validator_start_download ( struct validator *validator,
- const struct asn1_cursor *issuer ) {
+ struct x509_certificate *cert ) {
+ const struct asn1_cursor *issuer = &cert->issuer.raw;
const char *crosscert;
char *crosscert_copy;
char *uri_string;
@@ -261,8 +279,10 @@ static int validator_start_download ( struct validator *validator,
crosscert, crc );
base64_encode ( issuer->data, issuer->len, ( uri_string + len ),
( uri_string_len - len ) );
- DBGC ( validator, "VALIDATOR %p downloading cross-signed certificate "
- "from %s\n", validator, uri_string );
+ DBGC ( validator, "VALIDATOR %p \"%s\" downloading ",
+ validator, validator_name ( validator ) );
+ DBGC ( validator, "\"%s\" cross-signature from %s\n",
+ x509_name ( cert ), uri_string );
/* Set completion handler */
validator->done = validator_append;
@@ -270,8 +290,9 @@ static int validator_start_download ( struct validator *validator,
/* Open URI */
if ( ( rc = xfer_open_uri_string ( &validator->xfer,
uri_string ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
- validator, uri_string, strerror ( rc ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
+ "%s\n", validator, validator_name ( validator ),
+ uri_string, strerror ( rc ) );
goto err_open_uri_string;
}
@@ -307,16 +328,18 @@ static int validator_ocsp_validate ( struct validator *validator,
/* Record OCSP response */
if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not record OCSP "
- "response: %s\n", validator, strerror ( rc ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not record OCSP "
+ "response: %s\n", validator,
+ validator_name ( validator ),strerror ( rc ) );
return rc;
}
/* Validate OCSP response */
now = time ( NULL );
if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not validate OCSP "
- "response: %s\n", validator, strerror ( rc ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not validate "
+ "OCSP response: %s\n", validator,
+ validator_name ( validator ), strerror ( rc ) );
return rc;
}
@@ -344,8 +367,9 @@ static int validator_start_ocsp ( struct validator *validator,
/* Create OCSP check */
assert ( validator->ocsp == NULL );
if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not create OCSP check: "
- "%s\n", validator, strerror ( rc ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not create OCSP "
+ "check: %s\n", validator, validator_name ( validator ),
+ strerror ( rc ) );
return rc;
}
@@ -354,12 +378,15 @@ static int validator_start_ocsp ( struct validator *validator,
/* Open URI */
uri_string = validator->ocsp->uri_string;
- DBGC ( validator, "VALIDATOR %p performing OCSP check at %s\n",
- validator, uri_string );
+ DBGC ( validator, "VALIDATOR %p \"%s\" checking ",
+ validator, validator_name ( validator ) );
+ DBGC ( validator, "\"%s\" via %s\n",
+ x509_name ( cert ), uri_string );
if ( ( rc = xfer_open_uri_string ( &validator->xfer,
uri_string ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
- validator, uri_string, strerror ( rc ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
+ "%s\n", validator, validator_name ( validator ),
+ uri_string, strerror ( rc ) );
return rc;
}
@@ -385,11 +412,13 @@ static void validator_xfer_close ( struct validator *validator, int rc ) {
/* Check for errors */
if ( rc != 0 ) {
- DBGC ( validator, "VALIDATOR %p transfer failed: %s\n",
- validator, strerror ( rc ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" transfer failed: %s\n",
+ validator, validator_name ( validator ),
+ strerror ( rc ) );
goto err_transfer;
}
- DBGC2 ( validator, "VALIDATOR %p transfer complete\n", validator );
+ DBGC2 ( validator, "VALIDATOR %p \"%s\" transfer complete\n",
+ validator, validator_name ( validator ) );
/* Process completed download */
assert ( validator->done != NULL );
@@ -426,8 +455,9 @@ static int validator_xfer_deliver ( struct validator *validator,
/* Add data to buffer */
if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
meta ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not receive data: %s\n",
- validator, strerror ( rc ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not receive "
+ "data: %s\n", validator, validator_name ( validator ),
+ strerror ( rc ) );
validator_finished ( validator, rc );
return rc;
}
@@ -471,6 +501,8 @@ static void validator_step ( struct validator *validator ) {
now = time ( NULL );
if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,
NULL ) ) == 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" validated\n",
+ validator, validator_name ( validator ) );
validator_finished ( validator, 0 );
return;
}
@@ -514,8 +546,7 @@ static void validator_step ( struct validator *validator ) {
/* Otherwise, try to download a suitable cross-signing
* certificate.
*/
- if ( ( rc = validator_start_download ( validator,
- &last->issuer.raw ) ) != 0 ) {
+ if ( ( rc = validator_start_download ( validator, last ) ) != 0 ) {
validator_finished ( validator, rc );
return;
}
@@ -567,8 +598,8 @@ int create_validator ( struct interface *job, struct x509_chain *chain ) {
/* Attach parent interface, mortalise self, and return */
intf_plug_plug ( &validator->job, job );
ref_put ( &validator->refcnt );
- DBGC2 ( validator, "VALIDATOR %p validating X509 chain %p\n",
- validator, validator->chain );
+ DBGC2 ( validator, "VALIDATOR %p \"%s\" validating X509 chain %p\n",
+ validator, validator_name ( validator ), validator->chain );
return 0;
validator_finished ( validator, rc );