Introduce WOLFSSL_DEBUG_CERTS Certificate Debug Messages
@@ -39,6 +39,7 @@ CRL Options:
|
||||
|
||||
#include <wolfssl/internal.h>
|
||||
#include <wolfssl/error-ssl.h>
|
||||
#include <wolfssl/wolfcrypt/logging.h>
|
||||
|
||||
#ifndef WOLFSSL_LINUXKM
|
||||
#include <string.h>
|
||||
@@ -791,7 +792,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
|
||||
|
||||
crl->currentEntry = CRL_Entry_new(crl->heap);
|
||||
if (crl->currentEntry == NULL) {
|
||||
WOLFSSL_MSG("alloc CRL Entry failed");
|
||||
WOLFSSL_MSG_CERT_LOG("alloc CRL Entry failed");
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
#endif
|
||||
@@ -802,9 +803,11 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
|
||||
InitDecodedCRL(dcrl, crl->heap);
|
||||
ret = ParseCRL(crl->currentEntry->certs, dcrl, myBuffer, (word32)sz,
|
||||
verify, crl->cm);
|
||||
|
||||
if (ret != 0 && !(ret == WC_NO_ERR_TRACE(ASN_CRL_NO_SIGNER_E)
|
||||
&& verify == NO_VERIFY)) {
|
||||
WOLFSSL_MSG("ParseCRL error");
|
||||
WOLFSSL_MSG_CERT_LOG("ParseCRL error");
|
||||
WOLFSSL_MSG_CERT_EX("ParseCRL verify = %d, ret = %d", verify, ret);
|
||||
CRL_Entry_free(crl->currentEntry, crl->heap);
|
||||
crl->currentEntry = NULL;
|
||||
}
|
||||
@@ -812,7 +815,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
|
||||
ret = AddCRL(crl, dcrl, myBuffer,
|
||||
ret != WC_NO_ERR_TRACE(ASN_CRL_NO_SIGNER_E));
|
||||
if (ret != 0) {
|
||||
WOLFSSL_MSG("AddCRL error");
|
||||
WOLFSSL_MSG_CERT_LOG("AddCRL error");
|
||||
crl->currentEntry = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -8025,7 +8025,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
|
||||
ssl->secLevel = ctx->secLevel;
|
||||
#endif /* WOLFSSL_SYS_CRYPTO_POLICY */
|
||||
/* Returns 0 on success, not WOLFSSL_SUCCESS (1) */
|
||||
WOLFSSL_MSG_EX("InitSSL done. return 0 (success)");
|
||||
WOLFSSL_MSG("InitSSL done. return 0 (success)");
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -15776,7 +15776,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
if (ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E) ||
|
||||
ret == WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)) {
|
||||
if (!ssl->options.usingAltCertChain) {
|
||||
WOLFSSL_MSG("Trying alternate cert chain");
|
||||
WOLFSSL_MSG_CERT_LOG(
|
||||
"Trying alternate cert chain");
|
||||
ssl->options.usingAltCertChain = 1;
|
||||
}
|
||||
|
||||
@@ -15788,8 +15789,25 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
|
||||
/* do not add to certificate manager */
|
||||
skipAddCA = 1;
|
||||
} /* ASN_NO_SIGNER_E || ASN_SELF_SIGNED_E */
|
||||
} /* ret != 0 && isCA */
|
||||
#else
|
||||
/* Not defined: WOLFSSL_ALT_CERT_CHAINS
|
||||
* When WOLFSSL_DEBUG_CERTS enabled, suggest solution */
|
||||
#ifdef WOLFSSL_DEBUG_CERTS
|
||||
if (ret != 0 && args->dCert->isCA) {
|
||||
if (ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) {
|
||||
WOLFSSL_MSG_CERT(
|
||||
"Consider enabling WOLFSSL_ALT_CERT_CHAINS"
|
||||
" to resolve ASN_NO_SIGNER_E");
|
||||
}
|
||||
}
|
||||
if (ret == WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)) {
|
||||
WOLFSSL_MSG_CERT(
|
||||
"Consider enabling WOLFSSL_ALT_CERT_CHAINS"
|
||||
" to resolve ASN_SELF_SIGNED_E");
|
||||
}
|
||||
} /* check alt-cert possible fixable error codes */
|
||||
#endif
|
||||
#endif /* WOLFSSL_ALT_CERT_CHAINS */
|
||||
|
||||
#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
|
||||
|
||||
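Review bot: In the new `#else` branch of ProcessPeerCerts for builds without WOLFSSL_ALT_CERT_CHAINS, the `#ifdef WOLFSSL_DEBUG_CERTS` block as rendered closes four braces for three openers: `}` after the ASN_NO_SIGNER_E check, a second `}` before the ASN_SELF_SIGNED_E `if`, `}` after it, and then `} /* check alt-cert possible fixable error codes */`. If that is the committed text, the file fails to compile with WOLFSSL_DEBUG_CERTS defined and WOLFSSL_ALT_CERT_CHAINS undefined, and the ASN_SELF_SIGNED_E hint also sits outside the `ret != 0 && args->dCert->isCA` guard that the ASN_NO_SIGNER_E hint has. Dropping the second `}` so that both `if` checks are nested inside `if (ret != 0 && args->dCert->isCA) {` and closed once by the commented brace fixes both. The rendering drops indentation and the +/- column, so confirm against the raw patch; ProcessPeerCerts continues outside the hunk.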
40
src/ssl.c
40
src/ssl.c
@@ -5869,7 +5869,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
|
||||
#endif
|
||||
DerBuffer* der = *pDer;
|
||||
|
||||
WOLFSSL_MSG("Adding a CA");
|
||||
WOLFSSL_MSG_CERT_LOG("Adding a CA");
|
||||
|
||||
if (cm == NULL) {
|
||||
FreeDer(pDer);
|
||||
@@ -5893,8 +5893,34 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
|
||||
}
|
||||
#endif
|
||||
|
||||
WOLFSSL_MSG_CERT("\tParsing new CA");
|
||||
ret = ParseCert(cert, CA_TYPE, verify, cm);
|
||||
|
||||
WOLFSSL_MSG("\tParsed new CA");
|
||||
#ifdef WOLFSSL_DEBUG_CERTS
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
if (cert == NULL) {
|
||||
WOLFSSL_MSG_CERT(WOLFSSL_MSG_CERT_INDENT "Failed; cert is NULL");
|
||||
}
|
||||
else
|
||||
#endif
|
||||
{
|
||||
const char* err_msg;
|
||||
if (ret == 0) {
|
||||
WOLFSSL_MSG_CERT_EX(WOLFSSL_MSG_CERT_INDENT "issuer: '%s'",
|
||||
cert->issuer);
|
||||
WOLFSSL_MSG_CERT_EX(WOLFSSL_MSG_CERT_INDENT "subject: '%s'",
|
||||
cert->subject);
|
||||
}
|
||||
else {
|
||||
WOLFSSL_MSG_CERT(
|
||||
WOLFSSL_MSG_CERT_INDENT "Failed during parse of new CA");
|
||||
err_msg = wc_GetErrorString(ret);
|
||||
WOLFSSL_MSG_CERT_EX(WOLFSSL_MSG_CERT_INDENT "error ret: %d; %s",
|
||||
ret, err_msg);
|
||||
}
|
||||
}
|
||||
#endif /* WOLFSSL_DEBUG_CERTS */
|
||||
|
||||
#ifndef NO_SKID
|
||||
subjectHash = cert->extSubjKeyId;
|
||||
@@ -5903,7 +5929,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
|
||||
#endif
|
||||
|
||||
/* check CA key size */
|
||||
if (verify) {
|
||||
if (verify && (ret == 0 )) {
|
||||
switch (cert->keyOID) {
|
||||
#ifndef NO_RSA
|
||||
#ifdef WC_RSA_PSS
|
||||
@@ -5913,7 +5939,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
|
||||
if (cm->minRsaKeySz < 0 ||
|
||||
cert->pubKeySize < (word16)cm->minRsaKeySz) {
|
||||
ret = RSA_KEY_SIZE_E;
|
||||
WOLFSSL_MSG("\tCA RSA key size error");
|
||||
WOLFSSL_MSG_CERT_LOG("\tCA RSA key size error");
|
||||
WOLFSSL_MSG_CERT_EX("\tCA RSA pubKeySize = %d; "
|
||||
"minRsaKeySz = %d",
|
||||
cert->pubKeySize, cm->minRsaKeySz);
|
||||
}
|
||||
break;
|
||||
#endif /* !NO_RSA */
|
||||
@@ -5922,7 +5951,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
|
||||
if (cm->minEccKeySz < 0 ||
|
||||
cert->pubKeySize < (word16)cm->minEccKeySz) {
|
||||
ret = ECC_KEY_SIZE_E;
|
||||
WOLFSSL_MSG("\tCA ECC key size error");
|
||||
WOLFSSL_MSG_CERT_LOG("\tCA ECC key size error");
|
||||
WOLFSSL_MSG_CERT_EX("\tCA ECC pubKeySize = %d; "
|
||||
"minEccKeySz = %d",
|
||||
cert->pubKeySize, cm->minEccKeySz);
|
||||
}
|
||||
break;
|
||||
#endif /* HAVE_ECC */
|
||||
|
||||
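Review bot: In the new WOLFSSL_DEBUG_CERTS block of AddCA, the `#ifdef WOLFSSL_SMALL_STACK` test `if (cert == NULL)` comes after `ret = ParseCert(cert, CA_TYPE, verify, cm);` has already been handed the pointer, so it cannot protect that call; either the allocation is already checked earlier in AddCA (outside the hunk), in which case this branch is dead and should go, or it is not, in which case the check belongs before ParseCert. The replacement of `if (verify) {` by `if (verify && (ret == 0 )) {` is a behavioural change beyond debug output — a parse failure now keeps the ParseCert error instead of being overwritten by RSA_KEY_SIZE_E/ECC_KEY_SIZE_E — which is sound but deserves a comment, e.g. `/* Key-size check only on a parsed cert; keep the ParseCert error otherwise */`, and the stray space in `(ret == 0 )` should go. AddCA starts and ends outside the hunks.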
@@ -28,6 +28,7 @@
|
||||
*/
|
||||
|
||||
#ifdef WOLFSSL_SYS_CA_CERTS
|
||||
/* Will be turned off automatically when NO_FILESYSTEM is defined */
|
||||
|
||||
#ifdef _WIN32
|
||||
#define _WINSOCKAPI_ /* block inclusion of winsock.h header file */
|
||||
@@ -59,6 +60,8 @@
|
||||
#endif
|
||||
#else
|
||||
|
||||
#include <wolfssl/wolfcrypt/logging.h>
|
||||
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
/* PSK field of context when it exists. */
|
||||
#define CTX_HAVE_PSK(ctx) (ctx)->havePSK
|
||||
@@ -2721,7 +2724,7 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
|
||||
&sz);
|
||||
if ((ret == 0) && (type == DETECT_CERT_TYPE) &&
|
||||
(format != WOLFSSL_FILETYPE_PEM)) {
|
||||
WOLFSSL_MSG("Cannot detect certificate type when not PEM");
|
||||
WOLFSSL_MSG_CERT_LOG("Cannot detect certificate type when not PEM");
|
||||
ret = WOLFSSL_BAD_CERTTYPE;
|
||||
}
|
||||
/* Try to detect type by parsing cert header and footer. */
|
||||
@@ -2729,17 +2732,24 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
|
||||
#if !defined(NO_CODING) && !defined(WOLFSSL_NO_PEM)
|
||||
const char* header = NULL;
|
||||
const char* footer = NULL;
|
||||
#ifdef HAVE_CRL
|
||||
WOLFSSL_MSG_CERT("Detecting cert type... (including CRL_TYPE)");
|
||||
#else
|
||||
WOLFSSL_MSG_CERT("Detecting cert type... (HAVE_CRL not defined)");
|
||||
#endif
|
||||
|
||||
/* Look for CA header and footer - same as CERT_TYPE. */
|
||||
if (wc_PemGetHeaderFooter(CA_TYPE, &header, &footer) == 0 &&
|
||||
(XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) {
|
||||
type = CA_TYPE;
|
||||
WOLFSSL_DEBUG_PRINTF("Detected cert type CA_TYPE = %d:", type);
|
||||
}
|
||||
#ifdef HAVE_CRL
|
||||
/* Look for CRL header and footer. */
|
||||
else if (wc_PemGetHeaderFooter(CRL_TYPE, &header, &footer) == 0 &&
|
||||
(XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) {
|
||||
type = CRL_TYPE;
|
||||
WOLFSSL_DEBUG_PRINTF("Detected cert type CRL_TYPE = %d:", type);
|
||||
}
|
||||
#endif
|
||||
/* Look for cert header and footer - same as CA_TYPE. */
|
||||
@@ -2747,12 +2757,13 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
|
||||
(XSTRNSTR((char*)content.buffer, header, (word32)sz) !=
|
||||
NULL)) {
|
||||
type = CERT_TYPE;
|
||||
WOLFSSL_DEBUG_PRINTF("Detected cert type CERT_TYPE = %d:", type);
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#endif /* !NO_CODING && !WOLFSSL_NO_PEM */
|
||||
{
|
||||
/* Not a header that we support. */
|
||||
WOLFSSL_MSG("Failed to detect certificate type");
|
||||
WOLFSSL_MSG_CERT_LOG("Failed to detect certificate type");
|
||||
#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS
|
||||
WOLFSSL_DEBUG_PRINTF(
|
||||
"ERROR: ProcessFile: Failed to detect certificate type"
|
||||
@@ -2761,17 +2772,19 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
|
||||
#endif
|
||||
ret = WOLFSSL_BAD_CERTTYPE;
|
||||
}
|
||||
}
|
||||
} /* (ret == 0) && (type == DETECT_CERT_TYPE) */
|
||||
|
||||
if (ret == 0) {
|
||||
/* When CA or trusted peer and PEM - process as a chain buffer. */
|
||||
if (((type == CA_TYPE) || (type == TRUSTED_PEER_TYPE)) &&
|
||||
(format == WOLFSSL_FILETYPE_PEM)) {
|
||||
WOLFSSL_MSG_CERT("Processing cert chain buffer...");
|
||||
ret = ProcessChainBuffer(ctx, ssl, content.buffer, sz, type,
|
||||
verify, fname);
|
||||
}
|
||||
#ifdef HAVE_CRL
|
||||
else if (type == CRL_TYPE) {
|
||||
/* Load the CRL. */
|
||||
WOLFSSL_MSG_CERT("Loading CRL...");
|
||||
ret = BufferLoadCRL(crl, content.buffer, sz, format, verify);
|
||||
}
|
||||
#endif
|
||||
|
||||
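Review bot: The type-detection branches in ProcessFile emit `WOLFSSL_DEBUG_PRINTF("Detected cert type CA_TYPE = %d:", type);` (and the CRL_TYPE and CERT_TYPE equivalents) with no conditional around them, while the existing "ERROR: ProcessFile: Failed to detect certificate type" print a few lines later sits under `#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS` and every other message this commit adds goes through WOLFSSL_MSG_CERT or WOLFSSL_MSG_CERT_EX. The rendering drops the +/- column, so if these three lines are new they should use the same gate as the rest, e.g. `WOLFSSL_MSG_CERT_EX("Detected cert type CA_TYPE = %d", type);`, which also removes the dangling trailing colon in each format string; if WOLFSSL_DEBUG_PRINTF is not itself compiled out in non-debug builds, the current form prints unconditionally. ProcessFile starts and ends outside the hunks.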
@@ -40,6 +40,7 @@
|
||||
#include <wolfssl/internal.h>
|
||||
#include <wolfssl/error-ssl.h>
|
||||
#include <wolfssl/wolfio.h>
|
||||
#include <wolfssl/wolfcrypt/logging.h>
|
||||
|
||||
#ifdef NUCLEUS_PLUS_2_3
|
||||
/* Holds last Nucleus networking error number */
|
||||
|
||||