author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-30 09:33:08 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-07-01 10:09:25 +0200 |
commit | e86694058566207950c6d953548cd4e359f1b627 (patch) | |
tree | facb3e888793071dd922312cb3611798f8605d8c | |
parent | 5e3ad5c687bdae8414baf05635708ab063661511 (diff) | |
download | gnutls-e86694058566207950c6d953548cd4e359f1b627.tar.gz |
OCSP: added more verbose debug logging on verification
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/x509/ocsp.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index f7fdddf353..fd71c078ec 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -1922,14 +1922,17 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
 }
 for (i = 0; i < ncerts; i++) {
+ _gnutls_cert_log("checking whether signed against", certs[i]);
 if (keyid.data != NULL) {
 uint8_t digest[20];
 gnutls_datum_t spki;
+ _gnutls_debug_log("checking key ID\n");
 rc = _gnutls_x509_get_raw_field2(certs[i]->cert, &certs[i]->der, "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", &spki);
 if (rc < 0 || spki.size < 6) {
+ gnutls_assert();
 signercert = NULL;
 goto quit;
 }
@@ -1951,13 +1954,17 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
 signercert = certs[i];
 goto quit;
 }
+ gnutls_assert();
 } else {
+ _gnutls_debug_log("checking issuer DN\n");
+ assert(riddn.data != NULL);
 if ((certs[i]->raw_dn.size == riddn.size) && memcmp(riddn.data, certs[i]->raw_dn.data, riddn.size) == 0) {
 signercert = certs[i];
 goto quit;
 }
+ gnutls_assert();
 }
 }
@@ -2009,6 +2016,8 @@ _ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
 goto done;
 }
+ _gnutls_cert_log("ocsp signer", signercert); \ + rc = gnutls_pubkey_import_x509(pubkey, signercert, 0);
 if (rc != GNUTLS_E_SUCCESS) {
 gnutls_assert();
@@ -2142,6 +2151,7 @@ gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
 }
 if (vtmp != 0) {
+ _gnutls_reason_log("cert verification", vtmp);
 *verify = vstatus_to_ocsp_status(vtmp);
 gnutls_assert();
 rc = GNUTLS_E_SUCCESS; |
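Review bot: The new `assert(riddn.data != NULL);` in the issuer-DN branch of find_signercert is a libc assert on state derived from the OCSP response, so if that branch can ever be entered with riddn unset, a malformed response (from a responder, or stapled by a TLS peer) aborts the whole process instead of failing verification, and under NDEBUG the check disappears and the `memcmp` on the next line may dereference a NULL pointer. riddn and keyid are populated before this hunk, outside the visible lines, so whether `riddn.data == NULL` is reachable here cannot be confirmed from the diff. If the earlier responderID handling guarantees riddn is set whenever keyid is absent, a comment stating that invariant, e.g. `/* responderID is a CHOICE: the setup above leaves riddn set whenever keyid is absent */`, documents why no runtime check is needed; otherwise the function's existing failure idiom is the safer form: `if (riddn.data == NULL) { gnutls_assert(); signercert = NULL; goto quit; }`. find_signercert begins and ends outside the hunk.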