Misc log review
authorAlberto Leiva Popper <ydahhrk@gmail.com>
Thu, 5 Sep 2024 20:39:11 +0000 (14:39 -0600)
committerAlberto Leiva Popper <ydahhrk@gmail.com>
Thu, 5 Sep 2024 20:39:11 +0000 (14:39 -0600)
- Print dependency versions during startup
- Print date ranges for certificates and CRLs

src/config.c
src/libcrypto_util.c
src/libcrypto_util.h
src/object/certificate.c

index 68b74b8753fc9cee6d1f917edb8b94d78009abea..5290308c098483cdf914e963f4417cf3dde0b296 100644 (file)
@@ -1,7 +1,11 @@
 #include "config.h"
 
+#include <curl/curl.h>
 #include <errno.h>
 #include <getopt.h>
+#include <libxml/xmlversion.h>
+#include <jansson.h>
+#include <openssl/opensslv.h>
 #include <syslog.h>
 
 #include "common.h"
@@ -895,6 +899,11 @@ print_config(void)
        struct option_field const *opt;
 
        pr_op_info(PACKAGE_STRING);
+       pr_op_info("  libcrypto: " OPENSSL_VERSION_TEXT);
+       pr_op_info("  jansson:   " JANSSON_VERSION);
+       pr_op_info("  libcurl:   " LIBCURL_VERSION);
+       pr_op_info("  libxml:    " LIBXML_DOTTED_VERSION);
+
        pr_op_info("Configuration {");
 
        FOREACH_OPTION(options, opt, 0xFFFF)
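Review bot: The four new pr_op_info lines at the top of the hunk print the versions of the headers the binary was compiled against, not the versions of the shared libraries it is actually running with, so the startup log can report a patched version while an older .so is loaded, or the reverse. Since the stated purpose is to record dependency versions, the runtime values are the ones worth logging next to (or instead of) the macros: `OpenSSL_version(OPENSSL_VERSION)` and `curl_version()` return them for libcrypto and libcurl, and libxml exposes `xmlParserVersion`. Assuming pr_op_info is printf-like as pr_val_debug appears to be elsewhere in this commit, the libcrypto line would become `pr_op_info("  libcrypto: %s", OpenSSL_version(OPENSSL_VERSION));`. print_config continues outside the hunk.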
index f6ab8efe4c67a5b138c4dd63686d2516af427fba..74437c55711aecefbbd8971c349c497507d068da 100644 (file)
@@ -7,9 +7,39 @@
 #include <openssl/pem.h>
 #include <time.h>
 
+#include "alloc.h"
 #include "asn1/asn1c/OBJECT_IDENTIFIER.h"
 #include "extension.h"
 #include "json_util.h"
+#include "log.h"
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define BIO_PR_TIME(bio, tm) ASN1_TIME_print_ex(bio, tm, ASN1_DTFLGS_ISO8601)
+#else
+#define BIO_PR_TIME(bio, tm) ASN1_TIME_print(bio, tm)
+#endif
+
+char *
+asn1time2str(ASN1_TIME const *tm)
+{
+       BIO *bio;
+       BUF_MEM *buf;
+       char *res;
+
+       bio = BIO_new(BIO_s_mem());
+       if (bio == NULL)
+               enomem_panic();
+
+       if (BIO_PR_TIME(bio, tm) <= 0)
+               return NULL;
+
+       BIO_flush(bio);
+       BIO_get_mem_ptr(bio, &buf);
+       res = pstrndup(buf->data, buf->length);
+
+       BIO_free_all(bio);
+       return res;
+}
 
 /* Swallows @bio. */
 static json_t *
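Review bot: asn1time2str leaks the BIO when BIO_PR_TIME fails: the early `return NULL` after the `<= 0` check skips BIO_free_all, unlike the same check in asn1time2json later in this commit, which frees before returning. The function also has no NULL guard on tm, whereas asn1time2json returns json_null() for a NULL time; this matters because the new callers in certificate.c pass X509_CRL_get0_nextUpdate(), which may be NULL, and the OpenSSL print routines may then render the current time rather than fail (worth confirming against the linked version). BIO_flush and BIO_get_mem_ptr are also unchecked, though for a memory BIO they are not expected to fail. Rewritten prologue and failure path:
```c
char *
asn1time2str(ASN1_TIME const *tm)
{
	/* … unchanged: declarations … */

	if (tm == NULL)
		return NULL;

	bio = BIO_new(BIO_s_mem());
	if (bio == NULL)
		enomem_panic();

	if (BIO_PR_TIME(bio, tm) <= 0) {
		BIO_free_all(bio);
		return NULL;
	}

	/* … unchanged: flush, get_mem_ptr, pstrndup, free, return … */
}
```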
@@ -83,7 +113,6 @@ json_t *
 asn1time2json(ASN1_TIME const *time)
 {
        BIO *bio;
-       int success;
 
        if (time == NULL)
                return json_null();
@@ -92,12 +121,7 @@ asn1time2json(ASN1_TIME const *time)
        if (bio == NULL)
                return NULL;
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-       success = ASN1_TIME_print_ex(bio, time, ASN1_DTFLGS_ISO8601);
-#else
-       success = ASN1_TIME_print(bio, time); /* Kill me */
-#endif
-       if (!success) {
+       if (BIO_PR_TIME(bio, time) <= 0) {
                BIO_free_all(bio);
                return NULL;
        }
index 493640c80dbf4ffef08c29d76a492a193cfd8642..e942bcca551f2109e83da04d46ca92da566a9f15 100644 (file)
@@ -8,6 +8,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+char *asn1time2str(ASN1_TIME const *);
+
 json_t *oid2json(ASN1_OBJECT const *);
 json_t *asn1int2json(ASN1_INTEGER const *);
 json_t *asn1str2json(ASN1_STRING const *); /* octet string, bit string, etc */
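Review bot: The new asn1time2str prototype carries no ownership or failure contract, while the neighbouring asn1str2json line at least notes what it accepts. The callers in certificate.c free the result and can receive NULL, so a one-line comment on the declaration spares the next reader a trip into libcrypto_util.c: `char *asn1time2str(ASN1_TIME const *); /* Caller frees; NULL on print failure */`.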
index b91aed5137c964009c05b4fddbab547acd48d5a4..d361978033cdd8714b2b46cc015defc4d8974181 100644 (file)
@@ -19,6 +19,7 @@
 #include "common.h"
 #include "config.h"
 #include "extension.h"
+#include "libcrypto_util.h"
 #include "log.h"
 #include "nid.h"
 #include "object/manifest.h"
@@ -901,6 +902,20 @@ update_crl_time(STACK_OF(X509_CRL) *crls, X509_CRL *original_crl)
        return 0;
 }
 
+static void
+pr_debug_x509_dates(X509 *x509)
+{
+       char *nb, *na;
+
+       nb = asn1time2str(X509_get0_notBefore(x509));
+       na = asn1time2str(X509_get0_notAfter(x509));
+
+       pr_val_debug("Valid range: [%s, %s]", nb, na);
+
+       free(nb);
+       free(na);
+}
+
 /*
  * Retry certificate validation without CRL time validation.
  */
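Review bot: pr_debug_x509_dates hands nb and na straight to a `%s` conversion, but asn1time2str returns NULL when BIO_PR_TIME fails, and a NULL argument for `%s` is undefined behavior (glibc happens to print "(null)", other libcs crash). The same pattern recurs in complain_crl_stale later in this commit with lu and nu. Substitute a marker before formatting, e.g. `pr_val_debug("Valid range: [%s, %s]", nb ? nb : "<unknown>", na ? na : "<unknown>");`, or have the helper return a placeholder string instead of NULL so every caller is covered at once.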
@@ -948,6 +963,9 @@ verify_cert_crl_stale(struct validation *state, X509 *cert,
        else
                error = val_crypto_err("Certificate validation failed: %d", ok);
 
+       if (error && log_val_enabled(LOG_DEBUG))
+               pr_debug_x509_dates(cert);
+
 pop_clone:
        clone = sk_X509_CRL_pop(crls);
        if (clone == NULL)
@@ -965,6 +983,31 @@ release_ctx:
 
 }
 
+static int
+complain_crl_stale(STACK_OF(X509_CRL) *crls)
+{
+       X509_CRL *crl;
+       char *lu;
+       char *nu;
+       int ret;
+
+       if (sk_X509_CRL_num(crls) < 1)
+               pr_crit("Empty CRL stack despite validations.");
+       crl = sk_X509_CRL_value(crls, 0);
+       if (crl == NULL)
+               pr_crit("Unable to pop CRL from nonempty stack.");
+
+       lu = asn1time2str(X509_CRL_get0_lastUpdate(crl));
+       nu = asn1time2str(X509_CRL_get0_nextUpdate(crl));
+
+       ret = incidence(INID_CRL_STALE,
+           "CRL is stale/expired. (lastUpdate:%s, nextUpdate:%s)", lu, nu);
+
+       free(lu);
+       free(nu);
+       return ret;
+}
+
 int
 certificate_validate_chain(X509 *cert, STACK_OF(X509_CRL) *crls)
 {
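Review bot: complain_crl_stale keeps executing after pr_crit on both error paths, so unless pr_crit never returns (its definition is not visible here), a NULL crl is dereferenced by X509_CRL_get0_lastUpdate on the following lines. Separately, X509_CRL_get0_nextUpdate() returns NULL when the CRL carries no nextUpdate field, which is optional in the CRL structure; that NULL then reaches asn1time2str, which has no guard, and lu/nu reach `%s` unguarded as in pr_debug_x509_dates. If pr_crit does return, a `return -1;` after each call closes the first gap (assuming callers treat any nonzero result as failure, as the `goto abort` in certificate_validate_chain suggests), and `nu ? nu : "<none>"` in the incidence call closes the second.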
@@ -1019,9 +1062,9 @@ certificate_validate_chain(X509 *cert, STACK_OF(X509_CRL) *crls)
                                    X509_verify_cert_error_string(error));
                                goto abort;
                        }
-                       if (incidence(INID_CRL_STALE, "CRL is stale/expired"))
-                               goto abort;
 
+                       if (complain_crl_stale(crls))
+                               goto abort;
                        X509_STORE_CTX_free(ctx);
                        if (incidence_get_action(INID_CRL_STALE) == INAC_WARN)
                                pr_val_info("Re-validating avoiding CRL time check");