diff options
Diffstat (limited to 'cast/common/certificate/cast_cert_validator_internal.cc')
-rw-r--r-- | cast/common/certificate/cast_cert_validator_internal.cc | 50 |
1 files changed, 26 insertions, 24 deletions
diff --git a/cast/common/certificate/cast_cert_validator_internal.cc b/cast/common/certificate/cast_cert_validator_internal.cc index 764ac3e4..073b76ac 100644 --- a/cast/common/certificate/cast_cert_validator_internal.cc +++ b/cast/common/certificate/cast_cert_validator_internal.cc @@ -18,6 +18,7 @@ #include <utility> #include <vector> +#include "absl/strings/str_cat.h" #include "cast/common/certificate/types.h" #include "util/crypto/pem_helpers.h" #include "util/osp_logging.h" @@ -407,29 +408,30 @@ Error FindCertificatePath(const std::vector<std::string>& der_certs, result_path->intermediate_certs; target_cert.reset(ParseX509Der(der_certs[0])); if (!target_cert) { - OSP_DVLOG << "FindCertificatePath: Invalid target certificate"; - return Error::Code::kErrCertsParse; + return Error(Error::Code::kErrCertsParse, + "FindCertificatePath: Invalid target certificate"); } for (size_t i = 1; i < der_certs.size(); ++i) { intermediate_certs.emplace_back(ParseX509Der(der_certs[i])); if (!intermediate_certs.back()) { - OSP_DVLOG - << "FindCertificatePath: Failed to parse intermediate certificate " - << i << " of " << der_certs.size(); - return Error::Code::kErrCertsParse; + return Error( + Error::Code::kErrCertsParse, + absl::StrCat( + "FindCertificatePath: Failed to parse intermediate certificate ", + i, " of ", der_certs.size())); } } // Basic checks on the target certificate. - Error::Code error = VerifyCertTime(target_cert.get(), time); - if (error != Error::Code::kNone) { - OSP_DVLOG << "FindCertificatePath: Failed to verify certificate time"; - return error; + Error::Code valid_time = VerifyCertTime(target_cert.get(), time); + if (valid_time != Error::Code::kNone) { + return Error(valid_time, + "FindCertificatePath: Failed to verify certificate time"); } bssl::UniquePtr<EVP_PKEY> public_key{X509_get_pubkey(target_cert.get())}; if (!VerifyPublicKeyLength(public_key.get())) { - OSP_DVLOG << "FindCertificatePath: Failed with invalid public key length"; - return Error::Code::kErrCertsVerifyGeneric; + return Error(Error::Code::kErrCertsVerifyGeneric, + "FindCertificatePath: Failed with invalid public key length"); } const X509_ALGOR* sig_alg; X509_get0_signature(nullptr, &sig_alg, target_cert.get()); @@ -438,14 +440,14 @@ Error FindCertificatePath(const std::vector<std::string>& der_certs, } bssl::UniquePtr<ASN1_BIT_STRING> key_usage = GetKeyUsage(target_cert.get()); if (!key_usage) { - OSP_DVLOG << "FindCertificatePath: Failed with no key usage"; - return Error::Code::kErrCertsRestrictions; + return Error(Error::Code::kErrCertsRestrictions, + "FindCertificatePath: Failed with no key usage"); } int bit = ASN1_BIT_STRING_get_bit(key_usage.get(), KeyUsageBits::kDigitalSignature); if (bit == 0) { - OSP_DVLOG << "FindCertificatePath: Failed to get digital signature"; - return Error::Code::kErrCertsRestrictions; + return Error(Error::Code::kErrCertsRestrictions, + "FindCertificatePath: Failed to get digital signature"); } X509* path_head = target_cert.get(); @@ -478,8 +480,8 @@ Error FindCertificatePath(const std::vector<std::string>& der_certs, Error::Code last_error = Error::Code::kNone; for (;;) { X509_NAME* target_issuer_name = X509_get_issuer_name(path_head); - OSP_DVLOG << "FindCertificatePath: Target certificate issuer name: " - << X509_NAME_oneline(target_issuer_name, 0, 0); + OSP_VLOG << "FindCertificatePath: Target certificate issuer name: " + << X509_NAME_oneline(target_issuer_name, 0, 0); // The next issuer certificate to add to the current path. X509* next_issuer = nullptr; @@ -488,8 +490,8 @@ Error FindCertificatePath(const std::vector<std::string>& der_certs, X509* trust_store_cert = trust_store->certs[i].get(); X509_NAME* trust_store_cert_name = X509_get_subject_name(trust_store_cert); - OSP_DVLOG << "FindCertificatePath: Trust store certificate issuer name: " - << X509_NAME_oneline(trust_store_cert_name, 0, 0); + OSP_VLOG << "FindCertificatePath: Trust store certificate issuer name: " + << X509_NAME_oneline(trust_store_cert_name, 0, 0); if (X509_NAME_cmp(trust_store_cert_name, target_issuer_name) == 0) { CertPathStep& next_step = path[--path_index]; next_step.cert = trust_store_cert; @@ -524,9 +526,9 @@ Error FindCertificatePath(const std::vector<std::string>& der_certs, if (path_index == first_index) { // There are no more paths to try. Ensure an error is returned. if (last_error == Error::Code::kNone) { - OSP_DVLOG << "FindCertificatePath: Failed after trying all " - "certificate paths, no matches"; - return Error::Code::kErrCertsVerifyUntrustedCert; + return Error(Error::Code::kErrCertsVerifyUntrustedCert, + "FindCertificatePath: Failed after trying all " + "certificate paths, no matches"); } return last_error; } else { @@ -556,7 +558,7 @@ Error FindCertificatePath(const std::vector<std::string>& der_certs, result_path->path.push_back(path[i].cert); } - OSP_DVLOG + OSP_VLOG << "FindCertificatePath: Succeeded at validating receiver certificates"; return Error::Code::kNone; } |