author | Jakub Witczak <kuba@erlang.org> | 2023-03-06 10:18:29 +0100 |
---|---|---|
committer | Jakub Witczak <kuba@erlang.org> | 2023-03-21 17:26:20 +0100 |
commit | d9a0919d74f6f4268bab694f38bb16fa519187e7 (patch) | |
tree | a67c946c993cdc01ed78124b42c81cd87a091493 | |
parent | 5dc1c729ab34f8ba6f14b14c28e3ffc9529200a2 (diff) | |
download | erlang-d9a0919d74f6f4268bab694f38bb16fa519187e7.tar.gz |
ssl, public_key: trace config
-rw-r--r-- | lib/public_key/src/pubkey_ocsp.erl | 35 | ||||
-rw-r--r-- | lib/public_key/src/public_key.erl | 39 | ||||
-rw-r--r-- | lib/ssl/src/ssl_certificate.erl | 7 | ||||
-rw-r--r-- | lib/ssl/src/ssl_trace.erl | 22 | ||||
-rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 4 |
5 files changed, 102 insertions, 5 deletions
diff --git a/lib/public_key/src/pubkey_ocsp.erl b/lib/public_key/src/pubkey_ocsp.erl index b627a74e6a..f923eae78e 100644 --- a/lib/public_key/src/pubkey_ocsp.erl +++ b/lib/public_key/src/pubkey_ocsp.erl @@ -28,6 +28,8 @@ ocsp_status/1, verify_ocsp_response/3, decode_ocsp_response/1]). +%% Tracing +-export([handle_trace/3]). -spec get_ocsp_responder_id(#'Certificate'{}) -> binary(). get_ocsp_responder_id(#'Certificate'{tbsCertificate = TbsCert}) -> 
@@ -204,3 +206,36 @@ enc_pub_key({DsaInt, #'Dss-Parms'{}}) when is_integer(DsaInt) -> public_key:der_encode('DSAPublicKey', DsaInt); enc_pub_key({#'ECPoint'{point = Key}, _ECParam}) -> Key. + +%%%################################################################ +%%%# +%%%# Tracing +%%%# +handle_trace(csp, + {call, {?MODULE, do_verify_ocsp_response, [BasicOcspResponse | _]}}, Stack) -> + #'BasicOCSPResponse'{ + tbsResponseData = + #'ResponseData'{responderID = ResponderID, + producedAt = ProducedAt}} = BasicOcspResponse, + {io_lib:format("ResponderId = ~W producedAt = ~p", [ResponderID, 5, ProducedAt]), Stack}; +handle_trace(csp, + {call, {?MODULE, match_single_response, + [_IssuerName, _IssuerKey, _SerialNum, + [#'SingleResponse'{thisUpdate = ThisUpdate, + nextUpdate = NextUpdate}]]}}, Stack) -> + {io_lib:format("ThisUpdate = ~p NextUpdate = ~p", [ThisUpdate, NextUpdate]), Stack}; +handle_trace(csp, + {call, {?MODULE, is_responder, [Id, Cert]}}, Stack) -> + {io_lib:format("~nId = ~P~nCert = ~P", [Id, 10, Cert, 10]), Stack}; +handle_trace(csp, + {call, {?MODULE, find_single_response, [Cert, IssuerCert | _]}}, Stack) -> + {io_lib:format("#2 OCSP validation started~nCert = ~W IssuerCert = ~W", + [Cert, 7, IssuerCert, 7]), Stack}; + %% {io_lib:format("#2 OCSP validation started~nCert = ~s IssuerCert = ~s", + %% [ssl_test_lib:format_cert(Cert), + %% ssl_test_lib:format_cert(IssuerCert)]), Stack}; + +handle_trace(csp, + {return_from, {?MODULE, is_responder, 2}, Return}, + Stack) -> + {io_lib:format("Return = ~p", [Return]), Stack}. diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl index 50e75dc899..3fa419802c 100644 --- a/lib/public_key/src/public_key.erl +++ b/lib/public_key/src/public_key.erl @@ -69,6 +69,8 @@ cacerts_load/1, cacerts_clear/0 ]). +%% Tracing +-export([handle_trace/3]). %%---------------- %% Moved to ssh 
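Review bot: The `match_single_response` clause of the new handle_trace/3 only matches when the fourth argument is exactly a one-element list `[#'SingleResponse'{...}]`; when match_single_response/4 is called with an empty or multi-element list no clause of `handle_trace(csp, ...)` applies and the callback fails with function_clause, unless ssl_trace protects the call (not visible here). A head of `[#'SingleResponse'{thisUpdate = ThisUpdate, nextUpdate = NextUpdate} | _]` keeps the same trace line and covers every non-empty list. The commented-out `ssl_test_lib:format_cert/1` variant left between the `find_single_response` and `is_responder` clauses is dead code in a library module that points at a test-tree helper; the same pattern recurs in the public_key.erl and ssl_certificate.erl hunks of this commit. A one-line `%% NOTE: ssl_test_lib:format_cert/1 renders a certificate readably when tracing from the test suite` would preserve the intent without shipping the commented call.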
@@ -2060,3 +2062,40 @@ ocsp_responses(OCSPResponseDer, ResponderCerts, Nonce) -> subject_public_key_info(Alg, PubKey) -> #'OTPSubjectPublicKeyInfo'{algorithm = Alg, subjectPublicKey = PubKey}. + +%%%################################################################ +%%%# +%%%# Tracing +%%%# +handle_trace(csp, + {call, {?MODULE, ocsp_responder_id, [Cert]}}, Stack) -> + {io_lib:format("pkix_decode_cert(Cert, plain) = ~W", [Cert, 5]), + %% {io_lib:format("pkix_decode_cert(Cert, plain) = ~s", [ssl_test_lib:format_cert(Cert)]), + Stack}; +handle_trace(csp, + {return_from, {?MODULE, ocsp_responder_id, 1}, Return}, + Stack) -> + {io_lib:format("OCSP Responder ID = ~P", [Return, 10]), Stack}; +handle_trace(csp, + {call, {?MODULE, ocsp_responses, _Args}}, Stack) -> + {io_lib:format("[pkix_decode_cert(C, plain) || C <- ResponderCerts]", []), + Stack}; +handle_trace(crt, + {call, {?MODULE, pkix_decode_cert, [Cert, _Type]}}, Stack) -> + {io_lib:format("Cert = ~W", [Cert, 5]), Stack}; + %% {io_lib:format("Cert = ~s", [ssl_test_lib:format_cert(Cert)]), Stack}; +handle_trace(csp, + {call, {?MODULE, pkix_ocsp_validate, [Cert, IssuerCert | _]}}, Stack) -> + {io_lib:format("#2 OCSP validation started~nCert = ~W IssuerCert = ~W", + [Cert, 7, IssuerCert, 7]), Stack}; + %% {io_lib:format("#2 OCSP validation started~nCert = ~s IssuerCert = ~s", + %% [ssl_test_lib:format_cert(Cert), + %% ssl_test_lib:format_cert(IssuerCert)]), Stack}; +handle_trace(csp, + {call, {?MODULE, otp_cert, [Cert]}}, Stack) -> + {io_lib:format("Cert = ~W", [Cert, 5]), Stack}; + %% {io_lib:format("Cert = ~s", [ssl_test_lib:format_cert(otp_cert(Cert))]), Stack}; +handle_trace(csp, + {return_from, {?MODULE, pkix_ocsp_validate, 5}, Return}, + Stack) -> + {io_lib:format("#2 OCSP validation result = ~p", [Return]), Stack}. diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index 0ea7a0ac16..c8b7bb3dde 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl 
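Review bot: The `ocsp_responses` clause discards `_Args` and emits the fixed text `[pkix_decode_cert(C, plain) || C <- ResponderCerts]`, so the trace line carries no information about the call it reports. The hunk header shows the arity-3 head `ocsp_responses(OCSPResponseDer, ResponderCerts, Nonce)`, so the clause can bind the second argument and report its size, e.g. `{call, {?MODULE, ocsp_responses, [_OCSPResponseDer, ResponderCerts, _Nonce]}}` with `{io_lib:format("ocsp_responses with ~p responder cert(s)", [length(ResponderCerts)]), Stack}` — this assumes ResponderCerts is a list, which the name suggests but the hunk does not show. Reporting only a count also keeps the nonce and the raw DER out of the trace output. Separately, the `ocsp_responder_id` clause places its commented-out alternative between the two elements of the returned tuple, which is easy to misread as part of the expression; if the comment is kept, move it above the clause.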
@@ -834,11 +834,14 @@ cert_auth_member(ChainSubjects, CertAuths) -> handle_trace(crt, {call, {?MODULE, validate, [Cert, StatusOrExt| _]}}, Stack) -> {io_lib:format("[~W] StatusOrExt = ~W", [Cert, 3, StatusOrExt, 10]), Stack}; + %% {io_lib:format("(~s) StatusOrExt = ~W", + %% [ssl_test_lib:format_cert(Cert), StatusOrExt, 10]), Stack}; handle_trace(crt, {call, {?MODULE, verify_cert_extensions, [Cert, _UserState, [], _Context]}}, Stack) -> {io_lib:format(" no more extensions [~W]", [Cert, 3]), Stack}; + %% {io_lib:format(" no more extensions (~s)", [ssl_test_lib:format_cert(Cert)]), Stack}; handle_trace(crt, {call, {?MODULE, verify_cert_extensions, [Cert, #{ocsp_responder_certs := _ResponderCerts, @@ -849,7 +852,11 @@ handle_trace(crt, {call, {?MODULE, verify_cert_extensions, {io_lib:format("#2 OcspState = ~W Issuer = [~W] OcspResponsDer = ~W [~W]", [OcspState, 10, Issuer, 3, OcspResponsDer, 2, Cert, 3]), Stack}; + %% {io_lib:format("#2 OcspState = ~W Issuer = (~s) OcspResponsDer = ~W (~s)", + %% [OcspState, 10, ssl_test_lib:format_cert(Issuer), + %% OcspResponsDer, 2, ssl_test_lib:format_cert(Cert)]), handle_trace(crt, {return_from, {ssl_certificate, verify_cert_extensions, 4}, {valid, #{issuer := Issuer}}}, Stack) -> {io_lib:format(" extensions valid Issuer = ~W", [Issuer, 3]), Stack}. + %% {io_lib:format(" extensions valid Issuer = ~s", [ssl_test_lib:format_cert(Issuer)]), Stack}. diff --git a/lib/ssl/src/ssl_trace.erl b/lib/ssl/src/ssl_trace.erl index c91297a0b8..80aa2e8283 100644 --- a/lib/ssl/src/ssl_trace.erl +++ b/lib/ssl/src/ssl_trace.erl 
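Review bot: The comment block added after the `verify_cert_extensions` OCSP clause (`%% {io_lib:format("#2 OcspState = ~W Issuer = (~s) ...`) is an incomplete expression — it stops after the argument list with no `Stack}` and no clause terminator — so uncommenting it, as the layout invites, yields a syntax error. All four additions in this file are commented-out calls into `ssl_test_lib:format_cert/1`, a test-tree helper that a library module should not reference even in comments. A single `%% NOTE: ssl_test_lib:format_cert/1 renders Cert readably when tracing from the test suite` at the top of handle_trace/3 would record the intent without shipping dead code. The handle_trace/3 clause group may extend beyond the two hunks shown.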
@@ -431,11 +431,18 @@ trace_profiles() -> [{ssl_handshake, [{maybe_add_certificate_status_request, 4}, {client_hello_extensions, 10}, {cert_status_check, 5}, {get_ocsp_responder_list, 1}, {handle_ocsp_extension, 2}, + {path_validation, 10}, {handle_server_hello_extensions, 10}, {handle_client_hello_extensions, 10}, {cert_status_check, 5}]}, - {public_key, [{ocsp_extensions, 1}, %%{pkix_decode_cert, 2}, - {pkix_ocsp_validate, 5}]}, + {public_key, [{ocsp_extensions, 1}, {ocsp_responses, 3}, + {pkix_ocsp_validate, 5}, {ocsp_responder_id, 1}, + {ocsp_status, 3}, {otp_cert, 1}]}, + {pubkey_ocsp, [{find_responder_cert, 2}, {do_verify_ocsp_signature, 4}, + {verify_ocsp_response, 3}, {verify_ocsp_nonce, 2}, + {verify_ocsp_signature, 5}, {do_verify_ocsp_response, 3}, + {is_responder, 2}, {find_single_response, 3}, + {ocsp_status, 1}, {match_single_response, 4}]}, {ssl, [{opt_ocsp, 3}]}, {ssl_certificate, [{verify_cert_extensions, 4}]}, {ssl_test_lib, [{init_openssl_server, 3}, {openssl_server_loop, 3}]}, @@ -447,11 +454,18 @@ trace_profiles() -> {crt, %% certificates fun(M, F, A) -> dbg:tpl(M, F, A, x) end, fun(M, F, A) -> dbg:ctpl(M, F, A) end, - [{public_key, [{pkix_path_validation, 3}]}, - {ssl_certificate, [{validate, 3}]}, + [{public_key, [{pkix_path_validation, 3}, {path_validation, 2}, + {pkix_decode_cert, 2}]}, + {ssl_certificate, [{validate, 3}, {trusted_cert_and_paths, 4}, + {certificate_chain, 3}, {certificate_chain, 5}, + {issuer, 1}]}, + {ssl_cipher, [{filter, 3}]}, {ssl_gen_statem, [{initial_hello, 3}]}, {ssl_handshake, [{path_validate, 11}, {path_validation, 10}, + {select_hashsign, 5}, {get_cert_params, 1}, + {cert_curve, 3}, {maybe_check_hostname, 3}, {maybe_check_hostname, 3}]}, + {ssl_pkix_db, [{decode_cert, 2}]}, {tls_handshake_1_3, [{path_validation, 10}]}, {tls_server_connection_1_3, [{init,1}]}, {tls_client_connection_1_3, [{init,1}]}, diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index 2cda32efde..bf552550a2 100644 
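Review bot: The added line `{cert_curve, 3}, {maybe_check_hostname, 3},` in the crt profile's ssl_handshake list is immediately followed by the unchanged `{maybe_check_hostname, 3}]}`, so maybe_check_hostname/3 is now listed twice; drop it from the added line. dbg:tpl/4 tolerates the repeat, but the duplicate suggests the list was not re-read after editing and makes later diffs noisier. The csp profile already has the same shape, with `{cert_status_check, 5}` at both ends of its ssl_handshake list (pre-existing, but worth cleaning in the same pass). trace_profiles/0 begins before the first hunk and continues past the second.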
--- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl @@ -1464,7 +1464,9 @@ format_cert(#'OTPCertificate'{tbsCertificate = Cert} = OtpCert) -> {error, _} -> io_lib:format("~.3w:~s -> :~s", [Nr, format_subject(Subject), format_subject(Issuer)]) end - end. + end; +format_cert(Cert) -> + io_lib:format("Format failed for ~p", [Cert]). format_subject({rdnSequence, Seq}) -> format_subject(Seq); |
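Review bot: The new fallback clause `format_cert(Cert) -> io_lib:format("Format failed for ~p", [Cert]).` prints the whole term with `~p`; the commented call sites elsewhere in this commit pass certificates that may still be DER binaries or full records, and an unbounded `~p` of one of those produces a very long trace line. `io_lib:format("Format failed for ~P", [Cert, 10])` keeps the fallback bounded while still showing what was passed. format_cert/1's first clause begins before the hunk.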