Skip to content

Commit

Permalink
Review feedback for original trust-pinning debug log PR
Browse files Browse the repository at this point in the history
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
  • Loading branch information
riyazdf committed Jul 20, 2016
1 parent 4970538 commit 3c96ba0
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 9 deletions.
8 changes: 4 additions & 4 deletions trustpinning/certs.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ func ValidateRoot(prevRoot *data.SignedRoot, root *data.Signed, gun string, trus
return nil, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"}
}

logrus.Debugf("Found %d leaf certs, of which %d are valid leaf certs for %s", len(allLeafCerts), len(certsFromRoot), gun)
logrus.Debugf("found %d leaf certs, of which %d are valid leaf certs for %s", len(allLeafCerts), len(certsFromRoot), gun)

// If we have a previous root, let's try to use it to validate that this new root is valid.
if prevRoot != nil {
Expand Down Expand Up @@ -139,9 +139,9 @@ func ValidateRoot(prevRoot *data.SignedRoot, root *data.Signed, gun string, trus

validPinnedCerts := map[string]*x509.Certificate{}
for id, cert := range certsFromRoot {
logrus.Debugf("Checking trust-pinning for cert: %s", id)
logrus.Debugf("checking trust-pinning for cert: %s", id)
if ok := trustPinCheckFunc(cert, allIntCerts[id]); !ok {
logrus.Debugf("Trust-pinning check failed for cert: %s", id)
logrus.Debugf("trust-pinning check failed for cert: %s", id)
continue
}
validPinnedCerts[id] = cert
Expand All @@ -162,7 +162,7 @@ func ValidateRoot(prevRoot *data.SignedRoot, root *data.Signed, gun string, trus
return nil, &ErrValidationFail{Reason: "failed to validate integrity of roots"}
}

logrus.Debugf("Root validation succeeded for %s", gun)
logrus.Debugf("root validation succeeded for %s", gun)
return signedRoot, nil
}

Expand Down
11 changes: 6 additions & 5 deletions trustpinning/trustpin.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,12 +31,13 @@ func NewTrustPinChecker(trustPinConfig TrustPinConfig, gun string) (CertChecker,
t := trustPinChecker{gun: gun, config: trustPinConfig}
// Determine the mode, and if it's even valid
if pinnedCerts, ok := trustPinConfig.Certs[gun]; ok {
logrus.Debugf("trust-pinning using Cert IDs")
t.pinnedCertIDs = pinnedCerts
return t.certsCheck, nil
}

if caFilepath, err := getPinnedCAFilepathByPrefix(gun, trustPinConfig); err == nil {
logrus.Debugf("Trust-pinning using root CA bundle at: %s", caFilepath)
logrus.Debugf("trust-pinning using root CA bundle at: %s", caFilepath)

// Try to add the CA certs from its bundle file to our certificate store,
// and use it to validate certs in the root.json later
Expand All @@ -48,7 +49,7 @@ func NewTrustPinChecker(trustPinConfig TrustPinConfig, gun string) (CertChecker,
caRootPool := x509.NewCertPool()
for _, caCert := range caCerts {
if err = utils.ValidateCertificate(caCert); err != nil {
logrus.Debugf("Trust-pinning validation for child cert failed: %s", err)
logrus.Debugf("ignoring root CA certificate with CN %s in bundle: %s", caCert.Subject.CN, err)
continue
}
caRootPool.AddCert(caCert)
Expand All @@ -62,10 +63,10 @@ func NewTrustPinChecker(trustPinConfig TrustPinConfig, gun string) (CertChecker,
}

if !trustPinConfig.DisableTOFU {
logrus.Debugf("Trust-pinning: allowing TOFU")
logrus.Debugf("trust-pinning: using TOFU")
return t.tofusCheck, nil
}
return nil, fmt.Errorf("invalid trust pinning specified")
return nil, fmt.Errorf("invalid trust-pinning specified")
}

func (t trustPinChecker) certsCheck(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool {
Expand All @@ -91,7 +92,7 @@ func (t trustPinChecker) caCheck(leafCert *x509.Certificate, intCerts []*x509.Ce
if _, err = leafCert.Verify(x509.VerifyOptions{Roots: t.pinnedCAPool, Intermediates: caIntPool}); err == nil {
return true
}
logrus.Debugf("Unable to find a valid certificate chain from leaf cert to CA root: %s", err)
logrus.Debugf("unable to find a valid certificate chain from leaf cert to CA root: %s", err)
return false
}

Expand Down

0 comments on commit 3c96ba0

Please sign in to comment.