Review feedback for original trust-pinning debug log PR

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
notaryproject · Jul 20, 2016 · 84115c6 · 84115c6
1 parent 4970538
commit 84115c6
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/trustpinning/certs.go b/trustpinning/certs.go
@@ -104,7 +104,7 @@ func ValidateRoot(prevRoot *data.SignedRoot, root *data.Signed, gun string, trus
 		return nil, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"}
 	}
 
-	logrus.Debugf("Found %d leaf certs, of which %d are valid leaf certs for %s", len(allLeafCerts), len(certsFromRoot), gun)
+	logrus.Debugf("found %d leaf certs, of which %d are valid leaf certs for %s", len(allLeafCerts), len(certsFromRoot), gun)
 
 	// If we have a previous root, let's try to use it to validate that this new root is valid.
 	if prevRoot != nil {
@@ -139,9 +139,9 @@ func ValidateRoot(prevRoot *data.SignedRoot, root *data.Signed, gun string, trus
 
 		validPinnedCerts := map[string]*x509.Certificate{}
 		for id, cert := range certsFromRoot {
-			logrus.Debugf("Checking trust-pinning for cert: %s", id)
+			logrus.Debugf("checking trust-pinning for cert: %s", id)
 			if ok := trustPinCheckFunc(cert, allIntCerts[id]); !ok {
-				logrus.Debugf("Trust-pinning check failed for cert: %s", id)
+				logrus.Debugf("trust-pinning check failed for cert: %s", id)
 				continue
 			}
 			validPinnedCerts[id] = cert
@@ -162,7 +162,7 @@ func ValidateRoot(prevRoot *data.SignedRoot, root *data.Signed, gun string, trus
 		return nil, &ErrValidationFail{Reason: "failed to validate integrity of roots"}
 	}
 
-	logrus.Debugf("Root validation succeeded for %s", gun)
+	logrus.Debugf("root validation succeeded for %s", gun)
 	return signedRoot, nil
 }
 

diff --git a/trustpinning/trustpin.go b/trustpinning/trustpin.go
@@ -31,12 +31,13 @@ func NewTrustPinChecker(trustPinConfig TrustPinConfig, gun string) (CertChecker,
 	t := trustPinChecker{gun: gun, config: trustPinConfig}
 	// Determine the mode, and if it's even valid
 	if pinnedCerts, ok := trustPinConfig.Certs[gun]; ok {
+		logrus.Debugf("trust-pinning using Cert IDs")
 		t.pinnedCertIDs = pinnedCerts
 		return t.certsCheck, nil
 	}
 
 	if caFilepath, err := getPinnedCAFilepathByPrefix(gun, trustPinConfig); err == nil {
-		logrus.Debugf("Trust-pinning using root CA bundle at: %s", caFilepath)
+		logrus.Debugf("trust-pinning using root CA bundle at: %s", caFilepath)
 
 		// Try to add the CA certs from its bundle file to our certificate store,
 		// and use it to validate certs in the root.json later
@@ -48,7 +49,7 @@ func NewTrustPinChecker(trustPinConfig TrustPinConfig, gun string) (CertChecker,
 		caRootPool := x509.NewCertPool()
 		for _, caCert := range caCerts {
 			if err = utils.ValidateCertificate(caCert); err != nil {
-				logrus.Debugf("Trust-pinning validation for child cert failed: %s", err)
+				logrus.Debugf("ignoring root CA certificate with CN %s in bundle: %s", caCert.Subject.CommonName, err)
 				continue
 			}
 			caRootPool.AddCert(caCert)
@@ -62,10 +63,10 @@ func NewTrustPinChecker(trustPinConfig TrustPinConfig, gun string) (CertChecker,
 	}
 
 	if !trustPinConfig.DisableTOFU {
-		logrus.Debugf("Trust-pinning: allowing TOFU")
+		logrus.Debugf("trust-pinning: using TOFU")
 		return t.tofusCheck, nil
 	}
-	return nil, fmt.Errorf("invalid trust pinning specified")
+	return nil, fmt.Errorf("invalid trust-pinning specified")
 }
 
 func (t trustPinChecker) certsCheck(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool {
@@ -91,7 +92,7 @@ func (t trustPinChecker) caCheck(leafCert *x509.Certificate, intCerts []*x509.Ce
 	if _, err = leafCert.Verify(x509.VerifyOptions{Roots: t.pinnedCAPool, Intermediates: caIntPool}); err == nil {
 		return true
 	}
-	logrus.Debugf("Unable to find a valid certificate chain from leaf cert to CA root: %s", err)
+	logrus.Debugf("unable to find a valid certificate chain from leaf cert to CA root: %s", err)
 	return false
 }