* Instrument the certificate chain code.
gcr_pkcs11_set_trust_lookup_uris
gcr_pkcs11_get_trust_store_uri
gcr_pkcs11_set_trust_store_uri
+<SUBSECTION Private>
+GcrDebugFlags
</SECTION>
<SECTION>
<SUBSECTION Standard>
gcr_data_error_get_domain
GCK_API_SUBJECT_TO_CHANGE
-</SECTION>
\ No newline at end of file
+</SECTION>
gcr-certificate-chain.c gcr-certificate-chain.h \
gcr-certificate-renderer.c gcr-certificate-renderer.h \
gcr-certificate-widget.c gcr-certificate-widget.h \
+ gcr-debug.c gcr-debug.h \
gcr-display-scrolled.c gcr-display-scrolled.h \
gcr-display-view.c gcr-display-view.h \
gcr-icons.c gcr-icons.h \
$(pkgconfig_DATA)
DISTCLEANFILES = \
- $(pkgconfig_DATA)
\ No newline at end of file
+ $(pkgconfig_DATA)
#include "gcr-certificate-chain.h"
#include "gcr-certificate.h"
+#define DEBUG_FLAG GCR_DEBUG_CERTIFICATE_CHAIN
+#include "gcr-debug.h"
#include "gcr-pkcs11-certificate.h"
#include "gcr-simple-certificate.h"
-
#include "gcr-trust.h"
+#include "egg/egg-error.h"
+
/**
* SECTION:gcr-certificate-chain
* @title: GcrCertificateChain
g_return_val_if_fail (der, NULL);
safe = gcr_simple_certificate_new (der, n_der);
+ _gcr_debug ("copying certificate so it's thread safe");
+
/* Always set the original certificate onto the safe one */
g_object_set_qdata_full (G_OBJECT (safe), Q_ORIGINAL_CERT,
g_object_ref (certificate), g_object_unref);
gboolean lookups;
gboolean ret;
guint length;
+ gchar *subject;
g_assert (pv);
g_assert (pv->certificates);
lookups = !((pv->flags & GCR_CERTIFICATE_CHAIN_FLAG_NO_LOOKUPS) == GCR_CERTIFICATE_CHAIN_FLAG_NO_LOOKUPS);
/* This chain is built */
- if (!pv->certificates->len)
+ if (!pv->certificates->len) {
+ _gcr_debug ("empty certificate chain");
return TRUE;
+ }
/* First check for pinned certificates */
certificate = g_ptr_array_index (pv->certificates, 0);
+ if (_gcr_debugging) {
+ subject = gcr_certificate_get_subject_dn (certificate);
+ _gcr_debug ("first certificate: %s", subject);
+ g_free (subject);
+ }
+
if (lookups && pv->peer) {
ret = gcr_trust_is_certificate_pinned (certificate, pv->purpose,
pv->peer, cancellable, &error);
if (!ret && error) {
+ _gcr_debug ("failed to lookup pinned certificate: %s",
+ egg_error_message (error));
g_propagate_error (rerror, error);
return FALSE;
}
* is irrelevant, so truncate chain and consider built.
*/
if (ret) {
+ _gcr_debug ("found pinned certificate for peer '%s', truncating chain",
+ pv->peer);
+
g_ptr_array_set_size (pv->certificates, 1);
pv->status = GCR_CERTIFICATE_CHAIN_PINNED;
return TRUE;
/* Stop the chain if previous was self-signed */
if (gcr_certificate_is_issuer (certificate, certificate)) {
+ _gcr_debug ("found self-signed certificate");
pv->status = GCR_CERTIFICATE_CHAIN_SELFSIGNED;
break;
}
/* Try the next certificate in the chain */
if (length < pv->certificates->len) {
certificate = g_ptr_array_index (pv->certificates, length);
+ if (_gcr_debugging) {
+ subject = gcr_certificate_get_subject_dn (certificate);
+ _gcr_debug ("next certificate: %s", subject);
+ g_free (subject);
+ }
/* No more in chain, try to lookup */
} else if (lookups) {
certificate = gcr_pkcs11_certificate_lookup_issuer (certificate,
cancellable, &error);
if (error != NULL) {
+ _gcr_debug ("failed to lookup issuer: %s", error->message);
g_propagate_error (rerror, error);
return FALSE;
+
} else if (certificate) {
g_ptr_array_add (pv->certificates, certificate);
+ if (_gcr_debugging) {
+ subject = gcr_certificate_get_subject_dn (certificate);
+ _gcr_debug ("found issuer certificate: %s", subject);
+ g_free (subject);
+ }
+
+ } else {
+ _gcr_debug ("no issuer found");
}
/* No more in chain, and can't lookup */
} else {
+ _gcr_debug ("no more certificates available, and no lookups");
certificate = NULL;
}
/* Stop the chain if nothing found */
if (certificate == NULL) {
+ _gcr_debug ("chain is incomplete");
pv->status = GCR_CERTIFICATE_CHAIN_INCOMPLETE;
break;
}
cancellable, &error);
if (!ret && error) {
+ _gcr_debug ("failed to lookup anchored certificate: %s",
+ egg_error_message (error));
g_propagate_error (rerror, error);
return FALSE;
/* Stop the chain at the first anchor */
} else if (ret) {
+ _gcr_debug ("found anchored certificate");
pv->status = GCR_CERTIFICATE_CHAIN_ANCHORED;
break;
}
pv = g_object_get_qdata (G_OBJECT (result), Q_OPERATION_DATA);
g_assert (pv);
+ _gcr_debug ("building asynchronously in another thread");
+
if (!perform_build_chain (pv, cancellable, &error)) {
g_simple_async_result_set_from_error (result, error);
g_clear_error (&error);
--- /dev/null
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2; -*- */
+/*
+ * Copyright (C) 2007 Collabora Ltd.
+ * Copyright (C) 2007 Nokia Corporation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "config.h"
+
+#include "gcr-debug.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <glib.h>
+#include <glib/gstdio.h>
+
+#ifdef WITH_DEBUG
+
+static GcrDebugFlags current_flags = 0;
+
+static GDebugKey keys[] = {
+ { "certificate-chain", GCR_DEBUG_CERTIFICATE_CHAIN },
+ { 0, }
+};
+
+static void
+debug_set_flags (GcrDebugFlags new_flags)
+{
+ current_flags |= new_flags;
+}
+
+void
+_gcr_debug_set_flags (const gchar *flags_string)
+{
+ guint nkeys;
+
+ for (nkeys = 0; keys[nkeys].value; nkeys++);
+
+ if (flags_string)
+ debug_set_flags (g_parse_debug_string (flags_string, keys, nkeys));
+}
+
+gboolean
+_gcr_debug_flag_is_set (GcrDebugFlags flag)
+{
+ return (flag & current_flags) != 0;
+}
+
+void
+_gcr_debug_message (GcrDebugFlags flag, const gchar *format, ...)
+{
+ static gsize initialized_flags = 0;
+ gchar *message;
+ va_list args;
+
+ if (g_once_init_enter (&initialized_flags)) {
+ _gcr_debug_set_flags (g_getenv ("GCR_DEBUG"));
+ g_once_init_leave (&initialized_flags, 1);
+ }
+
+ va_start (args, format);
+ message = g_strdup_vprintf (format, args);
+ va_end (args);
+
+ if (flag & current_flags)
+ g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s", message);
+
+ g_free (message);
+}
+
+#else /* !WITH_DEBUG */
+
+gboolean
+_gcr_debug_flag_is_set (GcrDebugFlags flag)
+{
+ return FALSE;
+}
+
+void
+_gcr_debug_message (GcrDebugFlags flag, const gchar *format, ...)
+{
+}
+
+void
+_gcr_debug_set_flags (const gchar *flags_string)
+{
+}
+
+#endif /* !WITH_DEBUG */
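Review bot: The keys[] table at the `{ "certificate-chain", GCR_DEBUG_CERTIFICATE_CHAIN },` line has no entry for GCR_DEBUG_LIBRARY, so neither GCR_DEBUG=library nor GCR_DEBUG=all (which g_parse_debug_string derives from this table) can ever enable the flag that gcr-library.c now selects with DEBUG_FLAG; add `{ "library", GCR_DEBUG_LIBRARY },` before the `{ 0, }` terminator, as the header's "keep in sync" comment asks. Separately, _gcr_debug_flag_is_set reads current_flags without the g_once_init_enter block that only _gcr_debug_message runs, so an `if (_gcr_debugging)` guard evaluated before the first debug message reports FALSE regardless of the environment; moving the lazy initialisation into a static helper called from both entry points closes that gap, as sketched below. The errno.h, fcntl.h, sys/stat.h, unistd.h and glib/gstdio.h includes are not used by anything in this file and could be dropped. Formatting the message with g_strdup_vprintf before testing `flag & current_flags` also does the allocation on every call even when nothing is logged; testing the flag first avoids that.
```c
static void
debug_init_from_env (void)
{
	static gsize initialized_flags = 0;

	if (g_once_init_enter (&initialized_flags)) {
		_gcr_debug_set_flags (g_getenv ("GCR_DEBUG"));
		g_once_init_leave (&initialized_flags, 1);
	}
}

gboolean
_gcr_debug_flag_is_set (GcrDebugFlags flag)
{
	debug_init_from_env ();
	return (flag & current_flags) != 0;
}

void
_gcr_debug_message (GcrDebugFlags flag, const gchar *format, ...)
{
	gchar *message;
	va_list args;

	debug_init_from_env ();
	if (!(flag & current_flags))
		return;

	/* … unchanged: va_start / g_strdup_vprintf / g_log / g_free … */
}
```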
--- /dev/null
+/*
+ * Copyright (C) 2007 Nokia Corporation
+ * Copyright (C) 2007-2011 Collabora Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef GCR_DEBUG_H
+#define GCR_DEBUG_H
+
+#include "config.h"
+
+#include <glib.h>
+
+G_BEGIN_DECLS
+
+/* Please keep this enum in sync with #keys in gcr-debug.c */
+typedef enum {
+ GCR_DEBUG_LIBRARY = 1 << 1,
+ GCR_DEBUG_CERTIFICATE_CHAIN = 1 << 2,
+} GcrDebugFlags;
+
+gboolean _gcr_debug_flag_is_set (GcrDebugFlags flag);
+
+void _gcr_debug_set_flags (const gchar *flags_string);
+
+void _gcr_debug_message (GcrDebugFlags flag,
+ const gchar *format,
+ ...) G_GNUC_PRINTF (2, 3);
+
+G_END_DECLS
+
+#endif /* GCR_DEBUG_H */
+
+/* -----------------------------------------------------------------------------
+ * Below this point is outside the GCR_DEBUG_H guard - so it can take effect
+ * more than once. So you can do:
+ *
+ * #define DEBUG_FLAG GCR_DEBUG_ONE_THING
+ * #include "gcr-debug.h"
+ * ...
+ * DEBUG ("if we're debugging one thing");
+ * ...
+ * #undef DEBUG_FLAG
+ * #define DEBUG_FLAG GCR_DEBUG_OTHER_THING
+ * #include "gcr-debug.h"
+ * ...
+ * DEBUG ("if we're debugging the other thing");
+ * ...
+ */
+
+#ifdef DEBUG_FLAG
+#ifdef WITH_DEBUG
+
+#undef _gcr_debug
+#define _gcr_debug(format, ...) \
+ _gcr_debug_message (DEBUG_FLAG, "%s: " format, G_STRFUNC, ##__VA_ARGS__)
+
+#undef _gcr_debugging
+#define _gcr_debugging \
+ _gcr_debug_flag_is_set (DEBUG_FLAG)
+
+#else /* !defined (WITH_DEBUG) */
+
+#undef _gcr_debug
+#define _gcr_debug(format, ...) \
+ do {} while (0)
+
+#undef _gcr_debugging
+#define _gcr_debugging 0
+
+#endif /* !defined (WITH_DEBUG) */
+
+#endif /* defined (DEBUG_FLAG) */
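Review bot: The `#define _gcr_debug(format, ...)` macro relies on string-literal concatenation (`"%s: " format`), so it only accepts a literal format argument, a property that is worth stating for callers; add above it `/* format must be a string literal: it is concatenated with "%s: " so output is prefixed with the calling function's name */`. The `_gcr_debugging` macro is likewise undocumented, and a line such as `/* Non-zero when DEBUG_FLAG is enabled; use it to guard work done only to build a debug message */` would tell readers why the chain code wraps its gcr_certificate_get_subject_dn calls in it. The `##__VA_ARGS__` form is a GNU extension, which matches the rest of this GLib-based code but deserves a one-word mention in the explanatory comment above the `#ifdef DEBUG_FLAG` block.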
#include "config.h"
#include "gcr-types.h"
+#define DEBUG_FLAG GCR_DEBUG_LIBRARY
+#include "gcr-debug.h"
#include "gcr-internal.h"
#include "gcr-library.h"
g_once_init_leave (&gcr_initialized, 1);
}
+
+ _gcr_debug ("initialized library");
}
/**
main(int argc, char *argv[])
{
gtk_init (&argc, &argv);
+ g_set_prgname ("frob-certificate");
if (argc > 1) {
test_certificate (argv[1]);
main(int argc, char *argv[])
{
gtk_init (&argc, &argv);
+ g_set_prgname ("frob-key");
if (argc > 1) {
test_key (argv[1]);
main(int argc, char *argv[])
{
gtk_init (&argc, &argv);
+ g_set_prgname ("frob-unlock-options");
chdir_base_dir (argv[0]);
test_unlock_options ();
g_type_init ();
g_test_init (&argc, &argv, NULL);
+ g_set_prgname ("test-certificate-chain");
srcdir = g_getenv ("SRCDIR");
if (srcdir && chdir (srcdir) < 0)
g_type_init ();
g_test_init (&argc, &argv, NULL);
+ g_set_prgname ("test-certificate");
srcdir = g_getenv ("SRCDIR");
if (srcdir && chdir (srcdir) < 0)
g_type_init ();
g_test_init (&argc, &argv, NULL);
+ g_set_prgname ("test-parser");
srcdir = g_getenv ("SRCDIR");
if (srcdir && chdir (srcdir) < 0)
g_type_init ();
g_test_init (&argc, &argv, NULL);
+ g_set_prgname ("test-pkcs11-certificate");
srcdir = g_getenv ("SRCDIR");
if (srcdir && chdir (srcdir) < 0)
g_type_init ();
g_test_init (&argc, &argv, NULL);
+ g_set_prgname ("test-simple-certificate");
srcdir = g_getenv ("SRCDIR");
if (srcdir && chdir (srcdir) < 0)
g_type_init ();
g_test_init (&argc, &argv, NULL);
+ g_set_prgname ("test-trust");
srcdir = g_getenv ("SRCDIR");
if (srcdir && chdir (srcdir) < 0)