Improve error logging

This commit is contained in:
Herman Slatman 2021-05-07 00:23:09 +02:00
parent d0a9cbc797
commit 54610e890b
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
2 changed files with 18 additions and 12 deletions


@ -51,6 +51,7 @@ type SCEPResponse struct {
CACertNum int CACertNum int
Data []byte Data []byte
Certificate *x509.Certificate Certificate *x509.Certificate
Error error
} }
// Handler is the SCEP request handler. // Handler is the SCEP request handler.
@ -75,7 +76,7 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request) {
request, err := decodeSCEPRequest(r) request, err := decodeSCEPRequest(r)
if err != nil { if err != nil {
writeError(w, errors.Wrap(err, "not a scep get request")) writeError(w, errors.Wrap(err, "invalid scep get request"))
return return
} }
@ -94,7 +95,7 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request) {
} }
if err != nil { if err != nil {
writeError(w, errors.Wrap(err, "get request failed")) writeError(w, errors.Wrap(err, "scep get request failed"))
return return
} }
@ -106,7 +107,7 @@ func (h *Handler) Post(w http.ResponseWriter, r *http.Request) {
request, err := decodeSCEPRequest(r) request, err := decodeSCEPRequest(r)
if err != nil { if err != nil {
writeError(w, errors.Wrap(err, "not a scep post request")) writeError(w, errors.Wrap(err, "invalid scep post request"))
return return
} }
@ -121,7 +122,7 @@ func (h *Handler) Post(w http.ResponseWriter, r *http.Request) {
} }
if err != nil { if err != nil {
writeError(w, errors.Wrap(err, "post request failed")) writeError(w, errors.Wrap(err, "scep post request failed"))
return return
} }
@ -193,13 +194,13 @@ func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
p, err := h.Auth.LoadProvisionerByID("scep/" + provisionerID) p, err := h.Auth.LoadProvisionerByID("scep/" + provisionerID)
if err != nil { if err != nil {
writeError(w, err) api.WriteError(w, err)
return return
} }
provisioner, ok := p.(*provisioner.SCEP) provisioner, ok := p.(*provisioner.SCEP)
if !ok { if !ok {
writeError(w, errors.New("provisioner must be of type SCEP")) api.WriteError(w, errors.New("provisioner must be of type SCEP"))
return return
} }
@ -293,12 +294,12 @@ func (h *Handler) PKIOperation(ctx context.Context, request SCEPRequest) (SCEPRe
challengeMatches, err := h.Auth.MatchChallengePassword(ctx, msg.CSRReqMessage.ChallengePassword) challengeMatches, err := h.Auth.MatchChallengePassword(ctx, msg.CSRReqMessage.ChallengePassword)
if err != nil { if err != nil {
return h.createFailureResponse(ctx, csr, msg, microscep.BadRequest, "error when checking password") return h.createFailureResponse(ctx, csr, msg, microscep.BadRequest, errors.New("error when checking password"))
} }
if !challengeMatches { if !challengeMatches {
// TODO: can this be returned safely to the client? In the end, if the password was correct, that gains a bit of info too. // TODO: can this be returned safely to the client? In the end, if the password was correct, that gains a bit of info too.
return h.createFailureResponse(ctx, csr, msg, microscep.BadRequest, "wrong password provided") return h.createFailureResponse(ctx, csr, msg, microscep.BadRequest, errors.New("wrong password provided"))
} }
} }
@ -306,7 +307,7 @@ func (h *Handler) PKIOperation(ctx context.Context, request SCEPRequest) (SCEPRe
certRep, err := h.Auth.SignCSR(ctx, csr, msg) certRep, err := h.Auth.SignCSR(ctx, csr, msg)
if err != nil { if err != nil {
return h.createFailureResponse(ctx, csr, msg, microscep.BadRequest, "error when signing new certificate") return h.createFailureResponse(ctx, csr, msg, microscep.BadRequest, errors.Wrap(err, "error when signing new certificate"))
} }
response := SCEPResponse{ response := SCEPResponse{
@ -325,6 +326,10 @@ func formatCapabilities(caps []string) []byte {
// writeSCEPResponse writes a SCEP response back to the SCEP client. // writeSCEPResponse writes a SCEP response back to the SCEP client.
func writeSCEPResponse(w http.ResponseWriter, response SCEPResponse) { func writeSCEPResponse(w http.ResponseWriter, response SCEPResponse) {
if response.Error != nil {
api.LogError(w, response.Error)
}
if response.Certificate != nil { if response.Certificate != nil {
api.LogCertificate(w, response.Certificate) api.LogCertificate(w, response.Certificate)
} }
@ -344,14 +349,15 @@ func writeError(w http.ResponseWriter, err error) {
api.WriteError(w, scepError) api.WriteError(w, scepError)
} }
func (h *Handler) createFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *scep.PKIMessage, info microscep.FailInfo, infoText string) (SCEPResponse, error) { func (h *Handler) createFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *scep.PKIMessage, info microscep.FailInfo, failError error) (SCEPResponse, error) {
certRepMsg, err := h.Auth.CreateFailureResponse(ctx, csr, msg, scep.FailInfoName(info), infoText) certRepMsg, err := h.Auth.CreateFailureResponse(ctx, csr, msg, scep.FailInfoName(info), failError.Error())
if err != nil { if err != nil {
return SCEPResponse{}, err return SCEPResponse{}, err
} }
return SCEPResponse{ return SCEPResponse{
Operation: opnPKIOperation, Operation: opnPKIOperation,
Data: certRepMsg.Raw, Data: certRepMsg.Raw,
Error: failError,
}, nil }, nil
} }
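Review bot: The SignCSR failure now passes `errors.Wrap(err, "error when signing new certificate")` into createFailureResponse, whose new body hands `failError.Error()` to h.Auth.CreateFailureResponse in the slot the old `infoText` parameter occupied, so whatever detail the signing path put into err is now part of the text built into the CertRep message (presumably the failInfoText returned to the client) where before only the fixed string went out. Logging the full error through the new Error field is the point of the change, but the client-facing text should stay fixed; keeping both a `infoText string` for the wire and a `failError error` for the log does that, with the three callers in PKIOperation passing their constant message as infoText (PKIOperation starts and ends outside these hunks). createFailureResponse also dereferences failError without a nil check; with the split signature a `if failError == nil { failError = errors.New(infoText) }` line makes the Error field safe to log when a caller passes nil.
```go
func (h *Handler) createFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *scep.PKIMessage, info microscep.FailInfo, infoText string, failError error) (SCEPResponse, error) {
	// infoText is what the SCEP client sees; failError is only logged (writeSCEPResponse).
	if failError == nil {
		failError = errors.New(infoText)
	}
	certRepMsg, err := h.Auth.CreateFailureResponse(ctx, csr, msg, scep.FailInfoName(info), infoText)
	// … unchanged: error check and SCEPResponse{Operation, Data, Error: failError} …
}

// … at the SignCSR call site in PKIOperation …
return h.createFailureResponse(ctx, csr, msg, microscep.BadRequest, "error when signing new certificate", errors.Wrap(err, "error when signing new certificate"))
```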


@ -416,7 +416,7 @@ func (a *Authority) CreateFailureResponse(ctx context.Context, csr *x509.Certifi
cr := &CertRepMessage{ cr := &CertRepMessage{
PKIStatus: microscep.FAILURE, PKIStatus: microscep.FAILURE,
FailInfo: microscep.BadRequest, FailInfo: microscep.FailInfo(info),
RecipientNonce: microscep.RecipientNonce(msg.SenderNonce), RecipientNonce: microscep.RecipientNonce(msg.SenderNonce),
} }