Merge branch 'maint-0.3.2'

changes/bug24972

@@ -0,0 +1,4 @@
+  o Minor features (logging, diagnostic):
+    - When logging a failure to check a hidden service's certificate,
+      also log what the problem with the certificate was. Diagnostic
+      for ticket 24972.

src/or/hs_client.c

@@ -1235,10 +1235,12 @@ hs_client_decode_descriptor(const char *desc_str,
   /* Make sure the descriptor signing key cross certifies with the computed
    * blinded key. Without this validation, anyone knowing the subcredential
    * and onion address can forge a descriptor. */
-  if (tor_cert_checksig((*desc)->plaintext_data.signing_key_cert,
+  tor_cert_t *cert = (*desc)->plaintext_data.signing_key_cert;
+  if (tor_cert_checksig(cert,
                         &blinded_pubkey, approx_time()) < 0) {
     log_warn(LD_GENERAL, "Descriptor signing key certificate signature "
-                         "doesn't validate with computed blinded key.");
+             "doesn't validate with computed blinded key: %s",
+             tor_cert_describe_signature_status(cert));
     goto err;
   }
 

src/or/hs_descriptor.c

@@ -1233,7 +1233,8 @@ cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
   /* The following will not only check if the signature matches but also the
    * expiration date and overall validity. */
   if (tor_cert_checksig(cert, &cert->signing_key, approx_time()) < 0) {
-    log_warn(LD_REND, "Invalid signature for %s.", log_obj_type);
+    log_warn(LD_REND, "Invalid signature for %s: %s", log_obj_type,
+             tor_cert_describe_signature_status(cert));
     goto err;
   }
 
@@ -1728,7 +1729,8 @@ decode_introduction_point(const hs_descriptor_t *desc, const char *start)
   /* Validate authentication certificate with descriptor signing key. */
   if (tor_cert_checksig(ip->auth_key_cert,
                         &desc->plaintext_data.signing_pubkey, 0) < 0) {
-    log_warn(LD_REND, "Invalid authentication key signature");
+    log_warn(LD_REND, "Invalid authentication key signature: %s",
+             tor_cert_describe_signature_status(ip->auth_key_cert));
     goto err;
   }
 
@@ -1765,7 +1767,8 @@ decode_introduction_point(const hs_descriptor_t *desc, const char *start)
   }
   if (tor_cert_checksig(ip->enc_key_cert,
                         &desc->plaintext_data.signing_pubkey, 0) < 0) {
-    log_warn(LD_REND, "Invalid encryption key signature");
+    log_warn(LD_REND, "Invalid encryption key signature: %s",
+             tor_cert_describe_signature_status(ip->enc_key_cert));
     goto err;
   }
   /* It is successfully cross certified. Flag the object. */

src/or/routerkeys.c

@@ -536,7 +536,8 @@ ed_key_init_from_file(const char *fname, uint32_t flags,
     bad_cert = 1;
   } else if (signing_key &&
              tor_cert_checksig(cert, &signing_key->pubkey, now) < 0) {
-    tor_log(severity, LD_OR, "Can't check certificate");
+    tor_log(severity, LD_OR, "Can't check certificate: %s",
+            tor_cert_describe_signature_status(cert));
     bad_cert = 1;
   } else if (cert->cert_expired) {
     tor_log(severity, LD_OR, "Certificate is expired");
@@ -872,8 +873,12 @@ load_ed_keys(const or_options_t *options, time_t now)
     if (! ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey))
       FAIL("The signing cert we have was not signed with the master key "
            "we loaded!");
-    if (tor_cert_checksig(sign_cert, &id->pubkey, 0) < 0)
-      FAIL("The signing cert we loaded was not signed correctly!");
+    if (tor_cert_checksig(sign_cert, &id->pubkey, 0) < 0) {
+      log_warn(LD_OR, "The signing cert we loaded was not signed "
+               "correctly: %s!",
+               tor_cert_describe_signature_status(sign_cert));
+      goto err;
+    }
   }
 
   if (want_new_signing_key && sign_signing_key_with_id) {

src/or/torcert.c

@@ -93,7 +93,8 @@ tor_cert_sign_impl(const ed25519_keypair_t *signing_key,
 
   if (tor_cert_checksig(torcert, &signing_key->pubkey, now) < 0) {
     /* LCOV_EXCL_START */
-    log_warn(LD_BUG, "Generated a certificate whose signature we can't check");
+    log_warn(LD_BUG, "Generated a certificate whose signature we can't "
+             "check: %s", tor_cert_describe_signature_status(torcert));
     goto err;
     /* LCOV_EXCL_STOP */
   }
@@ -267,6 +268,24 @@ tor_cert_checksig(tor_cert_t *cert,
   }
 }
 
+/** Return a string describing the status of the signature on <b>cert</b>
+ *
+ * Will always be "unchecked" unless tor_cert_checksig has been called.
+ */
+const char *
+tor_cert_describe_signature_status(const tor_cert_t *cert)
+{
+  if (cert->cert_expired) {
+    return "expired";
+  } else if (cert->sig_bad) {
+    return "mis-signed";
+  } else if (cert->sig_ok) {
+    return "okay";
+  } else {
+    return "unchecked";
+  }
+}
+
 /** Return a new copy of <b>cert</b> */
 tor_cert_t *
 tor_cert_dup(const tor_cert_t *cert)

src/or/torcert.h

@@ -67,6 +67,7 @@ int tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out,
 
 int tor_cert_checksig(tor_cert_t *cert,
                       const ed25519_public_key_t *pubkey, time_t now);
+const char *tor_cert_describe_signature_status(const tor_cert_t *cert);
 
 tor_cert_t *tor_cert_dup(const tor_cert_t *cert);
 int tor_cert_eq(const tor_cert_t *cert1, const tor_cert_t *cert2);