authorWerner Koch <[email protected]>2014-05-19 07:48:42 +0000
committerWerner Koch <[email protected]>2014-05-19 07:48:42 +0000
commit9e1c99f8009f056c39a7465b91912c136b248e8f (patch)
tree1e7154f99398c782977dabeb43c4a948f2f9e994 /dirmngr/ks-engine-hkp.c
parenthttp: Add callback to help logging of server certificates. (diff)
dirmngr: Print certificates on failed TLS verification.
* dirmngr/ks-engine-hkp.c (cert_log_cb): New. (send_request): Set callback. -- We use the KSBA functions here because we have them anyway in Dirmngr.
Diffstat (limited to 'dirmngr/ks-engine-hkp.c')
-rw-r--r--dirmngr/ks-engine-hkp.c35
1 files changed, 35 insertions, 0 deletions
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 3c25953d2..0f0baab6b 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -873,6 +873,40 @@ ks_hkp_housekeeping (time_t curtime)
}
+/* Callback to print infos about the TLS certificates. */
+static void
+cert_log_cb (http_session_t sess, gpg_error_t err,
+ const char *hostname, const void **certs, size_t *certlens)
+{
+ ksba_cert_t cert;
+ size_t n;
+
+ (void)sess;
+
+ if (!err)
+ return; /* No error - no need to log anything */
+
+ log_debug ("expected hostname: %s\n", hostname);
+ for (n=0; certs[n]; n++)
+ {
+ err = ksba_cert_new (&cert);
+ if (!err)
+ err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
+ if (err)
+ log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
+ else
+ {
+ char textbuf[20];
+ snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
+ dump_cert (textbuf, cert);
+ }
+
+ ksba_cert_release (cert);
+ }
+}
+
+
+
/* Send an HTTP request. On success returns an estream object at
R_FP. HOSTPORTSTR is only used for diagnostics. If HTTPHOST is
not NULL it will be used as HTTP "Host" header. If POST_CB is not
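Review bot: `ksba_cert_t cert;` is left indeterminate and `ksba_cert_release (cert);` runs unconditionally at the bottom of the loop, so if `ksba_cert_new` fails on an iteration without storing into `cert`, the release operates on whatever the previous pass left there (or garbage on the first pass); unless libksba is documented to null the out-pointer on failure, the cheap fix is `ksba_cert_t cert = NULL;` at the declaration and moving the release inside the branches, or at least resetting `cert = NULL;` after each release. The callback also never records why verification failed: the only diagnostic is the expected hostname, so a line such as `log_debug ("TLS verification failed: %s\n", gpg_strerror (err));` before the loop would make the dumped chain interpretable. Note that `hostname` is printed with `%s` without a NULL guard and `certs` is iterated until a NULL entry without checking `certs` itself — if the http layer can invoke the callback with either absent on some error paths, both need a guard; I cannot tell from the hunk. The server-supplied certificates are parsed with `ksba_cert_init_from_mem` purely for logging, which is the right choice, but worth a comment saying the chain is untrusted at this point and nothing here changes the verification outcome.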
@@ -896,6 +930,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
err = http_session_new (&session, NULL);
if (err)
goto leave;
+ http_session_set_log_cb (session, cert_log_cb);
once_more:
err = http_open (&http,