Posted to commits@subversion.apache.org by st...@apache.org on 2013/07/10 22:40:55 UTC

svn commit: r1501976 - /subversion/trunk/subversion/svnauth/svnauth.c

Author: stsp
Date: Wed Jul 10 20:40:54 2013
New Revision: 1501976

URL: http://svn.apache.org/r1501976
Log:
Make svnauth show certificate verification failures in human-readable form.

Because these certificates are already in the auth cache, the user has
permanently accepted them. The information displayed shows why the
certificate could not be verified automatically.

* subversion/svnauth/svnauth.c
  (AUTHN_FAILURES_KEY): New macro, copied from ssl_server_trust_providers.c.
  (show_cert_failures): New helper function.
  (list_credentials): Use new helper function to display cert failures.

Modified:
    subversion/trunk/subversion/svnauth/svnauth.c

Modified: subversion/trunk/subversion/svnauth/svnauth.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/svnauth/svnauth.c?rev=1501976&r1=1501975&r2=1501976&view=diff
==============================================================================
--- subversion/trunk/subversion/svnauth/svnauth.c (original)
+++ subversion/trunk/subversion/svnauth/svnauth.c Wed Jul 10 20:40:54 2013
@@ -300,6 +300,7 @@ split_ascii_cert(const char *ascii_cert,
 
 /* ### from libsvn_subr/ssl_server_trust_providers.c */
 #define AUTHN_ASCII_CERT_KEY            "ascii_cert"
+#define AUTHN_FAILURES_KEY              "failures"
 
 /* Display the base64-encoded DER certificate ASCII_CERT. */
 static svn_error_t *
@@ -380,6 +381,47 @@ show_ascii_cert(const char *ascii_cert,
   return SVN_NO_ERROR;
 }
                 
+static svn_error_t *
+show_cert_failures(const char *failure_string,
+                   apr_pool_t *scratch_pool)
+{
+  unsigned int failures;
+
+  SVN_ERR(svn_cstring_atoui(&failures, failure_string));
+
+  if (0 == (failures & (SVN_AUTH_SSL_NOTYETVALID | SVN_AUTH_SSL_EXPIRED |
+                        SVN_AUTH_SSL_CNMISMATCH | SVN_AUTH_SSL_UNKNOWNCA |
+                        SVN_AUTH_SSL_OTHER)))
+    return SVN_NO_ERROR;
+
+  SVN_ERR(svn_cmdline_printf(
+            scratch_pool, _("Automatic certificate validity check failed "
+                            "because:\n")));
+
+  if (failures & SVN_AUTH_SSL_NOTYETVALID)
+    SVN_ERR(svn_cmdline_printf(
+              scratch_pool, _("  The certificate is not yet valid.\n")));
+
+  if (failures & SVN_AUTH_SSL_EXPIRED)
+    SVN_ERR(svn_cmdline_printf(
+              scratch_pool, _("  The certificate has expired.\n")));
+
+  if (failures & SVN_AUTH_SSL_CNMISMATCH)
+    SVN_ERR(svn_cmdline_printf(
+              scratch_pool, _("  The certificate's Common Name (hostname) "
+                              "does not match the remote hostname.\n")));
+
+  if (failures & SVN_AUTH_SSL_UNKNOWNCA)
+    SVN_ERR(svn_cmdline_printf(
+              scratch_pool, _("  The certificate issuer is unknown.\n")));
+
+  if (failures & SVN_AUTH_SSL_OTHER)
+    SVN_ERR(svn_cmdline_printf(
+              scratch_pool, _("  Unknown verification failure.\n")));
+
+  return SVN_NO_ERROR;
+}
+
 /* This implements `svn_config_auth_walk_func_t` */
 static svn_error_t *
 list_credentials(svn_boolean_t *delete_cred,
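Review bot: `SVN_ERR(svn_cstring_atoui(&failures, failure_string))` in show_cert_failures turns a malformed `failures` value in a single cached server-cert file into a hard error for the entire credential walk, because list_credentials propagates it with `SVN_ERR` and nothing after that file gets listed. The value is read from an on-disk cache file that may have been hand-edited or written by a different client, so a listing tool should degrade gracefully: clear the parse error and print the raw key/value in the same `"%s: %s\n"` form the generic branch of list_credentials uses. The early `return SVN_NO_ERROR` when none of the known flag bits are set has the same effect of silently hiding a key that is present; replacing it with `return svn_cmdline_printf(scratch_pool, "%s: %s\n", AUTHN_FAILURES_KEY, failure_string);` keeps the listing faithful to what is stored. show_cert_failures is complete within the hunk; the trailing context line is the signature of list_credentials, whose body continues outside it.
```c
static svn_error_t *
show_cert_failures(const char *failure_string,
                   apr_pool_t *scratch_pool)
{
  unsigned int failures;
  svn_error_t *err = svn_cstring_atoui(&failures, failure_string);

  /* A value we cannot parse must not abort the whole listing; fall back
   * to showing the raw key/value so the user still sees what is stored. */
  if (err)
    {
      svn_error_clear(err);
      return svn_cmdline_printf(scratch_pool, "%s: %s\n",
                                AUTHN_FAILURES_KEY, failure_string);
    }

  /* … unchanged: known-bits mask check and per-flag messages … */
```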
@@ -421,6 +463,8 @@ list_credentials(svn_boolean_t *delete_c
         continue; /* realm string was already shown above */
       else if (strcmp(key, AUTHN_ASCII_CERT_KEY) == 0)
         SVN_ERR(show_ascii_cert(value->data, iterpool));
+      else if (strcmp(key, AUTHN_FAILURES_KEY) == 0)
+        SVN_ERR(show_cert_failures(value->data, iterpool));
       else
         SVN_ERR(svn_cmdline_printf(iterpool, "%s: %s\n", key, value->data));
     }