Posted to commits@subversion.apache.org by st...@apache.org on 2013/07/10 22:40:55 UTC
svn commit: r1501976 - /subversion/trunk/subversion/svnauth/svnauth.c
Author: stsp
Date: Wed Jul 10 20:40:54 2013
New Revision: 1501976
URL: http://svn.apache.org/r1501976
Log:
Make svnauth show certificate verification failures in human-readable form.
Since the certificates are already cached, they've been permanently
accepted. The information displayed shows why the certificate could
not be verified automatically.
* subversion/svnauth/svnauth.c
(AUTHN_FAILURES_KEY): New macro, copied from ssl_server_trust_providers.c.
(show_cert_failures): New helper function.
(list_credentials): Use new helper function to display cert failures.
Modified:
subversion/trunk/subversion/svnauth/svnauth.c
Modified: subversion/trunk/subversion/svnauth/svnauth.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/svnauth/svnauth.c?rev=1501976&r1=1501975&r2=1501976&view=diff
==============================================================================
--- subversion/trunk/subversion/svnauth/svnauth.c (original)
+++ subversion/trunk/subversion/svnauth/svnauth.c Wed Jul 10 20:40:54 2013
@@ -300,6 +300,7 @@ split_ascii_cert(const char *ascii_cert,
/* ### from libsvn_subr/ssl_server_trust_providers.c */
#define AUTHN_ASCII_CERT_KEY "ascii_cert"
+#define AUTHN_FAILURES_KEY "failures"
/* Display the base64-encoded DER certificate ASCII_CERT. */
static svn_error_t *
@@ -380,6 +381,47 @@ show_ascii_cert(const char *ascii_cert,
return SVN_NO_ERROR;
}
+static svn_error_t *
+show_cert_failures(const char *failure_string,
+ apr_pool_t *scratch_pool)
+{
+ unsigned int failures;
+
+ SVN_ERR(svn_cstring_atoui(&failures, failure_string));
+
+ if (0 == (failures & (SVN_AUTH_SSL_NOTYETVALID | SVN_AUTH_SSL_EXPIRED |
+ SVN_AUTH_SSL_CNMISMATCH | SVN_AUTH_SSL_UNKNOWNCA |
+ SVN_AUTH_SSL_OTHER)))
+ return SVN_NO_ERROR;
+
+ SVN_ERR(svn_cmdline_printf(
+ scratch_pool, _("Automatic certificate validity check failed "
+ "because:\n")));
+
+ if (failures & SVN_AUTH_SSL_NOTYETVALID)
+ SVN_ERR(svn_cmdline_printf(
+ scratch_pool, _(" The certificate is not yet valid.\n")));
+
+ if (failures & SVN_AUTH_SSL_EXPIRED)
+ SVN_ERR(svn_cmdline_printf(
+ scratch_pool, _(" The certificate has expired.\n")));
+
+ if (failures & SVN_AUTH_SSL_CNMISMATCH)
+ SVN_ERR(svn_cmdline_printf(
+ scratch_pool, _(" The certificate's Common Name (hostname) "
+ "does not match the remote hostname.\n")));
+
+ if (failures & SVN_AUTH_SSL_UNKNOWNCA)
+ SVN_ERR(svn_cmdline_printf(
+ scratch_pool, _(" The certificate issuer is unknown.\n")));
+
+ if (failures & SVN_AUTH_SSL_OTHER)
+ SVN_ERR(svn_cmdline_printf(
+ scratch_pool, _(" Unknown verification failure.\n")));
+
+ return SVN_NO_ERROR;
+}
+
/* This implements `svn_config_auth_walk_func_t` */
static svn_error_t *
list_credentials(svn_boolean_t *delete_cred,
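Review bot: Bits in `failures` outside the five named flags produce no output at all, because the early return in show_cert_failures fires whenever none of the known flags is set. The last hunk stops list_credentials printing the raw `failures` value, so a cached certificate that was accepted despite a flag this tool does not recognise would be listed as if verification had raised nothing. The early return could be `if (failures == 0)` and the final test `if (failures & ~(SVN_AUTH_SSL_NOTYETVALID | SVN_AUTH_SSL_EXPIRED | SVN_AUTH_SSL_CNMISMATCH | SVN_AUTH_SSL_UNKNOWNCA))`, so any unnamed bit still yields the "Unknown verification failure" line. The function also lacks the header comment its neighbour show_ascii_cert has; `/* Print the SSL verification failures encoded in FAILURE_STRING as an unsigned integer bitmask. */` would do.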
@@ -421,6 +463,8 @@ list_credentials(svn_boolean_t *delete_c
continue; /* realm string was already shown above */
else if (strcmp(key, AUTHN_ASCII_CERT_KEY) == 0)
SVN_ERR(show_ascii_cert(value->data, iterpool));
+ else if (strcmp(key, AUTHN_FAILURES_KEY) == 0)
+ SVN_ERR(show_cert_failures(value->data, iterpool));
else
SVN_ERR(svn_cmdline_printf(iterpool, "%s: %s\n", key, value->data));
}
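Review bot: The new `else if` branch wraps show_cert_failures in SVN_ERR, so a `failures` value that svn_cstring_atoui cannot parse would presumably end the credential listing with an error, where the generic branch used to print it raw. The cache file is on-disk data that may be hand-edited or damaged, and for an entry that records a permanently accepted certificate it is more useful to show the odd value than to hide the entry. Falling back to the raw `key: value` line, as sketched below, keeps the entry visible; the body of list_credentials starts and ends outside this hunk.

```c
      else if (strcmp(key, AUTHN_FAILURES_KEY) == 0)
        {
          svn_error_t *err = show_cert_failures(value->data, iterpool);

          if (err)
            {
              /* Value could not be displayed in decoded form: show it
                 raw rather than aborting the whole listing. */
              svn_error_clear(err);
              SVN_ERR(svn_cmdline_printf(iterpool, "%s: %s\n",
                                         key, value->data));
            }
        }
      /* … unchanged: generic else branch … */
```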