Skip to content

Commit

Permalink
Address CodeQL warnings
Browse files Browse the repository at this point in the history
  • Loading branch information
AlCutter committed Nov 14, 2022
1 parent 6208136 commit ef86be0
Show file tree
Hide file tree
Showing 5 changed files with 12 additions and 7 deletions.
1 change: 1 addition & 0 deletions ctutil/sctcheck/sctcheck.go
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,7 @@ func getAndCheckSiteChain(ctx context.Context, lf logInfoFactory, target string,

klog.Infof("Retrieve certificate chain from TLS connection to %q", host)
dialer := net.Dialer{Timeout: hc.Timeout}
// Insecure TLS connection here so we can always proceed.
conn, err := tls.DialWithDialer(&dialer, "tcp", host, &tls.Config{InsecureSkipVerify: true})
if err != nil {
return nil, 0, 0, fmt.Errorf("failed to dial %q: %v", host, err)
Expand Down
4 changes: 2 additions & 2 deletions tls/signature.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ func VerifySignature(pubKey crypto.PublicKey, data []byte, sig DigitallySigned)
return fmt.Errorf("failed to unmarshal DSA signature: %v", err)
}
if len(rest) != 0 {
log.Printf("Garbage following signature %v", rest)
log.Printf("Garbage following signature %q", rest)
}
if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 {
return errors.New("DSA signature contained zero or negative values")
Expand All @@ -108,7 +108,7 @@ func VerifySignature(pubKey crypto.PublicKey, data []byte, sig DigitallySigned)
return fmt.Errorf("failed to unmarshal ECDSA signature: %v", err)
}
if len(rest) != 0 {
log.Printf("Garbage following signature %v", rest)
log.Printf("Garbage following signature %q", rest)
}
if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
return errors.New("ECDSA signature contained zero or negative values")
Expand Down
6 changes: 3 additions & 3 deletions trillian/ctfe/handlers.go
Original file line number Diff line number Diff line change
Expand Up @@ -389,7 +389,7 @@ func ParseBodyAsJSONChain(r *http.Request) (ct.AddChainRequest, error) {

// The cert chain is not allowed to be empty. We'll defer other validation for later
if len(req.Chain) == 0 {
klog.V(1).Infof("Request chain is empty: %s", body)
klog.V(1).Infof("Request chain is empty: %q", body)
return ct.AddChainRequest{}, errors.New("cert chain was empty")
}

Expand Down Expand Up @@ -891,9 +891,9 @@ func verifyAddChain(li *logInfo, req ct.AddChainRequest, expectingPrecert bool)
// The type of the leaf must match the one the handler expects
if isPrecert != expectingPrecert {
if expectingPrecert {
klog.Warningf("%s: Cert (or precert with invalid CT ext) submitted as precert chain: %x", li.LogPrefix, req.Chain)
klog.Warningf("%s: Cert (or precert with invalid CT ext) submitted as precert chain: %q", li.LogPrefix, req.Chain)
} else {
klog.Warningf("%s: Precert (or cert with invalid CT ext) submitted as cert chain: %x", li.LogPrefix, req.Chain)
klog.Warningf("%s: Precert (or cert with invalid CT ext) submitted as cert chain: %q", li.LogPrefix, req.Chain)
}
return nil, fmt.Errorf("cert / precert mismatch: %T", expectingPrecert)
}
Expand Down
7 changes: 5 additions & 2 deletions trillian/ctfe/requestlog.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ package ctfe

import (
"context"
"encoding/hex"
"time"

"github.com/google/certificate-transparency-go/x509"
Expand Down Expand Up @@ -92,7 +93,8 @@ func (dlr *DefaultRequestLog) LogPrefix(_ context.Context, p string) {

// AddDERToChain logs the raw bytes of a submitted certificate.
func (dlr *DefaultRequestLog) AddDERToChain(_ context.Context, d []byte) {
klog.V(vLevel).Infof("RL: Cert DER: %x", d)
// Explicit hex encoding below to satisfy CodeQL:
klog.V(vLevel).Infof("RL: Cert DER: %s", hex.EncodeToString(d))
}

// AddCertToChain logs some issuer / subject / timing fields from a
Expand Down Expand Up @@ -127,7 +129,8 @@ func (dlr *DefaultRequestLog) TreeSize(_ context.Context, ts int64) {

// LeafHash logs request parameters.
func (dlr *DefaultRequestLog) LeafHash(_ context.Context, lh []byte) {
klog.V(vLevel).Infof("RL: LeafHash: %x", lh)
// Explicit hex encoding below to satisfy CodeQL:
klog.V(vLevel).Infof("RL: LeafHash: %s", hex.EncodeToString(lh))
}

// IssueSCT logs an SCT that will be issued to a client.
Expand Down
1 change: 1 addition & 0 deletions x509util/certcheck/certcheck.go
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,7 @@ func chainFromSite(target string) ([]*x509.Certificate, error) {
host += ":443"
}

// Insecure TLS connection here so we can always proceed.
conn, err := tls.Dial("tcp", host, &tls.Config{InsecureSkipVerify: true})
if err != nil {
return nil, fmt.Errorf("%s: failed to dial %q: %v", target, host, err)
Expand Down

0 comments on commit ef86be0

Please sign in to comment.