Include attestation object in cert path validation failure logs

emlun · emlun · commit 9de5b723f746 · 2022-09-01T19:48:49.000+02:00
diff --git a/NEWS b/NEWS
@@ -1,5 +1,10 @@
 == Version 2.1.0 (unreleased) ==
 
+Changes:
+
+* Log messages on attestation certificate path validation failure now include
+  the attestation object.
+
 Fixes:
 
 * Fixed various typos and mistakes in JavaDocs.
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java
@@ -543,14 +543,18 @@ public boolean attestationTrusted() {
 
         } catch (CertPathValidatorException e) {
           log.info(
-              "Failed to derive trust in attestation statement: {} at cert index {}: {}",
+              "Failed to derive trust in attestation statement: {} at cert index {}: {}. Attestation object: {}",
+              response.getResponse().getAttestationObject(),
               e.getReason(),
               e.getIndex(),
               e.getMessage());
           return false;
 
         } catch (CertificateException e) {
-          log.warn("Failed to build attestation certificate path.", e);
+          log.warn(
+              "Failed to build attestation certificate path. Attestation object: {}",
+              response.getResponse().getAttestationObject(),
+              e);
           return false;
 
         } catch (NoSuchAlgorithmException e) {
