CDRIVER-3408 add to TLS errors on secure transport

kevinAlbs · kevinAlbs · commit 542a330aef5d · 2020-03-17T12:35:13.000-04:00
diff --git a/src/libmongoc/src/mongoc/mongoc-stream-tls-secure-transport.c b/src/libmongoc/src/mongoc/mongoc-stream-tls-secure-transport.c
@@ -438,6 +438,82 @@ _set_error_from_osstatus (OSStatus status,
    CFRelease (err);
 }
 
+/* Always returns a string that must be freed. */
+static char *
+explain_trust_result (SecTrustRef trust, SecTrustResultType trust_result)
+{
+   bson_string_t *reason;
+   CFArrayRef cfprops = NULL;
+   CFIndex count, i;
+
+   reason = bson_string_new ("");
+   switch (trust_result) {
+   case kSecTrustResultDeny:
+      bson_string_append (reason, "Certificate trust denied");
+      break;
+   case kSecTrustResultRecoverableTrustFailure:
+      bson_string_append (reason, "Certificate trust failure");
+      break;
+   case kSecTrustResultFatalTrustFailure:
+      bson_string_append (reason, "Certificate trust fatal failure");
+      break;
+   case kSecTrustResultInvalid:
+      bson_string_append (reason, "Certificate trust evaluation failure");
+      break;
+   default:
+      bson_string_append_printf (
+         reason, "Certificate trust failure #%d", (int) trust_result);
+      break;
+   }
+   bson_string_append (reason, ": ");
+
+   cfprops = SecTrustCopyProperties (trust);
+   /* This contains an array of dictionaries, each representing a cert in the
+    * chain. Append the first failure reason found. */
+   if (!cfprops) {
+      bson_string_append (reason, "Unable to retreive cause for trust failure");
+      goto done;
+   }
+
+   count = CFArrayGetCount (cfprops);
+   for (i = 0; i < count; ++i) {
+      const void *elem = NULL;
+      const void *reason_elem = NULL;
+      char *reason_str;
+      CFDictionaryRef dict;
+
+      elem = CFArrayGetValueAtIndex (cfprops, i);
+      if (CFGetTypeID (elem) != CFDictionaryGetTypeID ()) {
+         bson_string_append (reason, "Unable to parse cause for trust failure");
+         goto done;
+      }
+
+      dict = (CFDictionaryRef) elem;
+      reason_elem = CFDictionaryGetValue (dict, kSecPropertyTypeError);
+      if (!reason_elem) {
+         continue;
+      }
+      if (CFGetTypeID (reason_elem) != CFStringGetTypeID ()) {
+         bson_string_append (reason, "Unable to parse trust failure error");
+         goto done;
+      }
+      reason_str = _mongoc_cfstringref_to_cstring (reason_elem);
+      if (reason_str) {
+         bson_string_append (reason, reason_str);
+         bson_free (reason_str);
+         goto done;
+      } else {
+         bson_string_append (reason, "Unable to express trust failure error");
+         goto done;
+      }
+   }
+
+   bson_string_append (reason, "No trust failure reason available");
+done:
+   CFReleaseSafe (cfprops);
+   return bson_string_free (reason, false);
+}
+
 /* Returns a boolean indicating success. If false is returned, then an error is
  * set.
  */
@@ -499,11 +575,13 @@ _verify_peer (mongoc_stream_t *stream, bson_error_t *error)
 
    if (trust_result != kSecTrustResultProceed &&
        trust_result != kSecTrustResultUnspecified) {
+      char *reason = explain_trust_result (trust, trust_result);
       bson_set_error (error,
                       MONGOC_ERROR_STREAM,
                       MONGOC_ERROR_STREAM_SOCKET,
-                      "TLS handshake failed (%d)",
-                      trust_result);
+                      "TLS handshake failed (%s)",
+                      reason);
+      bson_free (reason);
       goto fail;
    }
 
