wolfSSL · JacobBarthelmeh · Jul 19, 2024 · Jul 18, 2024
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLInternalVerifyCb.java b/src/java/com/wolfssl/provider/jsse/WolfSSLInternalVerifyCb.java
@@ -119,7 +119,8 @@ else if (this.callingEngine != null) {
             }
         } catch (CertificateException e) {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-                "X509ExtendedTrustManager hostname verification failed");
+                "X509ExtendedTrustManager hostname verification failed: " +
+                e.getMessage());
             return 0;
         }
 
@@ -139,6 +140,17 @@ else if (this.callingEngine != null) {
     private boolean VerifyCertChainWithTrustManager(X509Certificate[] certs,
         String authType) {
 
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            "Verifying peer with X509TrustManager: " + this.tm);
+        if (this.tm instanceof X509ExtendedTrustManager) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                "X509TrustManager of type X509ExtendedTrustManager");
+        }
+        else {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                "X509TrustManager of type X509TrustManager");
+        }
+
         try {
             /* Call TrustManager to do cert verification, should throw
              * CertificateException if verification fails */
@@ -211,7 +223,8 @@ else if (this.callingEngine != null) {
         } catch (Exception e) {
             /* TrustManager rejected certificate, not valid */
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-                "TrustManager rejected certificates, verification failed");
+                "TrustManager rejected certificates, verification failed: " +
+                e.getMessage());
             return false;
         }
 
@@ -264,7 +277,8 @@ public int verifyCallback(int preverify_ok, long x509StorePtr) {
         } catch (WolfSSLException e) {
             /* failed to get certs from native, give app null array */
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-                "Failed to get certs from x509StorePtr, certs = null");
+                "Failed to get certs from x509StorePtr, certs = null: " +
+                e.getMessage());
             certs = null;
         }
 
@@ -282,7 +296,7 @@ public int verifyCallback(int preverify_ok, long x509StorePtr) {
                 /* failed to get cert array, give app empty array */
                 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                     "Failed to get X509Certificate[] array, set to " +
-                    "empty array");
+                    "empty array: " + ce.getMessage());
                 x509certs = new X509Certificate[0];
             }
 

diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLTrustX509.java b/src/java/com/wolfssl/provider/jsse/WolfSSLTrustX509.java
@@ -421,6 +421,10 @@ private List<X509Certificate> certManagerVerify(
                 fullChain.add(rootCA);
             }
         }
+        else {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                "Not returning cert chain from verify, not requested");
+        }
 
         return fullChain;
     }
@@ -695,6 +699,9 @@ public void checkClientTrusted(X509Certificate[] certs, String type)
 
         /* Verify cert chain, throw CertificateException if not valid */
         certManagerVerify(certs, type, false);
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            "leaving checkClientTrusted(), success");
     }
 
     /**
@@ -733,6 +740,9 @@ public void checkClientTrusted(X509Certificate[] certs, String type,
 
         /* Verify hostname if right criteria matches */
         verifyHostname(certs[0], socket, null, false);
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            "leaving checkClientTrusted(Socket), success");
     }
 
     @Override
@@ -755,6 +765,9 @@ public void checkClientTrusted(X509Certificate[] certs, String type,
 
         /* Verify hostname if right criteria matches */
         verifyHostname(certs[0], null, engine, false);
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            "leaving checkClientTrusted(SSLEngine), success");
     }
 
     /**
@@ -787,6 +800,9 @@ public void checkServerTrusted(X509Certificate[] certs, String type)
 
         /* Verify cert chain, throw CertificateException if not valid */
         certManagerVerify(certs, type, false);
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            "leaving checkServerTrusted(certs, type), success");
     }
 
     @Override
@@ -809,6 +825,9 @@ public void checkServerTrusted(X509Certificate[] certs, String type,
 
         /* Verify hostname if right criteria matches */
         verifyHostname(certs[0], socket, null, true);
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            "leaving checkServerTrusted(certs, type, Socket), success");
     }
 
     @Override
@@ -831,6 +850,9 @@ public void checkServerTrusted(X509Certificate[] certs, String type,
 
         /* Verify hostname if right criteria matches */
         verifyHostname(certs[0], null, engine, true);
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            "leaving checkServerTrusted(certs, type, SSLEngine), success");
     }
 
     /**
@@ -851,10 +873,17 @@ public void checkServerTrusted(X509Certificate[] certs, String type,
     public List<X509Certificate> checkServerTrusted(X509Certificate[] certs,
         String type, String host) throws CertificateException {
 
+        List<X509Certificate> certList = null;
+
         WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-            "entered checkServerTrusted()");
+            "entered checkServerTrusted(cert, type, host)");
+
+        certList = certManagerVerify(certs, type, true);
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            "leaving checkServerTrusted(certs, type, host), success");
 
-        return certManagerVerify(certs, type, true);
+        return certList;
     }
 
     /**