From c06a36c92b4dd153529b4f997b678ae63d871547 Mon Sep 17 00:00:00 2001
From: Jozef Kralik
Date: Thu, 17 Aug 2023 06:53:00 +0000
Subject: [PATCH] print proper logs messages
---
 security/oc_certs.c | 6 ++++--
 security/oc_tls.c | 49 +++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/security/oc_certs.c b/security/oc_certs.c
index 6d99e5b33d..a575c341e0 100644
--- a/security/oc_certs.c
+++ b/security/oc_certs.c
@@ -396,10 +396,12 @@ oc_certs_parse_CN_buffer_for_UUID(mbedtls_asn1_buf val, char *buffer,
 if (uuid_prefix_len == 0 || val.len - uuid_prefix_len < OC_UUID_LEN - 1) {
 // -1 because val is not nul-terminated
-#if OC_ERR_IS_ENABLED
+#if OC_DBG_IS_ENABLED
 oc_string_t cn;
 oc_new_string(&cn, uuid_CN, val.len);
- OC_ERR("invalid Common Name field (tag:%d val:%s)", val.tag, oc_string(cn));
+ OC_DBG("Common Name field (tag:%d val:%s) is not in format " UUID_PREFIX
+ ":",
+ val.tag, oc_string(cn));
 oc_free_string(&cn);
 #endif /* OC_ERR_IS_ENABLED */
 return false;
diff --git a/security/oc_tls.c b/security/oc_tls.c
index 3c68c3590c..f80b5e52cd 100644
--- a/security/oc_tls.c
+++ b/security/oc_tls.c
@@ -69,7 +69,14 @@
 #include
 #include
 #include
-#endif /* OC_DEBUG */
+#else /* OC_DEBUG */
+static const char *
+mbedtls_strerror(int ret, char *buf, size_t buflen)
+{
+ snprintf(buf, buflen, "MBEDTLS_ERR(%d)", ret);
+ return 0;
+}
+#endif /* !OC_DEBUG */
 #include
 #include
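Review bot: The closing `#endif /* OC_ERR_IS_ENABLED */` comment is now stale, because the guard it closes was changed to `#if OC_DBG_IS_ENABLED` a few lines above; it should read `#endif /* OC_DBG_IS_ENABLED */`. Lowering this message from OC_ERR to OC_DBG also removes the only record of why a certificate's Common Name was rejected from builds where debug output is compiled out; if that matters for troubleshooting onboarding failures, a terse OC_WRN without the CN value would keep the signal while still avoiding the noisy dump. The enclosing function oc_certs_parse_CN_buffer_for_UUID starts and ends outside the hunk.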
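Review bot: The fallback `mbedtls_strerror` in the new `#else` branch formats the message into `buf` but then executes `return 0;`, so its `const char *` result is a null pointer, and the call site in the @@ -1347 hunk hands that result directly to an `OC_WRN` `%s` conversion — undefined behaviour in every non-OC_DEBUG build that has warnings enabled; the stub should `return buf;`. Separately, if I recall correctly the library's own `mbedtls_strerror` is declared as returning `void`, in which case the OC_DEBUG build would reject using its value as a printf argument at all; a helper under the project's own prefix that always returns `buf` (or calling the function for its side effect and passing `buf`) would sidestep both the name clash and the return-type mismatch. The `#if`/`#ifdef OC_DEBUG` block this `#else` belongs to opens before the hunk, and the `#include` targets in the surrounding context are not visible in this rendering.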
@@ -1347,9 +1354,38 @@ oc_tls_configure_end_entity_cert_chain(mbedtls_ssl_config *conf, size_t device,
 }
 cert = cert->next;
 }
-
- if (!cert || mbedtls_ssl_conf_own_cert(conf, &cert->cert, &cert->pk) != 0) {
- OC_WRN("error configuring identity cert");
+ if (!cert) {
+#if OC_WRN_IS_ENABLED
+ char credid_str[16];
+ memset(credid_str, 0, sizeof(credid_str));
+ if (credid == -1) {
+ strncpy(credid_str, "any", sizeof(credid_str));
+ } else {
+ snprintf(credid_str, sizeof(credid_str), "%d", credid);
+ }
+ OC_WRN(
+ "cannot set client %s certificate(selected %s): certificate not found",
+ credusage == OC_CREDUSAGE_MFG_CERT ? "manufacturer" : "identity",
+ credid_str);
+#endif /* OC_WRN_IS_ENABLED */
+ return -1;
+ }
+ int err = mbedtls_ssl_conf_own_cert(conf, &cert->cert, &cert->pk);
+ if (err != 0) {
+#if OC_WRN_IS_ENABLED
+ char credid_str[16];
+ memset(credid_str, 0, sizeof(credid_str));
+ if (credid == -1) {
+ strncpy(credid_str, "any", sizeof(credid_str));
+ } else {
+ snprintf(credid_str, sizeof(credid_str), "%d", credid);
+ }
+ char buf[128];
+ memset(buf, 0, sizeof(buf));
+ OC_WRN("cannot set client %s certificate(selected %s): %s",
+ credusage == OC_CREDUSAGE_MFG_CERT ? "manufacturer" : "identity",
+ credid_str, mbedtls_strerror(err, buf, sizeof(buf)));
+#endif /* OC_WRN_IS_ENABLED */
 return -1;
 }
@@ -1368,6 +1404,11 @@ static int
 oc_tls_load_identity_cert_chain(mbedtls_ssl_config *conf, size_t device,
 int credid)
 {
+ if (credid < -1) {
+ // could be set when the application wants to use manufacturer certificate
+ // instead of identity certificate
+ return -1;
+ }
 OC_DBG("loading identity cert chain");
 return oc_tls_configure_end_entity_cert_chain(
 conf, device, OC_CREDUSAGE_IDENTITY_CERT, credid);
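Review bot: The seven-line `credid_str` block (declare, `memset`, `if (credid == -1)` with `strncpy`/`snprintf`) is pasted verbatim into both the `!cert` branch and the `err != 0` branch of the new code; it belongs in one small file-static helper so the "-1 means any" convention lives in a single place. Within it, the `memset` calls are redundant because `snprintf` always NUL-terminates, and `strncpy` with a literal is the idiom the project's own style notes discourage; `snprintf(buf, buflen, "%s", "any")` does the same job with termination guaranteed. The helper must sit under the same `#if OC_WRN_IS_ENABLED` guard (or be marked unused) so non-warning builds do not trip `-Wunused-function`. The enclosing function starts outside the hunk, so the helper's placement above it is inferred.

```c
// Render the credid selector for log output; -1 means "any" credential.
static const char *
oc_tls_credid_str(int credid, char *buf, size_t buflen)
{
  if (credid == -1) {
    snprintf(buf, buflen, "%s", "any");
  } else {
    snprintf(buf, buflen, "%d", credid);
  }
  return buf;
}

  // … unchanged: certificate lookup loop …
  if (!cert) {
#if OC_WRN_IS_ENABLED
    char credid_str[16];
    OC_WRN(
      "cannot set client %s certificate(selected %s): certificate not found",
      credusage == OC_CREDUSAGE_MFG_CERT ? "manufacturer" : "identity",
      oc_tls_credid_str(credid, credid_str, sizeof(credid_str)));
#endif /* OC_WRN_IS_ENABLED */
    return -1;
  }
  // … unchanged: mbedtls_ssl_conf_own_cert call and its error branch, with the same helper call …
```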
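Review bot: The new `if (credid < -1)` early exit in oc_tls_load_identity_cert_chain returns -1 with no log line, so a caller (and anyone reading the device log) cannot tell a deliberate "skip identity certificate" from a genuine load failure, which the comment says is exactly the situation this branch exists for. A one-line `OC_DBG("skipping identity cert chain (credid=%d)", credid);` before the `return -1;` would make the distinction visible, and the comment itself would read better as `// credid below -1 selects the manufacturer certificate instead of the identity certificate`. The sentinel values -1 and "< -1" now carry meaning in this hunk and in the @@ -1347 hunk above; a named constant for the manufacturer-select case would stop them from drifting apart. The function's closing brace is outside the hunk.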