From 5d273cdefa956dbb41a42b2b3ce43129dc86ab6e Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Jun 20 2015 14:56:48 +0000
Subject: Log more about what's going on in SCEP

When the scep helper decides whether to use a rekeying message or to use a fresh enrollment message, log that. Also, log which keys the SCEP message generation module uses when signing messages.
---
diff --git a/src/scep.c b/src/scep.c
index 5edfc44..c16c478 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -532,6 +532,13 @@ main(int argc, const char **argv)
 if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
 printf(_("Error reading request, expected PKCS7 data.\n"));
 return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ } else
+ if (verbose > 0) {
+ if (tmp2 == rekey_message) {
+ fprintf(stderr, "Using rekeying message.\n");
+ } else {
+ fprintf(stderr, "Using non-rekeying message.\n");
+ }
 }
 tmp1 = cm_submit_u_base64_from_text(tmp2);
 tmp2 = cm_submit_u_url_encode(tmp1);
@@ -550,6 +557,13 @@ main(int argc, const char **argv)
 if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
 printf(_("Error reading request, expected PKCS7 data.\n"));
 return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ } else
+ if (verbose > 0) {
+ if (tmp2 == rekey_message) {
+ fprintf(stderr, "Using rekeying message.\n");
+ } else {
+ fprintf(stderr, "Using non-rekeying message.\n");
+ }
 }
 tmp1 = cm_submit_u_base64_from_text(tmp2);
 tmp2 = cm_submit_u_url_encode(tmp1);
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
index f37761b..4a4dc4c 100644
--- a/src/scepgen-n.c
+++ b/src/scepgen-n.c
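Review bot: In src/scep.c (hunk at -532), the added `} else` followed by `if (verbose > 0) {` on its own line looks like an independent statement but is really the else-branch of the error check; since that branch already ends in `return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;`, the `else` is redundant and the lines can simply be `}` followed by `if (verbose > 0) {`. The identical block is added again in the hunk at -550, and both sites print the same two strings, so a verbose trace cannot show which of the two request paths picked the rekeying message; naming the path in each string would make the log more useful when checking which key was used for a submission. The `tmp2 == rekey_message` test is a pointer comparison and is only meaningful if `tmp2` was assigned directly from `rekey_message` earlier in main(), which lies outside both hunks.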
@@ -245,22 +245,22 @@ retry_gen:
 /* Re-sign using the proper keys. */
 if (csr_old != NULL) {
- cm_log(1, "Re-signing PKCSREQ message with proper key.\n");
+ cm_log(1, "Re-signing PKCSREQ message with old key.\n");
 cm_scepgen_n_resign(csr_old, keys->privkey);
 }
 if (ias_old != NULL) {
- cm_log(1, "Re-signing GetCertInitial message with proper key.\n");
+ cm_log(1, "Re-signing GetCertInitial message with old key.\n");
 cm_scepgen_n_resign(ias_old, keys->privkey);
 }
 if (keys->privkey_next != NULL) {
 if (csr_new != NULL) {
 cm_log(1, "Re-signing PKCSREQ rekeying message with "
- "proper key.\n");
+ "new key.\n");
 cm_scepgen_n_resign(csr_new, keys->privkey_next);
 }
 if (ias_new != NULL) {
 cm_log(1, "Re-signing GetCertInitial rekeying message "
- "with proper key.\n");
+ "with new key.\n");
 cm_scepgen_n_resign(ias_new, keys->privkey_next);
 }
 }
diff --git a/src/scepgen-o.c b/src/scepgen-o.c
index 74d73b7..d11e3de 100644
--- a/src/scepgen-o.c
+++ b/src/scepgen-o.c
@@ -528,6 +528,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
 NULL, NULL, nonce, nonce_length, NULL, 0);
+ cm_log(1, "Signing using previously-issued key and cert.\n");
 X509_PUBKEY_set(&old_cert->cert_info->key, pubkey);
 X509_free(old_cert);
 } else {
@@ -553,6 +554,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
 NULL, NULL, nonce, nonce_length, NULL, 0);
+ cm_log(1, "Signing using old key.\n");
 X509_PUBKEY_set(&new_cert->cert_info->key, pubkey);
 } else {
 /* No cert, and the minicert matches the new key. */
@@ -581,6 +583,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
 NULL, NULL, nonce, nonce_length, NULL, 0);
+ cm_log(1, "Signing using new key.\n");
 X509_PUBKEY_set(&new_cert->cert_info->key, pubkey);
 } else {
 *csr_new = NULL;
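Review bot: In src/scepgen-n.c, the new `with old key` wording is logged for `keys->privkey` unconditionally, including when `keys->privkey_next` is NULL and (presumably) no rekey is pending, where "old" implies a replacement key that does not exist. A neutral term reads correctly in both situations, e.g. `cm_log(1, "Re-signing PKCSREQ message with current key.\n");` and the same for the GetCertInitial line. The enclosing function begins and ends outside the hunk.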
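Review bot: In src/scepgen-o.c (hunk at -528), the added `cm_log(1, "Signing using previously-issued key and cert.\n");` sits after the closing `NULL, 0);` of the preceding call, so if that call is the one that signs (its name is above the hunk), the line is written only after the fact and never appears when the call fails hard; placing the log line ahead of the call would match its wording. The same placement applies to `"Signing using old key.\n"` at -553 and `"Signing using new key.\n"` at -581. Unlike the src/scepgen-n.c messages in this commit, none of the three strings names the message being signed, and "previously-issued key and cert" versus "old key" leaves the reader to infer how the first two cases differ; a form such as `"Signing <message type> using old key.\n"` (placeholder to be filled per branch) would make the trace self-explanatory.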