From: Dan Fuhry Date: Sat, 22 Mar 2025 01:28:13 +0000 (-0400) Subject: mtls: add more logging to pkcs11 and tpm2 code X-Git-Url: https://go.fuhry.dev/?a=commitdiff_plain;h=689fbfffd22381470f1ed80006fb2d1ac53b798a;p=runtime.git mtls: add more logging to pkcs11 and tpm2 code --- diff --git a/mtls/pkcs11.go b/mtls/pkcs11.go index 4a8a047..1e40ab4 100644 --- a/mtls/pkcs11.go +++ b/mtls/pkcs11.go @@ -12,12 +12,15 @@ import ( "github.com/ThalesIgnite/crypto11" "go.fuhry.dev/runtime/constants" + "go.fuhry.dev/runtime/utils/log" ) const ( deviceTrustObjectLabel = "Device Identity" ) +var pkcs11Logger = log.WithPrefix("mtls.provider_tpm2_pkcs11") + var pkcs11ModulePaths = []string{ "/usr/lib/pkcs11/libtpm2_pkcs11.so", "/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so", @@ -48,14 +51,18 @@ func getGlobalP11() (*p11, error) { func NewP11() (*p11, error) { for _, p := range pkcs11ModulePaths { + pkcs11Logger.V(1).Debugf("trying to load pkcs11 module from path: %s", p) if _, err := os.Stat(p); err == nil { + pkcs11Logger.V(1).Infof("found pkcs11 module at path: %s", p) crypto11Config.Path = p + break } } if crypto11Config.Path == "" { return nil, fmt.Errorf("unable to stat tpm2 pkcs11 module at any known path: %v", pkcs11ModulePaths) } + pkcs11Logger.V(1).Infof("configuring crypt11 with TokenLabel=%s", constants.DeviceTrustTokenName) ctx, err := crypto11.Configure(crypto11Config) if err != nil { return nil, err @@ -73,13 +80,16 @@ func (p *p11) Close() { } func (p *p11) GetCertificate() (*tls.Certificate, error) { + pkcs11Logger.V(1).Infof("trying to find device trust certificate with object label %s", deviceTrustObjectLabel) cert, err := p.cHandle.FindCertificate(nil, []byte(deviceTrustObjectLabel), nil) if err != nil { + pkcs11Logger.V(1).Errorf("find devicetrust certificate filed: %v", err) return nil, err } privateKey, err := p.GetPrivateKey() if err != nil { + pkcs11Logger.V(1).Errorf("find devicetrust private key filed: %v", err) return nil, err } 
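Review bot: The new `pkcs11Logger` in mtls/pkcs11.go is created with the prefix `"mtls.provider_tpm2_pkcs11"`, which is the sibling file's name and the exact prefix that `tpmLogger` gets in mtls/provider_tpm2_pkcs11.go, so log lines from the two files cannot be told apart and the module-path and object-label messages added here will appear to come from the provider. Give this file its own prefix, e.g. `var pkcs11Logger = log.WithPrefix("mtls.pkcs11")`. A one-line comment such as `// pkcs11Logger tags log output from the PKCS#11 (tpm2-pkcs11) device-identity code.` would also document the new package-level variable.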
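Review bot: The `break` added after `crypto11Config.Path = p` in NewP11 changes which module is loaded when more than one candidate exists — before, the last entry of `pkcs11ModulePaths` that passed `os.Stat` won; now the first one does — and that is a behaviour change the commit message ("add more logging") does not mention. Since this decides which shared object crypto11 will load, it is worth a comment on the slice, e.g. `// Probed in order; the first path that exists is the module that gets loaded.`, and a line in the commit message. Separately, the new message `"configuring crypt11 with TokenLabel=%s"` misspells crypto11. NewP11's body continues past the end of the hunk.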
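Review bot: The two `pkcs11Logger.V(1).Errorf(...)` calls added in GetCertificate log an error and then return the same error, so the caller will report it a second time; worse, if `V(1)` gates on verbosity the way glog-style loggers do, the failure to find the device-identity certificate or key — the one condition an operator most needs to see — is silent at the default level. Prefer dropping the log calls and returning the error with context, e.g. `return nil, fmt.Errorf("finding device trust certificate %q: %w", deviceTrustObjectLabel, err)` and `return nil, fmt.Errorf("loading device trust private key: %w", err)`, or log them at the unconditional error level. Both new messages also misspell "failed" as "filed". GetCertificate's body continues past the end of the hunk.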
diff --git a/mtls/provider_tpm2_pkcs11.go b/mtls/provider_tpm2_pkcs11.go index edc2b90..67d0636 100644 --- a/mtls/provider_tpm2_pkcs11.go +++ b/mtls/provider_tpm2_pkcs11.go @@ -12,8 +12,11 @@ import ( "path" "go.fuhry.dev/runtime/mtls/certutil" + "go.fuhry.dev/runtime/utils/log" ) +var tpmLogger = log.WithPrefix("mtls.provider_tpm2_pkcs11") + type TPMBackedCertificate struct { certificatePrimitive