From 6976e9cf4438343f8ed166e8deee990cf494510c Mon Sep 17 00:00:00 2001
From: Ying Li
Date: Mon, 12 Sep 2016 13:56:50 -0700
Subject: [PATCH] Update cert pinning code with a little more debugging
Signed-off-by: Ying Li
---
 trustpinning/certs.go | 1 +
 trustpinning/certs_test.go | 7 ++-----
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/trustpinning/certs.go b/trustpinning/certs.go
index 94ead8810..40041203e 100644
--- a/trustpinning/certs.go
+++ b/trustpinning/certs.go
@@ -186,6 +186,7 @@ func validRootLeafCerts(allLeafCerts map[string]*x509.Certificate, gun string, c
 // Make sure the certificate is not expired if checkExpiry is true
 // and warn if it hasn't expired yet but is within 6 months of expiry
 if err := utils.ValidateCertificate(cert, checkExpiry); err != nil {
+ logrus.Debugf("%s is invalid: %s", id, err.Error())
 continue
 }
diff --git a/trustpinning/certs_test.go b/trustpinning/certs_test.go
index 4bea4c002..4e22f5a81 100644
--- a/trustpinning/certs_test.go
+++ b/trustpinning/certs_test.go
@@ -451,13 +451,10 @@ func TestValidateRootWithPinnedCA(t *testing.T) {
 require.Error(t, err)
 // Now construct a new root with a valid cert chain, such that signatures are correct over the 'notary-signer' GUN. Pin the root-ca and validate
- leafCert, err := utils.LoadCertFromFile("../fixtures/notary-signer.crt")
+ certChain, err := utils.LoadCertBundleFromFile("../fixtures/notary-signer.crt")
 require.NoError(t, err)
- intermediateCert, err := utils.LoadCertFromFile("../fixtures/intermediate-ca.crt")
- require.NoError(t, err)
-
- pemChainBytes, err := utils.CertChainToPEM([]*x509.Certificate{leafCert, intermediateCert})
+ pemChainBytes, err := utils.CertChainToPEM(certChain)
 require.NoError(t, err)
 newRootKey := data.NewPublicKey(data.RSAx509Key, pemChainBytes)
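Review bot: The added `logrus.Debugf` line in `validRootLeafCerts` is the only trace left when a root leaf certificate is rejected, but it does not name the GUN being validated, so a log that covers several repositories cannot tie the rejection to one of them. `gun` is a parameter in the visible signature, so the line could read `logrus.Debugf("%s is invalid for %s: %s", id, gun, err)`; passing `err` directly also drops the redundant `.Error()` call. The loop that declares `id` and `cert` starts outside the hunk, so I am assuming `id` is the key of `allLeafCerts`.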
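Review bot: After the switch to `utils.LoadCertBundleFromFile` in `TestValidateRootWithPinnedCA`, nothing asserts that `../fixtures/notary-signer.crt` really holds the leaf followed by the intermediate, whereas the old code built that two-certificate chain explicitly. If the fixture is ever regenerated with only the leaf, the pinned-CA case would fail, or pass, for a reason unrelated to pinning. Adding `require.Len(t, certChain, 2)` right after the `require.NoError(t, err)` that follows the load would pin that assumption. The test function starts and ends outside the hunk.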