Address CodeQL warnings

ctutil/sctcheck/sctcheck.go

@@ -163,6 +163,7 @@ func getAndCheckSiteChain(ctx context.Context, lf logInfoFactory, target string,
 
 	klog.Infof("Retrieve certificate chain from TLS connection to %q", host)
 	dialer := net.Dialer{Timeout: hc.Timeout}
+	// Insecure TLS connection here so we can always proceed.
 	conn, err := tls.DialWithDialer(&dialer, "tcp", host, &tls.Config{InsecureSkipVerify: true})
 	if err != nil {
 		return nil, 0, 0, fmt.Errorf("failed to dial %q: %v", host, err)

tls/signature.go

@@ -89,7 +89,7 @@ func VerifySignature(pubKey crypto.PublicKey, data []byte, sig DigitallySigned)
 			return fmt.Errorf("failed to unmarshal DSA signature: %v", err)
 		}
 		if len(rest) != 0 {
-			log.Printf("Garbage following signature %v", rest)
+			log.Printf("Garbage following signature %q", rest)
 		}
 		if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 {
 			return errors.New("DSA signature contained zero or negative values")
@@ -108,7 +108,7 @@ func VerifySignature(pubKey crypto.PublicKey, data []byte, sig DigitallySigned)
 			return fmt.Errorf("failed to unmarshal ECDSA signature: %v", err)
 		}
 		if len(rest) != 0 {
-			log.Printf("Garbage following signature %v", rest)
+			log.Printf("Garbage following signature %q", rest)
 		}
 		if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
 			return errors.New("ECDSA signature contained zero or negative values")

trillian/ctfe/handlers.go

@@ -389,7 +389,7 @@ func ParseBodyAsJSONChain(r *http.Request) (ct.AddChainRequest, error) {
 
 	// The cert chain is not allowed to be empty. We'll defer other validation for later
 	if len(req.Chain) == 0 {
-		klog.V(1).Infof("Request chain is empty: %s", body)
+		klog.V(1).Infof("Request chain is empty: %q", body)
 		return ct.AddChainRequest{}, errors.New("cert chain was empty")
 	}
 
@@ -891,9 +891,9 @@ func verifyAddChain(li *logInfo, req ct.AddChainRequest, expectingPrecert bool)
 	// The type of the leaf must match the one the handler expects
 	if isPrecert != expectingPrecert {
 		if expectingPrecert {
-			klog.Warningf("%s: Cert (or precert with invalid CT ext) submitted as precert chain: %x", li.LogPrefix, req.Chain)
+			klog.Warningf("%s: Cert (or precert with invalid CT ext) submitted as precert chain: %q", li.LogPrefix, req.Chain)
 		} else {
-			klog.Warningf("%s: Precert (or cert with invalid CT ext) submitted as cert chain: %x", li.LogPrefix, req.Chain)
+			klog.Warningf("%s: Precert (or cert with invalid CT ext) submitted as cert chain: %q", li.LogPrefix, req.Chain)
 		}
 		return nil, fmt.Errorf("cert / precert mismatch: %T", expectingPrecert)
 	}

trillian/ctfe/requestlog.go

@@ -16,6 +16,7 @@ package ctfe
 
 import (
 	"context"
+	"encoding/hex"
 	"time"
 
 	"github.com/google/certificate-transparency-go/x509"
@@ -92,7 +93,8 @@ func (dlr *DefaultRequestLog) LogPrefix(_ context.Context, p string) {
 
 // AddDERToChain logs the raw bytes of a submitted certificate.
 func (dlr *DefaultRequestLog) AddDERToChain(_ context.Context, d []byte) {
-	klog.V(vLevel).Infof("RL: Cert DER: %x", d)
+	// Explicit hex encoding below to satisfy CodeQL:
+	klog.V(vLevel).Infof("RL: Cert DER: %s", hex.EncodeToString(d))
 }
 
 // AddCertToChain logs some issuer / subject / timing fields from a
@@ -127,7 +129,8 @@ func (dlr *DefaultRequestLog) TreeSize(_ context.Context, ts int64) {
 
 // LeafHash logs request parameters.
 func (dlr *DefaultRequestLog) LeafHash(_ context.Context, lh []byte) {
-	klog.V(vLevel).Infof("RL: LeafHash: %x", lh)
+	// Explicit hex encoding below to satisfy CodeQL:
+	klog.V(vLevel).Infof("RL: LeafHash: %s", hex.EncodeToString(lh))
 }
 
 // IssueSCT logs an SCT that will be issued to a client.

x509util/certcheck/certcheck.go

@@ -132,6 +132,7 @@ func chainFromSite(target string) ([]*x509.Certificate, error) {
 		host += ":443"
 	}
 
+	// Insecure TLS connection here so we can always proceed.
 	conn, err := tls.Dial("tcp", host, &tls.Config{InsecureSkipVerify: true})
 	if err != nil {
 		return nil, fmt.Errorf("%s: failed to dial %q: %v", target, host, err)