On 11/19/23 12:00, Ken Hornstein via Kerberos wrote:
I have mentioned this before, but ... is there any interest in adding
additional trace points for every place where the old "pkiDebug" calls
are made?  Hidden errors when doing PKINIT are the bane of my existence
and I feel that I'm not the only one.  I understand there are concerns
about making the trace log too verbose but I think every error could
generate a trace message and it wouldn't add too much to the trace output
when everything was working.

I would be happy to have more trace logging to diagnose PKINIT errors, but converting every pkiDebug() call probably wouldn't meet the criteria for good trace logging. We've already made a few passes in this area, most recently one from you which went into release 1.20 (commit 34625d594c339a077899fa01fc4b5c331a1647d0).

Based on this thread, it is clear that there is still room for improvement in the handling of PKCS11 errors. While we mostly handle OpenSSL errors through the oerr() wrapper which trace logs the OpenSSL error queue and sets an extended error message, we don't have any such wrapper for PKCS11 errors. In this case, we now know that C_SignInit() failed; here is the handling for that error:

    if ((r = id_cryptoctx->p11->C_SignInit(id_cryptoctx->session, &mech,
                                           obj)) != CKR_OK) {
        pkiDebug("C_SignInit: %s\n", pkcs11err(r));
        return KRB5KDC_ERR_PREAUTH_FAILED;
    }

So only the generic "Preauthentication failed" message shows up in the trace log (at the libkrb5 level) while the old debugging would have indicated the failed operation and the PKCS11 error string.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
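As an added illustration of the gap described above (not krb5 code, and not a proposed patch), here is a small PKCS11 analogue of the oerr() wrapper: it trace-logs the failed call and its PKCS11 error string, sets an extended error message, and returns the generic code. The context struct, trace sink, p11err() name and the sign_init() driver are constructed stand-ins; the CKR_* values are the real PKCS#11 codes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: the CKR_* values are the real PKCS#11 codes,
 * the context struct is not krb5's. */
typedef unsigned long CK_RV;
#define CKR_OK                     0x00UL
#define CKR_GENERAL_ERROR          0x05UL
#define CKR_MECHANISM_INVALID      0x70UL
#define CKR_SESSION_HANDLE_INVALID 0xB3UL
#define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360L)

typedef struct {
    char trace[256];   /* stand-in for the libkrb5 trace log */
    char errmsg[256];  /* stand-in for krb5_set_error_message() */
} ctx_t;

static ctx_t demo_ctx;  /* context used by the demonstration */
/* Symbolic name for a PKCS#11 return value (subset of the spec's codes). */
static const char *pkcs11_strerror(CK_RV r)
{
    switch (r) {
    case CKR_OK:                     return "CKR_OK";
    case CKR_GENERAL_ERROR:          return "CKR_GENERAL_ERROR";
    case CKR_MECHANISM_INVALID:      return "CKR_MECHANISM_INVALID";
    case CKR_SESSION_HANDLE_INVALID: return "CKR_SESSION_HANDLE_INVALID";
    default:                         return "CKR_<unknown>";
    }
}

/* PKCS#11 counterpart of oerr(): trace-log which call failed and why, set
 * an extended error message, and return the code the caller propagates. */
static long p11err(ctx_t *ctx, const char *op, CK_RV r)
{
    snprintf(ctx->trace, sizeof(ctx->trace),
             "PKINIT PKCS11 %s failed: %s (0x%lx)", op, pkcs11_strerror(r), r);
    snprintf(ctx->errmsg, sizeof(ctx->errmsg),
             "PKCS11 error from %s: %s", op, pkcs11_strerror(r));
    return KRB5KDC_ERR_PREAUTH_FAILED;
}

/* The C_SignInit() path from the message with pkiDebug() replaced by the
 * wrapper; 'outcome' stands in for the token's real return value. */
long sign_init(ctx_t *ctx, CK_RV outcome)
{
    CK_RV r = outcome;  /* really: ctx->p11->C_SignInit(session, &mech, obj) */
    if (r != CKR_OK)
        return p11err(ctx, "C_SignInit", r);
    return 0;
}
```

With this shape the caller still sees "Preauthentication failed", but the trace log and extended error message name the failed PKCS11 call and its CKR_* code, which is what the old pkiDebug() output used to provide.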