>I would be happy to have more trace logging to diagnose PKINIT errors,
>but converting every pkiDebug() call probably wouldn't meet the criteria
>for good trace logging. We've already made a few passes in this area,
>most recently one from you which went into release 1.20 (commit
>34625d594c339a077899fa01fc4b5c331a1647d0).
I guess what I was thinking was maybe not EVERY pkiDebug() call, but
more all of the ones that report errors. E.g:
> if ((r = id_cryptoctx->p11->C_SignInit(id_cryptoctx->session, &mech,
> obj)) != CKR_OK) {
> pkiDebug("C_SignInit: %s\n", pkcs11err(r));
> return KRB5KDC_ERR_PREAUTH_FAILED;
> }
There are others than the PKCS#11 calls, of course. I guess what I'd like
(if possible) was that anytime the plugin returned PREAUTH_FAILED, the
debug trace will explain why.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
