Improve traced error messages from PKINIT client

author Greg Hudson <ghudson@mit.edu>

Tue, 8 May 2012 03:04:15 +0000 (03:04 +0000)

committer Greg Hudson <ghudson@mit.edu>

Tue, 8 May 2012 03:04:15 +0000 (03:04 +0000)
author Greg Hudson <ghudson@mit.edu>
Tue, 8 May 2012 03:04:15 +0000 (03:04 +0000)
committer Greg Hudson <ghudson@mit.edu>
Tue, 8 May 2012 03:04:15 +0000 (03:04 +0000)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

index ad86ba4e36cd6b37eae0e8cbbb02ebe41f90c5c3..0136d4f47094d0b4466ac2c110897a59979fdf44 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1030,10 +1030,14 @@ cms_signeddata_create(krb5_context context,
                                  id_cryptoctx->intermediateCAs);
              X509_STORE_CTX_trusted_stack(&certctx, id_cryptoctx->trustedCAs);
              if (!X509_verify_cert(&certctx)) {
-                pkiDebug("failed to create a certificate chain: %s\n",
-                         X509_verify_cert_error_string(X509_STORE_CTX_get_error(&certctx)));
+                int code = X509_STORE_CTX_get_error(&certctx);
+                const char *msg = X509_verify_cert_error_string(code);
+                pkiDebug("failed to create a certificate chain: %s\n", msg);
                  if (!sk_X509_num(id_cryptoctx->trustedCAs))
                      pkiDebug("No trusted CAs found. Check your X509_anchors\n");
+                retval = KRB5_PREAUTH_FAILED;
+                krb5_set_error_message(context, retval,
+                                       _("Cannot create cert chain: %s"), msg);
                  goto cleanup;
              }
              certstack = X509_STORE_CTX_get1_chain(&certctx);
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c

index 39d2a0ed4eb959701bf29b377fd1031549351000..cdee8417e163a103d76230d3460f47126eb784e9 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -548,6 +548,9 @@ pkinit_identity_initialize(krb5_context context,
                                                   idopts->identity_alt[i]);
              }
          } else {
+            retval = KRB5_PREAUTH_FAILED;
+            krb5_set_error_message(context, retval,
+                                   _("No user identity options specified"));
              pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
              goto errout;
          }
author	Greg Hudson <ghudson@mit.edu>
	Tue, 8 May 2012 03:04:15 +0000 (03:04 +0000)
committer	Greg Hudson <ghudson@mit.edu>
	Tue, 8 May 2012 03:04:15 +0000 (03:04 +0000)
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c		patch \| blob \| history
src/plugins/preauth/pkinit/pkinit_identity.c		patch \| blob \| history