From 6d19259c7eb9277c12a7f2eec9aa80563b4c5acc Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Tue, 8 May 2012 03:04:15 +0000
Subject: [PATCH] Improve traced error messages from PKINIT client

If we have no configured PKINIT client identity, or if we fail to create a certificate chain, set a reasonable error code (not EINVAL or ENOMEM) and a useful error message to appear in trace log output.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25854 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 8 ++++++--
 src/plugins/preauth/pkinit/pkinit_identity.c | 3 +++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index ad86ba4e3..0136d4f47 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1030,10 +1030,14 @@ cms_signeddata_create(krb5_context context,
 id_cryptoctx->intermediateCAs);
 X509_STORE_CTX_trusted_stack(&certctx, id_cryptoctx->trustedCAs);
 if (!X509_verify_cert(&certctx)) {
- pkiDebug("failed to create a certificate chain: %s\n",
- X509_verify_cert_error_string(X509_STORE_CTX_get_error(&certctx)));
+ int code = X509_STORE_CTX_get_error(&certctx);
+ const char *msg = X509_verify_cert_error_string(code);
+ pkiDebug("failed to create a certificate chain: %s\n", msg);
 if (!sk_X509_num(id_cryptoctx->trustedCAs))
 pkiDebug("No trusted CAs found. Check your X509_anchors\n");
+ retval = KRB5_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval,
+ _("Cannot create cert chain: %s"), msg);
 goto cleanup;
 }
 certstack = X509_STORE_CTX_get1_chain(&certctx);
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 39d2a0ed4..cdee8417e 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
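Review bot: The most actionable diagnosis in this branch, the empty trusted-CA set detected by the `sk_X509_num(id_cryptoctx->trustedCAs)` check, still reaches only pkiDebug, while the new `krb5_set_error_message` call reports just the generic OpenSSL reason string, so the message this commit adds for the trace log will not tell the reader that no anchors are configured. Folding that hint into the error message (below) keeps the traced output self-explanatory; pkiDebug appears to be a debug-build-only path, so it is not enough on its own. Separately, the surrounding `if (!X509_verify_cert(&certctx))` treats only a 0 return as failure, whereas OpenSSL documents a negative return for internal errors, so `if (X509_verify_cert(&certctx) <= 0)` would let the new error path cover that case as well. cms_signeddata_create continues outside the hunk, so whether `cleanup` preserves `retval` cannot be confirmed here.
```c
        /* … unchanged: code/msg lookup and first pkiDebug … */
        retval = KRB5_PREAUTH_FAILED;
        if (!sk_X509_num(id_cryptoctx->trustedCAs)) {
            pkiDebug("No trusted CAs found. Check your X509_anchors\n");
            krb5_set_error_message(context, retval,
                                   _("Cannot create cert chain: no trusted CAs "
                                     "configured (check pkinit_anchors): %s"),
                                   msg);
        } else {
            krb5_set_error_message(context, retval,
                                   _("Cannot create cert chain: %s"), msg);
        }
        goto cleanup;
```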
@@ -548,6 +548,9 @@ pkinit_identity_initialize(krb5_context context,
 idopts->identity_alt[i]);
 }
 } else {
+ retval = KRB5_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval,
+ _("No user identity options specified"));
 pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
 goto errout;
 }
-- 
2.26.2
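Review bot: The new message `_("No user identity options specified")` names the symptom but not the setting, so an administrator reading the trace log still has to work out which configuration is missing; since the point of the commit is a useful traced message, wording such as `_("No PKINIT client identity configured (set pkinit_identities in krb5.conf)")` would make it actionable. The error code choice of KRB5_PREAUTH_FAILED reads correctly for a configuration gap that prevents the mechanism from running at all. pkinit_identity_initialize continues outside the hunk, so whether `errout` leaves `retval` untouched is not visible here.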