author | Greg Hudson <ghudson@mit.edu> | 2012-05-08 03:04:15 +0000 |
committer | Greg Hudson <ghudson@mit.edu> | 2012-05-08 03:04:15 +0000 |
commit | 6d19259c7eb9277c12a7f2eec9aa80563b4c5acc (patch) | |
tree | 8f50b856f15952b285c473c183987ffe67821fde /src/plugins | |
parent | faeacc69b5c9e386ea2977506b24dea055bf926b (diff) | |
Improve traced error messages from PKINIT client
If we have no configured PKINIT client identity, or if we fail to
create a certificate chain, set a reasonable error code (not EINVAL or
ENOMEM) and a useful error message to appear in trace log output.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25854 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 8 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_identity.c | 3 |
2 files changed, 9 insertions, 2 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index ad86ba4e36..0136d4f470 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1030,10 +1030,14 @@ cms_signeddata_create(krb5_context context,
 id_cryptoctx->intermediateCAs);
 X509_STORE_CTX_trusted_stack(&certctx, id_cryptoctx->trustedCAs);
 if (!X509_verify_cert(&certctx)) {
- pkiDebug("failed to create a certificate chain: %s\n",
- X509_verify_cert_error_string(X509_STORE_CTX_get_error(&certctx)));
+ int code = X509_STORE_CTX_get_error(&certctx);
+ const char *msg = X509_verify_cert_error_string(code);
+ pkiDebug("failed to create a certificate chain: %s\n", msg);
 if (!sk_X509_num(id_cryptoctx->trustedCAs))
 pkiDebug("No trusted CAs found. Check your X509_anchors\n");
+ retval = KRB5_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval,
+ _("Cannot create cert chain: %s"), msg);
 goto cleanup;
 }
 certstack = X509_STORE_CTX_get1_chain(&certctx);
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 39d2a0ed4e..cdee8417e1 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -548,6 +548,9 @@ pkinit_identity_initialize(krb5_context context,
 idopts->identity_alt[i]);
 }
 } else {
+ retval = KRB5_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval,
+ _("No user identity options specified"));
 pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
 goto errout;
 }
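Review bot: The most actionable diagnosis in this failure path, that `id_cryptoctx->trustedCAs` is empty, still only reaches `pkiDebug` and is not carried into the new `krb5_set_error_message` call, so an operator reading the traced error sees just the generic OpenSSL verify string. Since `sk_X509_num(id_cryptoctx->trustedCAs)` is already tested two lines above the new `retval = KRB5_PREAUTH_FAILED;`, the error message could be chosen in that branch so the "no trusted CAs" case names the missing anchor configuration explicitly. The `X509_STORE_CTX_init` call whose result feeds this check starts above the hunk, and `cms_signeddata_create` continues past it.
```c
        if (!X509_verify_cert(&certctx)) {
            int code = X509_STORE_CTX_get_error(&certctx);
            const char *msg = X509_verify_cert_error_string(code);
            pkiDebug("failed to create a certificate chain: %s\n", msg);
            retval = KRB5_PREAUTH_FAILED;
            if (!sk_X509_num(id_cryptoctx->trustedCAs)) {
                pkiDebug("No trusted CAs found. Check your X509_anchors\n");
                krb5_set_error_message(context, retval,
                                       _("Cannot create cert chain: %s "
                                         "(no trusted CAs configured)"), msg);
            } else {
                krb5_set_error_message(context, retval,
                                       _("Cannot create cert chain: %s"), msg);
            }
            goto cleanup;
        }
        /* … unchanged: certstack = X509_STORE_CTX_get1_chain(&certctx); … */
```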
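Review bot: The new message `_("No user identity options specified")` tells the user what is absent but not where to supply it, which is the question an operator debugging a PKINIT client failure will actually have. If this branch is reached because no client identity was configured (the commit description suggests so; I cannot see the condition, which sits above the hunk), the message would be more useful naming the configuration source, e.g. `_("No PKINIT client identity configured (pkinit_identities)")`, assuming that is the option this code reads. As a matter of style, this hunk sets `retval` and the error message before the `pkiDebug` trace while the `pkinit_crypto_openssl.c` hunk does the reverse; ordering them the same way in both would make the pattern easier to follow. `pkinit_identity_initialize` starts and ends outside the hunk.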