From 45c922376ac6e3decea026494818b96ba480325e Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 12 Oct 2010 18:00:14 -0400
Subject: [PATCH 049/150] - add some debug messages - temporarily lift the error when we have more than one cert at the KDC
---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 25 ++++++++++++++++++++++++
 1 files changed, 25 insertions(+), 0 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 1de17d4..cbd83e6 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -39,6 +39,7 @@
 #include "pkinit_crypto.h"
 #include "krb5.h"
+#include
 #include
 #include
 #include
@@ -1737,6 +1738,8 @@ crypto_cert_get_count(krb5_context context,
 (*cert_count)++;
 }
 }
+ pkiDebug("%s: %d candidate key/certificate pairs found\n",
+ __FUNCTION__, *cert_count);
 return 0;
 }
@@ -2112,9 +2115,12 @@ crypto_cert_select_default(krb5_context context,
 if (result != 0) {
 return result;
 }
+#if 0
+ /* FIXME */
 if (count != 1) {
 return ENOENT;
 }
+#endif
 if (id_cryptoctx->id_cert != NULL) {
 CERT_DestroyCertificate(id_cryptoctx->id_cert);
 }
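Review bot: Putting the `count != 1` test under `#if 0` also disables the `count == 0` case, so crypto_cert_select_default now runs on past the point where crypto_cert_get_count reported no usable key/certificate pair, although the commit message only asks to tolerate more than one. Keep the empty case as a hard failure outside the `#if 0`, `if (count == 0) { return ENOENT; }`, and when `count > 1` trace it instead of choosing silently, `pkiDebug("%s: %d candidate pairs, selection is not unique\n", __FUNCTION__, count);` — a KDC with several identities would otherwise use whichever candidate the code below picks, with nothing in the log to explain which. The `/* FIXME */` should also say what condition restores the check, or the temporary lift will outlive its reason. The rest of crypto_cert_select_default, including how the remaining candidates are handled, is outside the hunk.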
@@ -3259,34 +3265,50 @@ crypto_signeddata_common_verify(krb5_context context,
 * and fish out the signer information. */
 if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != SEC_OID_PKCS7_SIGNED_DATA) {
+ pkiDebug("%s: content type mismatch\n", __FUNCTION__);
 return ENOMEM; /* FIXME: better error? */
 }
 sdata = NSS_CMSContentInfo_GetContent(cinfo);
 if ((sdata == NULL) || (NSS_CMSSignedData_SignerInfoCount(sdata) != 1)) {
+ pkiDebug("%s: wrong number of signers\n", __FUNCTION__);
 return ENOMEM; /* FIXME: better error? */
 }
 signer = NSS_CMSSignedData_GetSignerInfo(sdata, 0);
 if (signer == NULL) {
+ pkiDebug("%s: no signers?\n", __FUNCTION__);
 return ENOMEM; /* FIXME: better error? */
 }
 /* Verify the signer's certificate. */
+ if (!NSS_CMSSignedData_HasDigests(sdata)) {
+ pkiDebug("%s: no digests?\n", __FUNCTION__);
+ return ENOMEM; /* FIXME: better error? */
+ }
 status = NSS_CMSSignedData_VerifySignerInfo(sdata, 0, certdb, usage);
 if (status != SECSuccess) {
+ pkiDebug("%s: signer verify failed: %s\n", __FUNCTION__,
+ PR_ErrorToString(status == SECFailure ?
+ PORT_GetError() : status,
+ PR_LANGUAGE_I_DEFAULT));
 return ENOMEM; /* FIXME: better error? */
 }
 /* Pull out the payload. */
 ecinfo = NSS_CMSSignedData_GetContentInfo(sdata);
 if (ecinfo == NULL) {
+ pkiDebug("%s: error getting encapsulated content\n",
+ __FUNCTION__);
 return ENOMEM;
 }
 encapsulated_tag = NSS_CMSContentInfo_GetContentTypeTag(ecinfo);
 if (encapsulated_tag != expected_type) {
+ pkiDebug("%s: wrong encapsulated content type\n",
+ __FUNCTION__);
 return ENOMEM; /* FIXME: better error? */
 }
 *plain = NSS_CMSContentInfo_GetContent(ecinfo);
 /* Save the peer cert -- we'll need it later. */
+ pkiDebug("%s: saving peer certificate\n", __FUNCTION__);
 if (req_cryptoctx->peer_cert != NULL) {
 CERT_DestroyCertificate(req_cryptoctx->peer_cert);
 }
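Review bot: In the new signer-verify trace, `status` is handed to `PR_ErrorToString` as if it were a `PRErrorCode` whenever it is not `SECFailure`, and `PR_ErrorToString` returns NULL for a code it has no table entry for, which `%s` cannot print. NSS is expected to record the reason for a failed `NSS_CMSSignedData_VerifySignerInfo` through the NSPR error slot whichever non-success status it returns, so read that value unconditionally and guard the string: `PRErrorCode err = PORT_GetError();` `const char *msg = PR_ErrorToString(err, PR_LANGUAGE_I_DEFAULT);` `pkiDebug("%s: signer verify failed: %d (%s)\n", __FUNCTION__, (int)err, msg != NULL ? msg : "unknown");`. Logging the numeric code as well keeps the trace useful when the text lookup fails. The added `NSS_CMSSignedData_HasDigests` guard is worth keeping, since it rejects content without digests before the signature check instead of relying on the verify call to notice. crypto_signeddata_common_verify begins and ends outside this hunk.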
@@ -3587,6 +3609,8 @@ cms_signeddata_verify(krb5_context context,
 switch (NSS_CMSContentInfo_GetContentTypeTag(info)) {
 case SEC_OID_PKCS7_SIGNED_DATA:
 /* It's signed: try to verify the signature. */
+ pkiDebug("%s: data is probably signed, checking\n",
+ __FUNCTION__);
 plain = NULL;
 if ((crypto_signeddata_common_verify(context,
 plg_cryptoctx,
@@ -3608,6 +3632,7 @@ cms_signeddata_verify(krb5_context context,
 break;
 case SEC_OID_PKCS7_DATA:
 /* It's not signed: try to pull out the payload. */
+ pkiDebug("%s: data is not signed\n", __FUNCTION__);
 *is_signed = 0;
 plain = NSS_CMSContentInfo_GetContent(info);
 break;
-- 1.7.6.4