svn rev #25854: trunk/src/plugins/preauth/pkinit/
ghudson@MIT.EDU
ghudson at MIT.EDU
Mon May 7 23:04:15 EDT 2012
http://src.mit.edu/fisheye/changelog/krb5/?cs=25854
Commit By: ghudson
Log Message:
Improve traced error messages from PKINIT client
If we have no configured PKINIT client identity, or if we fail to
create a certificate chain, set a reasonable error code (not EINVAL or
ENOMEM) and a useful error message to appear in trace log output.
Changed Files:
U trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
U trunk/src/plugins/preauth/pkinit/pkinit_identity.c
Modified: trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2012-05-08 03:04:12 UTC (rev 25853)
+++ trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2012-05-08 03:04:15 UTC (rev 25854)
@@ -1030,10 +1030,14 @@
id_cryptoctx->intermediateCAs);
X509_STORE_CTX_trusted_stack(&certctx, id_cryptoctx->trustedCAs);
if (!X509_verify_cert(&certctx)) {
- pkiDebug("failed to create a certificate chain: %s\n",
- X509_verify_cert_error_string(X509_STORE_CTX_get_error(&certctx)));
+ int code = X509_STORE_CTX_get_error(&certctx);
+ const char *msg = X509_verify_cert_error_string(code);
+ pkiDebug("failed to create a certificate chain: %s\n", msg);
if (!sk_X509_num(id_cryptoctx->trustedCAs))
pkiDebug("No trusted CAs found. Check your X509_anchors\n");
+ retval = KRB5_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval,
+ _("Cannot create cert chain: %s"), msg);
goto cleanup;
}
certstack = X509_STORE_CTX_get1_chain(&certctx);
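Review bot: The new error path only runs when `X509_verify_cert()` returns exactly 0; in some OpenSSL versions it can also return a negative value for an internal error (for example, no certificate set in the context), and `!X509_verify_cert(&certctx)` would treat that as a successful verification and fall through to `X509_STORE_CTX_get1_chain()`. The guard on the line above the new block should be `if (X509_verify_cert(&certctx) <= 0) {`, which is what the OpenSSL documentation asks callers to check. The "No trusted CAs found" hint is still only a pkiDebug message, so the most actionable cause never reaches the error string set with krb5_set_error_message; consider appending "(no trusted CAs; check X509_anchors)" to the message in that branch. The enclosing function starts and ends outside this hunk, so whether `retval` and the cleanup label are set up consistently cannot be confirmed from here.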
Modified: trunk/src/plugins/preauth/pkinit/pkinit_identity.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_identity.c 2012-05-08 03:04:12 UTC (rev 25853)
+++ trunk/src/plugins/preauth/pkinit/pkinit_identity.c 2012-05-08 03:04:15 UTC (rev 25854)
@@ -548,6 +548,9 @@
idopts->identity_alt[i]);
}
} else {
+ retval = KRB5_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval,
+ _("No user identity options specified"));
pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
goto errout;
}
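Review bot: The new message says what is missing but not where an administrator would supply it, which is the point of the commit; the analogous debug message in the other hunk names X509_anchors, so this one should name the client identity setting, e.g. `_("No user identity options specified; check the PKINIT client identity configuration")` (the exact option name is not visible in this hunk, so verify it against the documented configuration key). The pkiDebug line now duplicates the error text; keeping it is harmless, but a single source string avoids the two drifting apart. The enclosing function starts before and ends after this hunk, so the errout path's handling of `retval` is not visible here.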