Using PKINIT with ECC

Greg Hudson ghudson at mit.edu
Sun Nov 19 15:22:29 EST 2023


On 11/19/23 12:00, Ken Hornstein via Kerberos wrote:
> I have mentioned this before, but ... is there any interest in adding
> additional trace points for every place where the old "pkiDebug" calls
> are made?  Hidden errors when doing PKINIT are the bane of my existence
> and I feel that I'm not the only one.  I understand there are concerns
> about making the trace log too verbose but I think every error could
> generate a trace message and it wouldn't add too much to the trace output
> when everything was working.

I would be happy to have more trace logging to diagnose PKINIT errors, 
but converting every pkiDebug() call probably wouldn't meet the criteria 
for good trace logging.  We've already made a few passes in this area, 
most recently one from you which went into release 1.20 (commit 
34625d594c339a077899fa01fc4b5c331a1647d0).

Based on this thread, it is clear that there is still room for 
improvement in the handling of PKCS11 errors.  While we mostly handle 
OpenSSL errors through the oerr() wrapper which trace logs the OpenSSL 
error queue and sets an extended error message, we don't have any such 
wrapper for PKCS11 errors.  In this case, we now know that C_SignInit() 
failed; here is the handling for that error:

     if ((r = id_cryptoctx->p11->C_SignInit(id_cryptoctx->session, &mech,
                                            obj)) != CKR_OK) {
         /* The PKCS11 return value is reported only via pkiDebug(). */
         pkiDebug("C_SignInit: %s\n", pkcs11err(r));
         /* Only this generic code reaches the caller and the trace log. */
         return KRB5KDC_ERR_PREAUTH_FAILED;
     }

So only the generic "Preauthentication failed" message shows up in the 
trace log (at the libkrb5 level) while the old debugging would have 
indicated the failed operation and the PKCS11 error string.
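The following is an added example, not MIT krb5 code: it sketches what a PKCS11 counterpart of the oerr() wrapper described above could look like, applied to the C_SignInit path quoted above, with the current handling beside the wrapped handling so the difference in what survives the failure is visible. Everything around it is a stand-in: fake_context replaces krb5_context (only the extended error message is modelled), the TRACE macro replaces the krb5 trace macros, fake_function_list and fake_C_SignInit replace a real PKCS11 function list, the p11err() name is an assumption, the CKR_* values are the PKCS#11 v2.x constants, and KRB5KDC_ERR_PREAUTH_FAILED is defined locally with what is assumed to be krb5.h's value so the file builds without libkrb5 or PKCS11 headers.

```c
/* Added example (not MIT krb5 code): a PKCS11 error wrapper in the spirit of
 * oerr(), compared against the current C_SignInit error handling.  All krb5
 * and PKCS11 pieces below are stand-ins so this compiles without either. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_SESSION_HANDLE;
typedef unsigned long CK_OBJECT_HANDLE;
typedef struct { unsigned long mechanism; } CK_MECHANISM;

/* Return values as defined in the PKCS#11 v2.x specification. */
#define CKR_OK                          0x000UL
#define CKR_GENERAL_ERROR               0x005UL
#define CKR_FUNCTION_FAILED             0x006UL
#define CKR_KEY_HANDLE_INVALID          0x060UL
#define CKR_KEY_FUNCTION_NOT_PERMITTED  0x068UL
#define CKR_MECHANISM_INVALID           0x070UL
#define CKR_PIN_INCORRECT               0x0A0UL
#define CKR_SESSION_HANDLE_INVALID      0x0B3UL
#define CKR_USER_NOT_LOGGED_IN          0x101UL
#define CKM_RSA_PKCS                    0x001UL

/* Assumed to match krb5.h; defined locally so no libkrb5 is needed. */
#define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360L)
typedef long krb5_error_code;

/* Stand-in for krb5_context: only the extended error message is modelled. */
typedef struct { char errmsg[256]; } fake_context;

/* Stand-in for the function list reached through id_cryptoctx->p11. */
typedef struct {
    CK_RV (*C_SignInit)(CK_SESSION_HANDLE, CK_MECHANISM *, CK_OBJECT_HANDLE);
} fake_function_list;

/* Stand-in for the krb5 TRACE_* macros (real ones are opt-in via KRB5_TRACE). */
#define TRACE(fmt, ...) fprintf(stderr, "[trace] " fmt "\n", __VA_ARGS__)

/* Map a CK_RV to its symbolic name (the role pkcs11err() plays in pkinit). */
static const char *pkcs11err(CK_RV rv)
{
    switch (rv) {
    case CKR_OK:                         return "CKR_OK";
    case CKR_GENERAL_ERROR:              return "CKR_GENERAL_ERROR";
    case CKR_FUNCTION_FAILED:            return "CKR_FUNCTION_FAILED";
    case CKR_KEY_HANDLE_INVALID:         return "CKR_KEY_HANDLE_INVALID";
    case CKR_KEY_FUNCTION_NOT_PERMITTED: return "CKR_KEY_FUNCTION_NOT_PERMITTED";
    case CKR_MECHANISM_INVALID:          return "CKR_MECHANISM_INVALID";
    case CKR_PIN_INCORRECT:              return "CKR_PIN_INCORRECT";
    case CKR_SESSION_HANDLE_INVALID:     return "CKR_SESSION_HANDLE_INVALID";
    case CKR_USER_NOT_LOGGED_IN:         return "CKR_USER_NOT_LOGGED_IN";
    default:                             return "unknown PKCS#11 error";
    }
}

/* p11err() (assumed name): PKCS11 counterpart of oerr().  Trace-logs the
 * failed call and return value, records an extended error message on the
 * context, and returns the generic code the caller still has to propagate. */
static krb5_error_code p11err(fake_context *ctx, const char *op, CK_RV rv)
{
    TRACE("PKINIT PKCS11 %s failed: %s (0x%lx)", op, pkcs11err(rv), rv);
    snprintf(ctx->errmsg, sizeof(ctx->errmsg),
             "PKINIT %s failed: %s (0x%lx)", op, pkcs11err(rv), rv);
    return KRB5KDC_ERR_PREAUTH_FAILED;
}

/* Fake token: a global selects what C_SignInit returns (constructed input). */
static CK_RV fake_sign_init_result = CKR_OK;
static CK_RV fake_C_SignInit(CK_SESSION_HANDLE s, CK_MECHANISM *m,
                             CK_OBJECT_HANDLE o)
{
    (void)s; (void)m; (void)o;
    return fake_sign_init_result;
}

static fake_context g_ctx;   /* context shared by the two demo paths below */

/* Current handling: the CK_RV goes only to (compiled-out) pkiDebug(). */
static krb5_error_code demo_current(CK_RV token_result)
{
    fake_function_list p11 = { fake_C_SignInit };
    CK_MECHANISM mech = { CKM_RSA_PKCS };
    CK_RV r;
    g_ctx.errmsg[0] = '\0';
    fake_sign_init_result = token_result;
    if ((r = p11.C_SignInit(1, &mech, 7)) != CKR_OK)
        return KRB5KDC_ERR_PREAUTH_FAILED;
    return 0;
}

/* Wrapped handling: same control flow, but the failure is recorded. */
static krb5_error_code demo_wrapped(CK_RV token_result)
{
    fake_function_list p11 = { fake_C_SignInit };
    CK_MECHANISM mech = { CKM_RSA_PKCS };
    CK_RV r;
    g_ctx.errmsg[0] = '\0';
    fake_sign_init_result = token_result;
    if ((r = p11.C_SignInit(1, &mech, 7)) != CKR_OK)
        return p11err(&g_ctx, "C_SignInit", r);
    return 0;
}

/* Extended error message left by the most recent demo call ("" if none). */
static const char *last_errmsg(void) { return g_ctx.errmsg; }

int main(void)
{
    krb5_error_code ret = demo_current(CKR_MECHANISM_INVALID);
    printf("current: ret=%ld message=\"%s\"\n", ret, last_errmsg());
    ret = demo_wrapped(CKR_MECHANISM_INVALID);
    printf("wrapped: ret=%ld message=\"%s\"\n", ret, last_errmsg());
    return 0;
}
```

Both paths return the same KRB5KDC_ERR_PREAUTH_FAILED, so nothing changes for callers that only check the code; the difference is that the wrapped path leaves "C_SignInit" and "CKR_MECHANISM_INVALID" in the trace output and in the extended error message, which is exactly the detail the old pkiDebug() output used to carry.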