Using PKINIT with ECC

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Nov 20 14:09:07 EST 2023


>I would be happy to have more trace logging to diagnose PKINIT errors, 
>but converting every pkiDebug() call probably wouldn't meet the criteria 
>for good trace logging.  We've already made a few passes in this area, 
>most recently one from you which went into release 1.20 (commit 
>34625d594c339a077899fa01fc4b5c331a1647d0).

I guess what I was thinking was maybe not EVERY pkiDebug() call, but
more all of the ones that report errors.  E.g.:

>     if ((r = id_cryptoctx->p11->C_SignInit(id_cryptoctx->session, &mech,
>                                            obj)) != CKR_OK) {
>         pkiDebug("C_SignInit: %s\n", pkcs11err(r));
>         return KRB5KDC_ERR_PREAUTH_FAILED;
>     }

There are others than the PKCS#11 calls, of course.  I guess what I'd like
(if possible) is that any time the plugin returns PREAUTH_FAILED, the
debug trace explains why.

--Ken
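As an added illustration of the point above (not code from this thread or from MIT krb5): a C sketch in which the quoted C_SignInit error path records its reason in a per-request trace context before returning PREAUTH_FAILED, so the trace always says why. The CKR_* names are standard PKCS#11 codes; the trimmed pkcs11err() table, trace_ctx, FAIL_PREAUTH and fake_C_SignInit are constructed for this example, and the KRB5KDC_ERR_PREAUTH_FAILED value is a stand-in for the one defined in krb5.h.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Stand-in definitions so the example builds without pkcs11.h or krb5.h.
 * The CKR_* values are the standard PKCS#11 codes; the krb5 error value
 * below is a placeholder, not the com_err code from krb5.h. */
typedef unsigned long CK_RV;
#define CKR_OK                     0x00UL
#define CKR_GENERAL_ERROR          0x05UL
#define CKR_KEY_HANDLE_INVALID     0x60UL
#define CKR_MECHANISM_INVALID      0x70UL
#define CKR_SESSION_HANDLE_INVALID 0xB3UL
#define KRB5KDC_ERR_PREAUTH_FAILED 24L   /* placeholder value */

/* Map a PKCS#11 return code to its name, as the plugin's pkcs11err() does
 * (table trimmed and constructed for this example). */
static const char *pkcs11err(CK_RV r)
{
    switch (r) {
    case CKR_OK:                     return "CKR_OK";
    case CKR_GENERAL_ERROR:          return "CKR_GENERAL_ERROR";
    case CKR_KEY_HANDLE_INVALID:     return "CKR_KEY_HANDLE_INVALID";
    case CKR_MECHANISM_INVALID:      return "CKR_MECHANISM_INVALID";
    case CKR_SESSION_HANDLE_INVALID: return "CKR_SESSION_HANDLE_INVALID";
    default:                         return "unknown CKR_ value";
    }
}

/* Per-request trace sink: the last reason PREAUTH_FAILED was returned. */
struct trace_ctx { char reason[128]; };

/* Every early return of PREAUTH_FAILED goes through this macro, so the
 * trace records *why* the plugin gave up, not just that it did. */
#define FAIL_PREAUTH(ctx, ...) do {                                   \
        snprintf((ctx)->reason, sizeof((ctx)->reason), __VA_ARGS__);  \
        return KRB5KDC_ERR_PREAUTH_FAILED;                            \
    } while (0)

/* Simulated C_SignInit: returns whatever code the caller injects. */
static CK_RV fake_C_SignInit(CK_RV injected) { return injected; }

/* The quoted error path, rewritten so the failure reason is traced. */
static long pkinit_sign_init(struct trace_ctx *ctx, CK_RV token_result)
{
    CK_RV r;

    ctx->reason[0] = '\0';
    if ((r = fake_C_SignInit(token_result)) != CKR_OK)
        FAIL_PREAUTH(ctx, "C_SignInit: %s", pkcs11err(r));
    return 0;
}
```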