Using PKINIT with ECC
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Nov 20 14:09:07 EST 2023
>I would be happy to have more trace logging to diagnose PKINIT errors,
>but converting every pkiDebug() call probably wouldn't meet the criteria
>for good trace logging. We've already made a few passes in this area,
>most recently one from you which went into release 1.20 (commit
>34625d594c339a077899fa01fc4b5c331a1647d0).
I guess what I was thinking was maybe not EVERY pkiDebug() call, but
more all of the ones that report errors. E.g:
> if ((r = id_cryptoctx->p11->C_SignInit(id_cryptoctx->session, &mech,
> obj)) != CKR_OK) {
> pkiDebug("C_SignInit: %s\n", pkcs11err(r));
> return KRB5KDC_ERR_PREAUTH_FAILED;
> }
There are others than the PKCS#11 calls, of course. I guess what I'd like
(if possible) was that anytime the plugin returned PREAUTH_FAILED, the
debug trace will explain why.
--Ken
More information about the Kerberos
mailing list