From aa476a78b67a60d4ca2433091268a7790b4d62f7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 30 Oct 2017 10:22:33 +0100
Subject: [PATCH 42/46] p11_child: add descriptions for error codes to debug
messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In addition to the NSS error code, a text message describing the error is
added. This will help to see why p11_child ignores specific
certificates. For example it would be more obvious why the certificate
is not valid (expired, missing CA cert, failed OCSP etc).
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com>
(cherry picked from commit 08d1f8c0d6eece6a48201d7f8824b282eac3458d)
---
src/p11_child/p11_child_nss.c | 91 ++++++++++++++++++++++++-------------------
1 file changed, 50 insertions(+), 41 deletions(-)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index c676375cf7f6677a1d7f38f09b9bb5fd820d60c5..5f289688e41f4ea610292b907036e05cf95eb29d 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -75,15 +75,16 @@ static char *get_key_id_str(PK11SlotInfo *slot, CERTCertificate *cert)
key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL);
if (key_id == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
- "PK11_GetLowLevelKeyIDForCert failed [%d].\n",
- PR_GetError());
+ "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return NULL;
}
key_id_str = CERT_Hexify(key_id, PR_FALSE);
SECITEM_FreeItem(key_id, PR_TRUE);
if (key_id_str == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d].\n", PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return NULL;
}
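Review bot: Each new `%s` argument in this hunk hands `PORT_ErrorToString(PR_GetError())` straight to the format string, and if that lookup yields NULL (the NSPR documentation does not appear to guarantee a text for every code) a NULL `%s` is undefined behaviour in C even though glibc happens to print "(null)"; the same pattern is repeated in every later hunk of this file, from the NSS_InitContext message through the NSS_ShutdownContext one. A small static helper that resolves the text once and substitutes a fixed fallback keeps every DEBUG line safe, and taking the code into a local also avoids calling `PR_GetError()` twice per message. Only the two call sites of this hunk are shown below; the others would change the same way. get_key_id_str begins before this hunk.
```c
/* Text for an NSPR/NSS error code, never NULL so it is safe for "%s". */
static const char *nss_err_text(PRErrorCode err)
{
    const char *text = PORT_ErrorToString(err);

    return text != NULL ? text : "no description available";
}

/* … unchanged: get_key_id_str() up to the PK11_GetLowLevelKeyIDForCert() call … */
    if (key_id == NULL) {
        PRErrorCode err = PR_GetError();

        DEBUG(SSSDBG_OP_FAILURE,
              "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n",
              err, nss_err_text(err));
        return NULL;
    }
/* … unchanged: CERT_Hexify() path, same substitution in its DEBUG call … */
```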
@@ -138,8 +139,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, flags);
if (nss_ctx == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
@@ -232,8 +233,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
if (pin != NULL) {
rv = PK11_Authenticate(slot, PR_FALSE, discard_const(pin));
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
} else {
@@ -246,8 +247,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
cert_list = PK11_ListCertsInSlot(slot);
if (cert_list == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
@@ -265,31 +266,33 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
rv = CERT_FilterCertListByUsage(cert_list, certUsageSSLClient, PR_FALSE);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
rv = CERT_FilterCertListForUserCerts(cert_list);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListForUserCerts failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE,
+ "CERT_FilterCertListForUserCerts failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
handle = CERT_GetDefaultCertDB();
if (handle == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
if (cert_verify_opts->do_ocsp) {
rv = CERT_EnableOCSPChecking(handle);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_EnableOCSPChecking failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE,
+ "CERT_EnableOCSPChecking failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
@@ -300,16 +303,16 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
cert_verify_opts->ocsp_default_responder_signing_cert);
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "CERT_SetOCSPDefaultResponder failed: [%d].\n",
- PR_GetError());
+ "CERT_SetOCSPDefaultResponder failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
rv = CERT_EnableOCSPDefaultResponder(handle);
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "CERT_EnableOCSPDefaultResponder failed: [%d].\n",
- PR_GetError());
+ "CERT_EnableOCSPDefaultResponder failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
}
@@ -318,8 +321,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
found_cert = NULL;
valid_certs = CERT_NewCertList();
if (valid_certs == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = ENOMEM;
goto done;
}
@@ -345,9 +348,10 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
NULL, NULL);
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "Certificate [%s][%s] not valid [%d], skipping.\n",
+ "Certificate [%s][%s] not valid [%d][%s], skipping.\n",
cert_list_node->cert->nickname,
- cert_list_node->cert->subjectName, PR_GetError());
+ cert_list_node->cert->subjectName,
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
continue;
}
}
@@ -386,7 +390,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
rv = CERT_AddCertToListTail(valid_certs, cert_list_node->cert);
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "CERT_AddCertToListTail failed [%d].\n", PR_GetError());
+ "CERT_AddCertToListTail failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EIO;
goto done;
}
@@ -400,8 +405,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
rv = CERT_DisableOCSPDefaultResponder(handle);
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "CERT_DisableOCSPDefaultResponder failed: [%d].\n",
- PR_GetError());
+ "CERT_DisableOCSPDefaultResponder failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
}
}
@@ -433,15 +438,17 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
rv = PK11_GenerateRandom(random_value, sizeof(random_value));
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "PK11_GenerateRandom failed [%d].\n", PR_GetError());
+ "PK11_GenerateRandom failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
priv_key = PK11_FindPrivateKeyFromCert(slot, found_cert, NULL);
if (priv_key == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
- "PK11_FindPrivateKeyFromCert failed [%d]." \
- "Maybe pin is missing.\n", PR_GetError());
+ "PK11_FindPrivateKeyFromCert failed [%d][%s]."
+ "Maybe pin is missing.\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EIO;
goto done;
}
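Review bot: The two adjacent string literals in the new `"PK11_FindPrivateKeyFromCert failed [%d][%s]."` line and the `"Maybe pin is missing.\n"` line below it are merged without a separator, so the log reads `[...].Maybe pin is missing.`; add the space, `"PK11_FindPrivateKeyFromCert failed [%d][%s]. "`. Dropping the trailing backslash the old line used is fine, since adjacent literals are concatenated by the compiler anyway. do_work continues outside this hunk.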
@@ -451,8 +458,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
if (algtag == SEC_OID_UNKNOWN) {
SECKEY_DestroyPrivateKey(priv_key);
DEBUG(SSSDBG_OP_FAILURE,
- "SEC_GetSignatureAlgorithmOidTag failed [%d].\n",
- PR_GetError());
+ "SEC_GetSignatureAlgorithmOidTag failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EIO;
goto done;
}
@@ -462,8 +469,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
priv_key, algtag);
SECKEY_DestroyPrivateKey(priv_key);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EIO;
goto done;
}
@@ -471,7 +478,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
pub_key = CERT_ExtractPublicKey(found_cert);
if (pub_key == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
- "CERT_ExtractPublicKey failed [%d].\n", PR_GetError());
+ "CERT_ExtractPublicKey failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EIO;
goto done;
}
@@ -481,8 +489,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
NULL);
SECKEY_DestroyPublicKey(pub_key);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EACCES;
goto done;
}
@@ -507,7 +515,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
PORT_Free(key_id_str);
key_id_str = get_key_id_str(slot, found_cert);
if (key_id_str == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d].\n", PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = ENOMEM;
goto done;
}
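Review bot: The rewritten message `"get_key_id_str [%d][%s].\n"` still has no verb, so in the log it is not obvious that the call failed; `"get_key_id_str failed [%d][%s].\n"` would match the wording of every other message in this file. Note also that get_key_id_str (first hunk) already logs the underlying NSS error itself, so this line will repeat the same code and text, which is acceptable but worth knowing when reading the output. do_work continues outside this hunk.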
@@ -562,8 +571,8 @@ done:
rv = NSS_ShutdownContext(nss_ctx);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
}
return ret;
--
2.13.6