From aa476a78b67a60d4ca2433091268a7790b4d62f7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 30 Oct 2017 10:22:33 +0100
Subject: [PATCH 42/46] p11_child: add descriptions for error codes to debug
messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Additionally to the NSS erro code a text message describing the error is
added. This will help to see why p11_child ignores specific
certificates. For example it would be more obvious why the certificate
is not valid (expired, missing CA cert, failed OCSP etc).
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com>
(cherry picked from commit 08d1f8c0d6eece6a48201d7f8824b282eac3458d)
---
src/p11_child/p11_child_nss.c | 91 ++++++++++++++++++++++++-------------------
1 file changed, 50 insertions(+), 41 deletions(-)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index c676375cf7f6677a1d7f38f09b9bb5fd820d60c5..5f289688e41f4ea610292b907036e05cf95eb29d 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -75,15 +75,16 @@ static char *get_key_id_str(PK11SlotInfo *slot, CERTCertificate *cert)
key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL);
if (key_id == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
- "PK11_GetLowLevelKeyIDForCert failed [%d].\n",
- PR_GetError());
+ "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return NULL;
}
key_id_str = CERT_Hexify(key_id, PR_FALSE);
SECITEM_FreeItem(key_id, PR_TRUE);
if (key_id_str == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d].\n", PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return NULL;
}
@@ -138,8 +139,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, flags);
if (nss_ctx == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
@@ -232,8 +233,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
if (pin != NULL) {
rv = PK11_Authenticate(slot, PR_FALSE, discard_const(pin));
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
} else {
@@ -246,8 +247,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
cert_list = PK11_ListCertsInSlot(slot);
if (cert_list == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
@@ -265,31 +266,33 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
rv = CERT_FilterCertListByUsage(cert_list, certUsageSSLClient, PR_FALSE);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
rv = CERT_FilterCertListForUserCerts(cert_list);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListForUserCerts failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE,
+ "CERT_FilterCertListForUserCerts failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
handle = CERT_GetDefaultCertDB();
if (handle == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
if (cert_verify_opts->do_ocsp) {
rv = CERT_EnableOCSPChecking(handle);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_EnableOCSPChecking failed: [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE,
+ "CERT_EnableOCSPChecking failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
@@ -300,16 +303,16 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
cert_verify_opts->ocsp_default_responder_signing_cert);
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "CERT_SetOCSPDefaultResponder failed: [%d].\n",
- PR_GetError());
+ "CERT_SetOCSPDefaultResponder failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
rv = CERT_EnableOCSPDefaultResponder(handle);
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "CERT_EnableOCSPDefaultResponder failed: [%d].\n",
- PR_GetError());
+ "CERT_EnableOCSPDefaultResponder failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
}
@@ -318,8 +321,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
found_cert = NULL;
valid_certs = CERT_NewCertList();
if (valid_certs == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = ENOMEM;
goto done;
}
@@ -345,9 +348,10 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
NULL, NULL);
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "Certificate [%s][%s] not valid [%d], skipping.\n",
+ "Certificate [%s][%s] not valid [%d][%s], skipping.\n",
cert_list_node->cert->nickname,
- cert_list_node->cert->subjectName, PR_GetError());
+ cert_list_node->cert->subjectName,
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
continue;
}
}
@@ -386,7 +390,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
rv = CERT_AddCertToListTail(valid_certs, cert_list_node->cert);
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "CERT_AddCertToListTail failed [%d].\n", PR_GetError());
+ "CERT_AddCertToListTail failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EIO;
goto done;
}
@@ -400,8 +405,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
rv = CERT_DisableOCSPDefaultResponder(handle);
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "CERT_DisableOCSPDefaultResponder failed: [%d].\n",
- PR_GetError());
+ "CERT_DisableOCSPDefaultResponder failed: [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
}
}
@@ -433,15 +438,17 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
rv = PK11_GenerateRandom(random_value, sizeof(random_value));
if (rv != SECSuccess) {
DEBUG(SSSDBG_OP_FAILURE,
- "PK11_GenerateRandom failed [%d].\n", PR_GetError());
+ "PK11_GenerateRandom failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
return EIO;
}
priv_key = PK11_FindPrivateKeyFromCert(slot, found_cert, NULL);
if (priv_key == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
- "PK11_FindPrivateKeyFromCert failed [%d]." \
- "Maybe pin is missing.\n", PR_GetError());
+ "PK11_FindPrivateKeyFromCert failed [%d][%s]."
+ "Maybe pin is missing.\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EIO;
goto done;
}
@@ -451,8 +458,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
if (algtag == SEC_OID_UNKNOWN) {
SECKEY_DestroyPrivateKey(priv_key);
DEBUG(SSSDBG_OP_FAILURE,
- "SEC_GetSignatureAlgorithmOidTag failed [%d].\n",
- PR_GetError());
+ "SEC_GetSignatureAlgorithmOidTag failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EIO;
goto done;
}
@@ -462,8 +469,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
priv_key, algtag);
SECKEY_DestroyPrivateKey(priv_key);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EIO;
goto done;
}
@@ -471,7 +478,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
pub_key = CERT_ExtractPublicKey(found_cert);
if (pub_key == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
- "CERT_ExtractPublicKey failed [%d].\n", PR_GetError());
+ "CERT_ExtractPublicKey failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EIO;
goto done;
}
@@ -481,8 +489,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
NULL);
SECKEY_DestroyPublicKey(pub_key);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = EACCES;
goto done;
}
@@ -507,7 +515,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
PORT_Free(key_id_str);
key_id_str = get_key_id_str(slot, found_cert);
if (key_id_str == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d].\n", PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
ret = ENOMEM;
goto done;
}
@@ -562,8 +571,8 @@ done:
rv = NSS_ShutdownContext(nss_ctx);
if (rv != SECSuccess) {
- DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d].\n",
- PR_GetError());
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
}
return ret;
--
2.13.6