From aa476a78b67a60d4ca2433091268a7790b4d62f7 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 30 Oct 2017 10:22:33 +0100 Subject: [PATCH 42/46] p11_child: add descriptions for error codes to debug messages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Additionally to the NSS erro code a text message describing the error is added. This will help to see why p11_child ignores specific certificates. For example it would be more obvious why the certificate is not valid (expired, missing CA cert, failed OCSP etc). Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano FidĂȘncio Tested-by: Scott Poore (cherry picked from commit 08d1f8c0d6eece6a48201d7f8824b282eac3458d) --- src/p11_child/p11_child_nss.c | 91 ++++++++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 41 deletions(-) diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c index c676375cf7f6677a1d7f38f09b9bb5fd820d60c5..5f289688e41f4ea610292b907036e05cf95eb29d 100644 --- a/src/p11_child/p11_child_nss.c +++ b/src/p11_child/p11_child_nss.c @@ -75,15 +75,16 @@ static char *get_key_id_str(PK11SlotInfo *slot, CERTCertificate *cert) key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL); if (key_id == NULL) { DEBUG(SSSDBG_OP_FAILURE, - "PK11_GetLowLevelKeyIDForCert failed [%d].\n", - PR_GetError()); + "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return NULL; } key_id_str = CERT_Hexify(key_id, PR_FALSE); SECITEM_FreeItem(key_id, PR_TRUE); if (key_id_str == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d].\n", PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return NULL; } @@ -138,8 +139,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, flags); if (nss_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return EIO; } @@ -232,8 +233,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, if (pin != NULL) { rv = PK11_Authenticate(slot, PR_FALSE, discard_const(pin)); if (rv != SECSuccess) { - DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return EIO; } } else { @@ -246,8 +247,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, cert_list = PK11_ListCertsInSlot(slot); if (cert_list == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return EIO; } @@ -265,31 +266,33 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, rv = CERT_FilterCertListByUsage(cert_list, certUsageSSLClient, PR_FALSE); if (rv != SECSuccess) { - DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return EIO; } rv = CERT_FilterCertListForUserCerts(cert_list); if (rv != SECSuccess) { - DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListForUserCerts failed: [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, + "CERT_FilterCertListForUserCerts failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return EIO; } handle = CERT_GetDefaultCertDB(); if (handle == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return EIO; } if (cert_verify_opts->do_ocsp) { rv = CERT_EnableOCSPChecking(handle); if (rv != SECSuccess) { - DEBUG(SSSDBG_OP_FAILURE, "CERT_EnableOCSPChecking failed: [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, + "CERT_EnableOCSPChecking failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return EIO; } @@ -300,16 +303,16 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, cert_verify_opts->ocsp_default_responder_signing_cert); if (rv != SECSuccess) { DEBUG(SSSDBG_OP_FAILURE, - "CERT_SetOCSPDefaultResponder failed: [%d].\n", - PR_GetError()); + "CERT_SetOCSPDefaultResponder failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return EIO; } rv = CERT_EnableOCSPDefaultResponder(handle); if (rv != SECSuccess) { DEBUG(SSSDBG_OP_FAILURE, - "CERT_EnableOCSPDefaultResponder failed: [%d].\n", - PR_GetError()); + "CERT_EnableOCSPDefaultResponder failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return EIO; } } @@ -318,8 +321,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, found_cert = NULL; valid_certs = CERT_NewCertList(); if (valid_certs == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); ret = ENOMEM; goto done; } @@ -345,9 +348,10 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, NULL, NULL); if (rv != SECSuccess) { DEBUG(SSSDBG_OP_FAILURE, - "Certificate [%s][%s] not valid [%d], skipping.\n", + "Certificate [%s][%s] not valid [%d][%s], skipping.\n", cert_list_node->cert->nickname, - cert_list_node->cert->subjectName, PR_GetError()); + cert_list_node->cert->subjectName, + PR_GetError(), PORT_ErrorToString(PR_GetError())); continue; } } @@ -386,7 +390,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, rv = CERT_AddCertToListTail(valid_certs, cert_list_node->cert); if (rv != SECSuccess) { DEBUG(SSSDBG_OP_FAILURE, - "CERT_AddCertToListTail failed [%d].\n", PR_GetError()); + "CERT_AddCertToListTail failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); ret = EIO; goto done; } @@ -400,8 +405,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, rv = CERT_DisableOCSPDefaultResponder(handle); if (rv != SECSuccess) { DEBUG(SSSDBG_OP_FAILURE, - "CERT_DisableOCSPDefaultResponder failed: [%d].\n", - PR_GetError()); + "CERT_DisableOCSPDefaultResponder failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); } } @@ -433,15 +438,17 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, rv = PK11_GenerateRandom(random_value, sizeof(random_value)); if (rv != SECSuccess) { DEBUG(SSSDBG_OP_FAILURE, - "PK11_GenerateRandom failed [%d].\n", PR_GetError()); + "PK11_GenerateRandom failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); return EIO; } priv_key = PK11_FindPrivateKeyFromCert(slot, found_cert, NULL); if (priv_key == NULL) { DEBUG(SSSDBG_OP_FAILURE, - "PK11_FindPrivateKeyFromCert failed [%d]." \ - "Maybe pin is missing.\n", PR_GetError()); + "PK11_FindPrivateKeyFromCert failed [%d][%s]." + "Maybe pin is missing.\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); ret = EIO; goto done; } @@ -451,8 +458,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, if (algtag == SEC_OID_UNKNOWN) { SECKEY_DestroyPrivateKey(priv_key); DEBUG(SSSDBG_OP_FAILURE, - "SEC_GetSignatureAlgorithmOidTag failed [%d].\n", - PR_GetError()); + "SEC_GetSignatureAlgorithmOidTag failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); ret = EIO; goto done; } @@ -462,8 +469,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, priv_key, algtag); SECKEY_DestroyPrivateKey(priv_key); if (rv != SECSuccess) { - DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); ret = EIO; goto done; } @@ -471,7 +478,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, pub_key = CERT_ExtractPublicKey(found_cert); if (pub_key == NULL) { DEBUG(SSSDBG_OP_FAILURE, - "CERT_ExtractPublicKey failed [%d].\n", PR_GetError()); + "CERT_ExtractPublicKey failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); ret = EIO; goto done; } @@ -481,8 +489,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, NULL); SECKEY_DestroyPublicKey(pub_key); if (rv != SECSuccess) { - DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); ret = EACCES; goto done; } @@ -507,7 +515,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, PORT_Free(key_id_str); key_id_str = get_key_id_str(slot, found_cert); if (key_id_str == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d].\n", PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); ret = ENOMEM; goto done; } @@ -562,8 +571,8 @@ done: rv = NSS_ShutdownContext(nss_ctx); if (rv != SECSuccess) { - DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d].\n", - PR_GetError()); + DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); } return ret; -- 2.13.6