[39319] in Kerberos
Re: Using PKINIT with ECC
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Mon Nov 20 14:10:00 2023
Message-ID: <202311201909.3AKJ96j2009434@hedwig.cmf.nrl.navy.mil>
To: kerberos@mit.edu
In-Reply-To: <51e3d01f-4c52-490b-a0c0-f1ebbbe436e3@mit.edu>
MIME-Version: 1.0
Date: Mon, 20 Nov 2023 14:09:07 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>I would be happy to have more trace logging to diagnose PKINIT errors,
>but converting every pkiDebug() call probably wouldn't meet the criteria
>for good trace logging. We've already made a few passes in this area,
>most recently one from you which went into release 1.20 (commit
>34625d594c339a077899fa01fc4b5c331a1647d0).
I guess what I was thinking was maybe not EVERY pkiDebug() call, but
more all of the ones that report errors. E.g.:
>     if ((r = id_cryptoctx->p11->C_SignInit(id_cryptoctx->session, &mech,
>                                            obj)) != CKR_OK) {
>         pkiDebug("C_SignInit: %s\n", pkcs11err(r));
>         return KRB5KDC_ERR_PREAUTH_FAILED;
>     }
There are others than the PKCS#11 calls, of course. I guess what I'd like
(if possible) is that any time the plugin returns PREAUTH_FAILED, the
debug trace explains why.
--Ken
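As an added illustration of the pattern Ken is asking for (every PREAUTH_FAILED return path records the underlying reason in the trace), here is a small stand-alone C example. It is not code from krb5 or from this thread: the PKCS#11 and krb5 names are constructed stand-ins (a simulated C_SignInit, a hypothetical pkinit_trace() sink and fail_with_trace() helper, and a PREAUTH_FAILED constant using the RFC 4120 protocol error number rather than the library's krb5_error_code value), and the real plugin would use the library's own TRACE facility instead of a string buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the PKCS#11 and krb5 values the thread mentions.
   The CKR_* numbers are the standard PKCS#11 values; the error code is the
   RFC 4120 protocol number (24), not krb5's internal krb5_error_code. */
typedef unsigned long CK_RV;
#define CKR_OK                 0x00UL
#define CKR_DEVICE_ERROR       0x30UL
#define CKR_KEY_HANDLE_INVALID 0x60UL
#define CKR_PIN_INCORRECT      0xA0UL
#define KDC_ERR_PREAUTH_FAILED 24   /* hypothetical stand-in for KRB5KDC_ERR_PREAUTH_FAILED */

/* Hypothetical trace sink: keeps the last line so a caller (or a test) can
   verify that a failure left an explanation behind. */
static char last_trace[256];

static void pkinit_trace(const char *where, const char *reason) {
    snprintf(last_trace, sizeof last_trace, "PKINIT %s failed: %s", where, reason);
    fprintf(stderr, "%s\n", last_trace);
}

/* Map a PKCS#11 return value to a readable name (subset, for the example). */
const char *pkcs11err(CK_RV r) {
    switch (r) {
    case CKR_OK:                 return "CKR_OK";
    case CKR_DEVICE_ERROR:       return "CKR_DEVICE_ERROR";
    case CKR_KEY_HANDLE_INVALID: return "CKR_KEY_HANDLE_INVALID";
    case CKR_PIN_INCORRECT:      return "CKR_PIN_INCORRECT";
    default:                     return "unrecognized CKR value";
    }
}

/* The single exit path for PKCS#11 failures: a PREAUTH_FAILED return can only
   be produced through here, so the trace always says why. */
static int fail_with_trace(const char *where, CK_RV r) {
    pkinit_trace(where, pkcs11err(r));
    return KDC_ERR_PREAUTH_FAILED;
}

/* Simulated C_SignInit: returns whatever result the caller scripts, standing
   in for a real token that might reject the PIN or the key handle. */
static CK_RV fake_C_SignInit(CK_RV scripted_result) {
    return scripted_result;
}

/* Mirrors the quoted snippet, but routes the failure through fail_with_trace. */
int pkinit_sign_init(CK_RV scripted_result) {
    CK_RV r;

    last_trace[0] = '\0';
    if ((r = fake_C_SignInit(scripted_result)) != CKR_OK)
        return fail_with_trace("C_SignInit", r);
    return 0;
}

/* Accessor so callers can read what the last failure recorded. */
const char *pkinit_last_trace(void) {
    return last_trace;
}

int main(void) {
    int rc = pkinit_sign_init(CKR_PIN_INCORRECT);
    printf("return code %d, trace: \"%s\"\n", rc, pkinit_last_trace());
    return 0;
}
```

The point of the helper is structural: if the only way to produce PREAUTH_FAILED is through a function that traces first, no error path can be silent, which is the property the message asks for without touching every pkiDebug() call individually.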
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos