sssd/0048-p11_child-add-descriptions-for-error-codes-to-debug-.patch

From 5b0dacffcf33837390f46b6f25146fd0e3e17f3a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 30 Oct 2017 10:22:33 +0100
Subject: [PATCH 48/79] p11_child: add descriptions for error codes to debug
 messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Additionally to the NSS erro code a text message describing the error is
added. This will help to see why p11_child ignores specific
certificates. For example it would be more obvious why the certificate
is not valid (expired, missing CA cert, failed OCSP etc).

Related to https://pagure.io/SSSD/sssd/issue/3560

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com>
---
 src/p11_child/p11_child_nss.c | 91 ++++++++++++++++++++++++-------------------
 1 file changed, 50 insertions(+), 41 deletions(-)

diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index c676375cf7f6677a1d7f38f09b9bb5fd820d60c5..5f289688e41f4ea610292b907036e05cf95eb29d 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -75,15 +75,16 @@ static char *get_key_id_str(PK11SlotInfo *slot, CERTCertificate *cert)
     key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL);
     if (key_id == NULL) {
         DEBUG(SSSDBG_OP_FAILURE,
-              "PK11_GetLowLevelKeyIDForCert failed [%d].\n",
-              PR_GetError());
+              "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n",
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
         return NULL;
     }
 
     key_id_str = CERT_Hexify(key_id, PR_FALSE);
     SECITEM_FreeItem(key_id, PR_TRUE);
     if (key_id_str == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d].\n", PR_GetError());
+        DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d][%s].\n",
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
         return NULL;
     }
 
@@ -138,8 +139,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
 
     nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters, flags);
     if (nss_ctx == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d].\n",
-                                 PR_GetError());
+        DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
         return EIO;
     }
 
@@ -232,8 +233,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
         if (pin != NULL) {
             rv = PK11_Authenticate(slot, PR_FALSE, discard_const(pin));
             if (rv !=  SECSuccess) {
-                DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d].\n",
-                                         PR_GetError());
+                DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d][%s].\n",
+                      PR_GetError(), PORT_ErrorToString(PR_GetError()));
                 return EIO;
             }
         } else {
@@ -246,8 +247,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
 
     cert_list = PK11_ListCertsInSlot(slot);
     if (cert_list == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d].\n",
-                                 PR_GetError());
+        DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d][%s].\n",
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
         return EIO;
     }
 
@@ -265,31 +266,33 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
 
     rv = CERT_FilterCertListByUsage(cert_list, certUsageSSLClient, PR_FALSE);
     if (rv != SECSuccess) {
-        DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d].\n",
-                                 PR_GetError());
+        DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d][%s].\n",
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
         return EIO;
     }
 
     rv = CERT_FilterCertListForUserCerts(cert_list);
     if (rv != SECSuccess) {
-        DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListForUserCerts failed: [%d].\n",
-                                 PR_GetError());
+        DEBUG(SSSDBG_OP_FAILURE,
+              "CERT_FilterCertListForUserCerts failed: [%d][%s].\n",
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
         return EIO;
     }
 
 
     handle = CERT_GetDefaultCertDB();
     if (handle == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d].\n",
-                                 PR_GetError());
+        DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d][%s].\n",
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
         return EIO;
     }
 
     if (cert_verify_opts->do_ocsp) {
         rv = CERT_EnableOCSPChecking(handle);
         if (rv != SECSuccess) {
-            DEBUG(SSSDBG_OP_FAILURE, "CERT_EnableOCSPChecking failed: [%d].\n",
-                                     PR_GetError());
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "CERT_EnableOCSPChecking failed: [%d][%s].\n",
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
             return EIO;
         }
 
@@ -300,16 +303,16 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
                          cert_verify_opts->ocsp_default_responder_signing_cert);
             if (rv != SECSuccess) {
                 DEBUG(SSSDBG_OP_FAILURE,
-                      "CERT_SetOCSPDefaultResponder failed: [%d].\n",
-                      PR_GetError());
+                      "CERT_SetOCSPDefaultResponder failed: [%d][%s].\n",
+                      PR_GetError(), PORT_ErrorToString(PR_GetError()));
                 return EIO;
             }
 
             rv = CERT_EnableOCSPDefaultResponder(handle);
             if (rv != SECSuccess) {
                 DEBUG(SSSDBG_OP_FAILURE,
-                      "CERT_EnableOCSPDefaultResponder failed: [%d].\n",
-                      PR_GetError());
+                      "CERT_EnableOCSPDefaultResponder failed: [%d][%s].\n",
+                      PR_GetError(), PORT_ErrorToString(PR_GetError()));
                 return EIO;
             }
         }
@@ -318,8 +321,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
     found_cert = NULL;
     valid_certs = CERT_NewCertList();
     if (valid_certs == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d].\n",
-                                 PR_GetError());
+        DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d][%s].\n",
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
         ret = ENOMEM;
         goto done;
     }
@@ -345,9 +348,10 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
                                            NULL, NULL);
             if (rv != SECSuccess) {
                 DEBUG(SSSDBG_OP_FAILURE,
-                      "Certificate [%s][%s] not valid [%d], skipping.\n",
+                      "Certificate [%s][%s] not valid [%d][%s], skipping.\n",
                       cert_list_node->cert->nickname,
-                      cert_list_node->cert->subjectName, PR_GetError());
+                      cert_list_node->cert->subjectName,
+                      PR_GetError(), PORT_ErrorToString(PR_GetError()));
                 continue;
             }
         }
@@ -386,7 +390,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
             rv = CERT_AddCertToListTail(valid_certs, cert_list_node->cert);
             if (rv != SECSuccess) {
                 DEBUG(SSSDBG_OP_FAILURE,
-                      "CERT_AddCertToListTail failed [%d].\n", PR_GetError());
+                      "CERT_AddCertToListTail failed [%d][%s].\n",
+                      PR_GetError(), PORT_ErrorToString(PR_GetError()));
                 ret = EIO;
                 goto done;
             }
@@ -400,8 +405,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
         rv = CERT_DisableOCSPDefaultResponder(handle);
         if (rv != SECSuccess) {
             DEBUG(SSSDBG_OP_FAILURE,
-                  "CERT_DisableOCSPDefaultResponder failed: [%d].\n",
-                  PR_GetError());
+                  "CERT_DisableOCSPDefaultResponder failed: [%d][%s].\n",
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
         }
     }
 
@@ -433,15 +438,17 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
         rv = PK11_GenerateRandom(random_value, sizeof(random_value));
         if (rv != SECSuccess) {
             DEBUG(SSSDBG_OP_FAILURE,
-                  "PK11_GenerateRandom failed [%d].\n", PR_GetError());
+                  "PK11_GenerateRandom failed [%d][%s].\n",
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
             return EIO;
         }
 
         priv_key = PK11_FindPrivateKeyFromCert(slot, found_cert, NULL);
         if (priv_key == NULL) {
             DEBUG(SSSDBG_OP_FAILURE,
-                  "PK11_FindPrivateKeyFromCert failed [%d]." \
-                  "Maybe pin is missing.\n", PR_GetError());
+                  "PK11_FindPrivateKeyFromCert failed [%d][%s]."
+                  "Maybe pin is missing.\n",
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
             ret = EIO;
             goto done;
         }
@@ -451,8 +458,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
         if (algtag == SEC_OID_UNKNOWN) {
             SECKEY_DestroyPrivateKey(priv_key);
             DEBUG(SSSDBG_OP_FAILURE,
-                  "SEC_GetSignatureAlgorithmOidTag failed [%d].\n",
-                  PR_GetError());
+                  "SEC_GetSignatureAlgorithmOidTag failed [%d][%s].\n",
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
             ret = EIO;
             goto done;
         }
@@ -462,8 +469,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
                           priv_key, algtag);
         SECKEY_DestroyPrivateKey(priv_key);
         if (rv != SECSuccess) {
-            DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d].\n",
-                                     PR_GetError());
+            DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d][%s].\n",
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
             ret = EIO;
             goto done;
         }
@@ -471,7 +478,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
         pub_key = CERT_ExtractPublicKey(found_cert);
         if (pub_key == NULL) {
             DEBUG(SSSDBG_OP_FAILURE,
-                  "CERT_ExtractPublicKey failed [%d].\n", PR_GetError());
+                  "CERT_ExtractPublicKey failed [%d][%s].\n",
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
             ret = EIO;
             goto done;
         }
@@ -481,8 +489,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
                             NULL);
         SECKEY_DestroyPublicKey(pub_key);
         if (rv != SECSuccess) {
-            DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d].\n",
-                                     PR_GetError());
+            DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d][%s].\n",
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
             ret = EACCES;
             goto done;
         }
@@ -507,7 +515,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
         PORT_Free(key_id_str);
         key_id_str = get_key_id_str(slot, found_cert);
         if (key_id_str == NULL) {
-            DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d].\n", PR_GetError());
+            DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d][%s].\n",
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
             ret = ENOMEM;
             goto done;
         }
@@ -562,8 +571,8 @@ done:
 
     rv = NSS_ShutdownContext(nss_ctx);
     if (rv != SECSuccess) {
-        DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d].\n",
-                                 PR_GetError());
+        DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n",
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
     }
 
     return ret;
-- 
2.15.1
Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530 Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system Backport few upstream features from 1.16.1 2017-12-04 20:33:29 +00:00			`From 5b0dacffcf33837390f46b6f25146fd0e3e17f3a Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Mon, 30 Oct 2017 10:22:33 +0100`
			`Subject: [PATCH 48/79] p11_child: add descriptions for error codes to debug`
			`messages`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Additionally to the NSS erro code a text message describing the error is`
			`added. This will help to see why p11_child ignores specific`
			`certificates. For example it would be more obvious why the certificate`
			`is not valid (expired, missing CA cert, failed OCSP etc).`

			`Related to https://pagure.io/SSSD/sssd/issue/3560`

			`Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>`
			`Tested-by: Scott Poore <spoore@redhat.com>`
			`---`
			`src/p11_child/p11_child_nss.c \| 91 ++++++++++++++++++++++++-------------------`
			`1 file changed, 50 insertions(+), 41 deletions(-)`

			`diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c`
			`index c676375cf7f6677a1d7f38f09b9bb5fd820d60c5..5f289688e41f4ea610292b907036e05cf95eb29d 100644`
			`--- a/src/p11_child/p11_child_nss.c`
			`+++ b/src/p11_child/p11_child_nss.c`
			`@@ -75,15 +75,16 @@ static char get_key_id_str(PK11SlotInfo slot, CERTCertificate *cert)`
			`key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL);`
			`if (key_id == NULL) {`
			`DEBUG(SSSDBG_OP_FAILURE,`
			`- "PK11_GetLowLevelKeyIDForCert failed [%d].\n",`
			`- PR_GetError());`
			`+ "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return NULL;`
			`}`

			`key_id_str = CERT_Hexify(key_id, PR_FALSE);`
			`SECITEM_FreeItem(key_id, PR_TRUE);`
			`if (key_id_str == NULL) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d].\n", PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return NULL;`
			`}`

			`@@ -138,8 +139,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`

			`nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters, flags);`
			`if (nss_ctx == NULL) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return EIO;`
			`}`

			`@@ -232,8 +233,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`if (pin != NULL) {`
			`rv = PK11_Authenticate(slot, PR_FALSE, discard_const(pin));`
			`if (rv != SECSuccess) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return EIO;`
			`}`
			`} else {`
			`@@ -246,8 +247,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`

			`cert_list = PK11_ListCertsInSlot(slot);`
			`if (cert_list == NULL) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return EIO;`
			`}`

			`@@ -265,31 +266,33 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`

			`rv = CERT_FilterCertListByUsage(cert_list, certUsageSSLClient, PR_FALSE);`
			`if (rv != SECSuccess) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return EIO;`
			`}`

			`rv = CERT_FilterCertListForUserCerts(cert_list);`
			`if (rv != SECSuccess) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListForUserCerts failed: [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE,`
			`+ "CERT_FilterCertListForUserCerts failed: [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return EIO;`
			`}`


			`handle = CERT_GetDefaultCertDB();`
			`if (handle == NULL) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return EIO;`
			`}`

			`if (cert_verify_opts->do_ocsp) {`
			`rv = CERT_EnableOCSPChecking(handle);`
			`if (rv != SECSuccess) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "CERT_EnableOCSPChecking failed: [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE,`
			`+ "CERT_EnableOCSPChecking failed: [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return EIO;`
			`}`

			`@@ -300,16 +303,16 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`cert_verify_opts->ocsp_default_responder_signing_cert);`
			`if (rv != SECSuccess) {`
			`DEBUG(SSSDBG_OP_FAILURE,`
			`- "CERT_SetOCSPDefaultResponder failed: [%d].\n",`
			`- PR_GetError());`
			`+ "CERT_SetOCSPDefaultResponder failed: [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return EIO;`
			`}`

			`rv = CERT_EnableOCSPDefaultResponder(handle);`
			`if (rv != SECSuccess) {`
			`DEBUG(SSSDBG_OP_FAILURE,`
			`- "CERT_EnableOCSPDefaultResponder failed: [%d].\n",`
			`- PR_GetError());`
			`+ "CERT_EnableOCSPDefaultResponder failed: [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return EIO;`
			`}`
			`}`
			`@@ -318,8 +321,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`found_cert = NULL;`
			`valid_certs = CERT_NewCertList();`
			`if (valid_certs == NULL) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`ret = ENOMEM;`
			`goto done;`
			`}`
			`@@ -345,9 +348,10 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`NULL, NULL);`
			`if (rv != SECSuccess) {`
			`DEBUG(SSSDBG_OP_FAILURE,`
			`- "Certificate [%s][%s] not valid [%d], skipping.\n",`
			`+ "Certificate [%s][%s] not valid [%d][%s], skipping.\n",`
			`cert_list_node->cert->nickname,`
			`- cert_list_node->cert->subjectName, PR_GetError());`
			`+ cert_list_node->cert->subjectName,`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`continue;`
			`}`
			`}`
			`@@ -386,7 +390,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`rv = CERT_AddCertToListTail(valid_certs, cert_list_node->cert);`
			`if (rv != SECSuccess) {`
			`DEBUG(SSSDBG_OP_FAILURE,`
			`- "CERT_AddCertToListTail failed [%d].\n", PR_GetError());`
			`+ "CERT_AddCertToListTail failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`ret = EIO;`
			`goto done;`
			`}`
			`@@ -400,8 +405,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`rv = CERT_DisableOCSPDefaultResponder(handle);`
			`if (rv != SECSuccess) {`
			`DEBUG(SSSDBG_OP_FAILURE,`
			`- "CERT_DisableOCSPDefaultResponder failed: [%d].\n",`
			`- PR_GetError());`
			`+ "CERT_DisableOCSPDefaultResponder failed: [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`}`
			`}`

			`@@ -433,15 +438,17 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`rv = PK11_GenerateRandom(random_value, sizeof(random_value));`
			`if (rv != SECSuccess) {`
			`DEBUG(SSSDBG_OP_FAILURE,`
			`- "PK11_GenerateRandom failed [%d].\n", PR_GetError());`
			`+ "PK11_GenerateRandom failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`return EIO;`
			`}`

			`priv_key = PK11_FindPrivateKeyFromCert(slot, found_cert, NULL);`
			`if (priv_key == NULL) {`
			`DEBUG(SSSDBG_OP_FAILURE,`
			`- "PK11_FindPrivateKeyFromCert failed [%d]." \`
			`- "Maybe pin is missing.\n", PR_GetError());`
			`+ "PK11_FindPrivateKeyFromCert failed [%d][%s]."`
			`+ "Maybe pin is missing.\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`ret = EIO;`
			`goto done;`
			`}`
			`@@ -451,8 +458,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`if (algtag == SEC_OID_UNKNOWN) {`
			`SECKEY_DestroyPrivateKey(priv_key);`
			`DEBUG(SSSDBG_OP_FAILURE,`
			`- "SEC_GetSignatureAlgorithmOidTag failed [%d].\n",`
			`- PR_GetError());`
			`+ "SEC_GetSignatureAlgorithmOidTag failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`ret = EIO;`
			`goto done;`
			`}`
			`@@ -462,8 +469,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`priv_key, algtag);`
			`SECKEY_DestroyPrivateKey(priv_key);`
			`if (rv != SECSuccess) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`ret = EIO;`
			`goto done;`
			`}`
			`@@ -471,7 +478,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`pub_key = CERT_ExtractPublicKey(found_cert);`
			`if (pub_key == NULL) {`
			`DEBUG(SSSDBG_OP_FAILURE,`
			`- "CERT_ExtractPublicKey failed [%d].\n", PR_GetError());`
			`+ "CERT_ExtractPublicKey failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`ret = EIO;`
			`goto done;`
			`}`
			`@@ -481,8 +489,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`NULL);`
			`SECKEY_DestroyPublicKey(pub_key);`
			`if (rv != SECSuccess) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`ret = EACCES;`
			`goto done;`
			`}`
			`@@ -507,7 +515,8 @@ int do_work(TALLOC_CTX mem_ctx, const char nss_db,`
			`PORT_Free(key_id_str);`
			`key_id_str = get_key_id_str(slot, found_cert);`
			`if (key_id_str == NULL) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d].\n", PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`ret = ENOMEM;`
			`goto done;`
			`}`
			`@@ -562,8 +571,8 @@ done:`

			`rv = NSS_ShutdownContext(nss_ctx);`
			`if (rv != SECSuccess) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d].\n",`
			`- PR_GetError());`
			`+ DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n",`
			`+ PR_GetError(), PORT_ErrorToString(PR_GetError()));`
			`}`

			`return ret;`
			`--`
			`2.15.1`