Add additional KRB5_TRACE points

Add additional tracing points to the PKINIT plugin for use with the
KRB5_TRACE facility, replacing many (but not all) of the existing
pkiDebug() trace points.

Fix a memory leak of an errinfo structure when loading a PKCS11 module
fails.

Rename pkinit_pkcs11_code_to_text() to pkcs11err() for brevity, and
modify it for thread safety.

[ghudson@mit.edu: added certificate index to regexp match trace
points; renamed various identifiers; edited commit message]

ticket: 8999 (new)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 2639104802964882a17ca6df5f92558506cdb63b..2f2dec599ddb6d07351483b2623b7e66651d788e 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -32,6 +32,7 @@
 #include "k5-int.h"
 #include "pkinit_crypto_openssl.h"
 #include "k5-buf.h"
+#include "k5-err.h"
 #include "k5-hex.h"
 #include <unistd.h>
 #include <dirent.h>
@@ -101,8 +102,6 @@ static krb5_error_code pkinit_login
  CK_TOKEN_INFO *tip, const char *password);
 static krb5_error_code pkinit_open_session
 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx);
-static struct plugin_file_handle *pkinit_C_LoadModule
-(const char *modname, CK_FUNCTION_LIST_PTR_PTR p11p);
 #ifdef SILLYDECRYPT
 CK_RV pkinit_C_Decrypt
 (pkinit_identity_crypto_context id_cryptoctx,
@@ -143,8 +142,8 @@ static int
 wrap_signeddata(unsigned char *data, unsigned int data_len,
                 unsigned char **out, unsigned int *out_len);
 
-static char *
-pkinit_pkcs11_code_to_text(int err);
+static const char *
+pkcs11err(int err);
 
 
 #ifdef HAVE_OPENSSL_CMS
@@ -1195,11 +1194,10 @@ cms_signeddata_create(krb5_context context,
             }
             certstack = X509_STORE_CTX_get1_chain(certctx);
             size = sk_X509_num(certstack);
-            pkiDebug("size of certificate chain = %d\n", size);
             for(i = 0; i < size - 1; i++) {
                 X509 *x = sk_X509_value(certstack, i);
                 X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf));
-                pkiDebug("cert #%d: %s\n", i, buf);
+                TRACE_PKINIT_CERT_CHAIN_NAME(context, (int)i, buf);
                 sk_X509_push(cert_stack, X509_dup(x));
             }
             X509_STORE_CTX_free(certctx);
@@ -1988,21 +1986,17 @@ crypto_retrieve_X509_sans(krb5_context context,
 
     X509_NAME_oneline(X509_get_subject_name(cert),
                       buf, sizeof(buf));
-    pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
 
     l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
     if (l < 0)
         return 0;
 
     if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
-        pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
+        TRACE_PKINIT_SAN_CERT_NONE(context, buf);
         goto cleanup;
     }
     num_sans = sk_GENERAL_NAME_num(ialt);
 
-    pkiDebug("%s: found %d subject alt name extension(s)\n", __FUNCTION__,
-             num_sans);
-
     /* OK, we're likely returning something. Allocate return values */
     if (princs_ret != NULL) {
         princs = calloc(num_sans + 1, sizeof(krb5_principal));
@@ -2089,6 +2083,8 @@ crypto_retrieve_X509_sans(krb5_context context,
     }
     sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
 
+    TRACE_PKINIT_SAN_CERT_COUNT(context, (int)num_sans, p, u, d, buf);
+
     retval = 0;
     if (princs != NULL && *princs != NULL) {
         *princs_ret = princs;
@@ -3547,34 +3543,47 @@ prepare_enc_data(const uint8_t *indata, int indata_len, uint8_t **outdata,
 
 #ifndef WITHOUT_PKCS11
 static struct plugin_file_handle *
-pkinit_C_LoadModule(const char *modname, CK_FUNCTION_LIST_PTR_PTR p11p)
+load_pkcs11_module(krb5_context context, const char *modname,
+                   CK_FUNCTION_LIST_PTR_PTR p11p)
 {
-    struct plugin_file_handle *handle;
+    struct plugin_file_handle *handle = NULL;
     CK_RV (*getflist)(CK_FUNCTION_LIST_PTR_PTR);
     struct errinfo einfo = EMPTY_ERRINFO;
+    const char *errmsg = NULL;
     void (*sym)();
     long err;
     CK_RV rv;
 
-    pkiDebug("loading module \"%s\"... ", modname);
-    if (krb5int_open_plugin(modname, &handle, &einfo) != 0) {
-        pkiDebug("not found\n");
-        return NULL;
+    TRACE_PKINIT_PKCS11_OPEN(context, modname);
+    err = krb5int_open_plugin(modname, &handle, &einfo);
+    if (err) {
+        errmsg = k5_get_error(&einfo, err);
+        TRACE_PKINIT_PKCS11_OPEN_FAILED(context, errmsg);
+        goto error;
     }
 
     err = krb5int_get_plugin_func(handle, "C_GetFunctionList", &sym, &einfo);
-    k5_clear_error(&einfo);
-    if (!err) {
-        getflist = (CK_RV (*)())sym;
-        rv = (*getflist)(p11p);
+    if (err) {
+        errmsg = k5_get_error(&einfo, err);
+        TRACE_PKINIT_PKCS11_GETSYM_FAILED(context, errmsg);
+        goto error;
     }
-    if (err || rv != CKR_OK) {
-        krb5int_close_plugin(handle);
-        pkiDebug("failed\n");
-        return NULL;
+
+    getflist = (CK_RV (*)())sym;
+    rv = (*getflist)(p11p);
+    if (rv != CKR_OK) {
+        TRACE_PKINIT_PKCS11_GETFLIST_FAILED(context, pkcs11err(rv));
+        goto error;
     }
-    pkiDebug("ok\n");
+
     return handle;
+
+error:
+    k5_free_error(&einfo, errmsg);
+    k5_clear_error(&einfo);
+    if (handle != NULL)
+        krb5int_close_plugin(handle);
+    return NULL;
 }
 
 static krb5_error_code
@@ -3631,7 +3640,7 @@ pkinit_login(krb5_context context,
                                        (u_char *) rdat.data, rdat.length);
 
         if (r != CKR_OK) {
-            pkiDebug("C_Login: %s\n", pkinit_pkcs11_code_to_text(r));
+            TRACE_PKINIT_PKCS11_LOGIN_FAILED(context, pkcs11err(r));
             r = KRB5KDC_ERR_PREAUTH_FAILED;
         }
     }
@@ -3657,22 +3666,24 @@ pkinit_open_session(krb5_context context,
         return 0; /* session already open */
 
     /* Load module */
-    cctx->p11_module =
-        pkinit_C_LoadModule(cctx->p11_module_name, &cctx->p11);
+    cctx->p11_module = load_pkcs11_module(context, cctx->p11_module_name,
+                                          &cctx->p11);
     if (cctx->p11_module == NULL)
         return KRB5KDC_ERR_PREAUTH_FAILED;
 
     /* Init */
     if ((r = cctx->p11->C_Initialize(NULL)) != CKR_OK) {
-        pkiDebug("C_Initialize: %s\n", pkinit_pkcs11_code_to_text(r));
+        pkiDebug("C_Initialize: %s\n", pkcs11err(r));
         return KRB5KDC_ERR_PREAUTH_FAILED;
     }
 
     /* Get the list of available slots */
     if (cctx->p11->C_GetSlotList(TRUE, NULL, &count) != CKR_OK)
         return KRB5KDC_ERR_PREAUTH_FAILED;
-    if (count == 0)
+    if (count == 0) {
+        TRACE_PKINIT_PKCS11_NO_TOKEN(context);
         return KRB5KDC_ERR_PREAUTH_FAILED;
+    }
     slotlist = calloc(count, sizeof(CK_SLOT_ID));
     if (slotlist == NULL)
         return ENOMEM;
@@ -3688,13 +3699,13 @@ pkinit_open_session(krb5_context context,
         /* Open session */
         if ((r = cctx->p11->C_OpenSession(slotlist[i], CKF_SERIAL_SESSION,
                                           NULL, NULL, &cctx->session)) != CKR_OK) {
-            pkiDebug("C_OpenSession: %s\n", pkinit_pkcs11_code_to_text(r));
+            pkiDebug("C_OpenSession: %s\n", pkcs11err(r));
             return KRB5KDC_ERR_PREAUTH_FAILED;
         }
 
         /* Get token info */
         if ((r = cctx->p11->C_GetTokenInfo(slotlist[i], &tinfo)) != CKR_OK) {
-            pkiDebug("C_GetTokenInfo: %s\n", pkinit_pkcs11_code_to_text(r));
+            pkiDebug("C_GetTokenInfo: %s\n", pkcs11err(r));
             return KRB5KDC_ERR_PREAUTH_FAILED;
         }
 
@@ -3706,8 +3717,8 @@ pkinit_open_session(krb5_context context,
         }
         label_len = cp - tinfo.label;
 
-        pkiDebug("open_session: slotid %d token \"%.*s\"\n",
-                 (int)slotlist[i], (int)label_len, tinfo.label);
+        TRACE_PKINIT_PKCS11_SLOT(context, (int)slotlist[i], (int)label_len,
+                                 tinfo.label);
         if (cctx->token_label == NULL ||
             (strlen(cctx->token_label) == label_len &&
              memcmp(cctx->token_label, tinfo.label, label_len) == 0))
@@ -3716,7 +3727,7 @@ pkinit_open_session(krb5_context context,
     }
     if (i >= count) {
         free(slotlist);
-        pkiDebug("open_session: no matching token found\n");
+        TRACE_PKINIT_PKCS11_NO_MATCH_TOKEN(context);
         return KRB5KDC_ERR_PREAUTH_FAILED;
     }
     cctx->slotid = slotlist[i];
@@ -3825,13 +3836,13 @@ pkinit_find_private_key(pkinit_identity_crypto_context id_cryptoctx,
     r = id_cryptoctx->p11->C_FindObjectsInit(id_cryptoctx->session, attrs, nattrs);
     if (r != CKR_OK) {
         pkiDebug("krb5_pkinit_sign_data: C_FindObjectsInit: %s\n",
-                 pkinit_pkcs11_code_to_text(r));
+                 pkcs11err(r));
         return KRB5KDC_ERR_PREAUTH_FAILED;
     }
 
     r = id_cryptoctx->p11->C_FindObjects(id_cryptoctx->session, objp, 1, &count);
     id_cryptoctx->p11->C_FindObjectsFinal(id_cryptoctx->session);
-    pkiDebug("found %d private keys (%s)\n", (int) count, pkinit_pkcs11_code_to_text(r));
+    pkiDebug("found %d private keys (%s)\n", (int)count, pkcs11err(r));
     if (r != CKR_OK || count < 1)
         return KRB5KDC_ERR_PREAUTH_FAILED;
     return 0;
@@ -3944,7 +3955,7 @@ pkinit_decode_data_pkcs11(krb5_context context,
     r = pkinit_C_Decrypt(id_cryptoctx, (CK_BYTE_PTR) data, (CK_ULONG) data_len,
                          cp, &len);
     if (r != CKR_OK) {
-        pkiDebug("C_Decrypt: %s\n", pkinit_pkcs11_code_to_text(r));
+        pkiDebug("C_Decrypt: %s\n", pkcs11err(r));
         if (r == CKR_BUFFER_TOO_SMALL)
             pkiDebug("decrypt %d needs %d\n", (int) data_len, (int) len);
         return KRB5KDC_ERR_PREAUTH_FAILED;
@@ -4024,7 +4035,7 @@ pkinit_sign_data_pkcs11(krb5_context context,
 
     if ((r = id_cryptoctx->p11->C_SignInit(id_cryptoctx->session, &mech,
                                            obj)) != CKR_OK) {
-        pkiDebug("C_SignInit: %s\n", pkinit_pkcs11_code_to_text(r));
+        pkiDebug("C_SignInit: %s\n", pkcs11err(r));
         return KRB5KDC_ERR_PREAUTH_FAILED;
     }
 
@@ -4047,7 +4058,7 @@ pkinit_sign_data_pkcs11(krb5_context context,
                                       (CK_ULONG) data_len, cp, &len);
     }
     if (r != CKR_OK) {
-        pkiDebug("C_Sign: %s\n", pkinit_pkcs11_code_to_text(r));
+        pkiDebug("C_Sign: %s\n", pkcs11err(r));
         return KRB5KDC_ERR_PREAUTH_FAILED;
     }
     pkiDebug("sign %d -> %d\n", (int) data_len, (int) len);
@@ -4578,7 +4589,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
 #else
     if ((r = id_cryptoctx->p11->C_GetMechanismList(id_cryptoctx->slotid, NULL,
                                                    &count)) != CKR_OK || count <= 0) {
-        pkiDebug("C_GetMechanismList: %s\n", pkinit_pkcs11_code_to_text(r));
+        pkiDebug("C_GetMechanismList: %s\n", pkcs11err(r));
         return KRB5KDC_ERR_PREAUTH_FAILED;
     }
     mechp = malloc(count * sizeof (CK_MECHANISM_TYPE));
@@ -4635,7 +4646,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
 
     r = id_cryptoctx->p11->C_FindObjectsInit(id_cryptoctx->session, attrs, nattrs);
     if (r != CKR_OK) {
-        pkiDebug("C_FindObjectsInit: %s\n", pkinit_pkcs11_code_to_text(r));
+        pkiDebug("C_FindObjectsInit: %s\n", pkcs11err(r));
         return KRB5KDC_ERR_PREAUTH_FAILED;
     }
 
@@ -4661,7 +4672,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
 
         if ((r = id_cryptoctx->p11->C_GetAttributeValue(id_cryptoctx->session,
                                                         obj, attrs, 2)) != CKR_OK && r != CKR_BUFFER_TOO_SMALL) {
-            pkiDebug("C_GetAttributeValue: %s\n", pkinit_pkcs11_code_to_text(r));
+            pkiDebug("C_GetAttributeValue: %s\n", pkcs11err(r));
             return KRB5KDC_ERR_PREAUTH_FAILED;
         }
         cert = (CK_BYTE_PTR) malloc((size_t) attrs[0].ulValueLen + 1);
@@ -4679,7 +4690,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
 
         if ((r = id_cryptoctx->p11->C_GetAttributeValue(id_cryptoctx->session,
                                                         obj, attrs, 2)) != CKR_OK) {
-            pkiDebug("C_GetAttributeValue: %s\n", pkinit_pkcs11_code_to_text(r));
+            pkiDebug("C_GetAttributeValue: %s\n", pkcs11err(r));
             return KRB5KDC_ERR_PREAUTH_FAILED;
         }
 
@@ -5348,12 +5359,12 @@ crypto_load_cas_and_crls(krb5_context context,
 {
     switch (idtype) {
     case IDTYPE_FILE:
-        TRACE_PKINIT_LOAD_FROM_FILE(context);
+        TRACE_PKINIT_LOAD_FROM_FILE(context, id);
         return load_cas_and_crls(context, plg_cryptoctx, req_cryptoctx,
                                  id_cryptoctx, catype, id);
         break;
     case IDTYPE_DIR:
-        TRACE_PKINIT_LOAD_FROM_DIR(context);
+        TRACE_PKINIT_LOAD_FROM_DIR(context, id);
         return load_cas_and_crls_dir(context, plg_cryptoctx, req_cryptoctx,
                                      id_cryptoctx, catype, id);
         break;
@@ -5784,19 +5795,18 @@ print_pubkey(BIGNUM * key, char *msg)
 }
 #endif
 
-static char *
-pkinit_pkcs11_code_to_text(int err)
+static const char *
+pkcs11err(int err)
 {
     int i;
-    static char uc[32];
 
     for (i = 0; pkcs11_errstrings[i].text != NULL; i++)
         if (pkcs11_errstrings[i].code == err)
             break;
     if (pkcs11_errstrings[i].text != NULL)
         return (pkcs11_errstrings[i].text);
-    snprintf(uc, sizeof(uc), _("unknown code 0x%x"), err);
-    return (uc);
+
+    return "unknown PKCS11 error";
 }
 
 /*

diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 62b2cf7a1147f539b0ea4e02dab78e7d56eb4a38..3c1778a3b975cd673a48a65e8ebb010b9575f750 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -387,8 +387,7 @@ process_option_identity(krb5_context context,
     int idtype;
     krb5_error_code retval = 0;
 
-    pkiDebug("%s: processing value '%s'\n",
-             __FUNCTION__, value ? value : "NULL");
+    TRACE_PKINIT_IDENTITY_OPTION(context, value);
     if (value == NULL)
         return EINVAL;
 

diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
index b042c74d34323c3a674c5bfd6958aae40f5f474d..b42485a50a79b40c804bfe36804aef4725122011 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
@@ -448,25 +448,26 @@ cleanup:
 }
 
 static int
-regexp_match(krb5_context context, rule_component *rc, char *value)
+regexp_match(krb5_context context, rule_component *rc, char *value, int idx)
 {
     int code;
 
-    pkiDebug("%s: checking %s rule '%s' with value '%s'\n",
-             __FUNCTION__, keyword2string(rc->kw_type), rc->regsrc, value);
-
     code = regexec(&rc->regexp, value, 0, NULL, 0);
 
-    pkiDebug("%s: the result is%s a match\n", __FUNCTION__,
-             code == REG_NOMATCH ? " NOT" : "");
+    if (code == 0) {
+        TRACE_PKINIT_REGEXP_MATCH(context, keyword2string(rc->kw_type),
+                                  rc->regsrc, value, idx);
+    } else {
+        TRACE_PKINIT_REGEXP_NOMATCH(context, keyword2string(rc->kw_type),
+                                    rc->regsrc, value, idx);
+    }
 
     return (code == 0 ? 1: 0);
 }
 
 static int
-component_match(krb5_context context,
-                rule_component *rc,
-                pkinit_cert_matching_data *md)
+component_match(krb5_context context, rule_component *rc,
+                pkinit_cert_matching_data *md, int idx)
 {
     int match = 0;
     int i;
@@ -476,21 +477,21 @@ component_match(krb5_context context,
     case kwvaltype_regexp:
         switch (rc->kw_type) {
         case kw_subject:
-            match = regexp_match(context, rc, md->subject_dn);
+            match = regexp_match(context, rc, md->subject_dn, idx);
             break;
         case kw_issuer:
-            match = regexp_match(context, rc, md->issuer_dn);
+            match = regexp_match(context, rc, md->issuer_dn, idx);
             break;
         case kw_san:
             for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++) {
                 krb5_unparse_name(context, md->sans[i], &princ_string);
-                match = regexp_match(context, rc, princ_string);
+                match = regexp_match(context, rc, princ_string, idx);
                 krb5_free_unparsed_name(context, princ_string);
                 if (match)
                     break;
             }
             for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) {
-                match = regexp_match(context, rc, md->upns[i]);
+                match = regexp_match(context, rc, md->upns[i], idx);
                 if (match)
                     break;
             }
@@ -574,7 +575,7 @@ check_all_certs(krb5_context context,
         pkiDebug("%s: subject: '%s'\n", __FUNCTION__, md->subject_dn);
         certs_checked++;
         for (rc = rs->crs; rc != NULL; rc = rc->next) {
-            comp_match = component_match(context, rc, md);
+            comp_match = component_match(context, rc, md, i);
             if (comp_match) {
                 pkiDebug("%s: match for keyword type %s\n",
                          __FUNCTION__, keyword2string(rc->kw_type));
@@ -600,8 +601,7 @@ check_all_certs(krb5_context context,
     nextcert:
         continue;
     }
-    pkiDebug("%s: After checking %d certs, we found %d matches\n",
-             __FUNCTION__, certs_checked, total_cert_matches);
+    TRACE_PKINIT_CERT_NUM_MATCHING(context, certs_checked, total_cert_matches);
     if (total_cert_matches == 1) {
         *match_found = 1;
         *match_index = save_index;
@@ -642,7 +642,7 @@ pkinit_cert_matching(krb5_context context,
 
     /* parse each rule line one at a time and check all the certs against it */
     for (x = 0; rules[x] != NULL; x++) {
-        pkiDebug("%s: Processing rule '%s'\n", __FUNCTION__, rules[x]);
+        TRACE_PKINIT_CERT_RULE(context, rules[x]);
 
         /* Free rules from previous time through... */
         if (rs != NULL) {
@@ -652,8 +652,7 @@ pkinit_cert_matching(krb5_context context,
         retval = parse_rule_set(context, rules[x], &rs);
         if (retval) {
             if (retval == EINVAL) {
-                pkiDebug("%s: Ignoring invalid rule pkinit_cert_match = '%s'\n",
-                         __FUNCTION__, rules[x]);
+                TRACE_PKINIT_CERT_RULE_INVALID(context, rules[x]);
                 continue;
             }
             goto cleanup;
@@ -737,7 +736,7 @@ pkinit_client_cert_match(krb5_context context,
         goto cleanup;
 
     for (rc = rs->crs; rc != NULL; rc = rc->next) {
-        comp_match = component_match(context, rc, md);
+        comp_match = component_match(context, rc, md, 0);
         if ((comp_match && rs->relation == relation_or) ||
             (!comp_match && rs->relation == relation_and)) {
             break;

diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
index bba3226bda728096a4f98d99b9a5c7e4372ee3a1..259e95c6c2c27aabd50f4155b7f3d180acc3e0e6 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_trace.h
+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
@@ -93,6 +93,25 @@
 #define TRACE_PKINIT_OPENSSL_ERROR(c, msg)              \
     TRACE(c, "PKINIT OpenSSL error: {str}", msg)
 
+#define TRACE_PKINIT_PKCS11_GETFLIST_FAILED(c, errstr)                  \
+    TRACE(c, "PKINIT PKCS11 C_GetFunctionList failed: {str}", errstr)
+#define TRACE_PKINIT_PKCS11_GETSYM_FAILED(c, errstr)                    \
+    TRACE(c, "PKINIT unable to find PKCS11 plugin symbol "              \
+          "C_GetFunctionList: {str}", errstr)
+#define TRACE_PKINIT_PKCS11_LOGIN_FAILED(c, errstr)             \
+    TRACE(c, "PKINIT PKCS11 C_Login failed: {str}", errstr)
+#define TRACE_PKINIT_PKCS11_NO_MATCH_TOKEN(c)                   \
+    TRACE(c, "PKINIT PKCS#11 module has no matching tokens")
+#define TRACE_PKINIT_PKCS11_NO_TOKEN(c)                                 \
+    TRACE(c, "PKINIT PKCS#11 module shows no slots with tokens")
+#define TRACE_PKINIT_PKCS11_OPEN(c, name)                       \
+    TRACE(c, "PKINIT opening PKCS#11 module \"{str}\"", name)
+#define TRACE_PKINIT_PKCS11_OPEN_FAILED(c, errstr)                      \
+    TRACE(c, "PKINIT PKCS#11 module open failed: {str}", errstr)
+#define TRACE_PKINIT_PKCS11_SLOT(c, slot, len, label)            \
+    TRACE(c, "PKINIT PKCS#11 slotid {int} token {lenstr}",       \
+          slot, len, label)
+
 #define TRACE_PKINIT_SERVER_CERT_AUTH(c, modname)                       \
     TRACE(c, "PKINIT server authorizing cert with module {str}",        \
           modname)
@@ -123,16 +142,28 @@
     TRACE(c, "PKINIT server could not parse UPN \"{str}\": {kerr}",     \
           upn, ret)
 
+#define TRACE_PKINIT_CERT_CHAIN_NAME(c, index, name)    \
+    TRACE(c, "PKINIT chain cert #{int}: {str}", index, name)
+#define TRACE_PKINIT_CERT_NUM_MATCHING(c, total, nummatch)              \
+    TRACE(c, "PKINIT client checked {int} certs, found {int} matches",  \
+          total, nummatch)
+#define TRACE_PKINIT_CERT_RULE(c, rule)                                 \
+    TRACE(c, "PKINIT client matching rule '{str}' against certificates", rule)
+#define TRACE_PKINIT_CERT_RULE_INVALID(c, rule)                         \
+    TRACE(c, "PKINIT client ignoring invalid rule '{str}'", rule)
+
 #define TRACE_PKINIT_EKU(c)                                             \
     TRACE(c, "PKINIT found acceptable EKU and digitalSignature KU")
 #define TRACE_PKINIT_EKU_NO_KU(c)                                       \
     TRACE(c, "PKINIT found acceptable EKU but no digitalSignature KU")
+#define TRACE_PKINIT_IDENTITY_OPTION(c, name)           \
+    TRACE(c, "PKINIT loading identity {str}", name)
 #define TRACE_PKINIT_LOADED_CERT(c, name)                       \
     TRACE(c, "PKINIT loaded cert and key for {str}", name)
-#define TRACE_PKINIT_LOAD_FROM_FILE(c)                          \
-    TRACE(c, "PKINIT loading CA certs and CRLs from FILE")
-#define TRACE_PKINIT_LOAD_FROM_DIR(c)                           \
-    TRACE(c, "PKINIT loading CA certs and CRLs from DIR")
+#define TRACE_PKINIT_LOAD_FROM_FILE(c, name)                            \
+    TRACE(c, "PKINIT loading CA certs and CRLs from FILE {str}", name)
+#define TRACE_PKINIT_LOAD_FROM_DIR(c, name)                             \
+    TRACE(c, "PKINIT loading CA certs and CRLs from DIR {str}", name)
 #define TRACE_PKINIT_NO_CA_ANCHOR(c, file)              \
     TRACE(c, "PKINIT no anchor CA in file {str}", file)
 #define TRACE_PKINIT_NO_CA_INTERMEDIATE(c, file)                \
@@ -162,6 +193,18 @@
     TRACE(c, "PKINIT second PKCS12_parse with password failed")
 #define TRACE_PKINIT_PKCS_PROMPT_FAIL(c)                        \
     TRACE(c, "PKINIT failed to prompt for PKCS12 password")
+#define TRACE_PKINIT_REGEXP_MATCH(c, keyword, comp, value, idx)         \
+    TRACE(c, "PKINIT matched {str} rule '{str}' with "                  \
+          "value '{str}' in cert #{int}", keyword, comp, value, (idx) + 1)
+#define TRACE_PKINIT_REGEXP_NOMATCH(c, keyword, comp, value, idx)       \
+    TRACE(c, "PKINIT didn't match {str} rule '{str}' with "             \
+          "value '{str}' in cert #{int}", keyword, comp, value, (idx) + 1)
+#define TRACE_PKINIT_SAN_CERT_COUNT(c, count, princ, upns, dns, cert)   \
+    TRACE(c, "PKINIT client found {int} SANs ({int} princs, {int} "     \
+          "UPNs, {int} DNS names) in certificate {str}", count, princ,   \
+          upns, dns, cert)
+#define TRACE_PKINIT_SAN_CERT_NONE(c, cert)                             \
+    TRACE(c, "PKINIT client found no SANs in certificate {str}", cert)
 
 #define TRACE_CERTAUTH_VTINIT_FAIL(c, ret)                              \
     TRACE(c, "certauth module failed to init vtable: {kerr}", ret)