RE: CML error messages



Jim,

I've responded to this message on the CML mail list rather than the SFL.

> Can the CML error messages be made more informative, to 
> include the DN of the certificate that has an error or cannot 
> be found? At present the error messages give no indication of 
> the Certificate in error. For example "CML error - Trusted 
> certificate expired".

Rather than pass trusted certs into CM_CreateSessionExt(), use
CM_SetTrustedCerts() instead after creating the session.  The latter
function records all of the errors associated with any of the trusted
certs in the extended error information.  When CM_SetTrustedCerts()
returns CM_TRUSTED_CERT_ERROR, indicating additional error information
is available, the app can call CM_GetErrInfo() to retrieve it from the
session.  The extended errors include the subject DN and specific error
of the invalid trusted cert.  [Note that in CML v2.1, the extended
errors are returned directly from CM_SetTrustedCerts().]

> Couldn't the message "CML error - No path found" be more 
> helpful by indicating the DN of the Cert that it couldn't 
> find, or to explicitly state that the root Cert is not 
> trusted? At present it can mean either.
> 
> Jim

I agree that the CM_NO_PATH_FOUND error is not very helpful.  The
problem is that with the complex path building heuristics used in CML
v1.5 and later versions, it is difficult to determine the exact point
when a path cannot be built.  In CML v2.1, we'll try to improve the
error reporting for paths by adding extended errors for path failures.

Thanks for your feedback,

- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@xxxxxxxxxxxxxxxx
(301) 939-2722