Improve error handling in CAPI KMS.

joshdrake · joshdrake · commit 1947ee1ec1d6 · 2025-05-01T11:21:29.000-04:00
diff --git a/kms/capi/capi.go b/kms/capi/capi.go
@@ -441,7 +441,7 @@ func (k *CAPIKMS) getCertContext(req *apiv1.LoadCertificateRequest) (*windows.Ce
 			prevCert = handle
 		}
 	default:
-		return nil, fmt.Errorf("%q, %q, or %q and %q is required to find a certificate", HashArg, KeyIDArg, IssuerNameArg, SerialNumberArg)
+		return nil, fmt.Errorf("%q, %q, or %q and one of %q or %q is required to find a certificate", HashArg, KeyIDArg, IssuerNameArg, SerialNumberArg, SubjectCNArg)
 	}
 
 	return handle, err
@@ -461,6 +461,9 @@ func (k *CAPIKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e
 	)
 	if containerName = u.Get(ContainerNameArg); containerName != "" {
 		kh, err = nCryptOpenKey(k.providerHandle, containerName, 0, 0)
+		if err != nil {
+			return nil, fmt.Errorf("unable to open key using %q=%q: %w", ContainerNameArg, containerName, err)
+		}
 	} else {
 		// check if a certificate can be located using the URI
 		certHandle, err = k.getCertContext(&apiv1.LoadCertificateRequest{
@@ -471,10 +474,9 @@ func (k *CAPIKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e
 		}
 
 		kh, err = cryptFindCertificatePrivateKey(certHandle)
-	}
-
-	if err != nil {
-		return nil, fmt.Errorf("unable to open key: %w", err)
+		if err != nil {
+			return nil, fmt.Errorf("unable to open key: %w", err)
+		}
 	}
 
 	pinOrPass := u.Pin()

Original file line number	Diff line number	Diff line change
`@@ -441,7 +441,7 @@ func (k CAPIKMS) getCertContext(req apiv1.LoadCertificateRequest) (*windows.Ce`
`441`	`441`	`prevCert = handle`
`442`	`442`	`}`
`443`	`443`	`default:`
`444`		`- return nil, fmt.Errorf("%q, %q, or %q and %q is required to find a certificate", HashArg, KeyIDArg, IssuerNameArg, SerialNumberArg)`
	`444`	`+ return nil, fmt.Errorf("%q, %q, or %q and one of %q or %q is required to find a certificate", HashArg, KeyIDArg, IssuerNameArg, SerialNumberArg, SubjectCNArg)`
`445`	`445`	`}`
`446`	`446`
`447`	`447`	`return handle, err`
`@@ -461,6 +461,9 @@ func (k CAPIKMS) CreateSigner(req apiv1.CreateSignerRequest) (crypto.Signer, e`
`461`	`461`	`)`
`462`	`462`	`if containerName = u.Get(ContainerNameArg); containerName != "" {`
`463`	`463`	`kh, err = nCryptOpenKey(k.providerHandle, containerName, 0, 0)`
	`464`	`+ if err != nil {`
	`465`	`+ return nil, fmt.Errorf("unable to open key using %q=%q: %w", ContainerNameArg, containerName, err)`
	`466`	`+ }`
`464`	`467`	`} else {`
`465`	`468`	`// check if a certificate can be located using the URI`
`466`	`469`	`certHandle, err = k.getCertContext(&apiv1.LoadCertificateRequest{`
`@@ -471,10 +474,9 @@ func (k CAPIKMS) CreateSigner(req apiv1.CreateSignerRequest) (crypto.Signer, e`
`471`	`474`	`}`
`472`	`475`
`473`	`476`	`kh, err = cryptFindCertificatePrivateKey(certHandle)`
`474`		`- }`
`475`		`-`
`476`		`- if err != nil {`
`477`		`- return nil, fmt.Errorf("unable to open key: %w", err)`
	`477`	`+ if err != nil {`
	`478`	`+ return nil, fmt.Errorf("unable to open key: %w", err)`
	`479`	`+ }`
`478`	`480`	`}`
`479`	`481`
`480`	`482`	`pinOrPass := u.Pin()`