<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="comment searchable">
<p>Forgot to mention... Pushed to master.<br>
      </p>
      <p>commit <a
href="https://fedorahosted.org/pki/changeset/5bbd06e6e77729c63d65b77445f71f63ea0cdd1f/"
          title="Bug1151147 issuerDN encoding correction"
          class="changeset">5bbd06e6e77729c63d65b77445f71f63ea0cdd1f</a>
        Author: Christina Fu &lt;cfu@…&gt;
        Date: Wed Oct 15 10:30:31 2014 -0700
      </p>
      <blockquote>
        <p>
          Bug1151147 issuerDN encoding correction
        </p>
      </blockquote>
      <br>
    </div>
    <div class="moz-cite-prefix">On 10/24/2014 11:25 AM, John Magne
      wrote:<br>
    </div>
    <blockquote
      cite="mid:757966153.46693648.1414175141101.JavaMail.zimbra@redhat.com"
      type="cite">
      <pre wrap="">
OK, all this sounds reasonable.

If the common cases have been tested to work.

ACK


----- Original Message -----
</pre>
      <blockquote type="cite">
        <pre wrap="">From: "Christina Fu" <a class="moz-txt-link-rfc2396E" href="mailto:cfu@redhat.com"><cfu@redhat.com></a>
To: "John Magne" <a class="moz-txt-link-rfc2396E" href="mailto:jmagne@redhat.com"><jmagne@redhat.com></a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:pki-devel@redhat.com">pki-devel@redhat.com</a>
Sent: Friday, October 24, 2014 11:11:33 AM
Subject: Re: [Pki-devel] [PATCH] pki-core-issuerDN-encoding.patch

Jack,
thanks for the review.  Please see response below.

On 10/24/2014 11:02 AM, John Magne wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">Christina:

Looks good and glad to hear it's tested to work, which solves a hairy
problem.

Just a couple of questions about a few places in the code:


1. In diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java
b/base/ca/src/com/netscape/ca/CertificateAuthority.java

We have this block:

+            String caSigningCertStr = caSigningCfg.getString("cert", "");
+            if (caSigningCertStr.equals("")) {
+                CMS.debug("CertificateAuthority:initSigUnit:
ca.signing.cert not found");
+            } else { //ca cert found
+                CMS.debug("CertificateAuthority:initSigUnit: ca cert
found");
+                mCaCert = new X509CertImpl(CMS.AtoB(caSigningCertStr));
+                // this ensures the isserDN and subjectDN have the same
encoding
+                // as that of the CA signing cert
+                CMS.debug("CertificateAuthority: initSigUnit 1- setting
mIssuerObj and mSubjectObj");
+                mSubjectObj = mCaCert.getSubjectObj();
+                // this mIssuerObj is the "issuerDN" obj for the certs
this CA
+                // issues, NOT necessarily the isserDN obj of the CA
signing cert
+                mIssuerObj = new
CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
+            }
+
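</pre>
        </blockquote>
        <pre wrap="">Review bot: the empty-string branch only logs "ca.signing.cert not found" and falls through, leaving mCaCert, mSubjectObj and mIssuerObj untouched, and nothing in the hunk says that initialisation is being deferred on purpose; if that is the intended pre-install state, state it in the debug message or a comment, otherwise a later reader will read the silent fall-through as a missed error path. Two smaller points: mSubjectObj is the subject attribute, yet the X500Name is fetched from it with the key CertificateIssuerName.DN_NAME; if the two DN_NAME constants share a value this works but obscures intent, and CertificateSubjectName.DN_NAME would be the natural key. The comment also spells "issuerDN" as "isserDN" in two places, and the debug string "initSigUnit 1-" looks like a leftover numbering marker.
</pre>
        <blockquote type="cite">
          <pre wrap="">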

Looks like you create a member variable mSubjectObj and an associated
getter method.
It seems that perhaps this is only used locally in this method to help
create mIssuerObj, which is accessed later.
Do we need this or did I miss something?
</pre>
        </blockquote>
        <pre wrap="">I decided to make it available though you are right that it is not
needed at this point.  I just figured since it's there, I will make it
available for future references.
</pre>
        <blockquote type="cite">
          <pre wrap="">
Also, what is supposed to happen when caSigningCertStr == "" ??

Later on we have this in the same method:

+            mSubjectObj = mCaCert.getSubjectObj();
+            if (mSubjectObj != null) {
+                // this ensures the isserDN and subjectDN have the same
encoding
+                // as that of the CA signing cert
+                CMS.debug("CertificateAuthority: initSigUnit - setting
mIssuerObj and mSubjectObj");
+                // this mIssuerObj is the "issuerDN" obj for the certs
this CA
+                // issues, NOT necessarily the isserDN obj of the CA
signing cert
+                // unless the CA is self-signed
+                mIssuerObj =
+                        new
CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
+            }
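</pre>
        </blockquote>
        <pre wrap="">Review bot: mSubjectObj is null-checked here but mCaCert is dereferenced unconditionally on the line above it (mCaCert.getSubjectObj()); if the earlier "ca.signing.cert not found" branch ran and nothing else assigned mCaCert, this throws a NullPointerException before the guard can help, so either guard mCaCert the same way or add a comment stating why it is guaranteed non-null at this point. This block also repeats the comment text and the CertificateIssuerName construction from the first hunk almost verbatim (the extra line "unless the CA is self-signed" is the more accurate version); a small private helper that builds mIssuerObj from mSubjectObj would keep the two in sync and fix the "isserDN" typo in one place.
</pre>
        <blockquote type="cite">
          <pre wrap="">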

Question about this and other similar NULL checks for mSubjectObj. Can this
really be null if everything was set up
during the initialization phase of the CertificateAuthority?

Also here if it is NULL, what happens, or is the intent to just keep going?
</pre>
        </blockquote>
        <pre wrap="">The code took different passes during installation and startup.  At very
early stage of the installation, the value is not expected to be there,
so we do want it to pass, and at later times, it will become available.
That is why we don't want to do anything if it's null.
I was being extra careful not to change the code path behavior and only
focus on getting the subject DN setup for later use.
</pre>
        <blockquote type="cite">
          <pre wrap="">

I was curious about those two since this appears to be pretty invasive to
the system.


thanks,
jack


----- Original Message -----
</pre>
          <blockquote type="cite">
            <pre wrap="">From: "Christina Fu" <a class="moz-txt-link-rfc2396E" href="mailto:cfu@redhat.com"><cfu@redhat.com></a>
To: <a class="moz-txt-link-abbreviated" href="mailto:pki-devel@redhat.com">pki-devel@redhat.com</a>
Sent: Friday, October 24, 2014 9:25:22 AM
Subject: [Pki-devel] [PATCH] pki-core-issuerDN-encoding.patch

Attached please find the fix for the following ticket:

<a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/1190">https://fedorahosted.org/pki/ticket/1190</a> CA: issuer DN encoding not
preserved at issuance with signing cert signed by an external CA

thanks in advance for a review.
Christina



_______________________________________________
Pki-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a>
</pre>
          </blockquote>
        </blockquote>
        <pre wrap="">

</pre>
      </blockquote>
    </blockquote>
    <br>
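    <div class="added-example">
      <p>The following is an added example and is not code from the pki-core patch or from the Dogtag project. It reproduces, in plain Python with a hand-rolled DER encoder for a one-attribute X.500 Name, the problem the ticket describes: a CA whose signing certificate was issued by an external CA must put its own encoded subject DN, byte for byte, into the issuer field of every certificate it signs. Rebuilding the issuer from the subject's text lets the encoder choose its own string type (here UTF8String instead of the PrintableString the external CA used), and a DER-keyed lookup or strict byte comparison then fails to link the leaf to its CA even though the printable text is identical. The function names, the byte-comparison model of chaining and all certificate names are assumptions made for the example; the tag numbers are standard ASN.1 DER.</p>

```python
"""Issuer-DN encoding shown on a minimal one-attribute X.500 Name.

Added example, not pki-core code.  A Name is DER: SEQUENCE OF RDN, each RDN a
SET OF AttributeTypeAndValue.  The value of commonName may be encoded as
PrintableString (tag 0x13) or UTF8String (tag 0x0C) with identical text.
Only commonName (2.5.4.3) is supported; every name below is constructed.
"""

PRINTABLE_STRING = 0x13
UTF8_STRING = 0x0C
SEQUENCE = 0x30
SET = 0x31
OID = 0x06
OID_CN = bytes([0x55, 0x04, 0x03])   # 2.5.4.3 id-at-commonName


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n in range(0x80):
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_name(cn, string_type):
    """Encode a single-RDN Name whose CN uses the given string type."""
    atv = tlv(SEQUENCE, tlv(OID, OID_CN) + tlv(string_type, cn.encode("utf-8")))
    return tlv(SEQUENCE, tlv(SET, atv))


def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_name(der):
    """Parse a Name into [(cn_text, string_type)], keeping the string type
    that was on the wire; that retained type is what the fix relies on."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == SEQUENCE
    out, pos = [], 0
    while pos != len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        assert tag == SET
        _, atv, _ = _read_tlv(rdn, 0)
        oid_tag, oid, p = _read_tlv(atv, 0)
        val_tag, val, _ = _read_tlv(atv, p)
        assert oid_tag == OID and oid == OID_CN
        out.append((val.decode("utf-8"), val_tag))
    return out


def issue_naive(ca_cert, leaf_cn):
    """Buggy: rebuild the issuer from the CA subject's *text*, so the encoder
    picks its own default string type regardless of what the CA cert used."""
    cn_text = decode_name(ca_cert["subject"])[0][0]
    return {"issuer": encode_name(cn_text, UTF8_STRING),
            "subject": encode_name(leaf_cn, UTF8_STRING)}


def issue_fixed(ca_cert, leaf_cn):
    """Fixed: carry the CA signing cert's parsed *subject* through unchanged,
    encoding included.  It is the subject, not the signing cert's own issuer:
    the two differ whenever the signing cert was issued by an external CA."""
    return {"issuer": ca_cert["subject"],
            "subject": encode_name(leaf_cn, UTF8_STRING)}


def chains_to(leaf, ca_cert):
    """Issuer/subject link as a byte-for-byte DER comparison, the check a
    DER-keyed certificate store or strict path builder does before it ever
    verifies a signature (assumed model for this example)."""
    return leaf["issuer"] == ca_cert["subject"]


def first_difference(a, b):
    """Index of the first differing byte, or -1 if the encodings are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


# Constructed scenario: an external root signs our CA's certificate and
# encodes the CA's subject as PrintableString.
EXTERNAL_ROOT = encode_name("External Root", PRINTABLE_STRING)
CA_SIGNING_CERT = {"issuer": EXTERNAL_ROOT,
                   "subject": encode_name("Example CA", PRINTABLE_STRING)}
```

      <p>With the constructed CA above, issue_naive produces an issuer whose text decodes to the same "Example CA" but whose DER differs from the CA subject in exactly one byte, the string-type tag at offset 11, which is enough for chains_to to report no link; issue_fixed copies the parsed subject object and links cleanly, and its issuer is the CA's subject rather than the external root's name, which is the distinction the patch comments draw between mIssuerObj and the signing cert's own issuer.</p>
    </div>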
  </body>
</html>