[Pki-devel] [PATCH] resteasy drm client patches

Ade Lee alee at redhat.com
Thu Jan 26 15:32:05 UTC 2012 

The following feedback came from discussions with Endi on #dogtag-pki.
I will submit revised patches with the relevant changes (changes to be
addressed now).

Endi, please let me know if I missed anything.

Ade
***********************************************************************
***** To be addressed now:
* i think we can define it as int, then we use this @DefaultValue(""+DEFAULT_MAXRESULTS)
* should we add a setTransWrappedSessionKey() that takes a byte[] and convert it internally to base64?
* in DRMTest there's a variable called IV, i think it should be lower case
* remove quote on clientID

***** To be addressed in a separate discussion about changes to the interface/separate patch: 
* <seems to be possible: http://blog.bdoughan.com/2011/05/schema-to-java-xmlmimetype.html (use byte[] for some values)
* i think it would be better if the getTransportCert() returns a decoded cert in byte[]
* naming of xml attributes

***** To be addressed in osutil cleanup:
* is OSUtil.BtoA() a base64 encoder? should we replace it with http://commons.apache.org/codec/apidocs/org/apache/commons/codec/binary/Base64.html ?

***** To be addressed by jmagne in his patch:
* question about DRMTest.wrapPassphrase()
    line 486: String wrappedS = new String(wrappedPassphrase, "ISO-8859-1");
    line 487: byte[] pPhrase = wrappedS.getBytes("ISO-8859-1");
    are these lines redundant because pPhrase would be the same as wrappedPassphrase?
    also isn't there a possible encoding error? the wrapped passphrase might not conform to ISO-8859-1

* in lines 275 and 365 we call unwrap(token, IV, wrappedRecoveredKey.getBytes("ISO-8859-1"), recoveryKey);
          shouldn't the wrappedRecoveredKey be base-64 decoded instead of using getBytes()?

* Can the client be modified to allow salt generation?  Or should we make iv a constant?

***** To be addressed in patch to junitize the test:
* the next lines try to decrypt the passphrase. should this code be moved into main() as another test?
* some of the tests require manual validation

***** To be addressed in separate injection hardening patch:
* the search filter is constructed by concatenating the param values. is this a security risk? injection attack?

On Tue, 2012-01-24 at 18:35 -0500, John Magne wrote:
> Patch pki-vakwetu-0014-Fix-test-client-errors.patch
> 
> 
> This code implements the simple changes that Ade and I discussed
> when trying to get the proxy client working when running inside Eclipse.
> 
> Since the we've tested the client to work well based on these fixes.
> 
> Ack
> 
> 
> 
> ----- Original Message -----
> From: "Ade Lee" <alee at redhat.com>
> To: pki-devel at redhat.com
> Sent: Monday, January 23, 2012 10:11:19 PM
> Subject: [Pki-devel] [PATCH] resteasy drm client patches
> 
> These patches provide the DRM test client that is currently being used
> to test DRM functionality.  The patches need to be updated sequentially.
> 
> The future plan (next week) is to convert these to junit format.  For
> now, though, my focus is on the Python client code.
> 
> jmagne is already working with these tests, but he will submit his
> corrections in separate patches.
> 
> Please review, 
> Ade
> 
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

More information about the Pki-devel mailing list