[Pki-devel] 0001-Provide-CA-EE-Restful-interface-and-test-client.patch

Endi Sukma Dewata edewata at redhat.com
Thu May 3 16:38:30 UTC 2012


On 5/2/2012 7:05 PM, John Magne wrote:
> Revised patch as per the suggestions below:
>
> All the suggestions made sense and I implemented them as suggested.
> Tests ran fine.

Thanks for the changes.

> Questions from below:
>
> 5. Also in CertDAO.getCertChainData() after the initialization loop it
> looks like the certsInChain may contain a null value if x509cert exists
> in mCACerts but not the last element. Is that case possible?
>
> I could not see this scenario. What the code is doing is checking to see if
> you are trying to get the cert chain of a cert that is already a member of the CA's
> cert chain. In that case, the size of the array will be the size of the CA's cert chain.
> If this is not the case, the size of the array will be that value plus one.

The code also moves the cert to the beginning of the array. Here's the 
scenario I was asking about. Suppose the cert chain is:

   c0 c1 c2 c3 c4

Suppose c4 is the cert being requested. The code will generate this 
result without any problem:

   c4 c0 c1 c2 c3

However, suppose the requested cert is c2. The code will move c2 to the 
front and shift the rest back by one position:

   c2 c0 c1 null c3

c4 can't be moved into the result since there isn't enough space.

If the scenario is possible, the code would include a null in the result 
and possibly generate an index-out-of-bounds error when moving c4.

If the scenario is not possible, the code could be optimized to check 
the requested cert only against the last cert in the CA chain.

-- 
Endi S. Dewata
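To make the scenario above concrete, here is an added example that is not part of the thread and not Dogtag's CertDAO code (which is not quoted here). It models the array-shifting loop as the message describes it, using the labels c0..c4 as stand-ins for certificates, next to a version that builds the same result without leaving a hole. How the real method behaves at the slot that does not fit (stop short, or throw) is an assumption; the model shows both possibilities behind a `strict` flag.

```python
from typing import List, Optional

# Constructed stand-in for the CA's cert chain: the labels are the c0..c4
# from the message, not real certificates.
CA_CHAIN: List[str] = ["c0", "c1", "c2", "c3", "c4"]


def chain_data_as_described(ca_chain: List[str], requested: str,
                            strict: bool = False) -> List[Optional[str]]:
    """Model of the loop as the message describes it (an assumption about
    CertDAO.getCertChainData(), not the project's code).

    The result is the size of the CA chain when the requested cert is a
    member of the chain, and one larger otherwise. The requested cert is
    placed in slot 0 and every other chain cert is shifted back one slot.
    With strict=False a cert that does not fit is dropped and the hole
    left by the requested cert stays None; with strict=True the write past
    the end raises IndexError, the other outcome the message anticipates.
    """
    in_chain = requested in ca_chain
    size = len(ca_chain) if in_chain else len(ca_chain) + 1
    result: List[Optional[str]] = [None] * size
    result[0] = requested
    for i, cert in enumerate(ca_chain):
        if cert == requested:
            continue  # already at the front; slot i+1 is left empty
        if i + 1 >= size:
            if strict:
                raise IndexError(f"no slot for {cert} in result of size {size}")
            break  # silently dropped: the result keeps a None in the middle
        result[i + 1] = cert
    return result


def described_loop_overflows(ca_chain: List[str], requested: str) -> bool:
    """True when the described loop would write past the end of the array.
    That happens exactly when the requested cert is in the chain but is not
    its last element, which is the case the message asks about."""
    try:
        chain_data_as_described(ca_chain, requested, strict=True)
    except IndexError:
        return True
    return False


def chain_data_fixed(ca_chain: List[str], requested: str) -> List[str]:
    """Same intent without the hole: the requested cert first, then the
    remaining chain certs in their original order, whether the requested
    cert is the chain's last element, a middle element, or not in the
    chain at all. The result never contains None."""
    return [requested] + [cert for cert in ca_chain if cert != requested]


if __name__ == "__main__":
    for req in ("c4", "c2", "leaf"):
        print(req, "described:", chain_data_as_described(CA_CHAIN, req),
              "overflows:", described_loop_overflows(CA_CHAIN, req),
              "fixed:", chain_data_fixed(CA_CHAIN, req))
```

Running it reproduces the two cases from the message: requesting c4 gives `c4 c0 c1 c2 c3`, requesting c2 gives `c2 c0 c1 None c3` with c4 dropped (or an IndexError in strict mode), and the fixed variant returns `c2 c0 c1 c3 c4`. If only the last chain cert can ever be requested, `described_loop_overflows` is False for every input and the membership test can indeed be reduced to a comparison with the last element, as suggested above.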




More information about the Pki-devel mailing list