[Pki-devel] [PATCH] 86-2 Addressed comments for patch 86

Ade Lee alee at redhat.com
Thu Mar 13 17:03:26 UTC 2014 

In KeyClient:
1.  setTransportCert() should have a javadoc explaining exactly what is
in this variable (the base64 cert sans header and footer?)

2. Do we have something specifying the valid status values to be set in 
   modifyKeyStatus()?  If so, we should probably add a check for that in
   modifyKeyStatus()

3. retrieveKey() can be simplified.  Unlike python, where we cannot
   overload methods, we can do so on the Java side.  Separate into
   retrieveKey(keyId) and retrieveKey(keyId, transWrappedSessionKey)

   This will simplify the documentation too.

4. A similar simplification can be done for retrieveKeyByPassphrase()

5.  Fix algorithm OID.

6.  NSSCryptoProvider:
   * In initialize(), remove TODO comment.

   * generateSessionKey(algorithm?).  The purpose of this method is
     to return a symmetric key that is valid for wrapping/ unwrapping
     the DRM.  Right now, we support only one algorithm -- 168 bit
     DES3 keys.  So this method should not include an algorithm as
     a parameter.  The whole point of this method is that the user
     need not know what the algorithm is.

   * generateSymmetricKey() has no length parameters.
     This is not generic enough - some algorithms require length
     parameters.  See the python code.
  
   * the methods should have a check for whether the object is 
     initialized and if not - initialize.  This will prevent
     null pointer exceptions in case someone fails to initialize first.

   * getKeyGenAlgorithm() and getEncryptionAlgorithm() should not 
     return defaults if the argument passed in is wrong.  They should 
     throw an exception.  You return the default if the value passed in
     is null.

7.  There was code added to the Python side to set up an NSS database
     for the user if one did not already exist, and import the
     transport cert.  Much of that is pretty useful, but has not been 
     added to the Java side.

8.  Please confirm that all the new functions in KeyClient are   
    exercised in the DRMTest.


On Wed, 2014-03-12 at 13:54 -0400, Abhishek Koneru wrote:
> Please ignore the previous patch. Removed some unnecessary code.
> 
> --Abhishek
> 
> ----- Original Message -----
> From: "Abhishek Koneru" <akoneru at redhat.com>
> To: alee at redhat.com
> Cc: "pki-devel" <pki-devel at redhat.com>
> Sent: Wednesday, March 12, 2014 12:11:27 PM
> Subject: Re: [Pki-devel] [PATCH] 86 Update KeyClient and DRMTest on the Java side similar to the python side
> 
> Please review the patch which addresses the comments below.
> > CryptoOperationStore():
> > On the python side, we created an abstract class CryptoUtil to
> > encapsulate the crypto operations we wanted to provide.  The idea here
> > was that the client might want to use some crypto library other than
> > JSS.  In the main program for the client then - in the python case, its
> > drmtest.py, the client would elect to instantiate the relevant subclass
> > of CryptoUtil.
> > 
> > The way you have it now, the KeyClient is hardcoded to use NSS.  This is
> > not what we want.  Instead do this:
> > 
> > Create a new abstract class - CryptoProvider.  This will contain methods
> > that we will call in KeyClient.  Note that the CryptoProvider cannot
> > contain static methods.  Then create a NSSCryptoUtil class that
> > implements the required methods, does init() etc.
> > 
> > DRMTest should instantiate and pass the NSSCryptoUtil class into the
> > KeyClient constructor.
> > 
> Created classes CryptoProvider and NSSCryptoProvider in
> base/common/src/com/netscape/certsrv/util. An NSSCrypto provider object
> is passed in PKIClient object that stores information about
> configuration and connection. Since PKIClient is passed to KeyClient it
> can access the CryptoProvider object from there. The reason for adding
> CryptoProvider in PKIClient is that it can be used in future for all
> kinds of crypto operations to be done in any client.
> > KeyClient:
> > 1. Extra S in param_id description in getKeyInfo() - instead of KeyId
> > object - something more descriptive like - key id for secret.  This
> > applies in many cases.
> > 2. Many comments do not specify what the return is.
> > 3. In generateKey(), you do not use transWrappedSession key - you should
> >    at least pass that parameter if it is provided.
> > 4. archiveKey()  - typo in comment clinetKeyId
> >    There is a sentence fragment -- To be implemented ... ?
> > 5. archiveKey() - there are Java classes to deal with OIDs - and in
> > fact, this particular OID is defined within JSS.  You should use those
> > classes, rather than :
> >         String algorithmOID = "{1 2 840 113549 3 7}";
> > 6. 
> >     
> > KeyRequestResponse
> > 1. Needs a XMLAccessType(None)
> 
> Addressed all the comments except for 5. Did not find a way to get the
> OID from the algorithm name in the JSS packages. Added it as a static
> final variable in KeyRequestResource.
> > 
> > I may have further comments when the patch is resubmitted.
> > 
> > Ade
> > 
> > On Tue, 2014-03-04 at 20:13 -0500, Abhishek Koneru wrote:
> > > Please review the attached patch which replicates the new python client's KeyClient class
> > > on the Java side.
> > > 
> > > --Abhishek.
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
> > 
> > 
> > 
> 
> --Abhishek
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

More information about the Pki-devel mailing list