[Pki-devel] [PATCH] pki-core-issuerDN-encoding.patch

Christina Fu cfu at redhat.com
Mon Oct 27 21:21:47 UTC 2014 

forgot to mention...Pushed to master.

commit 5bbd06e6e77729c63d65b77445f71f63ea0cdd1f 
<https://fedorahosted.org/pki/changeset/5bbd06e6e77729c63d65b77445f71f63ea0cdd1f/> 
Author: Christina Fu <cfu@…> Date: Wed Oct 15 10:30:31 2014 -0700

    Bug1151147 issuerDN encoding correction


On 10/24/2014 11:25 AM, John Magne wrote:
> OK, all this sounds reasonable.
>
> If the common cases have been tested to work.
>
> ACK
>
>
> ----- Original Message -----
>> From: "Christina Fu" <cfu at redhat.com>
>> To: "John Magne" <jmagne at redhat.com>
>> Cc: pki-devel at redhat.com
>> Sent: Friday, October 24, 2014 11:11:33 AM
>> Subject: Re: [Pki-devel] [PATCH] pki-core-issuerDN-encoding.patch
>>
>> Jack,
>> thanks for the review.  Please see response below.
>>
>> On 10/24/2014 11:02 AM, John Magne wrote:
>>> Christina:
>>>
>>> Looks good and glad to hear its tested to work, which solves a hairy
>>> problem.
>>>
>>> Just a couple of questions about a few places in the code:
>>>
>>>
>>> 1. In diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java
>>> b/base/ca/src/com/netscape/ca/CertificateAuthority.java
>>>
>>> We have this block:
>>>
>>> +            String caSigningCertStr = caSigningCfg.getString("cert", "");
>>> +            if (caSigningCertStr.equals("")) {
>>> +                CMS.debug("CertificateAuthority:initSigUnit:
>>> ca.signing.cert not found");
>>> +            } else { //ca cert found
>>> +                CMS.debug("CertificateAuthority:initSigUnit: ca cert
>>> found");
>>> +                mCaCert = new X509CertImpl(CMS.AtoB(caSigningCertStr));
>>> +                // this ensures the isserDN and subjectDN have the same
>>> encoding
>>> +                // as that of the CA signing cert
>>> +                CMS.debug("CertificateAuthority: initSigUnit 1- setting
>>> mIssuerObj and mSubjectObj");
>>> +                mSubjectObj = mCaCert.getSubjectObj();
>>> +                // this mIssuerObj is the "issuerDN" obj for the certs
>>> this CA
>>> +                // issues, NOT necessarily the isserDN obj of the CA
>>> signing cert
>>> +                mIssuerObj = new
>>> CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
>>> +            }
>>> +
>>>
>>> Looks like you create a member variable mSubjectObj and an associated
>>> getter method.
>>> It seems that perhaps this is only used locally in this method to help
>>> create mIssuerObj, which is accessed later.
>>> Do we need this or did I miss something?
>> I decided to make it available though you are right that it is not
>> needed at this point.  I just figured since it's there, I will make it
>> available for future references.
>>> Also, what is supposed to happen when caSigningCertStr == "" ??
>>>
>>> Later on we have this in the same method:
>>>
>>> +            mSubjectObj = mCaCert.getSubjectObj();
>>> +            if (mSubjectObj != null) {
>>> +                // this ensures the isserDN and subjectDN have the same
>>> encoding
>>> +                // as that of the CA signing cert
>>> +                CMS.debug("CertificateAuthority: initSigUnit - setting
>>> mIssuerObj and mSubjectObj");
>>> +                // this mIssuerObj is the "issuerDN" obj for the certs
>>> this CA
>>> +                // issues, NOT necessarily the isserDN obj of the CA
>>> signing cert
>>> +                // unless the CA is self-signed
>>> +                mIssuerObj =
>>> +                        new
>>> CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
>>> +            }
>>>
>>> Question about this and other similar NULL checks for mSubjectObj. Can this
>>> really be null if everything was set up
>>> during the initialization phase of the CertificateAuthority?
>>>
>>> Also here if it is NULL, what happens, or is the intent to just keep going?
>> The code took different passes during installation and startup.  At very
>> early stage of the installation, the value is not expected to be there,
>> so we do want it to pass, and at later times, it will become available.
>> That is why we don't want to do anything if it's null.
>> I was being extra careful not to change the code path behavior and only
>> focus on getting the subject DN setup for later use.
>>>
>>> I was curious about those two since this appears to be pretty invasive to
>>> the system.
>>>
>>>
>>> thanks,
>>> jack
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Christina Fu" <cfu at redhat.com>
>>>> To: pki-devel at redhat.com
>>>> Sent: Friday, October 24, 2014 9:25:22 AM
>>>> Subject: [Pki-devel] [PATCH] pki-core-issuerDN-encoding.patch
>>>>
>>>> Attached please find the fix for the following ticket:
>>>>
>>>> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not
>>>> preserved at issuance with signing cert signed by an external CA
>>>>
>>>> thanks in advance for a review.
>>>> Christina
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Pki-devel mailing list
>>>> Pki-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20141027/bb086f1d/attachment.htm>

More information about the Pki-devel mailing list