[Pki-devel] [PATCH] pki-core-issuerDN-encoding.patch
Christina Fu
cfu at redhat.com
Fri Oct 24 18:11:33 UTC 2014
Jack,
thanks for the review. Please see response below.
On 10/24/2014 11:02 AM, John Magne wrote:
> Christina:
>
> Looks good and glad to hear its tested to work, which solves a hairy problem.
>
> Just a couple of questions about a few places in the code:
>
>
> 1. In diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
>
> We have this block:
>
> + String caSigningCertStr = caSigningCfg.getString("cert", "");
> + if (caSigningCertStr.equals("")) {
> + CMS.debug("CertificateAuthority:initSigUnit: ca.signing.cert not found");
> + } else { //ca cert found
> + CMS.debug("CertificateAuthority:initSigUnit: ca cert found");
> + mCaCert = new X509CertImpl(CMS.AtoB(caSigningCertStr));
> + // this ensures the isserDN and subjectDN have the same encoding
> + // as that of the CA signing cert
> + CMS.debug("CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj");
> + mSubjectObj = mCaCert.getSubjectObj();
> + // this mIssuerObj is the "issuerDN" obj for the certs this CA
> + // issues, NOT necessarily the isserDN obj of the CA signing cert
> + mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
> + }
> +
>
> Looks like you create a member variable mSubjectObj and an associated getter method.
> It seems that perhaps this is only used locally in this method to help create mIssuerObj, which is accessed later.
> Do we need this or did I miss something?
I decided to make it available though you are right that it is not
needed at this point. I just figured since it's there, I will make it
available for future references.
>
> Also, what is supposed to happen when caSigningCertStr == "" ??
>
> Later on we have this in the same method:
>
> + mSubjectObj = mCaCert.getSubjectObj();
> + if (mSubjectObj != null) {
> + // this ensures the isserDN and subjectDN have the same encoding
> + // as that of the CA signing cert
> + CMS.debug("CertificateAuthority: initSigUnit - setting mIssuerObj and mSubjectObj");
> + // this mIssuerObj is the "issuerDN" obj for the certs this CA
> + // issues, NOT necessarily the isserDN obj of the CA signing cert
> + // unless the CA is self-signed
> + mIssuerObj =
> + new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
> + }
>
> Question about this and other similar NULL checks for mSubjectObj. Can this really be null if everything was set up
> during the initialization phase of the CertificateAuthority?
>
> Also here if it is NULL, what happens, or is the intent to just keep going?
The code took different passes during installation and startup. At very
early stage of the installation, the value is not expected to be there,
so we do want it to pass, and at later times, it will become available.
That is why we don't want to do anything if it's null.
I was being extra careful not to change the code path behavior and only
focus on getting the subject DN setup for later use.
>
>
> I was curious about those two since this appears to be pretty invasive to the system.
>
>
> thanks,
> jack
>
>
> ----- Original Message -----
>> From: "Christina Fu" <cfu at redhat.com>
>> To: pki-devel at redhat.com
>> Sent: Friday, October 24, 2014 9:25:22 AM
>> Subject: [Pki-devel] [PATCH] pki-core-issuerDN-encoding.patch
>>
>> Attached please find the fix for the following ticket:
>>
>> https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not
>> preserved at issuance with signing cert signed by an external CA
>>
>> thanks in advance for a review.
>> Christina
>>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
More information about the Pki-devel
mailing list