[Pki-devel] [PATCH] 0010..0013 DNP3/IECUserRoles extension support
Christina Fu
cfu at redhat.com
Mon Sep 8 23:00:16 UTC 2014
Hi Fraser,
My apologies for getting back to you this late due to the Dogtag release.
(I think there may be a major issue there, so you might want to jump to
the "hmmm" part first)
General:
* It would help if, in the review request email, you could put a link to
the spec you are coding against. I had to search around, and every place
I looked requires me to sign in or purchase.
IECUserRolesExtension.java
* It would help if you could put the relevant ASN1 in the extension code
IECUserRolesExtension.java
* the getName() method returns the OID string instead of the
conventional name of the class
* by convention, other existing extension classes use the Java class
Boolean instead of the native boolean for criticality. Please try to
stick to it.
* hmmm... Shouldn't this extension be a "SEQUENCE of" "UserRoleInfo"?
This code seems to implement only the "UserRoleInfo" part.
This would be a major problem.
You might want to take a look at how
SubjectAlternativeNameExtension.java is done, where it is a "SEQUENCE of"
GeneralName
See: http://tools.ietf.org/html/rfc5280#section-4.2.1.6 scroll down a
bit to see the ASN1 definition.
Search in our code for the following:
- SubjectAlternativeNameExtension.java
- GeneralNames
- GeneralName
Again, since I don't have the spec that you code against, I might be
wrong; please supply the ASN1 spec for this extension before I continue.
I think I will stop here and let you work on / respond to the above
first, as it seems like a deal breaker if I am right.
regards,
Christina
On 08/18/2014 12:03 AM, Fraser Tweedale wrote:
> On Thu, Aug 14, 2014 at 04:26:59PM +1000, Fraser Tweedale wrote:
>> On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
>>> Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
>>> extension support and a DNP3 profile that makes use of it. This is
>>> to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
>>> Authentication v5 (SAv5) standard.
>>>
>>> In brief, the SN and all the IECUserRoles params will be given in
>>> profile inputs, and the key is taken from a CertReqInput.
>>>
>>> There's still a bit of work to go - notably, some of the
>>> IECUserRoles fields are unimplemented, and some of those that *are*
>>> implemented are not yet read out of the profile input but rather are
>>> hardcoded. The extension *does* appear on the certificate, so I
>>> should get that all completed tomorrow.
>>>
>>> Cheers,
>>>
>>> Fraser
>>>
> These patches have been completed and are ready for review. New
> versions are attached.