[Pki-devel] [PATCH] 0010..0013 DNP3/IECUserRoles extension support

Christina Fu cfu at redhat.com
Mon Sep 8 23:00:16 UTC 2014


Hi Fraser,

My apologies for getting back to you this late, due to the Dogtag release.
(I think there may be a major issue there, so you might want to jump to 
the "hmmm" part first)

General:
* It would help if in the review request email, you could put a link to 
the spec you are coding against.  I had to search around and every place 
I looked it requires me to sign in or purchase.

IECUserRolesExtension.java
* It would help if you could put the relevant ASN.1 in the extension code 
IECUserRolesExtension.java
* the getName() method returns the OID string instead of the 
conventional name of the class
* by convention, other existing extension classes use the Java class 
Boolean instead of the native boolean for criticality.  Please try to 
stick to it.
* hmmm... Shouldn't this extension be a "SEQUENCE of" "UserRoleInfo"?  
This code seems to implement only the "UserRoleInfo" part.
This would be a major problem.
You might want to take a look at how 
SubjectAlternativeNameExtension.java is done, where it is a "SEQUENCE of" 
GeneralName.
See: http://tools.ietf.org/html/rfc5280#section-4.2.1.6 (scroll down a 
bit to see the ASN.1 definition).
Search in our code for the following:
- SubjectAlternativeNameExtension.java
- GeneralNames
- GeneralName

Again, since I don't have the spec that you code against, I might be 
wrong; please supply the ASN.1 spec for this extension before I continue.

I think I will stop here and let you work on / respond to the above 
first, as it seems like a deal breaker if I am right.

regards,
Christina





On 08/18/2014 12:03 AM, Fraser Tweedale wrote:
> On Thu, Aug 14, 2014 at 04:26:59PM +1000, Fraser Tweedale wrote:
>> On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
>>> Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
>>> extension support and a DNP3 profile that makes use of it.  This is
>>> to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
>>> Authentication v5 (SAv5) standard.
>>>
>>> In brief, the SN and all the IECUserRoles params will be given in
>>> profile inputs, and the key is taken from a CertReqInput.
>>>
>>> There's still a bit of work to go - notably, some of the
>>> IECUserRoles fields are unimplemented, and some of those that *are*
>>> implemented are not yet read out of the profile input but rather are
>>> hardcoded.  The extension *does* appear on the certificate, so I
>>> should get that all completed tomorrow.
>>>
>>> Cheers,
>>>
>>> Fraser
>>>
> These patches have been completed and are ready for review.  New
> versions are attached.
