[Pki-devel] [PATCH] pki-cfu-0066 and pki-cfu-0067 for Ticket 1307 [RFE] Support multiple keySets for different cards for ExternalReg

John Magne jmagne at redhat.com
Fri May 22 00:35:48 UTC 2015 

Christina:

Looks like you got the minor issues under control.
We went through a couple of demos and it is tested to work with tpsclient...

ACK



----- Original Message -----
> From: "Christina Fu" <cfu at redhat.com>
> To: pki-devel at redhat.com
> Sent: Thursday, May 21, 2015 4:35:13 PM
> Subject: Re: [Pki-devel] [PATCH] pki-cfu-0066 and pki-cfu-0067 for Ticket 1307 [RFE] Support multiple keySets for
> different cards for ExternalReg
> 
> Thanks for the review Jack.
> Attached please find pki-cfu-0069, which is the revised patch#2.
> 
> Christina
> 
> On 05/20/2015 01:51 PM, John Magne wrote:
> > Looks nice and gives us some good new flexibility with respect to the
> > keySet value.
> >
> >
> > Just a few comments:
> >
> >
> > 1. For each type of "resolver" you have something like:
> >
> > mappingResolver.enrollMappingResolver
> >
> > Previously the whole class name for this was something like
> > "tokenProfileMappingResolver" or some such.
> > This name has been changed to just "mappingResolver". In order to give the
> > user the same info how about
> > something like: "mappingResolver.enollTokenTypeMappingResolver" ??? The
> > same for format and pin reset of course.
> >
> >
> > 2. In MappingResolverManager.java here:
> >
> >    mappingResolvers.put(prInst, resolver);
> >
> >
> > The mappingResolvers property is protected. To make it easier for
> > subclasses to use this,
> > maybe an "addResolver" method for easier use instead of making raw
> > collection calls.
> >
> > 3. In the TKSRemoteRequestHandler.java we have modified a large number of
> > method signatures in order
> > to pass in the newly calculated "keySet" type.
> >
> > Instead of modifying all of the calls inside of TKSRemoteRequestHandler
> > there I suggest this possibility.
> >
> >    1. When we construct the instance of TKSRemoteRequestHandler, we add a
> >    new parameter to the constructor being "keySet",
> > which is invariant per session. Set a private property of the class to it.
> > Also validation can be done in the constructor of this value.
> >
> >     2. IN all the methods where that use the new param, just use the local
> >     property and no need to worry about validation.
> >
> >
> >     3. I see that the TPSEngine methods take the new param as well. It
> >     would be nicer to not have to do that, but I think it might be most
> >     convenient to leave that "keySet" param
> > so it can be used in the constructor to TKSRemoteRequestHandler.
> >
> > 4. In TPSEnrollProcessor I see this block several times in different
> > places.
> >
> > +
> > +            CMS.debug("In TPSEnrollProcessor.enroll isExternalReg: about
> > to process keySet resolver");
> > +            /*
> > +             * Note: externalReg.mappingResolver=none indicates no
> > resolver
> > +             *    plugin used
> > +             */
> > +            try {
> > +            String resolverInstName = getKeySetResolverInstanceName();
> > +
> > +                if (!resolverInstName.equals("none") && (selectedKeySet ==
> > null)) {
> > +                    FilterMappingParams mappingParams =
> > createFilterMappingParams(resolverInstName,
> > +                            appletInfo.getCUIDhexString(),
> > appletInfo.getMSNString(),
> > +                            appletInfo.getMajorVersion(),
> > appletInfo.getMinorVersion());
> > +                    TPSSubsystem subsystem =
> > +                            (TPSSubsystem)
> > CMS.getSubsystem(TPSSubsystem.ID);
> > +                    BaseMappingResolver resolverInst =
> > +
> > subsystem.getMappingResolverManager().getResolverInstance(resolverInstName);
> > +                    String keySet =
> > resolverInst.getResolvedMapping(mappingParams, "keySet");
> > +                    setSelectedKeySet(keySet);
> > +                    CMS.debug(method + " resolved keySet: " + keySet);
> > +                }
> > +            } catch (TPSException e) {
> > +                auditMsg = e.toString();
> > +                tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT,
> > tokenRecord, session.getIpAddress(), auditMsg,
> > +                        "failure");
> > +
> > +                throw new TPSException(auditMsg, TPSS
> >
> >
> > I think this thing can be made a method of TPSProcessor or something and
> > just called everywhere.
> >
> > 5. This method:
> >
> > protected String getKeySetResolverInstanceName() throws TPSException {
> > +        String method = "TPSProcessor.getKeySetResolverInstanceName: ";
> > +        CMS.debug(method + " begins");
> > +        IConfigStore configStore = CMS.getConfigStore();
> > +        ....
> > ..
> > +
> > +        CMS.debug(method + " config: " + config);
> > +        try {
> > +            resolverInstName = configStore.getString(config, "none");
> > +        } catch (EBaseException e) {
> > +            // not finding it is not an error
> > +        }
> > +        if (resolverInstName.equals(""))
> > +            resolverInstName = "none";
> > +
> > +        CMS.debug(method + " returning: " + resolverInstName);
> > +
> > +        return resolverInstName;
> > +    }
> >
> > We've established that swallowing exceptions is not a good thing to do.
> > Just throw a TPSException because here there is some internal error, since
> > you have
> > already established a default.
> >
> >
> > 6. After doing the above, it might be nice to just try a key changeover
> > operation with tpsclient to make sure
> > everything is kosher after changing the behaviour of the
> > TKSRemoteRequestHandler slightly.
> >
> > thanks,
> > jack
> >
> >
> >
> >
> > ----- Original Message -----
> >> From: "Christina Fu" <cfu at redhat.com>
> >> To: pki-devel at redhat.com
> >> Sent: Monday, May 18, 2015 5:52:20 PM
> >> Subject: [Pki-devel] [PATCH] pki-cfu-0066 and pki-cfu-0067 for Ticket 1307
> >> [RFE] Support multiple keySets for
> >> different cards for ExternalReg
> >>
> >> Please find two patches for the ticket:
> >> https://fedorahosted.org/pki/ticket/1307 [RFE] Support multiple keySets
> >> for different cards for ExternalReg
> >>
> >> Patch pki-cfu-0066 involves only renaming of classes/methods/parameters
> >> and the related config parameters for the Mapping Resolver framework.
> >> (note: after the refactoring, I tested it to work before continuing to
> >> the 2nd part)
> >> It is separated out from the actual code logic changes for ease of review.
> >>     The renaming is necessary as the original framework was intended only
> >> to be used to resolve tokenType, and it is now expanded to be used to
> >> resolve keySet.
> >>
> >> Patch pki-cfu-0067 deals with the actual code changes that adds support
> >> for keySet mapping
> >>
> >> Original design of this add-on ExternalReg feature can be found here:
> >> http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS#Supporting_multiple_keySets_for_different_cards_for_ExternalReg
> >>
> >> There is no upgrade supported at this point, as this is technology
> >> preview feature.
> >>
> >> Please review.
> >> thanks,
> >> Christina
> >>
> >> _______________________________________________
> >> Pki-devel mailing list
> >> Pki-devel at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-devel
> 
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

More information about the Pki-devel mailing list