[Pki-devel] [PATCH] 657 Refactored CA certificate generation.

John Magne jmagne at redhat.com
Tue Nov 24 17:45:06 UTC 2015


Sounds fine. Like I said ACK, and my comments were optional,
and with your explanation, sounds good.

----- Original Message -----
From: "Endi Sukma Dewata" <edewata at redhat.com>
To: "John Magne" <jmagne at redhat.com>, "Christina Fu" <cfu at redhat.com>
Cc: pki-devel at redhat.com
Sent: Tuesday, 24 November, 2015 6:20:54 AM
Subject: Re: [Pki-devel] [PATCH] 657 Refactored CA certificate generation.

On 11/23/2015 6:43 PM, John Magne wrote:
> Looks ok to me, ACK but will defer more strongly to cfu on this one.
>
> One quick thing:
>
> The routine that creates the cert request doesn't appear to massage the
> key related params much. For instance if someone would give the RSA key sizes
> and an ECC curve name, the responsibility to check this would move down to the system
> call.
>
> Not sure this is worth fixing so just making it optional.

Yes, the code is intentionally doing just the minimal checking for 
key-related parameters such that if NSS introduces a new behavior (e.g. 
supporting new curve) PKI will automatically pick it up without any 
modification. The key size & curve name are passed directly to certutil 
assuming that NSS will do the validation and will fail if the values 
aren't valid. It's doing a little bit more checking on the key algorithm 
because it needs to parse the hash algorithm out of it, but the hash 
algorithm itself is passed directly to certutil, PKI doesn't validate it.

Is this ok?

-- 
Endi S. Dewata
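
Added example, not part of the original thread and not the PKI project's code: the pass-through approach described above, where only the key algorithm string is parsed locally and the key size, curve name and hash are forwarded to certutil for NSS to accept or reject. The function names, the "<hash>with<RSA|EC>" string format and the password/noise file parameters are assumptions made for this example.

```python
import re
import subprocess

# Assumed key algorithm format, e.g. "SHA256withRSA" or "SHA384withEC".
KEY_ALG_RE = re.compile(r"^(?P<hash>[A-Za-z0-9-]+)with(?P<type>RSA|EC)$")


def build_certutil_request_args(nssdb, subject, key_algorithm, out_file,
                                password_file, noise_file,
                                key_size=None, curve=None):
    """Build the argv for `certutil -R` with only minimal local checking."""
    m = KEY_ALG_RE.match(key_algorithm)
    if m is None:
        # The only local check: the string must parse so the hash can be split out.
        raise ValueError(f"cannot parse key algorithm: {key_algorithm!r}")

    args = ["certutil", "-R", "-d", nssdb, "-s", subject, "-o", out_file,
            "-f", password_file, "-z", noise_file,
            "-k", "rsa" if m.group("type") == "RSA" else "ec",
            "-Z", m.group("hash")]         # hash name is not validated here
    # Whatever the caller supplied is forwarded unchanged, even an RSA size
    # together with an EC curve; accepting or rejecting it is left to certutil.
    if key_size is not None:
        args += ["-g", str(key_size)]
    if curve is not None:
        args += ["-q", str(curve)]
    return args


def generate_request(**params):
    """Run certutil; a non-zero exit status raises CalledProcessError."""
    args = build_certutil_request_args(**params)
    # argv list with no shell: each operator-supplied value stays one argument.
    # check=True keeps a rejection by NSS from being silently ignored.
    return subprocess.run(args, check=True, capture_output=True,
                          stdin=subprocess.DEVNULL)
```

Because validation is delegated, the caller of generate_request() has to treat CalledProcessError as the "invalid key parameters" signal and log its stderr.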



