Thanks for the info.
Therefore:
ACK
----- Original Message -----
From: "Ade Lee" <alee(a)redhat.com>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-devel(a)redhat.com
Sent: Wednesday, June 26, 2013 6:06:44 PM
Subject: Re: [Pki-devel] [PATCH] 0134-Make-sure-only-the-master-keys-and-certs-are-imported
On Wed, 2013-06-26 at 19:03 -0400, John Magne wrote:
Ade:
This looks good but I have a question.
Looking at the function you added:
private static boolean importRequired(ArrayList<String> masterList, String
nickname) {
+ if (masterList.contains(nickname))
+ return true;
+ try {
+ X500Name xname = new X500Name(nickname);
+ for (String key: masterList) {
+ try {
+ X500Name xkey = new X500Name(key);
+ if (xkey.equals(xname)) return true;
+ } catch (IOException e) {
+ // xkey not an X500Name
+ }
+ }
+
+ } catch (IOException e) {
+ // nickname is not a x500Name
+ return false;
+ }
+ return false;
+ }
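Review bot: both `catch (IOException e)` blocks swallow the parse failure silently; the inner one is expected for plain nicknames, but the outer one decides the return value, so a debug-level log there (e.g. "nickname is not an X500Name, skipping") would make a wrongly skipped import diagnosable. The DN branch also returns true for any master entry whose parsed X500Name equals the nickname's, so the filter is only as selective as the master subject DNs are distinct; a comment stating that assumption next to `if (xkey.equals(xname)) return true;` would document it. Minor: the comment reads "a x500Name"; "an X500Name".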
It looks like the top of this function does a String comparison just like the code you
had in there but commented out already:
if (masterList.contains(nickname))
+ return true;
As I understand it, the List contains() method calls the equals() method of the objects
involved.
Subsequently it looks like you rifle through the whole list and do a comparison between
X500Name objects, which represent distinguished names.
Why is this done? Are there cases where the DNs are equivalent but their raw Strings
may differ?
The list of names consists of two types of strings - nicknames like
"auditSigningCert pki-tomcat CA" and subject names like
"CN= CA Audit Singing Cert, O=redhat domain". The masterList also
contains similar names.
The first call of the contains() method does a string comparison and so
handles the cases where the nicknames are the same. For the subject
names, I found that this was insufficient because the strings were not
exactly the same.
In particular, the masterList contained entries like:
"cn= CA Audit Singing Cert, o=redhat domain", while the list of names
from the pk12 file contained the following:
"CN= CA Audit Singing Cert, O=redhat domain"
Notice the difference in case for the field names. Parsing the name as
an X500Name and using the equals() method for those objects eliminates
those discrepancies.
Ade
thanks,
jack
----- Original Message -----
> From: "Ade Lee" <alee(a)redhat.com>
> To: pki-devel(a)redhat.com
> Sent: Wednesday, June 26, 2013 11:28:42 AM
> Subject: [Pki-devel] [PATCH] 0134-Make-sure-only-the-master-keys-and-certs-are-imported
>
> Make sure only the master keys and certs are imported.
>
> The key import code was written for when there was only one
> subsystem per tomcat instance, and only one subsystem's certs
> and keys per p12 file. We need to ensure that only the master's
> subsystem keys and certs are imported. Otherwise, unpredictable
> behavior happens, like in Ticket 665.
>
> Please review,
>
> Thanks,
> Ade
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
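The point Ade makes above (an exact string match misses a master subject name when only the attribute-type case differs, "cn=" vs "CN=") as an added example, not code from the patch or from Dogtag; `parse_dn` is an assumed, simplified stand-in for X500Name (no escaped commas or multi-valued RDNs) and the sample lists are constructed.

```python
# Added example (not the project's code): why importRequired() needs more
# than string equality. Exact match covers nicknames; a structural DN
# comparison covers subject names whose attribute types differ in case.
# parse_dn is a simplified stand-in for X500Name (no escaped commas or
# multi-valued RDNs); assumes types and values compare case-insensitively.
from typing import List, Optional, Tuple

def parse_dn(text: str) -> Optional[Tuple[Tuple[str, str], ...]]:
    """Normalized (type, value) RDN tuple, or None if text is not a DN."""
    rdns = []
    for part in text.split(","):
        if "=" not in part:
            return None            # plain nickname: the IOException branch
        attr, value = part.split("=", 1)
        if not attr.strip():
            return None
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)

def import_required(master_list: List[str], nickname: str) -> bool:
    """True only if nickname names one of the master's keys or certs."""
    if nickname in master_list:          # exact string match
        return True
    wanted = parse_dn(nickname)
    if wanted is None:                   # nickname not in list and not a DN
        return False
    for key in master_list:
        if parse_dn(key) == wanted:      # None never equals a parsed DN
            return True
    return False

# Constructed sample, modelled on the strings quoted in the thread.
MASTER_LIST = [
    "auditSigningCert pki-tomcat CA",
    "cn= CA Audit Signing Cert, o=redhat domain",
]
PK12_SUBJECT = "CN= CA Audit Signing Cert, O=redhat domain"

def demo() -> dict:
    return {
        "nickname": import_required(MASTER_LIST, MASTER_LIST[0]),
        "string_only": PK12_SUBJECT in MASTER_LIST,          # misses it
        "dn_match": import_required(MASTER_LIST, PK12_SUBJECT),
        "other_subsystem": import_required(
            MASTER_LIST, "CN=KRA Audit Signing Cert, O=redhat domain"),
        "unknown_nickname": import_required(MASTER_LIST, "subsystemCert KRA"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```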