Sounds fine. Like I said, ACK, and my comments were optional,
and with your explanation, sounds good.

----- Original Message -----
From: "Endi Sukma Dewata" <edewata(a)redhat.com>
To: "John Magne" <jmagne(a)redhat.com>, "Christina Fu"
<cfu(a)redhat.com>
Cc: pki-devel(a)redhat.com
Sent: Tuesday, 24 November, 2015 6:20:54 AM
Subject: Re: [Pki-devel] [PATCH] 657 Refactored CA certificate generation.

On 11/23/2015 6:43 PM, John Magne wrote:
> Looks ok to me, ACK but will defer more strongly to cfu on this one.
>
> One quick thing:
>
> The routine that creates the cert request doesn't appear to massage the
> key related params much. For instance if someone would give the RSA key sizes
> and an ECC curve name, the responsibility to check this would move down to the system
> call.
>
> Not sure this is worth fixing so just making it optional.

Yes, the code is intentionally doing just the minimal checking for
key-related parameters such that if NSS introduces a new behavior (e.g.
supporting a new curve) PKI will automatically pick it up without any
modification. The key size & curve name are passed directly to certutil
assuming that NSS will do the validation and will fail if the values
aren't valid. It's doing a little bit more checking on the key algorithm
because it needs to parse the hash algorithm out of it, but the hash
algorithm itself is passed directly to certutil; PKI doesn't validate it.

Is this ok?

--
Endi S. Dewata