From: "Christina Fu" <cfu@redhat.com>
To: "John Magne" <jmagne@redhat.com>
Cc: pki-devel@redhat.com
Sent: Friday, October 24, 2014 11:11:33 AM
Subject: Re: [Pki-devel] [PATCH] pki-core-issuerDN-encoding.patch
Jack,
thanks for the review. Please see response below.
On 10/24/2014 11:02 AM, John Magne wrote:
Christina:
Looks good and glad to hear its tested to work, which solves a hairy
problem.
Just a couple of questions about a few places in the code:
1. In diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
We have this block:
+ String caSigningCertStr = caSigningCfg.getString("cert", "");
+ if (caSigningCertStr.equals("")) {
+ CMS.debug("CertificateAuthority:initSigUnit:
ca.signing.cert not found");
+ } else { //ca cert found
+ CMS.debug("CertificateAuthority:initSigUnit: ca cert
found");
+ mCaCert = new X509CertImpl(CMS.AtoB(caSigningCertStr));
+ // this ensures the isserDN and subjectDN have the same
encoding
+ // as that of the CA signing cert
+ CMS.debug("CertificateAuthority: initSigUnit 1- setting
mIssuerObj and mSubjectObj");
+ mSubjectObj = mCaCert.getSubjectObj();
+ // this mIssuerObj is the "issuerDN" obj for the certs
this CA
+ // issues, NOT necessarily the isserDN obj of the CA
signing cert
+ mIssuerObj = new
CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
+ }
+
Looks like you create a member variable mSubjectObj and an associated
getter method.
It seems that perhaps this is only used locally in this method to help
create mIssuerObj, which is accessed later.
Do we need this or did I miss something?
I decided to make it available though you are right that it is not
needed at this point. I just figured since it's there, I will make it
available for future references.
Also, what is supposed to happen when caSigningCertStr == "" ??
Later on we have this in the same method:
+ mSubjectObj = mCaCert.getSubjectObj();
+ if (mSubjectObj != null) {
+ // this ensures the isserDN and subjectDN have the same
encoding
+ // as that of the CA signing cert
+ CMS.debug("CertificateAuthority: initSigUnit - setting
mIssuerObj and mSubjectObj");
+ // this mIssuerObj is the "issuerDN" obj for the certs
this CA
+ // issues, NOT necessarily the isserDN obj of the CA
signing cert
+ // unless the CA is self-signed
+ mIssuerObj =
+ new
CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
+ }
Question about this and other similar NULL checks for mSubjectObj. Can this
really be null if everything was set up
during the initialization phase of the CertificateAuthority?
Also here if it is NULL, what happens, or is the intent to just keep going?
The code took different passes during installation and startup. At very
early stage of the installation, the value is not expected to be there,
so we do want it to pass, and at later times, it will become available.
That is why we don't want to do anything if it's null.
I was being extra careful not to change the code path behavior and only
focus on getting the subject DN setup for later use.
I was curious about those two since this appears to be pretty invasive to
the system.
thanks,
jack
----- Original Message -----
From: "Christina Fu" <cfu@redhat.com>
To: pki-devel@redhat.com
Sent: Friday, October 24, 2014 9:25:22 AM
Subject: [Pki-devel] [PATCH] pki-core-issuerDN-encoding.patch
Attached please find the fix for the following ticket:
https://fedorahosted.org/pki/ticket/1190 CA: issuer DN encoding not
preserved at issuance with signing cert signed by an external CA
thanks in advance for a review.
Christina
_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
forgot to mention...Pushed to master.
commit 5bbd06e6e77729c63d65b77445f71f63ea0cdd1f Author: Christina Fu <cfu@…> Date: Wed Oct 15 10:30:31 2014 -0700