Hi Fraser,

My apologies for getting back to you this late, due to the Dogtag release.
(I think there may be a major issue there, so you might want to jump to the "hmmm" part first)

General:
* It would help if, in the review request email, you could put a link to the spec you are coding against.  I had to search around, and every place I looked requires me to sign in or purchase.

IECUserRolesExtension.java
* It would help if you could put the relevant ASN.1 in the extension code IECUserRolesExtension.java
* the getName() method returns the OID string instead of the conventional name of the class
* by convention, other existing extension classes use the Java class Boolean instead of the native boolean for criticality.  Please try to stick to it.
* hmmm... Shouldn't this extension be a "SEQUENCE of" "UserRoleInfo"?  This code seems to implement only the "UserRoleInfo" part.
This would be a major problem.
You might want to take a look at how SubjectAlternativeNameExtension.java is done, where it is a "SEQUENCE of" GeneralName
See: http://tools.ietf.org/html/rfc5280#section-4.2.1.6 (scroll down a bit to see the ASN.1 definition).
Search in our code for the following:
- SubjectAlternativeNameExtension.java
- GeneralNames
- GeneralName

Again, since I don't have the spec that you code against, I might be wrong; please supply the ASN.1 spec for this extension before I continue.

I think I will stop here and let you work on / respond to the above first, as it seems like a deal breaker if I am right.

regards,
Christina
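
The difference between a single element and a "SEQUENCE of" that element is visible directly in the DER bytes. The Python below is an added example (not part of the original message and not Dogtag code) that checks the RFC 5280 subjectAltName case cited above: the extension value must be one SEQUENCE wrapping one or more GeneralName entries. Function names and sample bytes are constructed for illustration, only dNSName entries are handled, and the IECUserRoles structure is not modelled because its ASN.1 is not given here.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled")
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def general_names(ext_value):
    """Decode GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName (dNSName only)."""
    tag, val, end = read_tlv(ext_value)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extension value is not a single SEQUENCE wrapper")
    names = children(val)
    if not names:
        raise ValueError("SIZE (1..MAX) violated: empty SEQUENCE")
    if any(t != 0x82 for t, _ in names):
        raise ValueError("only dNSName [2] is handled here")
    return [v.decode("ascii") for _, v in names]

def dns(name):
    """Encode one dNSName GeneralName: context tag [2], IA5String contents."""
    return bytes([0x82, len(name)]) + name.encode("ascii")

# Constructed sample values, not taken from any real certificate.
BARE = dns("a.example")                              # one GeneralName, no wrapper
_inner = dns("a.example") + dns("b.example")
WRAPPED = bytes([0x30, len(_inner)]) + _inner        # GeneralNames with two entries
```

A relying party that expects the wrapped form rejects `BARE` at the first tag check, which is why an extension encoded as only the inner element fails to decode even though every field inside it is correct.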

On 08/18/2014 12:03 AM, Fraser Tweedale wrote:
On Thu, Aug 14, 2014 at 04:26:59PM +1000, Fraser Tweedale wrote:
On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
extension support and a DNP3 profile that makes use of it.  This is
to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
Authentication v5 (SAv5) standard.

In brief, the SN and all the IECUserRoles params will be given in
profile inputs, and the key is taken from a CertReqInput.

There's still a bit of work to go - notably, some of the
IECUserRoles fields are unimplemented, and some of those that *are*
implemented are not yet read out of the profile input but rather are
hardcoded.  The extension *does* appear on the certificate, so I
should get that all completed tomorrow.

Cheers,

Fraser

These patches have been completed and are ready for review.  New
versions are attached.


_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel