[Pki-devel] Request for review: Bug 928680 - Minor additions to pkisilent (ECC)

Christina Fu cfu at redhat.com
Thu Apr 11 17:02:02 UTC 2013


On 04/11/2013 09:11 AM, Ade Lee wrote:
> Endi brought up an interesting question ..
>
> In this code, you do a string comparison to find the CA cert.
>
> +                if  (ca_certs[i].getSubjectDN().toString().equals(
> +                    cert.getIssuerDN().toString())) {
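Review bot: the `.toString().equals(...)` test on `ca_certs[i]` matches an issuer only by the printed form of its name, so any two entries in `ca_certs` that share a subject DN both satisfy it and the first one found is taken, whether or not its key signed `cert`. Comparing the encoded name bytes instead of the `toString()` output would remove the dependence on how the DN is rendered, and confirming the match against the key (key identifiers or a signature check on `cert`) would pin down the actual issuer. A short comment stating why a string match is considered sufficient here would also help the next reader.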
>
> Is a string comparison valid?  For example, if one uses c=US and the
> other uses C=US, then the string comparison might fail.  Shouldn't some
> DN comparison operation be done instead?
The Issuer DN of a cert and the Subject DN of the issuer's cert have to 
be encoded exactly the same; therefore, the string comparison within the 
same Java VM should yield the same result.
Ideally, I'd want to compare Authority Key Identifier and Subject Key 
Identifier but due to the lack of JSS exposure for appropriate NSS 
functions, I took an easier route.

This brought up something else.  I originally was going to look through 
PKCS7 instead of searching the DB for efficiency; however, again, due to 
lack of JSS functions, I had to change course yesterday.  I made this 
decision because pkisilent is just a tool that is to be run once during 
installation, so if it does take a little longer it should be fine for now.

I think later when we have time we should refactor JSS and offer richer 
interfaces.

thanks,
Christina

> Ade
>
> On Thu, 2013-04-11 at 11:35 -0400, Ade Lee wrote:
>> ACK
>>
>> On Wed, 2013-04-10 at 21:05 -0700, Christina Fu wrote:
>>> Please review the following patch for
>>> https://bugzilla.redhat.com/show_bug.cgi?id=928680
>>>
>>> https://bugzilla.redhat.com/attachment.cgi?id=733986&action=diff&context=patch&collapsed=&headers=1&format=raw
>>>
>>> Please note that the 1st reported issue regarding trust bits was
>>> pre-existing with RSA, so it is not specific to ECC.
>>>
>>> thanks,
>>> Christina
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>
>
