[Pki-devel] [PATCH] 198-203 patches to address multiple issues in KeyResource server and client code.

John Magne jmagne at redhat.com
Mon Feb 24 22:33:41 UTC 2014


ACK #200, comment below:


----- Original Message -----
> From: "Endi Sukma Dewata" <edewata at redhat.com>
> To: alee at redhat.com, pki-devel at redhat.com
> Sent: Monday, February 24, 2014 12:58:08 PM
> Subject: Re: [Pki-devel] [PATCH] 198-203 patches to address multiple issues in KeyResource server and client code.
> 
> On 2/21/2014 11:52 PM, Ade Lee wrote:
> > Endi, Jack and I met to discuss various improvements to the
> > Key/KeyResource client/server parts.  Some of these are addressed in the
> > attached patches.  Some will be handled in separate tickets.
> >
> > Separate Tickets to be filed:
> > 1. Add nonce mechanism for approvals.
> > 2. Add openssl subclass for CryptoUtil
> > 3. Extend generate_session_key() to return key in same call
> > 4. Allow CLI to call python? (to be filed as separate ticket)
> >
> > Done in attached patches:
> > 5. Change kraclient.generate_sym_key -> kraclient.generate_symmetric_key
> >     and extend to allow addition of trans_wrapped_session_key.
> > 6. Add getActiveKey() to python client.
> > 7. client_id -> client_key_id
> > 8. constants in python API for key status
> > 9.  Add sanity checks to python client code
> > 10. Move functions out of KRAClient.py and into key.py
> > 11. from_dict() -> from_json()
> > 12. Add methods to create nss certdb and import transport cert
> > 13. All inputs/outputs from CryptoUtil are unencoded.
> > 14. Fix usages in main function of SymKeyGenerationRequest
> > 15. Fix bugs when retrieving invalid keyId.
> > 16.  Fix bugs when generating key with only clientID provided.
> >
> > To be done in next patch:
> > 17. Rewrite cryptoutil.generate_symmetric_key() to be more generic and
> > provide a more restricted convenience function generate_session_key()
> >
> > To be considered further:
> > 1. rename session_key -> encryption_key/ wrapping_key?
> > 2. revamp archival to not require client to generate PkiArchiveOptions
> > object.
> > 3. should retrieve functions return unwrapped key?
> >
> > Please review attached patches.
> >
> > Ade
> 
> ACK for patch #200. Just one comment, get_key_info() throws
> KeyNotFoundException and get_active_key_info() throws
> ResourceNotFoundException. I think they should be consistent. Also
> consider removing the resource-specific *NotFoundExceptions.


But do the resource-specific exceptions reveal more info as to what has not been found?
Will the generic one be able to convey that info? Just a question.




> 
> --
> Endi S. Dewata
> 