You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@kudu.apache.org by "Dan Burkert (Code Review)" <ge...@cloudera.org> on 2016/11/01 00:25:28 UTC
[kudu-CR] [util/crypto] certificate management (part 1)
Dan Burkert has posted comments on this change.
Change subject: [util/crypto] certificate management (part 1)
......................................................................
Patch Set 7:
(8 comments)
http://gerrit.cloudera.org:8080/#/c/4799/7/src/kudu/security/crypto/cert_management-test.cc
File src/kudu/security/crypto/cert_management-test.cc:
PS7, Line 45: Substitute
Use JoinPathSegments from path_util.h here and below.
PS7, Line 84: generatation
generation
http://gerrit.cloudera.org:8080/#/c/4799/6/src/kudu/security/crypto/cert_management.cc
File src/kudu/security/crypto/cert_management.cc:
Line 100: return Status::IllegalState("Not initialized");
> Good observation.
> Also, it makes sense to transfer ownership to the parent key: calling lesser number of RSA_free() functions for the success path.
Using set1 instead of assign would mean you could get rid of the rsa.release() call, right?
Line 203: }
> Nope, but that's implied -- but it's a good idea to add it for better prote
Yah I think it would be prudent to check explicitly in order to ensure forwards compatibility.
PS6, Line 326: ptr<ASN1_INTEGER> serial;
> This is what it is: you can see it in apps/ca.c, line 2096.
My confusion was that you copied into the pub_key scope local variable, and then never used that variable. I agree it's better to remove if it's not doing anything.
http://gerrit.cloudera.org:8080/#/c/4799/7/src/kudu/security/crypto/cert_management.cc
File src/kudu/security/crypto/cert_management.cc:
PS7, Line 79: https://www.openssl.org/docs/manmaster/apps/x509v3_config.html
This URL doesn't resolve. Perhaps https://www.openssl.org/docs/man1.0.1/apps/x509v3_config.html
Line 85: const_cast<char*>("critical,serverAuth,clientAuth")));
> Yep, I removed keyAgreement and dataEncipherment since it's better to use s
It looks like those weren't actually removed? There are now two calls to AddExtensions.
Line 318: if (!ret) {
I think this would be simpler as a CHECK_NOTNULL. Having a return statement following a LOG(DFATAL) is misleading.
--
To view, visit http://gerrit.cloudera.org:8080/4799
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I69c1da97e6d013a034aefda59988b593ae1d6304
Gerrit-PatchSet: 7
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes