István Fajth created HDDS-11029:
-----------------------------------
Summary: Replace PKCS10CertificationRequest usage in DefaultCAServer
Key: HDDS-11029
URL: https://issues.apache.org/jira/browse/HDDS-11029
Project: Apache Ozone
Issue Type: Sub-task
Reporter: István Fajth

Currently, we serialize the PEM encoded String representation of a certificate
sign request to send it over the wire to be signed by our CA server
implementation.

On the server side, the SCMSecurityProtocolServer class right away turns this
transferred string representation back to a PKCS10CertificationRequest object,
and then passes it on to the DefaultCAServer object. This DefaultCAServer then
passes it on to the approver implementation to inspect if the CSR conforms with
our predefined profiles, then to sign it.

Instead of this, we should only convert the PEM encoded String back to a
PKCS10CertificationRequest instance within the approver, thereby limiting the
scope of BouncyCastle usage for this purpose.

Note:
One idea to do so is to create a separate approver for all the CSRs that are
arriving, as it is a lightweight object to create, and during the instance
initialization we can do the conversion from String to
PKCS10CertificationRequest.
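
A sketch of the per-CSR approver idea from the note above, as an added example that is not Apache Ozone code or part of the original issue. The class name `PemCsrApprover` and its methods are hypothetical, and the profile checks the issue mentions are left out; only the BouncyCastle calls are real API.

```java
import java.io.IOException;
import java.io.StringReader;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCSException;

/** Hypothetical per-CSR approver: the only class that touches BouncyCastle CSR types. */
public final class PemCsrApprover {
  // Kept private so PKCS10CertificationRequest never leaks to the callers.
  private final PKCS10CertificationRequest csr;

  /** Parses the PEM String received over the wire; one instance per CSR. */
  public PemCsrApprover(String pemCsr) throws IOException {
    if (pemCsr == null || pemCsr.isEmpty()) {
      throw new IOException("Empty CSR");
    }
    try (PEMParser parser = new PEMParser(new StringReader(pemCsr))) {
      // readObject() returns null when no PEM object is present.
      Object parsed = parser.readObject();
      // PEM can also carry keys or certificates; accept a CSR only.
      if (!(parsed instanceof PKCS10CertificationRequest)) {
        throw new IOException("PEM input is not a PKCS#10 certificate request");
      }
      this.csr = (PKCS10CertificationRequest) parsed;
    }
  }

  /** Subject as a plain String, so callers need no BouncyCastle imports. */
  public String subject() {
    return csr.getSubject().toString();
  }

  /** Verifies the CSR self-signature (proof of possession of the private key). */
  public boolean hasValidSignature() {
    try {
      ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder()
          .build(csr.getSubjectPublicKeyInfo());
      return csr.isSignatureValid(verifier);
    } catch (OperatorCreationException | PKCSException e) {
      return false; // fail closed on an unsupported key or malformed signature
    }
  }
}
```

With this shape, the protocol server and the CA server only ever handle the PEM String, and a malformed or non-CSR payload is rejected at construction time, before any approval or signing logic runs.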