Sailesh Mukil has posted comments on this change. ( http://gerrit.cloudera.org:8080/8595 )
Change subject: KUDU-2220: GetEndOfChainX509 does not return end-user cert
......................................................................


Patch Set 2:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/8595/2/src/kudu/security/test/test_certs.cc
File src/kudu/security/test/test_certs.cc:

http://gerrit.cloudera.org:8080/#/c/8595/2/src/kudu/security/test/test_certs.cc@506
PS2, Line 506: CreateTestSSLCertSignedByChain
> Which cert do we want to use, actually? Could we drop the old one?

I basically added the intermediate cert (from 'kCaChainCert' below) to the 'kCert' variable.

The reason is that if there is only one cert in the server/client certificate, then GetTopOfChainX509() and GetEndOfChainX509() would both return the correct cert, since there's only one.

But for all PEM files, if they're a chain of certs and not a CA, the sender certificate must come first, followed by a chain of certs that each trust the previous one in the chain. So, if we leave the function as GetEndOfChainX509() and add this intermediate cert to 'kCert', the test using these certs would fail.

I think validation already happens now here at CheckPrivateKey():
https://github.com/apache/kudu/blob/master/src/kudu/security/cert.cc#L154-L159

If the cert we get back from GetTopOfChainX509() is incorrect, then this function would return an error.


--
To view, visit http://gerrit.cloudera.org:8080/8595

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I0e3f913259ec4c855ff211726fa6ecea94d328e7
Gerrit-Change-Number: 8595
Gerrit-PatchSet: 2
Gerrit-Owner: Sailesh Mukil
Gerrit-Reviewer: Alexey Serbin
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Sailesh Mukil
Gerrit-Comment-Date: Mon, 20 Nov 2017 18:21:59 +0000
Gerrit-HasComments: Yes
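Editor's added example (not part of the review thread and not Kudu's own code) of the PEM ordering rule the comment relies on: in a non-CA bundle the end-user cert comes first, followed by its issuers, and the way to detect a mis-ordered bundle is to compare the first cert's public key with the private key, which is what a CheckPrivateKey()-style step does. It assumes only the openssl CLI (1.1.1 or 3.x); the file names, subjects and the root/intermediate/leaf PKI it generates are all constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not Kudu code. Assumes the openssl CLI; everything else is
# generated locally. Shows why a PEM bundle for a server/client cert must list
# the end-user cert first: the first PEM block is what a top-of-chain accessor
# returns, and it has to match the private key.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Issue root -> intermediate -> leaf. Names and key sizes are arbitrary.
make_pki() {
  # Minimal req config so the run does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext

  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.csr -subj "/CN=Test Root CA" >/dev/null 2>&1
  openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext \
    -out ca.pem >/dev/null 2>&1

  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout int.key \
    -out int.csr -subj "/CN=Test Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1

  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=kudu-server.example" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# `openssl x509` reads only the FIRST PEM block of a file, i.e. the cert a
# GetTopOfChainX509()-style accessor hands back. Compare its public key with
# the public key derived from the private key (the CheckPrivateKey() idea).
# Returns 0 when they match, 1 otherwise.
first_cert_matches_key() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$2" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# Chain validation alone does not notice a mis-ordered bundle: the leaf still
# chains to the root through the intermediate whichever order the file uses.
leaf_chain_verifies() {
  openssl verify -CAfile ca.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}

make_pki
cat leaf.pem int.pem > good-bundle.pem   # end-user cert first, then its issuer
cat int.pem leaf.pem > bad-bundle.pem    # issuer first: wrong for a non-CA bundle

for b in good-bundle.pem bad-bundle.pem; do
  if first_cert_matches_key "$b" leaf.key; then r="matches"; else r="DOES NOT match"; fi
  if leaf_chain_verifies "$b"; then v="verifies"; else v="does not verify"; fi
  echo "$b: leaf chain $v; first cert $r leaf.key"
done
```

Both bundles pass chain verification, so a test that only checks the chain would not catch the ordering bug; only the private-key comparison against the first cert distinguishes them, which is why the comment leans on CheckPrivateKey() as the existing guard.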
