Jason Fehr has posted comments on this change. ( http://gerrit.cloudera.org:8080/22910 )

Change subject: PROTOTYPE: Support certificates signed with RSASSA-PSS for 
channel bindings
......................................................................


Patch Set 2:

(5 comments)

http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert-test.cc
File src/kudu/security/cert-test.cc:

http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert-test.cc@20
PS2, Line 20: #include <openssl/crypto.h>
Is this include needed?


http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.cc
File src/kudu/security/cert.cc:

http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.cc@28
PS2, Line 28: #include <cstddef>
Is this include needed?


http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.cc@200
PS2, Line 200:   OBJ_find_sigid_algs(signature_nid, &digest_nid, NULL);
I would like to see a better error message returned here if digest_nid is 
NID_undef and signature is RSASSA-PSS NID_rsassaPss.  Something to the effect 
of "signature type unsupported on OpenSSL versions less than 1.1.1".  That way, 
the issue is easily determined.


http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.cc@210
PS2, Line 210:   if (digest_nid == NID_undef) {
Since we are making changes here, we should wrap this if condition with 
UNLIKELY().


http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.cc@213
PS2, Line 213:         "server certificate using $0 has no signature digest 
(hash) algorithm",
Nit: this error would be clearer if the string said "server certificate using 
'$0' signature algorithm has no signature digest (hash) algorithm"



--
To view, visit http://gerrit.cloudera.org:8080/22910
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I26a25a43d778fd2f2fcf293ecb199133c675212b
Gerrit-Change-Number: 22910
Gerrit-PatchSet: 2
Gerrit-Owner: Joe McDonnell <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Jason Fehr <[email protected]>
Gerrit-Reviewer: Joe McDonnell <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Mon, 19 May 2025 15:26:00 +0000
Gerrit-HasComments: Yes
