Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/22910 )

Change subject: PROTOTYPE: Support certificates signed with RSASSA-PSS for 
channel bindings
......................................................................


Patch Set 2: Code-Review+1

(6 comments)

http://gerrit.cloudera.org:8080/#/c/22910/2//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/22910/2//COMMIT_MSG@7
PS2, Line 7: PROTOTYPE
> This should be IMPALA-14038
I guess Joe was going to file a Kudu upstream JIRA for this as he mentioned in 
his comment for PS1.


http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert-test.cc
File src/kudu/security/cert-test.cc:

http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert-test.cc@20
PS2, Line 20: #include <openssl/crypto.h>
> Is this include needed?
Yes, it is: https://jenkins.kudu.apache.org/job/build_and_test/8600/console


http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.h
File src/kudu/security/cert.h:

http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.h@79
PS2, Line 79: WARN_UNUSED_RESULT
nit: in Kudu this is no longer needed in the 1.18 and newer codebase since the 
'Status' class now has the [[nodiscard]] attribute and any non-handled Status 
results in a compiler error


http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.cc
File src/kudu/security/cert.cc:

http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.cc@28
PS2, Line 28: #include <cstddef>
> Is this include needed?
Yes, it is: https://jenkins.kudu.apache.org/job/build_and_test/8600/console


http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.cc@198
PS2, Line 198: NULL
nit for here and below: consider changing to 'nullptr' to match the rest of the 
code in this file


http://gerrit.cloudera.org:8080/#/c/22910/2/src/kudu/security/cert.cc@200
PS2, Line 200:   OBJ_find_sigid_algs(signature_nid, &digest_nid, NULL);
> I would like to see a better error message returned here if digest_nid is N
I'm not sure it's worth trying to add such a better error message:
  * IIUC, pre-1.1.1 versions of the OpenSSL library do even have a notion of 
RSASSA-PSS to tell what's going on
  * at least for Kudu, if the bits are built the standard way with pre-1.1.1 
OpenSSL library, that means they are for RHEL/CentOS 7.0 or earlier.  
RHEL/CentOS 7.4 comes with OpenSSL 1.1.1 already.  And RHEL/CentOS 7.4 is EOL 
already.



--
To view, visit http://gerrit.cloudera.org:8080/22910

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I26a25a43d778fd2f2fcf293ecb199133c675212b
Gerrit-Change-Number: 22910
Gerrit-PatchSet: 2
Gerrit-Owner: Joe McDonnell <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Jason Fehr <[email protected]>
Gerrit-Reviewer: Joe McDonnell <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Mon, 19 May 2025 17:42:23 +0000
Gerrit-HasComments: Yes
