Fix missing OID mappings #997
Conversation
|
Sonar does not like the name convention for |
| { 1, 3, 6, 1, 5, 5, 7, 3, 4 }; | ||
| public static final ObjectIdentifier OID_EMAIL_PROTECTION = new | ||
| ObjectIdentifier(OID_EMAIL_PROTECTION_STR); | ||
|
|
||
| public static final int OID_CODE_SIGNING_STR[] = | ||
| { 1, 3, 6, 1, 5, 5, 7, 3, 3 }; | ||
| public static final ObjectIdentifier OID_CODE_SIGNING = new | ||
| ObjectIdentifier(OID_OCSP_SIGNING_STR); |
There was a problem hiding this comment.
This is an existing code, but I think it should be OID_CODE_SIGNING_STR instead of OID_OCSP_SIGNING_STR. I wonder why we never see a problem caused by this bug.
@ladycfu ^^
| public static final int OID_EMAIL_PROTECTION_STR[] = | ||
| { 1, 3, 6, 1, 5, 5, 7, 3, 4 }; | ||
| public static final ObjectIdentifier OID_EMAIL_PROTECTION = new | ||
| ObjectIdentifier(OID_EMAIL_PROTECTION_STR); |
There was a problem hiding this comment.
To avoid similar bugs we probably should not define the OID multiple times. I'm thinking we can just define this object like this:
public static final ObjectIdentifier OID_EMAIL_PROTECTION = \
new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
Then if we need the String OID we can just call OID_EMAIL_PROTECTION.toString() or something like that.
We should also deprecate the existing OID_OCSPSigning and OID_CODESigning.
| @@ -94,9 +96,12 @@ public class OIDMap { | |||
|
|
|||
| public static final String EXT_KEY_USAGE_NAME = "ExtendedKeyUsageExtension"; | |||
| public static final String EXT_INHIBIT_ANY_POLICY_NAME = "InhibitAnyPolicyExtension"; | |||
| private static final String EXT_INHIBIT_ANY_POLICY = ROOT + "." + InhibitAnyPolicyExtension.NAME; | |||
There was a problem hiding this comment.
Just a note that the InhibitAnyPolicyExtension.NAME is actually pointing back to EXT_INHIBIT_ANY_POLICY_NAME. We probably should move EXT_INHIBIT_ANY_POLICY_NAME into InhibitAnyPolicyExtension.NAME later.
| @@ -132,6 +137,8 @@ private static void loadNamesDefault(Properties props) { | |||
| props.put(AUTH_KEY_IDENTIFIER, "2.5.29.35"); | |||
| props.put(SUBJ_DIR_ATTR, "2.5.29.9"); | |||
| props.put(EXT_KEY_USAGE, "2.5.29.37"); | |||
| props.put(EXT_INHIBIT_ANY_POLICY, "2.5.29.54"); | |||
There was a problem hiding this comment.
This OID is already defined in InhibitAnyPolicyExtension.OID. Should we use that instead?
| @@ -132,6 +137,8 @@ private static void loadNamesDefault(Properties props) { | |||
| props.put(AUTH_KEY_IDENTIFIER, "2.5.29.35"); | |||
| props.put(SUBJ_DIR_ATTR, "2.5.29.9"); | |||
| props.put(EXT_KEY_USAGE, "2.5.29.37"); | |||
| props.put(EXT_INHIBIT_ANY_POLICY, "2.5.29.54"); | |||
| props.put(OCSP_NO_CHECK, "1.3.6.1.5.5.7.48.1.5"); | |||
There was a problem hiding this comment.
This is also already defined in OCSPNoCheckExtension.OID. Should we use that one?
| props.put(EXT_INHIBIT_ANY_POLICY, | ||
| "org.mozilla.jss.netscape.security.extensions.InhibitAnyPolicyExtension"); | ||
| props.put(OCSP_NO_CHECK, | ||
| "org.mozilla.jss.netscape.security.extensions.OCSPNoCheckExtension"); |
There was a problem hiding this comment.
To ensure that the class names and packages are correct we probably should use InhibitAnyPolicyExtension.class.getName() and OCSPNoCheckExtension.class.getName().
|
@edewata I have just read in RHCS-4883 about other OIDs which are not printed. I'll incorporate these other OID and reorganise this code for better maintainability. Moving this PR to draft for the moment. Thanks |
Pretty print some additional OID:
OCSP No Check - id-pkix-ocsp-nocheck { 1.3.6.1.5.5.7.48.1.5}
Inhibit Any Policy {2.5.29.54}
Extended Key Usage:
- serverAuth {1 3 6 1 5 5 7 3 1}
- clientAuth {1 3 6 1 5 5 7 3 2}
- codeSigning {1 3 6 1 5 5 7 3 3}
- emailProtection {1 3 6 1 5 5 7 3 4}
- id-kp-ipsecIKE {1 3 6 1 5 5 7 3 17}
- iKEIntermediate {1 3 6 1 5 5 8 2 2}
fmarco76
force-pushed
the
FixMissOIDPrint
branch
4 times, most recently
from
416fe84 to
4854289
Compare
|
@edewata I have reorganised the code and going deeply I found the real reason some of the extension were not shown. There was a static code which was never invoked when used with There is a problem with postgresql but it is also in other PR. We can investigate in a separate PR. |
| if (oid.equals(ExtendedKeyUsageExtension.OID_IKE_INTERMEDIATE)) { | ||
| sb.append(pp.indent(mIndentSize + 8) + "ipsec Intermediate System Usage" + | ||
| " - " + oid.toString() + "\n"); | ||
| } else if (oid.equals(ExtendedKeyUsageExtension.OID_ID_KP_IPSEC_IKE)) { | ||
| sb.append(pp.indent(mIndentSize + 8) + "ipsec Internet Key Exchange" + | ||
| " - " + oid.toString() + "\n"); | ||
| } else if (oid.equals(ExtendedKeyUsageExtension.OID_OCSP_SIGNING)) { | ||
| sb.append(pp.indent(mIndentSize + 8) + "OCSPSigning" + | ||
| " - " + oid.toString() + "\n"); | ||
| } else if (oid.equals(ExtendedKeyUsageExtension.OID_EMAIL_PROTECTION)) { | ||
| sb.append(pp.indent(mIndentSize + 8) + "emailProtection" + | ||
| " - " + oid.toString() + "\n"); | ||
| } else if (oid.equals(ExtendedKeyUsageExtension.OID_CODE_SIGNING)) { | ||
| sb.append(pp.indent(mIndentSize + 8) + "codeSigning" + | ||
| " - " + oid.toString() + "\n"); | ||
| } else if (oid.equals(ExtendedKeyUsageExtension.OID_CLIENT_AUTH)) { | ||
| sb.append(pp.indent(mIndentSize + 8) + "clientAuth" + | ||
| " - " + oid.toString() + "\n"); | ||
| } else if (oid.equals(ExtendedKeyUsageExtension.OID_SERVER_AUTH)) { | ||
| sb.append(pp.indent(mIndentSize + 8) + "serverAuth" + | ||
| " - " + oid.toString() + "\n"); | ||
| } else { | ||
| sb.append(pp.indent(mIndentSize + 8) + oid.toString() + "\n"); | ||
| } |
There was a problem hiding this comment.
The toString() is redundant since it's implicitly called during string concatenation.
| @@ -131,43 +143,28 @@ private static void loadNamesDefault(Properties props) { | |||
| props.put(CERT_POLICIES, "2.5.29.32"); | |||
| props.put(AUTH_KEY_IDENTIFIER, "2.5.29.35"); | |||
| props.put(SUBJ_DIR_ATTR, "2.5.29.9"); | |||
| props.put(EXT_KEY_USAGE, "2.5.29.37"); | |||
There was a problem hiding this comment.
Just to confirm, so the EXT_KEY_USAGE doesn't need to be specified here anymore?
There was a problem hiding this comment.
The ExtendedKeyUsageExtension class was adding itself here. I have not investigated there reason but it is like adding this extension whatever is the map. However, this code was not executed so I moved in the static block of the OIDMap with the addClass() method.
| props.put(EXT_KEY_USAGE, | ||
| "org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension"); |
There was a problem hiding this comment.
Same thing, so the EXT_KEY_USAGE doesn't need to be specified here anymore?
Static code inside the extension is not loaded by PrettyPrintCert because only static final values of the class are referenced and these values are resolved at compile time. The static initialisation has moved from static block in the extension to the OIDMap static block which is the class loaded at runtime. Useless OID string from ExtendedKeyUsageExtension has been removed from previous commit and existing OIDs (ocsp signing and code signing) have been deprecated.
fmarco76
force-pushed
the
FixMissOIDPrint
branch
from
4854289 to
c241928
Compare
|
|
@edewata Thanks! I have just remove the useless |
Pretty print some additional OID:
OCSP No Check - id-pkix-ocsp-nocheck { 1.3.6.1.5.5.7.48.1.5} Inhibit Any Policy {2.5.29.54}
Extended Key Usage: