Updated signed_video_set_private_key to work with ONVIF. Added getter functions for the private key and certificate chain. Included a test to verify the signing functionality.
bjornvolcker left a comment
Some initial comments
bjornvolcker left a comment
There are still a bunch of unanswered review questions.
Also, have you verified that it works to use the reconstructed key on a device?
bjornvolcker left a comment
Still a few old review comments to address. And a few new ones.
This PR is quite large. Is it possible to split it into a series of 5-10 separate PRs? It will make reviewing much easier.
lusikamalo2 left a comment
No extra comments from my side so far.
| * retrieving the private key and certificate chain from the signed video object, | ||
| * and setting the ONVIF signing key pair. | ||
| * and setting the ONVIF signing key pair. The function will free the ONVIF object | ||
| * on failure, allowing the framework to continue with the signed video. |
Yes, this is the desired behavior, but is that really what happens with your implementation?
Have you tested/verified that?
| // Try to initialize ONVIF; if it is not available or cannot be initialized, | ||
| // fallback to Signed Video signing plugin. | ||
| initialize_onvif(self); | ||
| if (!self->onvif) { |
Now that the ONVIF signing plugin is called through the Axis signing plugin (see other PR), you need to remove the if-statement.
|
|
||
| return status; | ||
| self->private_key = NULL; | ||
| if (status != SV_OK && self->onvif != NULL) assert(true); |
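Review bot: assert(true) in the last line can never fail, so the condition status != SV_OK && self->onvif != NULL is evaluated and then ignored. If the intent is that a failed call must not leave an ONVIF object behind, assert that condition directly, for example assert(status == SV_OK || self->onvif == NULL). assert() is also compiled out when NDEBUG is defined, so a release build needs an explicit runtime check if this state has to be handled rather than only detected during testing.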
Well, you should also check the opposite. I only gave you an example. And also shouldn't it be false in assert?
assert((status == SV_OK && !self->onvif) || (status != SV_OK && self->onvif));
| // Sanity check ONVIF object. | ||
| if(!self->onvif) { | ||
| return SV_INVALID_PARAMETER; | ||
| if (!self->onvif) { |
You should also check if private_key exists
| // Temporally turn the PEM |private_key| into an EVP_PKEY and allocate memory for signatures. | ||
| SV_THROW(openssl_private_key_malloc(self->sign_data, private_key, private_key_size)); | ||
| SV_THROW(openssl_read_pubkey_from_private_key(self->sign_data, &self->pem_public_key)); | ||
| self->private_key = private_key; |
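Review bot: the last line stores the caller's PEM buffer pointer in self->private_key without copying it, while the comment at the top of the hunk describes the PEM key as only temporarily turned into an EVP_PKEY. The object then refers to raw private key material for as long as self lives, and any later read goes through a dangling pointer if the caller frees or reuses that buffer. Copy the key into memory the object owns, keep its size alongside it, and clear and free that copy on teardown; if borrowing the pointer is intended, document that the caller must keep the buffer valid for the lifetime of self.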
You forgot to set private_key_size
| if (status == SV_OK) { | ||
| return status; | ||
| } | ||
| if (sv->sign_data && sv->sign_data->key && sv->onvif) { |
No need for if-statement. The check should be inside initialize_onvif()
| // For signing plugin | ||
| void *plugin_handle; | ||
| sign_or_verify_data_t *sign_data; // Pointer to all necessary information to sign in a plugin. | ||
| const char *private_key; |
Add a comment on what this is used for. A reader might assume that this is the signing key used during the session, but it is not.
| self->private_key = private_key; | ||
|
|
||
| // Try to initialize ONVIF; if it is not available or cannot be initialized, | ||
| // fallback to Signed Video signing plugin. |
The comment about "fallback" should be inside initialize_onvif since you do not take any actions regarding that out here.
|
|
||
| sv_vendor_axis_communications_t *self = (sv_vendor_axis_communications_t *)handle; | ||
|
|
||
| // Return the certificate chain |
Redundant comment. I think the reader is clever enough to understand that from the line below.