Hello Jason,

edf green wrote:
> Very straightforward and well documented? You gotta be kidding.
> Perhaps for a long time openssl developer, but not for your run of the
> mill C developer. I spent all last night going through the example
> provided, and yeah beyond being painfully inhibiting for a developer in
> its complexity, it's also hideously ugly code.

The code is *not* intentionally complicated, but on the one side it is grown code (and a rework could be helpful) and on the other side issuing a certificate is *the* single point of failure in the X509 security model. Most of the important decisions are made at that point. So a deeper understanding of the X509 security model and the OpenSSL framework is a requirement for anybody who wants to work on this code. It is definitely not the right place to start working with the OpenSSL framework.

> What I'm talking about is functions like a2i_ASN1_INTEGER. When I check
> the crypto library documentation on openssl.org <http://openssl.org> for
> usage or such, there is no man page available, actually.. the entire
> asn1 section is blacked out.

The OpenSSL documentation is still incomplete and it is started with the functions that a newbie needs to start working with OpenSSL. In some areas it is in the state "if you need a man page for this function, you should better keep away from it"... OpenSSL started as a big and complicated library with still needed functionality to add and NO documentation. So you had to find your way by wading through application code, headers and library code (naturally with help from the list).

> You guys are making me think that I should just provide my client a
> wrapper around the openssl tool itself, considering how frustrating it
> is to use this portion of the library.

I don't want to put you down, but if you don't know what is happening there it is indeed better to just use the OpenSSL tool itself than to give you a set of functions that you need...

> You'd think an industry standard library such as this wouldn't be
> so letdownish in terms of support and documentation.

The problem here is that the development time available for OpenSSL is finite. It is mostly driven by the guys in the core team with input from the community. Documentation is just one of the many things that need to be written.

> I mean, this should be a 2 function ordeal. I shouldn't
> have to be investing so much time into such a largely trivial portion of
> the solution.

As I said: issuing a cert is *the* single point of failure in the X509 security model and there are so many decisions to make that it is _not_ a 2 function ordeal.

To rephrase David: If you have the background knowledge that you need to issue a certificate, the source becomes straightforward.

Bye

Goetz

-- 
DMCA: The greed of the few outweighs the freedom of the many

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org