Oscar Jacobsson wrote:
>
> Dr S N Henson wrote:
> > I'd be reluctant to have multiple APIs handling each case. What we could
> > have is flags or profiles saying what a certain kind of database should
> > support.
>
> OpenSSL currently has separate APIs, as opposed to flags or profiles,
> for handling EVP_PKEYs, X509s and X509_CRLs because they are
> fundamentally different types supporting fundamentally different
> operations. The stores they reside in will mirror this disparity: a key
> store's (e.g. a smart card's or cryptographic hardware's) very raison
> d'être is to keep its keys hidden, a PKI repository's (e.g. a directory
> server's or RDBMS's) is to make its certificates and CRLs known.
>
> I'm not saying we *could not* consolidate both of these feature sets
> into a single API -- I've stumbled upon private keys in public
> directories more than once. I'm merely trying to point out that it might
> not necessarily be the optimal approach.
>
Yes they all have separate APIs to actually use the things. However they all
have the same API to look them up, namely X509_LOOKUP, or they would if it
worked properly, which it doesn't: it handles certificates and CRLs (badly)
and has some partial private key code which doesn't do much at all.

What I'm saying is this. All three structures wrt storage can be treated in a
similar way. They all have some "properties" which we would want to search a
database on. This might be finding the certificate with a given issuer and
serial number, then finding the corresponding private key based on its key
id.

What I'm saying is that IMHO it would be a mistake to have completely
different APIs for "lookup certificate by I+SN" and "lookup private key by
key id". What it's returning is a structure; how it gets the structure is not
defined at this level: it will be defined by individual databases.

Also the "profiles" I'm referring to could include things like "I don't
handle private keys" for a public directory.

>
> I'm not exactly sure how a layered structure would be different from
> having separate APIs. Maybe this is just a case of using different
> terminology for the same things? Please feel free to elaborate. I'm much
> more comfortable discussing class and interface design. :-/
>

I'll expand on that when I reply to one of Richard's messages to avoid
duplication.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
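As an added example, not code from this thread and not OpenSSL's X509_LOOKUP: a Python sketch of the scheme Steve describes, one lookup entry point for certificates, CRLs and private keys over several stores, where each store declares a profile (here, the set of object kinds it handles) and defines its own search. It covers the two cases raised in the thread: a public directory whose profile says "I don't handle private keys" (so a key someone published there is never handed out), and a key store that returns only a handle, never key material. The `find_signing_key` function runs the issuer-plus-serial certificate lookup followed by the key-id lookup through that one API. All class, field and handle names, and the sample records, are constructed assumptions.

```python
"""Design sketch of a single lookup API over several stores, each with a
"profile" of the object kinds it handles.  Constructed example: the records
are plain dicts standing in for X509 / X509_CRL / EVP_PKEY, and every class
and field name here is an assumption, not OpenSSL's X509_LOOKUP API."""

from enum import Enum, auto
from typing import Dict, FrozenSet, Iterator, List, Optional


class Kind(Enum):
    """The three object kinds a store might serve."""
    CERT = auto()
    CRL = auto()
    PKEY = auto()


def _matches(record: Dict, props: Dict) -> bool:
    """A record matches when every requested property is present and equal."""
    return all(record.get(name) == value for name, value in props.items())


class Store:
    """One lookup entry point for every kind.  The profile says what the
    store handles; _search is where each database defines how it finds things."""
    profile: FrozenSet[Kind] = frozenset()

    def supports(self, kind: Kind) -> bool:
        return kind in self.profile

    def lookup(self, kind: Kind, **props) -> List[Dict]:
        if not self.supports(kind):
            raise LookupError(f"{type(self).__name__} does not handle {kind.name}")
        return self._search(kind, props)

    def _search(self, kind: Kind, props: Dict) -> List[Dict]:
        raise NotImplementedError


class PublicDirectory(Store):
    """Directory-server style store: publishes certificates and CRLs.  Its
    profile makes it refuse private-key lookups even if keys were put in it."""
    profile = frozenset({Kind.CERT, Kind.CRL})

    def __init__(self, entries: List[Dict]):
        self._entries = entries  # may contain anything someone published

    def _search(self, kind: Kind, props: Dict) -> List[Dict]:
        return [e for e in self._entries if e["kind"] is kind and _matches(e, props)]


class KeyStore(Store):
    """Smart-card style store: keys never leave it.  A lookup returns a
    handle (slot name) plus the key id, never the key material."""
    profile = frozenset({Kind.PKEY})

    def __init__(self, slots: Dict[str, str]):
        self._slots = slots  # key_id -> slot holding that key

    def _search(self, kind: Kind, props: Dict) -> List[Dict]:
        return [{"kind": Kind.PKEY, "key_id": kid, "handle": slot}
                for kid, slot in self._slots.items()
                if _matches({"key_id": kid}, props)]


def lookup_any(stores: List[Store], kind: Kind, **props) -> Iterator[Dict]:
    """Ask every store whose profile covers `kind`; the others are skipped."""
    for store in stores:
        if store.supports(kind):
            yield from store.lookup(kind, **props)


def find_signing_key(stores: List[Store], issuer: str, serial: int) -> Optional[Dict]:
    """Certificate by issuer + serial number, then private key by key id:
    two searches through the same API, each answered by whichever store can."""
    cert = next(lookup_any(stores, Kind.CERT, issuer=issuer, serial=serial), None)
    if cert is None:
        return None
    return next(lookup_any(stores, Kind.PKEY, key_id=cert["key_id"]), None)


# Constructed sample data (not real certificates or keys).
DIRECTORY = PublicDirectory([
    {"kind": Kind.CERT, "issuer": "CN=Example CA", "serial": 0x1001,
     "subject": "CN=server.example", "key_id": "ab12"},
    {"kind": Kind.CERT, "issuer": "CN=Example CA", "serial": 0x1002,
     "subject": "CN=mail.example", "key_id": "cd34"},
    {"kind": Kind.CRL, "issuer": "CN=Example CA", "number": 7},
    # Someone published a private key in the directory.  Because PKEY is not
    # in the directory's profile, no lookup through this API will return it.
    {"kind": Kind.PKEY, "key_id": "cd34", "pem": "<constructed key material>"},
])
KEYSTORE = KeyStore({"ab12": "slot-1"})
STORES = [DIRECTORY, KEYSTORE]


if __name__ == "__main__":
    # Certificate 0x1001 has a key in the key store: a handle comes back.
    print(find_signing_key(STORES, "CN=Example CA", 0x1001))
    # Certificate 0x1002's key only exists in the public directory: None.
    print(find_signing_key(STORES, "CN=Example CA", 0x1002))
```

The point of the sketch is that callers write one kind of search ("properties" plus the kind of object wanted) and each database decides how that search is satisfied; the profile check sits in the shared entry point, so a misplaced private key in a directory is unreachable through the lookup API rather than depending on every backend to remember to refuse it.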
