Re: Creating Certificates Via The SSL/Crypto Api's

2006-09-21 Thread Goetz Babin-Ebell

Hello Jason,
edf green wrote:
> Very straightforward and well documented?  You gotta be kidding.
> Perhaps for a long-time openssl developer, but not for your
> run-of-the-mill C developer.  I spent all last night going through the
> example provided, and yeah, beyond being painfully inhibiting for a
> developer in its complexity, it's also hideously ugly code.

The code is *not* intentionally complicated,
but on the one hand it is grown code (and a rework could be helpful),
and on the other hand issuing a certificate is *the* single point
of failure in the X509 security model.

Most of the important decisions are made at that point.
So a deeper understanding of the X509 security model and
the OpenSSL framework is a requirement for anybody who wants
to work on this code.

It is definitively not the right place to start working with
the OpenSSL framework.

> What I'm talking about is functions like a2i_ASN1_INTEGER.  When I check
> the crypto library documentation on openssl.org for
> usage or such, there is no man page available; actually, the entire
> asn1 section is blacked out.

The OpenSSL documentation is still incomplete, and it was started
with the functions that a newbie needs to start working with OpenSSL.

In some areas it is in the state
"if you need a man page for this function,
you should better keep away from it"...

OpenSSL started as a big and complicated library with functionality
still to be added and NO documentation.
So you had to find your way by wading through application code,
headers and library code (naturally with help from the list).

> You guys are making me think that I should just provide my client a
> wrapper around the openssl tool itself, considering how frustrating it
> is to use this portion of the library.

I don't want to put you down, but if you don't know what is happening
there, it is indeed better to just use the OpenSSL tool itself than
to give you a set of functions that you need...

> You'd think an industry standard library such as this wouldn't be
> so letdownish in terms of support and documentation.

The problem here is that the development time available for OpenSSL is
finite. It is mostly driven by the guys in the core team with input
from the community.
Documentation is just one of the many things that needs to be written.

> I mean, this should be a 2 function ordeal. I shouldn't
> have to be investing so much time into such a largely trivial portion of
> the solution.

As I said: issuing a cert is *the* single point of failure in
the X509 security model and there are so many decisions to make
that it is _not_ a 2 function ordeal.

To rephrase David:
If you have the background knowledge that you need to issue
a certificate, the source becomes straightforward.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: Creating Certificates Via The SSL/Crypto Api's

2006-09-21 Thread David Schwartz


> What I'm talking about is functions like a2i_ASN1_INTEGER.
> When I check the crypto library documentation on openssl.org
> for usage or such, there is no man page available;
> actually, the entire asn1 section is blacked out.

There's no reason you need to use that function. The load_serial/save_serial
functions happen to work in a very weird way, but there's really no reason
anyone needs to understand them. Just pick a serial number any way that you
want to.

> You guys are making me think that I should just
> provide my client a wrapper around the openssl
> tool itself, considering how frustrating it is
> to use this portion of the library.  I don't know,
> using this library is making me jaded towards it.

> You'd think an industry standard library such as
> this wouldn't be so letdownish in terms of support
> and documentation.  I mean, this should be a 2
> function ordeal.  I shouldn't have to be investing
> so much time into such a largely trivial portion of
> the solution.  Regardless, I'm having to do it anyway,
> so I'm going to figure out wtf is going on and maybe
> post a wrapper somewhere so another balding twentysomething
> won't have to suffer the same as I am.

Egad, no!

You really have no business issuing a certificate if you don't understand
the nitty-gritty details of what you are doing. Issuing a certificate is
like signing a contract, and it is a serious mistake to invent ways not to
have to read the fine print.

You cannot sprinkle in a function call or two and wind up with secure
software. You have to understand exactly what you are doing and exactly what
your functions make the system do under the hood.

The OpenSSL function calls are at precisely the right level of detail,
hiding under the hood only the things you don't need to know and making sure
you have to face the important issues.

(Your point about the documentation is reasonable though. There are
definitely some important functions that are not very well documented.)

DS




Re: Creating Certificates Via The SSL/Crypto Api's

2006-09-21 Thread edf green
Very straightforward and well documented?  You gotta be kidding.  Perhaps for a long-time openssl developer, but not for your run-of-the-mill C developer.  I spent all last night going through the example provided, and yeah, beyond being painfully inhibiting for a developer in its complexity, it's also hideously ugly code.
What I'm talking about is functions like a2i_ASN1_INTEGER.  When I check the crypto library documentation on openssl.org for usage or such, there is no man page available; actually, the entire asn1 section is blacked out.
You guys are making me think that I should just provide my client a wrapper around the openssl tool itself, considering how frustrating it is to use this portion of the library.  I don't know, using this library is making me jaded towards it.  You'd think an industry standard library such as this wouldn't be so letdownish in terms of support and documentation.  I mean, this should be a 2 function ordeal.  I shouldn't have to be investing so much time into such a largely trivial portion of the solution.  Regardless, I'm having to do it anyway, so I'm going to figure out wtf is going on and maybe post a wrapper somewhere so another balding twentysomething won't have to suffer the same as I am.
love;~jason


Re: Creating Certificates Via The SSL/Crypto Api's

2006-09-21 Thread Richard Salz
Look at the source for the command-line tool that you're using.

/r$

--
STSM, Senior Security Architect
SOA Appliances
Application Integration Middleware



RE: Creating Certificates Via The SSL/Crypto Api's

2006-09-20 Thread David Schwartz

Please don't top post.

>> Look at apps/x509.c function x509_certify().

> You're kidding, right?  That has to be some of the most atrocious
> and confusing code I have ever seen.  I don't suppose anyone has
> anything more practical as an example?
> Perhaps some documentation on the process or such.

I just took a look at that code, and it seems very straightforward and well
documented.

It very clearly: grabs the public key from the CA; initializes the X509
structure; creates a serial number for the certificate; verifies that the CA
private key is correct; sets the issuer name, serial number, and validity
times; sets the version and any extensions, and then signs the certificate.

I honestly can't imagine what more you could want.

DS




Re: Creating Certificates Via The SSL/Crypto Api's

2006-09-20 Thread edf green
You're kidding, right?  That has to be some of the most atrocious and confusing code I have ever seen.  I don't suppose anyone has anything more practical as an example?  Perhaps some documentation on the process or such.
On 9/20/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> Hello,
> > Long time reader, first time poster. I have a problem
> > currently with the generation of an SSL cert using the libssl/crypto
> > apis.  I can generate keys fine, but I cannot find any documentation
> > on how to actually create a cert file via anything other than the
> > openssl command line tool.  If anyone has any example code, or maybe
> > a tutorial on the subject I'd very much so appreciate it.
> Look at apps/x509.c function x509_certify().
> Best regards,
> --
> Marek Marcola <[EMAIL PROTECTED]>


Re: Creating Certificates Via The SSL/Crypto Api's

2006-09-20 Thread Marek Marcola
Hello,
> Long time reader, first time poster. I have a problem
> currently with the generation of an SSL cert using the libssl/crypto
> apis.  I can generate keys fine, but I cannot find any documentation
> on how to actually create a cert file via anything other than the
> openssl command line tool.  If anyone has any example code, or maybe
> a tutorial on the subject I'd very much so appreciate it.
Look at apps/x509.c function x509_certify().

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
