> The right thing to do is change opt_format to be generic, and specify exactly
> which types of formats are supported.
Done and pushed. Some of the bit-settings are probably more loose than I'd
like, but it works.
/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
On Thu, Jul 17, 2014 at 05:06:07AM +, Viktor Dukhovni wrote:
> Higher-level tools can check the "days" argument before invoking
> the openssl apps layer. It should not be necessary to write C code
> to generate well-formed if corner-case certificates.
Also there is far more risk in generatin
On Thu, Jul 17, 2014 at 12:56:40AM -0400, Daniel Kahn Gillmor wrote:
> > You've declared "-days" to take only positive numbers, it should
> > allow negative numbers.
>
> why? Or at least: why accept these generally unacceptable options by
> default? I can understand wanting to be able to create
On 07/17/2014 12:03 AM, Viktor Dukhovni wrote:
> You've declared "-days" to take only positive numbers, it should
> allow negative numbers.
why? Or at least: why accept these generally unacceptable options by
default? I can understand wanting to be able to create perverse
certificates to test va
> "keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"
>
> while the valid choices seem to be PEM or DER, not PEM or ENGINE:
No, it depends on the command. Some, for example, expect keys to be stored in
the ENGINE (presumably an HSM).
The docs are often outdated. But pem/
On Thu, Jul 17, 2014 at 12:09:29AM -0400, Salz, Rich wrote:
> > You've declared "-days" to take only positive numbers, it should allow
> > negative numbers.
>
> Pushed, thanks.
Also the keyform option definition string looks wrong:
"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM o
> You've declared "-days" to take only positive numbers, it should allow
> negative numbers.
Pushed, thanks.
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz
On Wed, Jul 16, 2014 at 10:56:03PM -0400, Salz, Rich wrote:
> I have a branch that adds pretty comprehensive option-checking to all the
> openssl commands:
> ; ./openssl x509 --CA /no/such/file
> x509: Cannot open input file /no/such/file, No such file or directory
> x509: Use -
> I agree with that as well. I did not look at the actual code in openssl so I
> did not know that the fractional argument with the current version does not
> error out.
I have a branch that adds pretty comprehensive option-checking to all the
openssl commands:
; ./openssl x509 --CA /n