[openssl-dev] Certificate torture test
David Woodhouse
dwmw2 at infradead.org
Mon Sep 5 10:22:45 UTC 2016
On Fri, 2016-09-02 at 20:20 +0000, Salz, Rich wrote:
> > I've started collecting a certificate torture test suite at
> > http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/Makefile.am
>
> I think this is cool, and splitting it off is a good idea. I think
> some IETF folks would be interested, too.
I'm tempted to split off the code with it. There's no way that
applications should have to have *hundreds* of lines of their own code
just to persuade the crypto library to use a cert/key pair specified by
the user.
Basically everything between
http://git.infradead.org/users/dwmw2/openconnect.git/blob/e048030f8:/openssl.c#l278
and
http://git.infradead.org/users/dwmw2/openconnect.git/blob/e048030f8:/openssl.c#l1012
... and the *whole* of openssl-pkcs11.c, is code I just don't want to
have in the *application*. I could just BSD-license it and put it out
there for people to use in the short term. In the (slightly) longer
term, of course, OpenSSL should do it all. Including PKCS#11.
FWIW, the torture test is now causing OpenSSL to crash because it
assumes all EC *private* keys will also have the public key available,
which isn't necessarily true when the key is in a hardware engine.
https://github.com/openssl/openssl/issues/1532
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160905/1c9514ae/attachment.bin>
More information about the openssl-dev
mailing list