PKCS#10 CSR generation and bulky crypto library - Re: Questions about legacy apps/req.c code
philipp_subx at redfish-solutions.com
Wed Dec 22 21:33:30 UTC 2021
> On Dec 22, 2021, at 2:18 PM, Jordan Brown <openssl at jordan.maileater.net> wrote:
> On 12/22/2021 11:45 AM, David von Oheimb wrote:
>> Yet beware that a general-purpose library function that has (at least) the flexibility offered by that app would need a non-trivial set of parameters.
> I suspect that it would end up looking a lot like the existing API. There might be a few shortcuts possible, but fundamentally you need to set a significant (and variable) number of parameters. The straightforward way to do that is with a "create object" function and "set parameter into object" functions - and some of those parameters themselves need a similar set of functions.
> The existing API isn't bad, once you figure out how to use it. It's been several years since I wrote a CSR generator and so I don't remember how I figured it out, but I think I might have had to look at req.c rather than finding documentation.
Should supporting openssl.cnf be part of the library API, or externally handled in the command-line utility where it then passes in the values extracted from that file?
I'm inclined to KISS and going with the latter.
More information about the openssl-users