On Fri, 2016-09-02 at 20:20 +0000, Salz, Rich wrote:
> > I've started collecting a certificate torture test suite at
> > http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/Makefile.am
>
> I think this is cool, and splitting it off is a good idea. I think
> some IETF folks would be interested, too.

I'm tempted to split off the code with it. There's no way that applications should have to have *hundreds* of lines of their own code just to persuade the crypto library to use a cert/key pair specified by the user.

Basically everything between
http://git.infradead.org/users/dwmw2/openconnect.git/blob/e048030f8:/openssl.c#l278
and
http://git.infradead.org/users/dwmw2/openconnect.git/blob/e048030f8:/openssl.c#l1012
... and the *whole* of openssl-pkcs11.c, is code I just don't want to have in the *application*.

I could just BSD-license it and put it out there for people to use in the short term. In the (slightly) longer term, of course, OpenSSL should do it all. Including PKCS#11.

FWIW, the torture test is now causing OpenSSL to crash because it assumes all EC *private* keys will also have the public key available, which isn't necessarily true when the key is in a hardware engine.
https://github.com/openssl/openssl/issues/1532

--
dwmw2
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev