The right thing to do is change opt_format to be generic, and specify exactly
which types of formats are supported.
Done and pushed. Some of the bit-settings are probably more loose than I'd
like, but it works.
/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA

On Wed, Jul 16, 2014 at 10:56:03PM -0400, Salz, Rich wrote:
I have a branch that adds pretty comprehensive option-checking to all the
openssl commands:
; ./openssl x509 --CA /no/such/file
x509: Cannot open input file /no/such/file, No such file or directory
x509: Use -help
You've declared -days to take only positive numbers, it should allow
negative numbers.
Pushed, thanks.
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz

On Thu, Jul 17, 2014 at 12:09:29AM -0400, Salz, Rich wrote:
You've declared -days to take only positive numbers, it should allow
negative numbers.
Pushed, thanks.
Also the keyform option definition string looks wrong:
keyform, OPT_KEYFORM, 'f', Private key file format (PEM or ENGINE)
while the valid choices seem to be PEM or DER, not PEM or ENGINE:
No, it depends on the command. Some, for example, expect keys to be stored in
the ENGINE (presumably an HSM).
The docs are often outdated. But pem/der is

On 07/17/2014 12:03 AM, Viktor Dukhovni wrote:
You've declared -days to take only positive numbers, it should
allow negative numbers.
why? Or at least: why accept these generally unacceptable options by
default? I can understand wanting to be able to create perverse
certificates to test

On Thu, Jul 17, 2014 at 12:56:40AM -0400, Daniel Kahn Gillmor wrote:
You've declared -days to take only positive numbers, it should
allow negative numbers.
why? Or at least: why accept these generally unacceptable options by
default? I can understand wanting to be able to create

On Thu, Jul 17, 2014 at 05:06:07AM +, Viktor Dukhovni wrote:
Higher-level tools can check the days argument before invoking
the openssl apps layer. It should not be necessary to write C code
to generate well-formed if corner-case certificates.
Also there is far more risk in generating a