[cryptography] OpenSSL, X.509, ASN.1 - the bane of my existence

travis+ml-rbcryptography at subspacefield.org travis+ml-rbcryptography at subspacefield.org
Thu Nov 18 20:33:19 EST 2010


Pretty much just that.

Is there any good guide to these?

I tried reading up on ASN.1 and DER... but got bogged down in some
sort of weird abstract data structure syntax that looked a lot like
the SNMP MIBs, which I also never fully understood.  Someone
recommended this to me, which is prolly where I'll start next:

http://luca.ntop.org/Teaching/Appunti/asn1.html

And with OpenSSL, I find that:

1) There's hardly any documentation, just a few bare manpages.
2) There's very few examples.  Just today I was looking for some
   cookbook ways to, say, verify a signature in a PKCS#7 DER-encoded
   file and... very little.
3) There's a few books, but there doesn't seem to be any with good
   overarching structure.  They tend to launch into a
   encyclopedic-like discussion of the functions.  Reading them tends
   to be like reading Microsoft documentation - full of detail, with
   no conceptual framework in which to hang it.
4) It should have been written with an OOD, even if it wasn't
   implemented in a OOPL.
5) Error handling is very weird.

Oh, and don't get me started on X.509.

My hunch is that the OOP bindings to openssl (e.g. in python, ruby)
would make it much simpler, but that they're likely to be poorly
documented, or (worse) buggy.  Buggy is worse because I'd just have to
go back and learn OpenSSL again.  Before I learn the hard way, anyone
have any opinions?

Every time I have to debug C OpenSSL code, I start seeing red.

If we really want people to be cryptographers (and I think we know
we'll need more of them), we should have a gentler slope up into this
stuff.  It's not that it's hard; crypto is hard, I'm okay with that.
My problem is that it's unrewarding.
-- 
Good code works on most inputs; correct code works on all inputs.
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john at subspacefield.org to get blacklisted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20101118/63eff1a1/attachment.asc>


More information about the cryptography mailing list