-rw-r--r-- | openssl/README | 37
-rw-r--r-- | rcynic/README  | 12
2 files changed, 24 insertions, 25 deletions
diff --git a/openssl/README b/openssl/README index 31c66e16..e555852f 100644 --- a/openssl/README +++ b/openssl/README @@ -2,16 +2,21 @@ $Id$ -*- Text -*- OpenSSL hacked to add support for the RFC 3779 X.509 v3 extensions. -Current status: +There are two ways to build this: -- Not (yet) for distribution outside the RIRs. +- Apply patch-rpki-openssl-0.9.8 against a stock OpenSSL 0.9.8 + distribution, eg, drop this patch into + /usr/ports/security/openssl/files-beta/ on a FreeBSD machine. -- Reads and writes RFC 3779 extensions but does not (yet) perform the - additional validation described in RFC 3779 2.3 & 3.3. +- Build the code in trunk/. You will need to enable the RFC 3779 + extensions in order for this to do anything interesting. If you + just want to run it, do: -- Not (yet) tested extensively. + ./config enable-rfc3779 -Please report any problems to me (sra) or the rescert mailing list. + If you think you might need debugging, you'd be better off with: + + ./Configure debug-sra enable-rfc3779 @@ -25,11 +30,9 @@ like the existing OpenSSL support for "multi-valued" extensions. RFC Notes: * Ranges are denoted with a hyphen, prefix lengths with a slash. - I could tag ranges differently from the atomic types, but this - seemed easier for the user to understand. * The "@" syntax indicating indirection through a separate section - is lifted from the stock OpenSSL multi-valued extension support. + is part of the stock OpenSSL multi-valued extension support. * I didn't attempt to guess which addresses are IPv4 and which are IPv6 from the syntax, since the opensssl.conf multi-value syntax @@ -40,8 +43,7 @@ Notes: keywords for specific SAFIs if there were a reason to do so. * The "sbgp-" names were already present in OpenSSL's table of known - extension OIDs. We can talk to the folks at the OpenSSL project - about changing the names if there's a reason to do so. + extension OIDs, so we just used them. ### 
@@ -212,11 +214,6 @@ Random reminders and notes to myself: that the authoritative definition of RDIs is ISO 10747, available as http://www.acm.org/sigs/sigcomm/standards/iso_stds/IDRP/10747.TXT. -- "openssl verify" only accepts PEM, not DER, which is annoying. - An -inform switch would be nice, but the library routines - don't know how to read a CAfile full of DER anyway. Pity -CApath - doesn't seem to work for us. Oh well, live with PEM for now. - - OpenSSL already checks for duplicate extensions: more precisely, unless we explicitly tell X509_get_ext_d2i() that we allow multiple extensions (by providing the idx parameter), it returns NULL if it @@ -387,12 +384,12 @@ Notes: Final code cleanups before submitting patch to OpenSSL project. -- Ben requested compile-time conditionals. [done] +- Ben requested compile-time conditionals. [done, waiting to hear if + done "right" according to OpenSSL project standards] - Ben requested Configure support for the compile-time conditionals. - Do we need anything beyond -DOPENSSL_RFC3779 ? Need to read - existing Configure code to see if there's a preferred way of doing - this. + [done, waiting to hear if done "right" according to OpenSSL project + standards] - Copyright/license adjustments per discusion with ARIN and OpenSSL project. [done] diff --git a/rcynic/README b/rcynic/README index 940bd1e0..bd51a85b 100644 --- a/rcynic/README +++ b/rcynic/README 
@@ -7,11 +7,13 @@ appears to work, and at least for the current test data available from APNIC and RIPE it produces the same results as my Perl prototype did. To build this you will need to link it against an OpenSSL libcrypto -that has support for the RFC 3779 extensions. I developed this code -on FreeBSD 6-STABLE and have not (yet) tested it on any other -platform; as far as I know I have not used any seriously non-portable -features, but neither have I done a POSIX reference manual lookup for -every function call. Please report any portability problems. +that has support for the RFC 3779 extensions. See ../openssl/README. + +I developed this code on FreeBSD 6-STABLE and have not (yet) tested it +on any other platform; as far as I know I have not used any seriously +non-portable features, but neither have I done a POSIX reference +manual lookup for every function call. Please report any portability +problems. All certificates and CRLs are in DER format, with filenames derived from the RPKI rsync URIs at which the data are published. At some |
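Review bot: In the first openssl/README hunk (@@ -2,16 +2,21 @@), the status line "Reads and writes RFC 3779 extensions but does not (yet) perform the additional validation described in RFC 3779 2.3 & 3.3" is deleted, but nothing in this change says that validation has since been implemented. If it is still missing, that caveat should stay in the README (a relying party linking against this libcrypto would otherwise assume the RFC 3779 path-validation checks happen); if it has been implemented, say so explicitly instead of silently dropping the line. The same hunk also drops the "Please report any problems to me (sra) or the rescert mailing list" contact without replacing it; consider keeping a reporting address alongside the new build instructions. Finally, the new text names patch-rpki-openssl-0.9.8 but not where in the tree it lives, and mentions the "debug-sra" Configure target without noting that it is a developer-specific target rather than a stock OpenSSL one.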
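Review bot: The @@ -212,11 +214,6 @@ hunk removes the reminder that "openssl verify" only accepts PEM, not DER, and that -CApath "doesn't seem to work for us", with no indication of whether either limitation was resolved. Since the rcynic/README context in this same commit states that all certificates and CRLs are handled in DER format, that limitation is still relevant to anyone trying to cross-check rcynic's output with the openssl command-line tool; either keep the note or record where the issue was fixed.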
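Review bot: In the rcynic/README hunk (@@ -7,11 +7,13 @@), "See ../openssl/README" is a good pointer, but the build requirement would be more useful if it also said what a reader sees when they get it wrong, i.e. whether linking against a stock libcrypto without RFC 3779 support fails at compile/link time or only at run time. A one-line hint here would save people a confusing debugging session, and avoids the worse case where a build against an unpatched library appears to succeed while the RFC 3779 checks are never exercised.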