> On Dec 22, 2021, at 2:18 PM, Jordan Brown <openssl@xxxxxxxxxxxxxxxxxxxx> wrote: > > On 12/22/2021 11:45 AM, David von Oheimb wrote: >> Yet beware that a general-purpose library function that has (at least) the flexibility offered by that app would need a non-trivial set of parameters. >> > > I suspect that it would end up looking a lot like the existing API. There might be a few shortcuts possible, but fundamentally you need to set a significant (and variable) number of parameters. The straightforward way to do that is with a "create object" function and "set parameter into object" functions - and some of those parameters themselves need a similar set of functions. > > The existing API isn't bad, once you figure out how to use it. It's been several years since I wrote a CSR generator and so I don't remember how I figured it out, but I think I might have had to look at req.c rather than finding documentation. > Should supporting openssl.cnf be part of the library API, or externally handled in the command-line utility where it then passes in the values extracted from that file? I'm inclined to KISS and going with the latter. -Philip
