[openssl-dev] CNG support for OpenSSL CAPI Engine

Matt Hart matt.hart at hotmail.co.uk
Fri Jun 10 09:00:02 UTC 2016


Hi,

I took the CAPI engine and extended it to give preference to NCrypt,
otherwise to revert to Crypto API. Implemented for RSA so far (no DSA or ECC
support, though BoringSSL have done some ECC work for Windows I could look
at). Tested with RSA, on CNG and on Crypto API based systems. I tried to
make unintrusive changes in CAPI:

a) Extended CAPI_KEY struct to include NCrypt handle support.
b) capi_get_pkey - NCrypt support for reading an RSA public key blob and
extracting algorithm ids.
c) capi_rsa_sign - NCrypt support. Easier for NCrypt: just one call, as the
NCrypt signature is big-endian.
d) capi_get_key_CNG: new function that prefers to acquire a CNG style handle
via CryptAcquireCertificatePrivateKey.
e) capi_get_key_cert: Invokes capi_get_key_CNG(). If that fails, it reverts to
the original code to acquire a Crypto handle.

[Note: NCrypt calls are only invoked if CryptAcquireCertificatePrivateKey
returned an NCrypt handle, which can never happen on Windows XP or Windows
Server 2003. So no need to wrap NCrypt calls in
GetModuleHandle/GetProcAddress helper code, BoringSSL style.]

Apologies for my ignorance, but what's the process for submitting code to OpenSSL
for consideration?

Matt



--
View this message in context: http://openssl.6102.n7.nabble.com/CNG-support-for-OpenSSL-CAPI-Engine-tp66193p66604.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
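The CNG-first signing path that items c) to e) above describe, written out as a stand-alone C illustration. This is an added example, not Matt's patch and not the code of OpenSSL's capi engine; the struct and function names (sig_key, acquire_key, release_key, sign_sha256_digest, capi_sig_to_be, is_byte_reversal) are assumptions made for this example, while the Windows calls are the documented CryptoAPI and CNG functions. Only the byte-order helpers are portable; the rest compiles on Windows only.

```c
#include <stddef.h>
#include <string.h>

/*
 * CryptSignHash returns an RSA signature as a little-endian integer blob,
 * whereas OpenSSL (and NCryptSignHash) use the big-endian PKCS#1 byte
 * string. Reverse in place and return the buffer so callers can chain it.
 */
unsigned char *capi_sig_to_be(unsigned char *sig, size_t len) {
    for (size_t i = 0, j = len ? len - 1 : 0; i < j; i++, j--) {
        unsigned char t = sig[i];
        sig[i] = sig[j];
        sig[j] = t;
    }
    return sig;
}

/* 1 if b is the byte reversal of a: handy when checking a converted CAPI
 * blob against a signature produced by the CNG path for the same key. */
int is_byte_reversal(const unsigned char *a, const unsigned char *b, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[len - 1 - i]) return 0;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#include <ncrypt.h>
#pragma comment(lib, "crypt32.lib")
#pragma comment(lib, "ncrypt.lib")
#pragma comment(lib, "advapi32.lib")

/* Hypothetical counterpart of the extended CAPI_KEY: one struct, either handle. */
typedef struct {
    HCRYPTPROV        hprov;     /* legacy CSP handle, 0 when the key is CNG */
    NCRYPT_KEY_HANDLE hkey;      /* CNG key handle, 0 when the key is legacy */
    DWORD             keyspec;   /* AT_SIGNATURE/AT_KEYEXCHANGE or CERT_NCRYPT_KEY_SPEC */
    BOOL              must_free; /* set by CryptAcquireCertificatePrivateKey */
} sig_key;

/* Steps d) and e): ask for a CNG handle first; CSP-only keys (and anything
 * older than Vista/2008, where NCrypt does not exist) come back as HCRYPTPROV. */
BOOL acquire_key(PCCERT_CONTEXT cert, sig_key *k) {
    HCRYPTPROV_OR_NCRYPT_KEY_HANDLE h = 0;
    memset(k, 0, sizeof *k);
    if (!CryptAcquireCertificatePrivateKey(cert, CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG,
                                           NULL, &h, &k->keyspec, &k->must_free))
        return FALSE;
    if (k->keyspec == CERT_NCRYPT_KEY_SPEC)
        k->hkey = (NCRYPT_KEY_HANDLE)h;   /* NCrypt path from here on */
    else
        k->hprov = (HCRYPTPROV)h;         /* legacy CryptoAPI path */
    return TRUE;
}

void release_key(sig_key *k) {
    if (!k->must_free) return;
    if (k->hkey) NCryptFreeObject(k->hkey);
    else if (k->hprov) CryptReleaseContext(k->hprov, 0);
}

/* Step c): PKCS#1 v1.5 signature over a precomputed SHA-256 digest. The output
 * is big-endian on both paths: natively from NCrypt, after reversal from CAPI. */
BOOL sign_sha256_digest(const sig_key *k, const BYTE *digest, DWORD digest_len,
                        BYTE *sig, DWORD *sig_len) {
    if (k->hkey) {
        BCRYPT_PKCS1_PADDING_INFO pad = { BCRYPT_SHA256_ALGORITHM };
        return NCryptSignHash(k->hkey, &pad, (PBYTE)digest, digest_len,
                              sig, *sig_len, sig_len, BCRYPT_PAD_PKCS1) == ERROR_SUCCESS;
    }
    HCRYPTHASH hh = 0;
    BOOL ok = FALSE;
    if (!CryptCreateHash(k->hprov, CALG_SHA_256, 0, 0, &hh)) return FALSE;
    /* CryptSignHash signs whatever the hash object holds; load the caller's
     * digest instead of re-hashing the message. */
    if (CryptSetHashParam(hh, HP_HASHVAL, (BYTE *)digest, 0) &&
        CryptSignHash(hh, k->keyspec, NULL, 0, sig, sig_len)) {
        capi_sig_to_be(sig, *sig_len);
        ok = TRUE;
    }
    CryptDestroyHash(hh);
    return ok;
}
#endif
```

Two caveats a practitioner will hit on the legacy path: CALG_SHA_256 is only offered by the AES-capable CSPs (PROV_RSA_AES), so CryptCreateHash fails on the base and enhanced providers and the caller must fall back to SHA-1 or refuse; and the reversal must be applied to the whole blob, not just the modulus-length prefix, or the signature will verify against nothing.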

