[openssl-dev] CNG support for OpenSSL CAPI Engine

Matt Caswell matt at openssl.org
Fri Jun 10 10:12:28 UTC 2016



On 10/06/16 10:00, Matt Hart wrote:
> Hi,
> 
> I took the CAPI engine and extended it to give preference to NCrypt,
> otherwise to revert to Crypto API. Implemented for RSA so far (no DSA or ECC
> support though BoringSSL have done some ECC work for Windows I could look
> at). Tested with RSA, on CNG and on Crypto API based systems. I tried to
> make unintrusive changes in CAPI:
> 
> a) Extended CAPI_KEY struct to include NCrypt handle support.
> b) capi_get_pkey - NCrypt support for reading an RSA public key blob and
> extracting algorithm ids.
> c) capi_rsa_sign - NCrypt support. Easier for NCrypt, just one call as
> NCrypt signature is big endian.
> d) capi_get_key_CNG: new function that prefers to acquire a CNG style handle
> via CryptAcquireCertificatePrivateKey.
> e) capi_get_key_cert: Invokes capi_get_key_CNG(). If that fails reverts to
> original code to acquire a Crypto handle.
> 
> [Note: NCrypt calls are only invoked if CryptAcquireCertificatePrivateKey
> returned an NCrypt handle which can never happen on Windows XP or Windows
> Server 2003. So no need to wrap NCrypt calls in
> GetModuleHandle/GetProcAddress helper code aka BoringSSL style].
> 
> Apologies for my ignorance but what's the process for submitting code to
> OpenSSL for consideration?

Sounds interesting!

The process is documented here:
https://github.com/openssl/openssl/blob/master/CONTRIBUTING

Note that this file has been updated recently, so use the very latest
master version above.

A small word of warning: the team is fully focussed on the 1.1.0 release
at the moment. That release is in feature freeze so your patch won't be
considered for that. It's unlikely your patch will receive much
attention until we're past the 1.1.0 release.

Matt
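As an added illustration of point (c) in the quoted message (this is not code from the patch or from OpenSSL), the constructed C sample below shows why the NCrypt path is "just one call": NCryptSignHash returns a big-endian signature, whereas the legacy CryptSignHash output is little-endian and must be byte-reversed before OpenSSL can use it. The key-spec constants mirror the wincrypt.h values and are redefined here so the example builds outside Windows; the 4-byte signatures are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Key-spec values as returned by CryptAcquireCertificatePrivateKey.
 * Same numeric values as wincrypt.h; redefined so this builds off-Windows. */
#define AT_KEYEXCHANGE        1u
#define AT_SIGNATURE          2u
#define CERT_NCRYPT_KEY_SPEC  0xFFFFFFFFu

/* 1 if the acquired handle is a CNG (NCrypt) handle, 0 for legacy CAPI. */
int capi_key_is_ncrypt(uint32_t key_spec)
{
    return key_spec == CERT_NCRYPT_KEY_SPEC;
}

/* Copy a raw RSA signature into the big-endian order OpenSSL expects.
 * NCrypt output is already big-endian and passes through unchanged;
 * CryptSignHash output is little-endian and is reversed here.
 * Returns the signature length, or 0 if it is not exactly modulus size. */
size_t capi_normalise_signature(uint32_t key_spec,
                                const unsigned char *raw, size_t raw_len,
                                unsigned char *out, size_t modulus_len)
{
    size_t i;
    if (raw_len != modulus_len)
        return 0;                     /* reject short or oversized signatures */
    if (capi_key_is_ncrypt(key_spec))
        memcpy(out, raw, raw_len);
    else
        for (i = 0; i < raw_len; i++)
            out[i] = raw[raw_len - 1 - i];
    return raw_len;
}

/* Constructed 4-byte "signatures" as each API would hand them back. */
int capi_example_check(void)
{
    const unsigned char from_ncrypt[4] = {0xDE, 0xAD, 0xBE, 0xEF}; /* big-endian */
    const unsigned char from_capi[4]   = {0xEF, 0xBE, 0xAD, 0xDE}; /* little-endian */
    const unsigned char expect[4]      = {0xDE, 0xAD, 0xBE, 0xEF};
    unsigned char out[4];

    if (capi_normalise_signature(CERT_NCRYPT_KEY_SPEC, from_ncrypt, 4, out, 4) != 4
        || memcmp(out, expect, 4) != 0)
        return 0;
    if (capi_normalise_signature(AT_SIGNATURE, from_capi, 4, out, 4) != 4
        || memcmp(out, expect, 4) != 0)
        return 0;
    /* A length mismatch must be rejected rather than silently reversed. */
    return capi_normalise_signature(AT_KEYEXCHANGE, from_capi, 3, out, 4) == 0;
}
```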

