[xmlsec] mscrypto api support, initial (alpha) release

Wouter wsh at xs4all.nl
Sun Aug 31 13:09:01 PDT 2003


Hi,

Here is a first attempt to include MS CryptoAPI support into the
xmlsec lib. Because officially the code is written by me as an
employee of Cordys R&D BV, they own this code. However Cordys
has given permission to donate the code that is attached to this
email to the xmlsec library. The code may be added to the xmlsec
library code tree having the same licensing scheme the xmlsec library
is now using.

OK, so far this 'official' statement :) There are three attachments here:
a patch file, to be applied in the xmlsec main directory (although I
wouldn't know how to apply the patch in a Windows environment without
cygwin, so I haven't tested if the patch was ok), and 2 zip
files. The mscryptoinclude.zip should be extracted in the
xmlsec/include/xmlsec/mscrypto folder, and the mscryptosrc.zip should
be extracted in the xmlsec/src/mscrypto folder.

The state of the code is very alpha. It is developed and only tested
on MS Win XP Pro, with the .NET compiler. It's very likely that the
code does not work (correctly) on older systems (especially (pre) win98
I think), since the MS Crypto API has been evolving a lot lately. Not
all code is tested. No interoperability tests with other crypto libs
have been done yet.

What is in the code so far:

- SHA1 hashing (tested, and tested against OpenSSL)
- Symmetric encryption: 3des-cbc (tested), AES128, AES192, AES256
  (untested).
- RSA-SHA1 signatures (tested)
- RSA keys (not direct RSA keys yet, but only through MS
  Certificate store) (tested)
- x509 certificates (and CRL support), partly, the loading and keyinfo
  parts are partly done. (partly tested)
- x509 certificate verification. Untested, and very limited at this
  moment.
- KeyManager implementation. Wrapper for simplekeystore, with backup
  search facility to the MS Certificate store. Very limited search
  capabilities at this time, certificates in the MS certificate store
  can only be found with their 'friendly name' (which is the CN of the
  subject dn, as far as I know).
- RSA-PKCS1 keytransport. Only the creation (encryption) part is
  tested.

What will be in the code soon as far as I'm concerned:
- RSA-OAEP keytransport
- DSA signatures
- Better search facilities for finding certificates in the MS
  certificate store.
- ???

What is still missing then:
- HMAC support
- AES/3des key transport
- direct keys (without ms certificate store certificates) support.
- ???

And what really needs to be done as well is thorough
interoperability testing (imho).

ok, plz take a look at this, and try it out. Hopefully this will lead
to a nice and stable ms crypto api support lib for the xmlsec
library.

Wouter Ketting
wsh at xs4all.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mscrypto.diff
Type: application/octet-stream
Size: 4933 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20030831/9daf9d6c/mscrypto.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mscryptoinclude.zip
Type: application/zip
Size: 4716 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20030831/9daf9d6c/mscryptoinclude.zip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mscryptosrc.zip
Type: application/zip
Size: 45235 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20030831/9daf9d6c/mscryptosrc.zip

