[xmlsec] Mscrypto patch 2, for cvs XMLSEC_MSCRYPTO_083103 branch

Wouter wsh at xs4all.nl
Wed Sep 3 12:50:40 PDT 2003


Attached to this email is a patch for the initial mscrypto support
branch (XMLSEC_MSCRYPTO_083103), and a Readme.txt file that can be added
in src/mscrypto folder. 

The patch includes:
- Fix out-of-box compile error(s)
- Code formatting (wrong identing, etc.) (At least I hope it's better
now :)
- Fixes for signatures (RSA-SHA1) and RSA key wrapping (PKCS1). I've
tested these against OpenSSL generated signatures and encrypted keys
(together with des3-cbc) with success.
- Added mscrypto descriptions to a couple of html files (docs dir). An
interesting issue I encountered: I don't know under what license exactly
MS CryptoAPI libs (crypt32.lib) are distributed. The libraries are part
of the OS, and are also distributed together with MS internet explorer.
I couldn't find any quick info on this, and I didn't dive into details
for this. So I put unknown in the license matrix :)
Another issue on the documentation. It was not completely clear to me
what could be regarded as supported by the mscrypto lib and what not,
since I had the feeling in the support matrix are both core libxmlsec
functionalities and crypto engine specific functionalities. 

Aleksey, could please apply the patch to the cvs branch? This time the
patch is in UNIX format :) 

I also discovered that I wrongly submitted the file mscerstore.c to
src/mscrypto with the initial release of the mscrypto support. This file
is not used, and can safely be removed (also from the cvs tree).

Have fun with the new code :)

Wouter Ketting
wsh at xs4all.nl
-------------- next part --------------
	Apparently there is no native support for RSA OAEP in MS
	Crypto API. MS indicates that they will support this in the
	near future.

	Interoperatibility tests are done with success for 3des,
	RSA-PKCS1 keytransport, SHA1, RSA-SHA1 signning and verifying
	against the OpenSSL library.

	First initiall release for the mscrypto support in xmlsec lib.
	What is in the code sofar:

	- SHA1 hashing (tested, and tested against OpenSSL)
	- Symmetric encryption: 3des-cbc (tested), AES128, AES192, AES256
	- RSA-SHA1 signatures (tested)
	- RSA keys (not direct RSA keys yet, but only through MS
	  Certificatestore) (tested)
	  - x509 certificates (and CRL support), partly, the loading
	    and keyinfo parts are partly done. (partly tested)
	    - x509 certificate verification. Untested, and very
	      limited at this moment.
	- KeyManager implementation. Wrapper for simplekeystore, with
	  backup search facility to the MS Certificate store. Very 
	  limited search capabilities at this time, certificates in
	  MS certificate store can only be found with their 'friendly 
	  name' (which is the CN of the subject dn, as far as I know).
	- RSA-PKCS1 keytransport. Only the creation (encryption) part is

	What will be in the code soon as far as I'm concerned:
	- RSA-OAEP keytransport
	- DSA signatures
	- Better search facilities for finding certificates in the MS
	  certificate store.
	  - ???

	  What is still missing then:
	  - HMAC support
	  - AES/3des key transport
	  - direct keys (without ms certificate store certificates) support.
	  - ???


The xmlsec-mscrypto lib is developed on a windows XP machine with
Visual Studio .NET. The MS Crypto API has been evolving a lot with the
new releases of windows and internet explorer. MS CryptoAPI libraries
are distributed with ie and with the windows OS. Full functionality
will only be achieved on windows XP. AES is for example not supported
on pre XP versions of windows (workarounds for this are possible, I
believe). Direct RSA de/encryption, used by xmlsec-mscrypto, is only
possible from Win 2000 (possibly also with a newer version of ie, with
strong encryption patch installed). It's very likely more of these
issues are lying around, and until it is tested on older windows
systems it is uncertain what will work.

KEYS MANAGER with MS Certificate store support. 

xmlsec-mscrypto keys manager uses a custom keys store. This store is
based upon the simple keys store, found in the xmlsec core library. If
keys are not found in the simple keys store, than MS Certificate store
is used to lookup keys. The certificate store is only used on a
READONLY base, so it is not possible to store keys via the keys store
into the MS certificate store. There are enough other tools that can
do that for you.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mscrypto-2.patch.gz
Type: application/x-gzip
Size: 31554 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20030903/9b65f435/mscrypto-2.patch.bin

More information about the xmlsec mailing list