[xmlsec] Thoughts on a new mscng backend

Miklos Vajna vmiklos at vmiklos.hu
Thu Jan 4 13:50:59 PST 2018


When I was working on ECDSA support for the NSS backend, I noticed that
the mscrypto backend can't have the same support, as Microsoft is not
adding that feature to its CryptoAPI, which seems to be deprecated today

As far as I see the replacement is the CNG API [2], which has relatively
good documentation, so doing similar things with CNG (compared to
CryptoAPI) sounds doable.

Adding CNG support as part of the existing mscrypto backend sounds quite
problematic, though -- since most of that backend is CryptoAPI calls,
while the point would be eliminating those.

So perhaps the best way forward would be a new backend (let's name it
"mscng" e.g.), even if that would mean a little duplication (e.g.
CryptAcquireCertificatePrivateKey() is needed in both contexts,
depending on arguments it either returns a CNG NCRYPT_KEY_HANDLE or a
CryptoAPI HCRYPTPROV). That way also the new backend would be "clean"
from wincrypt.h (and similarly mscrypto would be not polluted by
ncrypt.h and so on).

Does this sounds like a good direction to go? My hope would be that even
with my limited free time I could implement an initial mscng backend
that has one working use-case (e.g. ecdsa/sha256 dsig verification,
something not supported by mscrypto), get that reviewed, and once that
looks good, we can iterate from there. And once (long-term) it's on par
with the mscrypto backend feature-wise, it can be discussed what to do
with the mscrypto backend. But that's a lot of work of course.

I'm asking if adding CNG support in the form of a new mscng backend is
OK as I would like to avoid writing the boilerplate code for a new
backend if that is seen as the wrong approach anyway. :-)



[1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa380252(v=vs.85).aspx
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa376210(v=vs.85).aspx
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20180104/fdba0771/attachment.sig>

More information about the xmlsec mailing list