Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WinCrypt and Friends SSL Implementation #1135

Draft
wants to merge 66 commits into
base: master
Choose a base branch
from

Conversation

Aidan63
Copy link
Contributor

@Aidan63 Aidan63 commented Jul 28, 2024

(Builds on top of the mbedtls3 branch, hence the large diff)

This is an attempt at providing a SSL implementation using the build in Windows cryptographic libraries, WinCrypt, CNG (Cryptographic Next Generation), and SChannel. Benefits of this being,

  • Reduces maintenance burden, security updates and new standards are provided as OS updates instead of needing any hxcpp changes.
  • The recent mbedtls xml changes means its now including the networking module which hxcpp makes zero use of. So size and number of dependencies for hxcpp on Windows will go down.
  • I've used SChannel for the asys secure socket so it would be nice if the synchronous and asynchronous API could share some internals where it makes sense (e.g. certificates).

With that all said there are some unknowns here, these APIs are much lower lever than mbedtls and example usage is very limited. There is also no definitive list of what key and cert formats are supported by these APIs and what haxe expects to be supported. These haxe APIs also seem to have very little to no use in some cases, so I've not got much to go on for whats actually expected.

Below are some general questions / points I'd like some help on.


I've added some new tests to this repo since the haxe test suite only has a hand full of very basic ssl api tests, might make more sense for them to be move to the haxe repo instead.

These APIs have no support for RIPEMD160, so this algorithm will never work.

The cert tests I've added are failing on mbedtls! Tests like cert.subject('O'). Maybe these have been broken for a long time, the only use of them on github I can find is openfl (https://github.com/openfl/openfl/blob/b1bb7052f1a3d0403be6d79e4e9edd17e160cfb1/src/openfl/net/SecureSocket.hx#L166).

What is supported with these subject and issuer functions, just the short character codes or the long names as well?

You can't load a DER encrypted private key as that function doesn't let you specify a password.

What is the certificate add and addDER supposed to do and be used for?

You can go back to using the mbedtls implementation by using HXCPP_USE_MBEDTLS.

Aidan63 and others added 30 commits June 15, 2024 23:13
Co-authored-by: Zeta <53486764+Apprentice-Alchemist@users.noreply.github.com>
Co-authored-by: Zeta <53486764+Apprentice-Alchemist@users.noreply.github.com>
Co-authored-by: Zeta <53486764+Apprentice-Alchemist@users.noreply.github.com>
Revert "try compiling mbedtls in its own files tag against a c std version"

This reverts commit fe6ec81.
@skial skial mentioned this pull request Aug 7, 2024
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant