Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WinCrypt and Friends SSL Implementation #1135

Draft
wants to merge 54 commits into
base: master
Choose a base branch
from
Draft

WinCrypt and Friends SSL Implementation #1135

wants to merge 54 commits into from

Conversation

Aidan63
Copy link
Contributor

@Aidan63 Aidan63 commented Jul 28, 2024
edited
Loading

(Builds on top of the mbedtls3 branch, hence the large diff)

This is an attempt at providing a SSL implementation using the build in Windows cryptographic libraries, WinCrypt, CNG (Cryptographic Next Generation), and SChannel. Benefits of this being,

  • Reduces maintenance burden, security updates and new standards are provided as OS updates instead of needing any hxcpp changes.
  • The recent mbedtls xml changes means its now including the networking module which hxcpp makes zero use of. So size and number of dependencies for hxcpp on Windows will go down.
  • I've used SChannel for the asys secure socket so it would be nice if the synchronous and asynchronous API could share some internals where it makes sense (e.g. certificates).

With that all said there are some unknowns here, these APIs are much lower lever than mbedtls and example usage is very limited. There is also no definitive list of what key and cert formats are supported by these APIs and what haxe expects to be supported. These haxe APIs also seem to have very little to no use in some cases, so I've not got much to go on for whats actually expected.

Below are some general questions / points I'd like some help on.

I've added some new tests to this repo since the haxe test suite only has a hand full of very basic ssl api tests, might make more sense for them to be move to the haxe repo instead.

These APIs have no support for RIPEMD160, so this algorithm will never work.

The cert tests I've added are failing on mbedtls! Tests like cert.subject('O'). Maybe these have been broken for a long time, the only use of them on github I can find is openfl (https://github.com/openfl/openfl/blob/b1bb7052f1a3d0403be6d79e4e9edd17e160cfb1/src/openfl/net/SecureSocket.hx#L166).

What is supported with these subject and issuer functions, just the short character codes or the long names as well?

You can't load a DER encrypted private key as that function doesn't let you specify a password.

What is the certificate add and addDER supposed to do and be used for?

You can go back to using the mbedtls implementation by using HXCPP_USE_MBEDTLS.

Aidan63 and others added 30 commits June 15, 2024 23:13
@Aidan63
mbedtls3 migration
fbf3eb0
@Aidan63 @Apprentice-Alchemist
Update src/hx/libs/ssl/SSL.cpp
b1b53da 
Co-authored-by: Zeta <[email protected]>
@Aidan63 @Apprentice-Alchemist
Update src/hx/libs/ssl/SSL.cpp
be8cdf4 
Co-authored-by: Zeta <[email protected]>
@Aidan63 @Apprentice-Alchemist
Update src/hx/libs/ssl/SSL.cpp
b4ee945 
Co-authored-by: Zeta <[email protected]>
@Aidan63
try compiling mbedtls in its own files tag against a c std version
fe6ec81
@Aidan63
try setting the c flag on the ssl file group
f2fe638
@Aidan63
It was worth a try
7a28b88 
Revert "try compiling mbedtls in its own files tag against a c std version"

This reverts commit fe6ec81.
@Aidan63
patch crypto headers
27bdee8
@Aidan63
unmask mysql service before starting
d23c320
@Aidan63
Merge branch 'master' into mbedtls3
17e6116
@Aidan63
add c99 flag
fc1541c
@Aidan63
Merge branch 'master' into mbedtls3
d52a7c8
@Aidan63
Merge branch 'master' into mbedtls3
8b2ffea
@Aidan63
schannel based cert
2d36f87
@Aidan63
digest function using CNG
3848a54
@Aidan63
loading private key
cccbe07
@Aidan63
signing function
c2fdd7e
@Aidan63
public key loading
787aa58
@Aidan63
digest verify
4378def
@Aidan63
MBEDTLS_USER_CONFIG_FILE
be45fff
@Aidan63
key decryption
6aea878
@Aidan63
start to split things into different files
ac50c71
@Aidan63
move lean and mean define
098ba88
@Aidan63
more splitting and gc free zones
211380f
@Aidan63
don't duplicate key decoding logic
388bd37
@Aidan63
cert loading from string and more cert attribute string support
96861cf
@Aidan63
correctly load rsa public keys
d754a34
@Aidan63
initial next cert function
218bd99
@Aidan63
Opt into mbedtls with HXCPP_USE_MBEDTLS
3117d75
@Aidan63
some cleanup
180b488
@Aidan63 Aidan63 marked this pull request as draft July 28, 2024 11:43
@skial skial mentioned this pull request Aug 7, 2024
Closed
1 task
@Aidan63 Aidan63 mentioned this pull request Aug 17, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Aidan63