
Comments (6)

bellgrim commented on July 27, 2024

Francis Dupont added a comment - 2013-10-25 17:14
Thanks for the URL.
I have no objection: it seems a good idea if we can get asym crypto support too (doesn't seem to be the case BTW).
When I said I have no objection I was not fully right: I am reluctant to use any crypto which will never be FIPS 140-2 (or national equivalent) certified…

from softhsmv2.

bellgrim commented on July 27, 2024

Francis Dupont added a comment - 2013-10-27 09:27 - edited
Two notes:

  • the Common Crypto (the low level API) documentation is very poor and incomplete (fortunately the sources are freely available). So in fact it provides far more than described in the man.
  • Apple announced the crypto part (what exactly?) of OS X and iOS will be FIPS 140-2 certified.


bellgrim commented on July 27, 2024

Francis Dupont added a comment - 2013-10-28 15:41
Commenting again: we have three choices:

  • give up, i.e., support only hash, mac and symmetric ciphers. BTW I have the code and it is just enough for running an HSM.
  • import includes from Apple open source site so we have the defines to use the Common Crypto library for undocumented entries. I have a mixed opinion about this because I don't know the reason Apple provides only one part of the API mans/includes.
  • retro engineer the real implementation (corecrypto) but without any doc and only some includes (with the kernel (aka xnu) sources). I don't believe fuzzing a crypto API is the best thing to do, even if it is the library which is the target of the FIPS 140-2 certification. It is better to stay with the official API (i.e., Common Crypto) which exports corecrypto crypto protocol implementations.

PS: the other APIs are either too high level (keychain stuff) or officially no longer supported (CDSA/CSSM).


bellgrim commented on July 27, 2024

Francis Dupont added a comment - 2013-10-28 19:45
BTW I checked for the second option (i.e., use undocumented but present entries of Common Crypto): a trivial RSA key pair create, get components (primes, not the CRT coefficients) and rebuild the key pairs failed on my dev box (last 10.8.5) but succeeded on another box I upgraded to 10.9 (last OS X)… Did you say undocumented == unsupported?


rijswijk commented on July 27, 2024

Let's revisit the impact of this for 2.5.0, but it seems like it might be a lot of work. Would be nice to support this on OS X though. I think it would be helpful to open a similar issue for using core crypto services on Windows (rather than OpenSSL or Botan).


jariq commented on July 27, 2024

Hint for potential implementer: pvpkcs11 implements PKCS#11 API on top of CommonCrypto.

