HaxeFoundation / hxcpp

Runtime files for c++ backend for haxe

WinCrypt and Friends SSL Implementation #1135

Open Aidan63 opened 1 month ago

Aidan63 commented 1 month ago

(Builds on top of the mbedtls3 branch, hence the large diff)

This is an attempt at providing an SSL implementation using the built-in Windows cryptographic libraries, WinCrypt, CNG (Cryptographic Next Generation), and SChannel. Benefits of this being,

With that all said, there are some unknowns here; these APIs are much lower level than mbedtls and example usage is very limited. There is also no definitive list of what key and cert formats are supported by these APIs and what haxe expects to be supported. These haxe APIs also seem to have very little to no use in some cases, so I've not got much to go on for what's actually expected.

Below are some general questions / points I'd like some help on.

I've added some new tests to this repo since the haxe test suite only has a handful of very basic ssl api tests; it might make more sense for them to be moved to the haxe repo instead.

These APIs have no support for RIPEMD160, so this algorithm will never work.

The cert tests I've added are failing on mbedtls! Tests like cert.subject('O'). Maybe these have been broken for a long time, the only use of them on github I can find is openfl (https://github.com/openfl/openfl/blob/b1bb7052f1a3d0403be6d79e4e9edd17e160cfb1/src/openfl/net/SecureSocket.hx#L166).

What is supported with these subject and issuer functions, just the short character codes or the long names as well?

You can't load a DER encrypted private key as that function doesn't let you specify a password.

What is the certificate add and addDER supposed to do and be used for?

You can go back to using the mbedtls implementation by using HXCPP_USE_MBEDTLS.