Saturday, 14 February 2009

Support for ECDSA and ECDH in PK-INIT

Heimdal now supports ECDSA (elliptic curve, signature mode) and ECDH (elliptic curve, key exchange mode) when compiled with OpenSSL; there is no hcrypto support yet. ECDSA is turned on when using EC certificates: both the signature verification and CMS are done using the EC certificate.

ECDH is used whenever ECDSA is used, so it is also used when using EC certificates on the client. Negotiation of EC curves is missing, so the code is not future-safe, but it's something that we'll add in the future. Part of the regression test now uses the EC certificate. hxtool needs support for generating EC keys and exporting the SubjectPublicKeyInfo before it can sign certificates; neither of them is too hard.

Too much of the OpenSSL EC implementation is hidden, so right now it's not possible to load plugins. So there is no support for PKCS11- or Keychain-based private keys.
