blob: f7d4563630acc330038f03bb0cff98b3f886a523 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
WHAT VERSION OF WINDOWS?
------------------------------------------------------------------------
The xmlsec-mscrypto lib is developed on a windows XP machine with MS Visual
Studio (6 and .NET). The MS Crypto API has been evolving a lot with the
new releases of windows and internet explorer. MS CryptoAPI libraries
are distributed with ie and with the windows OS. Full functionality will
only be achieved on windows XP. AES is for example not supported on pre
XP versions of Windows (workarounds for this are possible, I believe).
Direct RSA de/encryption, used by xmlsec-mscrypto, is only possible from
Win 2000 (possibly also with a newer version of ie, with strong encryption
patch installed). It's very likely more of these issues are lying around, a
nd until it is tested on older windows systems it is uncertain what will work.
KEYS MANAGER with MS Certificate store support.
------------------------------------------------------------------------
The default xmlsec-mscrypto keys manager is based upon the simple keys
store, found in the xmlsec core library. If keys are not found in the
simple keys store, than MS Certificate store is used to lookup keys.
The certificate store is only used on a READONLY base, so it is not possible
to store keys via the keys store into the MS certificate store. There are enough
other tools that can do that for you.
When the xmlsec application is started, with the config parameter the name of
the (system) keystore can be given. That keystore will be used for certificates
and keys lookup. With the keyname now two types of values can be given:
- simple name (called friendly name with MS);
- full subject name (recommended) of the key's certificate.
KNOWN ISSUES.
------------------------------------------------------------------------
1) Default keys manager don't use trusted certs in MS Crypto Store
(http://bugzilla.gnome.org/show_bug.cgi?id=123668).
2) Missing crypto functionality:
- HMAC (http://bugzilla.gnome.org/show_bug.cgi?id=123670): does not look
like MS would support it soon.
- RSA-OAEP (http://bugzilla.gnome.org/show_bug.cgi?id=123671): MS says
that they will support this in the near future.
- AES KW (http://bugzilla.gnome.org/show_bug.cgi?id=123672): no native
support, might be possible to implement on top of AES cipher itself
- DES KW (http://bugzilla.gnome.org/show_bug.cgi?id=123673): no native
support, might be possible to implement on top of AES cipher itself
3) Actual AES Crypto provider name is different from the "official" one
(http://bugzilla.gnome.org/show_bug.cgi?id=123674).
4) The only supported file formats are PKCS#12 and DER certificates
(http://bugzilla.gnome.org/show_bug.cgi?id=123675).
|
