You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have an MbedTLS PR in PicoTLS to finish the second phase of the porting, adding support for a variety of public key operations to the TLS port. Since integration is PicoTLS appears stalled, we should consider adding that code directly into Picoquic, much like we did for the more basic primitives.
That PR provides sufficient support for building a server using MbedTLS, including certificate signing.
The missing step after that is the addition of certificate chain verification processes, which currently are only available for the OpenSSL back-end. (Minicrypto defaults to not checking certificate chains.)
The portable API for loading private keys relies on parsing the PEM file containing the key. In many cases, it is preferable to pass instead a key identifier, leaving the private key itself in a private vault. There are APIs for that in OpenSSL and MbedTLS, as well as N-Crypt on Windows, but it will be very hard to expose those APIs through a portable "least common denominator". These parts of the code may need to be conscious of which back-end they use.
The certificate chain verification procedures are rather tied to specific implementations of crypto, and may also be tied to certificate root files, etc. Developing portable alternatives could be hard and error prone.
The text was updated successfully, but these errors were encountered:
We have an MbedTLS PR in PicoTLS to finish the second phase of the porting, adding support for a variety of public key operations to the TLS port. Since integration is PicoTLS appears stalled, we should consider adding that code directly into Picoquic, much like we did for the more basic primitives.
That PR provides sufficient support for building a server using MbedTLS, including certificate signing.
The missing step after that is the addition of certificate chain verification processes, which currently are only available for the OpenSSL back-end. (Minicrypto defaults to not checking certificate chains.)
The portable API for loading private keys relies on parsing the PEM file containing the key. In many cases, it is preferable to pass instead a key identifier, leaving the private key itself in a private vault. There are APIs for that in OpenSSL and MbedTLS, as well as N-Crypt on Windows, but it will be very hard to expose those APIs through a portable "least common denominator". These parts of the code may need to be conscious of which back-end they use.
The certificate chain verification procedures are rather tied to specific implementations of crypto, and may also be tied to certificate root files, etc. Developing portable alternatives could be hard and error prone.
The text was updated successfully, but these errors were encountered: