Adding cryptographic primitives
The libqcrypto_pluginS.a plugin library and qcrypto/qcrypto_plugin.h header file allow you to create a custom plugin to use with the qcrypto library.
For detailed information on the plugin API, see qcrypto_plugin.h
.
For information about the plugins that ship with the qcrypto library,
see Certicom plugin
, TomCrypt plugin
, and OpenSSL plugin
.
Linking to libqcrypto_pluginS.a
In your makefile, use -Wl,--whole-archive to link to libqcrypto_pluginS.a.
Plugin binding and release
The qcrypto library binds and loads a plugin either when it is initialized (using qcrypto_init()) or when a user requests an algorithm from the plugin.When a plugin is loaded, its global initialization function is called, which allows the plugin to initialize its internals and support for the third-party cryptography library (or libraries) that it wraps.
When a plugin is unbound or unloaded, its global finalization function is called, which allows the plugin to release resources and perform the required cleanup.
Algorithm handling
Registration
During global plugin initialization (part of the plugin loading process), one of the plugin tasks is to register which algorithms it supports. This registration task allows the QNX cryptography library to query the plugin when a user requests a particular algorithm function.
Requesting an algorithm
When a user requests an algorithm, the qcrypto library calls the algorithm's initialization function, which causes the plugin to allocate resources, perform other initialization tasks related to providing support for the algorithm (for example, loading a shared object library or allocating memory), or both.
Release
When the qcrypto library user no longer requires a specific algorithm, it calls a release function that in turn calls the algorithm's un-initialization function. This activity allows the plugin to release resources related to the algorithm, perform cleanup, or both.
Re-use
Algorithm interfaces that support initialization, update, and finalization functions must be re-usable. This requirement means that initializing an algorithm that has already been used restores it to a clean state and it can be used to perform another operation. It minimizes resource shuffling and allows an algorithm context to be used as many times as possible.
Naming
Where possible, algorithm names should be in lowercase letters and follow the NID naming
scheme for standard algorithm names. If the name to use is not clear, use the OpenSSL naming
convention, which is the one that is most commonly used. Names need to be standardized
across implementations to maximize the interoperability of the various plugins. See OpenSSL plugin
to see which names are currently used and
supported.
Plugin key handling and formats
Key handling and formats are the cornerstone of the qcrypto library. To ensure interoperability among all the supported plugins, keys and their parameters need to be stored in a standard format internally so that a key generated by one plugin can be used in another plugin algorithm, in a process that is transparent to the user. Plugins should provide full support for generating, exporting, and importing keys to and from any of the standard formats.
The following table describes how plugins should internally store each type of key. When a key is passed to an algorithm's initialization function, the plugin can make a copy of the key. It can convert the copy into whatever internal format the algorithm requires.
Key type | Import format | Export format | Internal key format |
---|---|---|---|
RSA | |||
Private keys | PKCS#8 PEM/DER | PKCS#8 PEM/DER | PKCS#8 DER |
Public keys | X.509 PEM/DER | X.509 PEM/DER | X.509 DER |
Elliptic-curve cryptography | |||
Private keys | PKCS#8 PEM/DER | PKCS#8 PEM/DER | PKCS#8 DER |
Public key | X.509 PEM/DER | X.509 PEM/DER | X.509 DER |
Digital Signature Algorithm | |||
Private keys | PKCS#8 PEM/DER | PKCS#8 PEM/DER | PKCS#8 DER |
Public key | X.509 PEM/DER | X.509 PEM/DER | X.509 DER |
Edwards Elliptic Curve (25519/448) | |||
Private keys | PKCS#8 PEM/DER | PKCS#8 PEM/DER | PKCS#8 DER |
Public key | X.509 PEM/DER | X.509 PEM/DER | X.509 DER |
Symmetric keys | |||
All keys | Raw byte sequence |