Adding cryptographic primitives

QNX SDP8.0QNX OS System Security GuideAPIConfiguration

The libqcrypto_pluginS.a plugin library and qcrypto/qcrypto_plugin.h header file allow you to create a custom plugin to use with the qcrypto library.

For detailed information on the plugin API, see qcrypto_plugin.h.

For information about the plugins that ship with the qcrypto library, see Certicom plugin, TomCrypt plugin, and OpenSSL plugin.

Linking to libqcrypto_pluginS.a

In your makefile, use -Wl,--whole-archive to link to libqcrypto_pluginS.a.

Plugin binding and release

The qcrypto library binds and loads a plugin either when it is initialized (using qcrypto_init()) or when a user requests an algorithm from the plugin.

When a plugin is loaded, its global initialization function is called, which allows the plugin to initialize its internals and support for the third-party cryptography library (or libraries) that it wraps.

When a plugin is unbound or unloaded, its global finalization function is called, which allows the plugin to release resources and perform the required cleanup.

Algorithm handling

Registration

During global plugin initialization (part of the plugin loading process), one of the plugin tasks is to register which algorithms it supports. This registration task allows the QNX cryptography library to query the plugin when a user requests a particular algorithm function.

Requesting an algorithm

When a user requests an algorithm, the qcrypto library calls the algorithm's initialization function, which causes the plugin to allocate resources, perform other initialization tasks related to providing support for the algorithm (for example, loading a shared object library or allocating memory), or both.

Release

When the qcrypto library user no longer requires a specific algorithm, it calls a release function that in turn calls the algorithm's un-initialization function. This activity allows the plugin to release resources related to the algorithm, perform cleanup, or both.

Re-use

Algorithm interfaces that support initialization, update, and finalization functions must be re-usable. This requirement means that initializing an algorithm that has already been used restores it to a clean state and it can be used to perform another operation. It minimizes resource shuffling and allows an algorithm context to be used as many times as possible.

Naming

Where possible, algorithm names should be in lowercase letters and follow the NID naming scheme for standard algorithm names. If the name to use is not clear, use the OpenSSL naming convention, which is the one that is most commonly used. Names need to be standardized across implementations to maximize the interoperability of the various plugins. See OpenSSL plugin to see which names are currently used and supported.

Plugin key handling and formats

Key handling and formats are the cornerstone of the qcrypto library. To ensure interoperability among all the supported plugins, keys and their parameters need to be stored in a standard format internally so that a key generated by one plugin can be used in another plugin algorithm, in a process that is transparent to the user. Plugins should provide full support for generating, exporting, and importing keys to and from any of the standard formats.

The following table describes how plugins should internally store each type of key. When a key is passed to an algorithm's initialization function, the plugin can make a copy of the key. It can convert the copy into whatever internal format the algorithm requires.

Key type Import format Export format Internal key format
RSA
Private keys PKCS#8 PEM/DER PKCS#8 PEM/DER PKCS#8 DER
Public keys X.509 PEM/DER X.509 PEM/DER X.509 DER
Elliptic-curve cryptography
Private keys PKCS#8 PEM/DER PKCS#8 PEM/DER PKCS#8 DER
Public key X.509 PEM/DER X.509 PEM/DER X.509 DER
Digital Signature Algorithm
Private keys PKCS#8 PEM/DER PKCS#8 PEM/DER PKCS#8 DER
Public key X.509 PEM/DER X.509 PEM/DER X.509 DER
Edwards Elliptic Curve (25519/448)
Private keys PKCS#8 PEM/DER PKCS#8 PEM/DER PKCS#8 DER
Public key X.509 PEM/DER X.509 PEM/DER X.509 DER
Symmetric keys
All keys Raw byte sequence
Page updated: