Support loading identities from key/cert files #31
Conversation
let cert = CertContext::new(cert).unwrap();

let mut options = AcquireOptions::new();
options.container("schannel-test");
If I understand CryptAcquireContext correctly, if you don't use CRYPT_VERIFYCONTEXT, the key is stored permanently on disk, is that right?
MSDN/CryptAcquireContext <https://msdn.microsoft.com/en-us/library/windows/desktop/aa379886(v=vs.85).aspx>:
Instead, either prevent key storage by passing the CRYPT_VERIFYCONTEXT flag in the dwFlags parameter, or use an application-specific container that is unlikely to be used by another application. [...] For performance reasons, we recommend that you set the pszContainer parameter to NULL and the dwFlags parameter to CRYPT_VERIFYCONTEXT in all situations where you do not require a persisted key.
That sounds to me like we want verify_context() here.
You can't decrypt data with a key in a verify context. Those are used for things like signature verification but won't work for TLS.
In src/test.rs <#31 (comment)>:
> + let mut stream = tls_stream::Builder::new()
+ .domain("foobar.com")
+ .cert_store(store)
+ .connect(creds, stream)
+ .unwrap();
+ stream.write_all(&[1, 2, 3, 4]).unwrap();
+ stream.flush().unwrap();
+ assert_eq!(stream.read(&mut [0; 1024]).unwrap(), 4);
+ stream.shutdown().unwrap();
+ });
+
+ let cert = include_bytes!("../test/cert.der");
+ let cert = CertContext::new(cert).unwrap();
+
+ let mut options = AcquireOptions::new();
+ options.container("schannel-test");
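Review bot: the assertion assert_eq!(stream.read(&mut [0; 1024]).unwrap(), 4) assumes the four echoed bytes arrive in one read; read is allowed to return fewer bytes, so this test can fail intermittently. Reading into a fixed buffer with let mut buf = [0; 4]; stream.read_exact(&mut buf).unwrap(); assert_eq!(buf, [1, 2, 3, 4]); checks both length and content deterministically. Also, options.container("schannel-test") names a persisted key container (and, as discussed above, a verify context is not an option for TLS), so each run leaves a key container on the test machine; the test should remove it when done, for instance by re-acquiring the container with CRYPT_DELETEKEYSET, or at least note that it persists.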
Oh right.
Other than that I generally don't like type_ (aesthetically), which we unfortunately need, LGTM.
This unblocks sfackler/rust-native-tls#27!