[Interest] Integrate crypto in Qt project

Konrad Rosenbaum konrad at silmor.de
Mon Jan 8 13:13:23 CET 2018


Hi,

On Mon, January 8, 2018 12:05, Christophe Thomas wrote:
> Thx for your feedback,

you're welcome.

> Don't worry I won't even imagine using some unknown third party code for
> crypto in production code.
>
> Since yesterday I've continued studying my case and my problem is that I'm
> bounded to a specific format: I'm trying to implement some map (S63
> format)
> decryption.

If it is only decryption (or verification) you may be fine. For encryption
you have to know rather more than what is usually documented (there are
some hidden traps in implementing this).

> This format is using
> - blowfish as encryption/decryption method => so no real choice here for
> me, but you are right I will use openssl instead of some other code for
> this

Since this forces you to implement the protocol level yourself, I'd
recommend libgcrypt - it is much easier to use than the OpenSSL low level
functions.

https://www.gnupg.org/software/libgcrypt/index.html

> - DSA keys and signature are provided in plain text format (see below), so
> my main concerne is to build the key or signature with those data in order
> to launch DSA verify command. I'm now thinking of manually building the
> data in DER/ASN.1 format but if I can do things directly it would be
> better.

Don't do DER (or BER, CER, ...) yourself if you can avoid it. It is an
endless source of sorrow...

With libgcrypt you build an S-expression structure directly from the text
values using gcry_sexp_build and use this structure to feed the public key
functions. No need to mock about with ASN.1.

If this is a commercial project and your company can afford it: I'd
recommend to hire a cryptography expert for a few days to either implement
the crypto stuff directly or at least to review the code.


   Konrad




More information about the Interest mailing list