[xmlsec] OpenSSL Gost support

Dmitry Belyavsky beldmit at gmail.com
Fri Sep 2 09:19:39 PDT 2011


Greetings!

Here is an incomplete patch to provide minimal support of GOST
digital signatures and digests to the OpenSSL-based version of xmlsec.
Unfortunately, I didn't understand how to make it complete, though I
suppose I know what I've missed something to make the library available to
sign...

I try to test verifying the file tests/aleksey-xmldsig/enveloped-gost.xml
with the xmlsec command-line utility, but
EVP_get_digestbyname("md_gost94") returns NULL, though the gost
OpenSSL engine is loaded.

Can you show me what I'm missing?

Thank you!

On Fri, Sep 2, 2011 at 12:55 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> There is GOST implementation for MS Crypto.
>
> Aleksey
>
>
> On 9/1/11 1:13 PM, Dmitry Belyavsky wrote:
>>
>> Greetings!
>>
>> What does the phrase from the log
>>
>> Test: /aleksey-xmldsig-01/enveloped-gost (success)
>>
>> mean? Has it really been tested? If so, I've just completed my
>> mission... If not, how can I enable this test for OpenSSL?
>>
>> Thank you!
>>
>> On Thu, Aug 18, 2011 at 11:11 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>> Sorry, I already forgot file names :) You don't need key transport. You
>>> need actual key data implementation: see src/openssl/evp.c
>>>
>>> Aleksey
>>>
>>>
>>> On 8/18/11 12:08 PM, Dmitry Belyavsky wrote:
>>>>
>>>> Greetings!
>>>>
>>>> Sorry, I don't understand. The Gost algorithm is DSA-like, not
>>>> RSA-like. Why should I implement the rsa-like transport?..
>>>>
>>>> Thank you!
>>>>
>>>> On Thu, Aug 18, 2011 at 11:05 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>>
>>>>> Yes. You don't need to do X509 certs but you need to define a key to
>>>>> use with the gost algorithm :)
>>>>>
>>>>> Aleksey
>>>>>
>>>>>
>>>>> On 8/18/11 12:03 PM, Dmitry Belyavsky wrote:
>>>>>>
>>>>>> Greetings!
>>>>>>
>>>>>> Do you mean something similar to src/openssl/kt_rsa.c?
>>>>>> I hope I don't need it using the X509 cert format. Am I wrong?
>>>>>>
>>>>>> On Thu, Aug 18, 2011 at 10:43 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>>>>
>>>>>>> You also need to implement key type for gost keys. Take a look at how
>>>>>>> RSA keys are done.
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>>
>>>>>>> On 8/18/11 11:39 AM, Dmitry Belyavsky wrote:
>>>>>>>>
>>>>>>>> Greetings!
>>>>>>>>
>>>>>>>> I'm implementing the Russian GOST support for OpenSSL-built XMLSec.
>>>>>>>> I have some questions.
>>>>>>>>
>>>>>>>> 1. The support is expected to be in X.509 format only. I hope that
>>>>>>>> linking against OpenSSL 1.0 will work well enough after I implement
>>>>>>>> the necessary transforms. When I run make check, I get the
>>>>>>>> following:
>>>>>>>>
>>>>>>>>
>>>>>>>> Test: /aleksey-xmldsig-01/enveloped-gost (success)
>>>>>>>> /home/beldmit/xmlsec1-1.2.18/apps/xmlsec1 check-transforms  --crypto openssl --crypto-config /tmp/xmlsec-crypto-config enveloped-signature gostr34102001-gostr3411 gostr3411
>>>>>>>> Transforms "enveloped-signature" found
>>>>>>>> Transforms "gostr34102001-gostr3411" found
>>>>>>>> Transforms "gostr3411" found
>>>>>>>> /home/beldmit/xmlsec1-1.2.18/apps/xmlsec1 check-key-data  --crypto openssl --crypto-config /tmp/xmlsec-crypto-config gost
>>>>>>>> Error: key data "gost" not found
>>>>>>>>
>>>>>>>> How can I fix it?
>>>>>>>>
>>>>>>>> 2. I configure XMLSec with
>>>>>>>>
>>>>>>>> ./configure --with-openssl=/usr --with-pic=yes --enable-gost
>>>>>>>> But it seems to use static linking instead of using dynamic. How can
>>>>>>>> I fix it?
>>>>>>>>
>>>>>>>> Thank you!
>>>>>>>>
>>>>
>>
>>
>



-- 
SY, Dmitry Belyavsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ossl_gost.diff
Type: text/x-patch
Size: 17195 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20110902/b55e22ce/attachment-0001.bin>

