[xmlsec] OpenSSL Gost support

Aleksey Sanin aleksey at aleksey.com
Fri Sep 2 09:35:20 PDT 2011


I guess you need to configure openssl to load gost. From the error you
describe, it just can't find the gost algorithm.

Aleksey


On 9/2/11 9:19 AM, Dmitry Belyavsky wrote:
> Greetings!
>
> Here is the incomplete patch to provide minimal support of GOST
> digital signature and digests to the OpenSSL-based version of xmlsec.
> Unfortunately, I didn't understand how to make it complete, though I
> suppose I know what I've missed something to make the library available to
> sign...
>
> I try to test verifying the file tests/aleksey-xmldsig/enveloped-gost.xml
> with the xmlsec cmdline utility, but
> EVP_get_digestbyname("md_gost94") returns NULL, though the gost
> openssl engine is loaded.
>
> Can you show me what I'm missing?
>
> Thank you!
>
> On Fri, Sep 2, 2011 at 12:55 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>> There is GOST implementation for MS Crypto.
>>
>> Aleksey
>>
>>
>> On 9/1/11 1:13 PM, Dmitry Belyavsky wrote:
>>> Greetings!
>>>
>>> What does the phrase from log
>>>
>>> Test: /aleksey-xmldsig-01/enveloped-gost (success)
>>>
>>> mean? Has it really been tested? If so, I've just completed my
>>> mission... If not, how can I enable this test for OpenSSL?
>>>
>>> Thank you!
>>> On Thu, Aug 18, 2011 at 11:11 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>> Sorry, I already forgot file names :) You don't need key transport. You
>>>> need actual key data implementation: see src/openssl/evp.c
>>>>
>>>> Aleksey
>>>>
>>>>
>>>> On 8/18/11 12:08 PM, Dmitry Belyavsky wrote:
>>>>> Greetings!
>>>>>
>>>>> Sorry, I don't understand. The Gost algorithm is DSA-like, not
>>>>> RSA-like. Why should I implement the rsa-like transport?..
>>>>>
>>>>> Thank you!
>>>>>
>>>>> On Thu, Aug 18, 2011 at 11:05 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>>> Yes. You don't need to do X509 certs but you need to define a key to
>>>>>> use with the gost algorithm :)
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>>
>>>>>> On 8/18/11 12:03 PM, Dmitry Belyavsky wrote:
>>>>>>> Greetings!
>>>>>>>
>>>>>>> Do you mean something similar to src/openssl/kt_rsa.c?
>>>>>>> I hope I don't need it using the X509 cert format. Am I wrong?
>>>>>>>
>>>>>>> On Thu, Aug 18, 2011 at 10:43 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>>>>> You also need to implement key type for gost keys. Take a look at how
>>>>>>>> RSA keys are done.
>>>>>>>>
>>>>>>>> Aleksey
>>>>>>>>
>>>>>>>>
>>>>>>>> On 8/18/11 11:39 AM, Dmitry Belyavsky wrote:
>>>>>>>>> Greetings!
>>>>>>>>>
>>>>>>>>> I'm implementing the Russian GOST support to OpenSSL-built XMLSec. I
>>>>>>>>> have some questions.
>>>>>>>>>
>>>>>>>>> 1. The support is expected to be in X.509 format only. I hope that
>>>>>>>>> linking against OpenSSL 1.0 will work well enough after I implement
>>>>>>>>> the necessary transforms. When I run make check, I get the
>>>>>>>>> following:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Test: /aleksey-xmldsig-01/enveloped-gost (success)
>>>>>>>>> /home/beldmit/xmlsec1-1.2.18/apps/xmlsec1 check-transforms  --crypto openssl --crypto-config /tmp/xmlsec-crypto-config enveloped-signature gostr34102001-gostr3411 gostr3411
>>>>>>>>> Transforms "enveloped-signature" found
>>>>>>>>> Transforms "gostr34102001-gostr3411" found
>>>>>>>>> Transforms "gostr3411" found
>>>>>>>>> /home/beldmit/xmlsec1-1.2.18/apps/xmlsec1 check-key-data  --crypto openssl --crypto-config /tmp/xmlsec-crypto-config gost
>>>>>>>>> Error: key data "gost" not found
>>>>>>>>>
>>>>>>>>> How can I fix it?
>>>>>>>>>
>>>>>>>>> 2. I configure XMLSec with
>>>>>>>>>
>>>>>>>>> ./configure --with-openssl=/usr --with-pic=yes --enable-gost
>>>>>>>>>
>>>>>>>>> But it seems to use static linking instead of using dynamic. How can I
>>>>>>>>> fix it?
>>>>>>>>>
>>>>>>>>> Thank you!
>>>>>>>>>
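The OpenSSL-side configuration that the reply at the top of this thread refers to, as an added example that is not part of the original messages: an `openssl.cnf` fragment in the form documented for the gost engine shipped with OpenSSL 1.0. The section names and the `dynamic_path` value are assumptions; the path depends on where the engine library is installed.

```ini
# Added example, not from the thread: load the gost engine when libcrypto
# reads its configuration file.

# This line must sit in the default (unnamed) section at the top of the file.
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
# "gost_section" is an arbitrary label pointing at the block below.
gost = gost_section

[gost_section]
engine_id = gost
# Assumption: location of the engine shared object; differs per distribution.
dynamic_path = /usr/lib/ssl/engines/libgost.so
# Register the engine as the default implementation of everything it provides
# (GOST R 34.11-94 digest, GOST R 34.10 signatures, GOST 28147-89 cipher).
default_algorithms = ALL
# Parameter set used for GOST 28147-89 encryption.
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
```

The fragment only takes effect in a process that reads the OpenSSL configuration file; the file to read can be selected with the `OPENSSL_CONF` environment variable.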

