[xmlsec] OpenSSL Gost support

Dmitry Belyavsky beldmit at gmail.com
Fri Sep 2 09:52:19 PDT 2011


Greetings!

The openssl gost engine is loaded, and openssl uses it successfully.

OPENSSL_CONF=./apps/openssl.cnf ./apps/openssl dgst -md_gost94 file
works correctly.

OPENSSL_CONF=../openssl-1.0.0d/apps/openssl.cnf
LD_LIBRARY_PATH=./src/openssl/.libs:./src/.libs ./apps/.libs/xmlsec1
--verify tests/aleksey-xmldsig-01/enveloped-gost.xml

prints the following call trace:
-----------
func=xmlSecOpenSSLEvpSignatureInitialize:file=signatures.c:line=225:obj=gostr34102001-gostr3411:subj=unknown:error=31:invalid transform:
func=xmlSecTransformCreate:file=transforms.c:line=1436:obj=gostr34102001-gostr3411:subj=id-initialize:error=1:xmlsec library function failed:
func=xmlSecTransformNodeRead:file=transforms.c:line=1568:obj=unknown:subj=xmlSecTransformCreate:error=1:xmlsec library function failed:transform=gostr34102001-gostr3411
func=xmlSecTransformCtxNodeRead:file=transforms.c:line=694:obj=unknown:subj=xmlSecTransformNodeRead:error=1:xmlsec library function failed:name=SignatureMethod
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=742:obj=unknown:subj=xmlSecTransformCtxNodeRead:error=1:xmlsec library function failed:node=SignatureMethod
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "tests/aleksey-xmldsig-01/enveloped-gost.xml"
----------

On Fri, Sep 2, 2011 at 8:35 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> I guess you need to configure openssl to load gost. From the error you
> describe, it just can't find the gost algorithm.
>
> Aleksey
>
> On 9/2/11 9:19 AM, Dmitry Belyavsky wrote:
>
> Greetings!
>
> Here is the incomplete patch to provide minimal support of GOST
> digital signatures and digests to the OpenSSL-based version of xmlsec.
> Unfortunately, I didn't understand how to make it complete, though I
> suppose I know I've missed something to make the library available to
> sign...
>
> I am trying to verify the file tests/aleksey-xmldsig/enveloped-gost.xml
> with the xmlsec command-line utility, but
> EVP_get_digestbyname("md_gost94") returns NULL, even though the gost
> openssl engine is loaded.
>
> Can you show me what I'm missing?
>
> Thank you!
>
> On Fri, Sep 2, 2011 at 12:55 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> There is a GOST implementation for MS Crypto.
>
> Aleksey
>
>
> On 9/1/11 1:13 PM, Dmitry Belyavsky wrote:
>
> Greetings!
>
> What does this phrase from the log
>
> Test: /aleksey-xmldsig-01/enveloped-gost (success)
>
> mean? Has it really been tested? If so, I've just completed my
> mission... If not, how can I enable this test for OpenSSL?
>
> Thank you!
> On Thu, Aug 18, 2011 at 11:11 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Sorry, I already forgot the file names :) You don't need a key transport.
> You need an actual key data implementation: see src/openssl/evp.c
>
> Aleksey
>
>
> On 8/18/11 12:08 PM, Dmitry Belyavsky wrote:
>
> Greetings!
>
> Sorry, I don't understand. The GOST algorithm is DSA-like, not
> RSA-like. Why should I implement the RSA-like transport?
>
> Thank you!
>
> On Thu, Aug 18, 2011 at 11:05 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Yes. You don't need to do X509 certs, but you need to define a key to
> use with the gost algorithm :)
>
> Aleksey
>
>
> On 8/18/11 12:03 PM, Dmitry Belyavsky wrote:
>
> Greetings!
>
> Do you mean something similar to src/openssl/kt_rsa.c?
> I hope I don't need it when using the X509 cert format. Am I wrong?
>
> On Thu, Aug 18, 2011 at 10:43 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> You also need to implement a key type for gost keys. Take a look at how
> RSA keys are done.
>
> Aleksey
>
>
> On 8/18/11 11:39 AM, Dmitry Belyavsky wrote:
>
> Greetings!
>
> I'm implementing Russian GOST support in the OpenSSL-built XMLSec.
> I have some questions.
>
> 1. The support is expected to be in X.509 format only. I hope that
> linking against OpenSSL 1.0 will work well enough after I implement
> the necessary transforms. When I run make check, I get the
> following:
>
>
> Test: /aleksey-xmldsig-01/enveloped-gost (success)
> /home/beldmit/xmlsec1-1.2.18/apps/xmlsec1 check-transforms  --crypto openssl --crypto-config /tmp/xmlsec-crypto-config enveloped-signature gostr34102001-gostr3411 gostr3411
> Transforms "enveloped-signature" found
> Transforms "gostr34102001-gostr3411" found
> Transforms "gostr3411" found
> /home/beldmit/xmlsec1-1.2.18/apps/xmlsec1 check-key-data  --crypto openssl --crypto-config /tmp/xmlsec-crypto-config gost
> Error: key data "gost" not found
>
> How can I fix it?
>
> 2. I configure XMLSec with
>
> ./configure --with-openssl=/usr --with-pic=yes --enable-gost
>
> But it seems to use static linking instead of dynamic. How can I
> fix it?
>
> Thank you!
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>



-- 
SY, Dmitry Belyavsky