[xmlsec] OpenSSL Gost support

Dmitry Belyavsky beldmit at gmail.com
Sat Sep 3 01:52:23 PDT 2011


Greetings!

It seems to me I've found a problem but I don't understand how it happens :-(.

According to strace, when using openssl we load the libcrypto.so
first, then we load the openssl config and corresponding engine. But
using the xmlsec cmdline application we first read the engine library,
then the libcrypto.so library.

Both apps are single-threaded, so strace can't be mistaken...

On Fri, Sep 2, 2011 at 8:35 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> I guess you need to configure openssl to load gost. From the error you
> describe, it just can't find gost algorithm.
>
> Aleksey
>
> On 9/2/11 9:19 AM, Dmitry Belyavsky wrote:
>
> Greetings!
>
> Here is the incomplete patch to provide minimal support of GOST
> digital signature and digests to OpenSSL-based version of the xmlsec.
> Unfortunately, I didn't understand how to make it complete, though I
> suppose I know what I've missed something to make the library available to
> sign...
>
> I try to test verifying file tests/aleksey-xmldsig/enveloped-gost.xml
> with the xmlsec cmdline utility but the
> EVP_get_digestbyname("md_gost94") returns NULL, though the gost
> openssl engine is loaded.
>
> Can you show me what I'm missing?
>
> Thank you!
>
> On Fri, Sep 2, 2011 at 12:55 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> There is GOST implementation for MS Crypto.
>
> Aleksey
>
>
> On 9/1/11 1:13 PM, Dmitry Belyavsky wrote:
>
> Greetings!
>
> What does the phrase from log
>
> Test: /aleksey-xmldsig-01/enveloped-gost (success)
>
> mean? Has it really been tested? If so, I've just completed my
> mission... If not, how can I enable this test for OpenSSL?
>
> Thank you!
> On Thu, Aug 18, 2011 at 11:11 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Sorry, I already forgot file names :) You don't need key transport. You
> need actual key data implementation: see src/openssl/evp.c
>
> Aleksey
>
>
> On 8/18/11 12:08 PM, Dmitry Belyavsky wrote:
>
> Greetings!
>
> Sorry, I don't understand. The Gost algorithm is DSA-like, not
> RSA-like. Why should I implement the rsa-like transport?..
>
> Thank you!
>
> On Thu, Aug 18, 2011 at 11:05 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Yes. You don't need to do X509 certs but you need to define a key to use
> with the gost algorithm :)
>
> Aleksey
>
>
> On 8/18/11 12:03 PM, Dmitry Belyavsky wrote:
>
> Greetings!
>
> Do you mean something similar to src/openssl/kt_rsa.c?
> I hope I don't need it using the X509 cert format. Am I wrong?
>
> On Thu, Aug 18, 2011 at 10:43 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> You also need to implement key type for gost keys. Take a look at how
> RSA keys are done.
>
> Aleksey
>
>
> On 8/18/11 11:39 AM, Dmitry Belyavsky wrote:
>
> Greetings!
>
> I'm implementing the Russian GOST support to OpenSSL-built XMLSec. I
> have some questions.
>
> 1. The support is expected to be in X.509 format only. I hope that
> linking against OpenSSL 1.0 will work well enough after I implement
> the necessary transforms. When I run make check, I get the following:
>
>
> Test: /aleksey-xmldsig-01/enveloped-gost (success)
> /home/beldmit/xmlsec1-1.2.18/apps/xmlsec1 check-transforms  --crypto openssl --crypto-config /tmp/xmlsec-crypto-config enveloped-signature gostr34102001-gostr3411 gostr3411
> Transforms "enveloped-signature" found
> Transforms "gostr34102001-gostr3411" found
> Transforms "gostr3411" found
> /home/beldmit/xmlsec1-1.2.18/apps/xmlsec1 check-key-data  --crypto openssl --crypto-config /tmp/xmlsec-crypto-config gost
> Error: key data "gost" not found
>
> How can I fix it?
>
> 2. I configure XMLSec with
>
> ./configure --with-openssl=/usr --with-pic=yes --enable-gost
>
> But it seems to use static linking instead of using dynamic. How can I
> fix it?
>
> Thank you!



-- 
SY, Dmitry Belyavsky
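
Added example, not part of the original message and not xmlsec or OpenSSL code: a small Python script for the strace comparison described at the top of this message, reporting the order in which libcrypto, openssl.cnf and the gost engine library are first opened successfully. The sample traces and all file paths (including the engine file name libgost.so) are constructed assumptions that mirror the two load orders reported above.

```python
import re

# Successful or failed open()/openat() lines, with the optional pid prefix
# that `strace -f` adds. Group 1 is the path, group 2 the return value.
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?open(?:at)?\('
    r'(?:AT_FDCWD,\s*)?"([^"]+)"[^)]*\)\s*=\s*(-?\d+)')

# File-name patterns are assumptions; adjust them to the local install.
ARTIFACTS = {
    "libcrypto": re.compile(r'/libcrypto\.so[^/]*$'),
    "config": re.compile(r'/openssl\.cnf$'),
    "engine": re.compile(r'/engines[^/]*/[^/]*gost[^/]*\.so$'),
}

# Constructed traces (not from the thread) mirroring the two orders reported.
OPENSSL_TRACE = '''
open("/usr/lib/libcrypto.so.1.0.0", O_RDONLY) = 3
open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
open("/usr/lib/ssl/engines/libgost.so", O_RDONLY) = 4
'''
XMLSEC_TRACE = '''
open("/usr/lib/tls/libcrypto.so.1.0.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/ssl/engines/libgost.so", O_RDONLY) = 3
open("/usr/lib/libcrypto.so.1.0.0", O_RDONLY) = 4
'''

def load_order(strace_text):
    """Return artifact names in order of their first successful open."""
    order = []
    for line in strace_text.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m or int(m.group(2)) < 0:
            continue  # not an open call, or a failed probe such as ENOENT
        for name, pattern in ARTIFACTS.items():
            if name not in order and pattern.search(m.group(1)):
                order.append(name)
    return order

def summarize(order):
    """Flag the conditions raised in the thread: load order and config use."""
    pos = {name: i for i, name in enumerate(order)}
    both = "engine" in pos and "libcrypto" in pos
    return {"engine_before_libcrypto": both and pos["engine"] < pos["libcrypto"],
            "config_read": "config" in pos}

if __name__ == "__main__":
    for label, trace in (("openssl", OPENSSL_TRACE), ("xmlsec", XMLSEC_TRACE)):
        order = load_order(trace)
        print(label, order, summarize(order))
```

For a real run, write the trace to a file with strace -o and pass the file's contents to load_order().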

