[xmlsec] OpenSSL Gost support - final patch

Dmitry Belyavsky beldmit at gmail.com
Fri Sep 9 01:50:53 PDT 2011


Greetings!

On Fri, Sep 9, 2011 at 12:39 PM, Roumen Petrov <xmlsec at roumenpetrov.info> wrote:
> Dmitry Belyavsky wrote:
>>
>> Greetings!
>>
>> On Thu, Sep 8, 2011 at 8:43 PM, Roumen Petrov<xmlsec at roumenpetrov.info>
>>  wrote:
>>
>>>
>>> Dmitry Belyavsky wrote:
>>>
>>>>
>>>> Greetings!
>>>>
>>>> It seems to work. It's compatible with example provided before
>>>> (xmlsec1 --verify --trusted-pem tests/keys/gost2001ca.pem
>>>> --verification-time "2006-04-01 00:00:00"
>>>> tests/aleksey-xmldsig-01/enveloped-gost.xml is successful) and
>>>> self-compatible.
>>>>
>>>> On Wed, Sep 7, 2011 at 2:32 AM, Aleksey Sanin<aleksey at aleksey.com>
>>>>  wrote:
>>>>
>>>>
>>>>>
>>>>> [SNIP]
>>>>>
>>>>>
>>>
>>> Which openssl version first offered GOST support, even as an externally
>>> maintained patch?
>>>
>>>
>>> If the first is 0.9.8 I think that the xmlsec regression test could be
>>> automated.
>>>
>>
>> Unfortunately, no. You need the 1.0 version with the gost engine enabled
>> through the openssl.cnf file according to the README.gost file.
>>
>
> So I'm not familiar with the status of GOST support in OpenSSL. An Internet search
> points to a page on cryptocom.ru where a patch for openssl 0.9.8 is listed.
> I cannot find an earlier version.

I'm familiar with the status of GOST in OpenSSL and was among the authors
of Cryptocom's patch.
I have a little patch adding GOST support to xmlsec with a
Cryptocom-built OpenSSL, but really it's of almost no interest
outside Russia.

>>
>> BTW, does anybody really need the pre-0.9.8 version of the OpenSSL
>> library (and its support)?
>>
>
> Maybe nobody. I ask because the openssl engine configuration is different
> between openssl versions 0.9.7 and 0.9.8+.
>
> So following the guide README.gost I do this
>
> $ cd [XMLSEC_TOP_BUILD_DIR]
>
> $ cat openssl.cnf
> openssl_conf = openssl_def
>
> [ openssl_def ]
> engines = engine_section
>
> [ engine_section ]
> gost = gost_section
>
> [ gost_section ]
> #engine_id = gost
> #dynamic_path = /usr/lib/ssl/engines/libgost.so
> default_algorithms = ALL
> CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
>
> $ OPENSSL_CONF=`pwd`/openssl.cnf \
> make check
>
> The result is this (extract from the console log):
> ......
> --------- These tests CAN FAIL (extra OS config required) ----------
> aleksey-xmldsig-01/enveloped-gost
>    Checking required transforms                            OK
>    Checking required key data                              OK
>    Verify existing signature                               OK
> .......
>
> With the above I confirm that the xmlsec test could be fully automated.
> Tested with openssl 1.0.0e, dynamic engine build including the GOST engine.

Thank you, it should really work!

-- 
SY, Dmitry Belyavsky
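As an added example (not code from the xmlsec project or from either correspondent in this thread), the following POSIX shell script writes the openssl.cnf from README.gost as quoted above, checks that the GOST engine actually loads under that config with `openssl engine -t -c gost` before anything else is run, and only then runs the xmlsec1 verification command from the thread. The path to libgost.so and the xmlsec build tree are caller-supplied assumptions; the script sets engine_id explicitly and emits dynamic_path only when a .so path is given, whereas the quoted config leaves both commented out.

```shell
#!/bin/sh
# Added example; not the xmlsec project's own code nor from the thread's authors.
# Assumptions (hypothetical, supplied by the caller):
#   $2 = path to the dynamic GOST engine, e.g. /usr/lib/ssl/engines/libgost.so
#   $3 = xmlsec top build directory containing tests/
# Requires OpenSSL 1.0.x with the GOST engine and xmlsec1 built against it.

# Write an openssl.cnf that registers the GOST engine for OpenSSL 1.0.x.
# engine_id is set explicitly; dynamic_path is written only when a shared
# object path is given (an engine built into libcrypto needs none).
write_gost_config() {
  cfg="$1"
  engine_so="${2:-}"
  {
    echo "openssl_conf = openssl_def"
    echo ""
    echo "[ openssl_def ]"
    echo "engines = engine_section"
    echo ""
    echo "[ engine_section ]"
    echo "gost = gost_section"
    echo ""
    echo "[ gost_section ]"
    echo "engine_id = gost"
    if [ -n "$engine_so" ]; then
      echo "dynamic_path = $engine_so"
    fi
    echo "default_algorithms = ALL"
    echo "CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet"
  } > "$cfg"
}

# Return 0 only if OpenSSL can initialise the gost engine under this config.
# Running this first distinguishes "engine not loadable" (OS configuration,
# the reason the test is listed under "CAN FAIL") from a real signature failure.
gost_engine_loads() {
  OPENSSL_CONF="$1" openssl engine -t -c gost >/dev/null 2>&1
}

# The verification command from the thread, run with the config exported.
verify_enveloped_gost() {
  cfg="$1"
  top="$2"
  OPENSSL_CONF="$cfg" xmlsec1 --verify \
    --trusted-pem "$top/tests/keys/gost2001ca.pem" \
    --verification-time "2006-04-01 00:00:00" \
    "$top/tests/aleksey-xmldsig-01/enveloped-gost.xml"
}

# Usage:  sh gost-check.sh run /usr/lib/ssl/engines/libgost.so /path/to/xmlsec
# Nothing runs unless the first argument is "run", so the functions above can
# also be sourced from another script.
if [ "${1:-}" = "run" ]; then
  cfg="${TMPDIR:-/tmp}/openssl-gost.cnf"
  write_gost_config "$cfg" "${2:-}"
  if gost_engine_loads "$cfg"; then
    verify_enveloped_gost "$cfg" "${3:-.}"
  else
    echo "GOST engine does not load with $cfg; check dynamic_path" >&2
    exit 1
  fi
fi
```

For `make check` instead of a single file, export the same config the way the thread does (`OPENSSL_CONF=$cfg make check`) after `gost_engine_loads` succeeds; if it fails, the enveloped-gost test will fail for a configuration reason before xmlsec touches the signature.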

