[xmlsec] OpenSSL Gost support - final patch

Roumen Petrov xmlsec at roumenpetrov.info
Fri Sep 9 01:39:49 PDT 2011


Dmitry Belyavsky wrote:
> Greetings!
>
> On Thu, Sep 8, 2011 at 8:43 PM, Roumen Petrov<xmlsec at roumenpetrov.info>  wrote:
>
>> Dmitry Belyavsky wrote:
>>
>>> Greetings!
>>>
>>> It seems to work. It's compatible with the example provided before
>>> (xmlsec1 --verify --trusted-pem tests/keys/gost2001ca.pem
>>> --verification-time "2006-04-01 00:00:00"
>>> tests/aleksey-xmldsig-01/enveloped-gost.xml is successful) and
>>> self-compatible.
>>>
>>> On Wed, Sep 7, 2011 at 2:32 AM, Aleksey Sanin<aleksey at aleksey.com>    wrote:
>>>
>>>> [SNIP]
>>>>
>>
>> Which openssl version was the first to offer GOST support, even as an externally
>> maintained patch?
>>
>>
>> If the first is 0.9.8, I think that the xmlsec regression test could be automated.
>>
> Unfortunately, no. You need the 1.0 version with the gost engine enabled
> through the openssl.cnf file according to the README.gost file.
>
So I'm not familiar with the status of GOST support in OpenSSL. An Internet 
search points to a page on cryptocom.ru where a patch for openssl 
0.9.8 is listed.
I cannot find an earlier version.
> BTW, does anybody really need the pre-0.9.8 version of the OpenSSL
> library (and its support)?
>
Maybe nobody. I ask because the openssl engine configuration is different 
between openssl versions 0.9.7 and 0.9.8+.

So, following the README.gost guide, I do this:

$ cd [XMLSEC_TOP_BUILD_DIR]

$ cat openssl.cnf
openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
gost = gost_section

[ gost_section ]
#engine_id = gost
#dynamic_path = /usr/lib/ssl/engines/libgost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

$ OPENSSL_CONF=`pwd`/openssl.cnf \
make check

The result is this (extract from the console log):
......
--------- These tests CAN FAIL (extra OS config required) ----------
aleksey-xmldsig-01/enveloped-gost
     Checking required transforms                            OK
     Checking required key data                              OK
     Verify existing signature                               OK
.......

With the above I confirm that the xmlsec tests could be fully automated.
Tested with openssl 1.0.0e, dynamic engine build including GOST engine.

Regards,
Roumen
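A check for the automated run described above, added here as an example and not code from xmlsec or from anyone in this thread: it parses the `make check` console output quoted in the mail and fails hard when a test that must pass, or a test the caller explicitly requires (such as enveloped-gost once OPENSSL_CONF points at the engine), did not end with OK; without such a check a missing GOST engine only shows up in the "CAN FAIL" section and the run still looks green. The wording of the MUST-pass section header and the non-OK status text `Fail` are assumptions, as is the sample log.

```python
"""Parse xmlsec `make check` output and enforce that required tests passed."""
import re

# Constructed sample log: the CAN FAIL block mirrors the extract quoted in
# the mail; the MUST-pass header and the enveloped-dsa entry are assumed.
SAMPLE_LOG = """\
--------- These tests MUST pass ----------
aleksey-xmldsig-01/enveloped-dsa
    Checking required transforms                            OK
    Verify existing signature                               OK
--------- These tests CAN FAIL (extra OS config required) ----------
aleksey-xmldsig-01/enveloped-gost
    Checking required transforms                            OK
    Checking required key data                              OK
    Verify existing signature                               OK
"""

SECTION_RE = re.compile(r"^-+ These tests (MUST pass|CAN FAIL).*-+$")
# Indented check line: "<check name>   <status>" separated by 2+ spaces.
CHECK_RE = re.compile(r"^\s+(.+?)\s{2,}(\S+)\s*$")


def parse_check_log(text):
    """Return {test_name: {"can_fail": bool, "checks": {check: status}}}."""
    results, can_fail, current = {}, False, None
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) == {"."}:
            continue  # blank lines and the "......" separators in the log
        m = SECTION_RE.match(line)
        if m:
            can_fail = m.group(1) == "CAN FAIL"
            continue
        m = CHECK_RE.match(line)
        if m and current:
            results[current]["checks"][m.group(1)] = m.group(2)
        elif not line[0].isspace():
            current = line.strip()  # unindented line names the next test
            results[current] = {"can_fail": can_fail, "checks": {}}
    return results


def failures(results, required=()):
    """Tests that fail the run: every MUST-pass test and every test named in
    `required` must be present, have at least one check, and be all OK."""
    bad = []
    for name, r in results.items():
        if not r["can_fail"] or name in required:
            if not r["checks"] or any(s != "OK" for s in r["checks"].values()):
                bad.append(name)
    bad.extend(name for name in required if name not in results)
    return bad
```

Pass the GOST test name in `required` whenever the build is expected to have the engine loaded via OPENSSL_CONF, so a silently skipped or failing GOST verification breaks the run instead of hiding in the CAN FAIL section.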
