[xmlsec] OpenSSL Gost support - final patch
xmlsec at roumenpetrov.info
Fri Sep 9 01:39:49 PDT 2011
Dmitry Belyavsky wrote:
> On Thu, Sep 8, 2011 at 8:43 PM, Roumen Petrov<xmlsec at roumenpetrov.info> wrote:
>> Dmitry Belyavsky wrote:
>>> It seems to work. It's compatible with example provided before
>>> (xmlsec1 --verify --trusted-pem tests/keys/gost2001ca.pem
>>> --verification-time "2006-04-01 00:00:00"
>>> tests/aleksey-xmldsig-01/enveloped-gost.xml is successful) and
>>> On Wed, Sep 7, 2011 at 2:32 AM, Aleksey Sanin<aleksey at aleksey.com> wrote:
>> Which openssl version first offered GOST support, even as an externally
>> maintained patch?
>> If the first is 0.9.8, I think that the xmlsec regression test could be automated.
> Unfortunately, no. You need the 1.0 version with the gost engine enabled
> through the openssl.cnf file, according to the README.gost file.
So I'm not familiar with the status of GOST support in OpenSSL. An Internet
search points to a page on cryptocom.ru where a patch for openssl is listed;
I cannot find an earlier version.
> BTW, does anybody really need the pre-0.9.8 version of the OpenSSL
> library (and its support)?
Maybe nobody. I ask because the openssl engine configuration is different
between openssl versions 0.9.7 and 0.9.8+.
So, following the README.gost guide, I do this:
$ cd [XMLSEC_TOP_BUILD_DIR]
$ cat openssl.cnf
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
gost = gost_section
[ gost_section ]
#engine_id = gost
#dynamic_path = /usr/lib/ssl/engines/libgost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
$ OPENSSL_CONF=`pwd`/openssl.cnf \
The result is this (extract from the console log):
--------- These tests CAN FAIL (extra OS config required) ----------
Checking required transforms OK
Checking required key data OK
Verify existing signature OK
With the above I confirm that the xmlsec test could be fully automated.
Tested with openssl 1.0.0e, dynamic engine build including GOST engine.
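As an added example (not code from the thread or from the xmlsec project), the steps above as one reproducible check: it writes the openssl.cnf from the message, confirms that OpenSSL can actually load the gost engine under that config (the "extra OS config required" precondition), and only then runs the xmlsec1 verification with the CA and verification time quoted in the thread. The optional engine .so path argument, the temporary file location and the `run` argument are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the xmlsec thread. Run from [XMLSEC_TOP_BUILD_DIR]:
#   sh gost-check.sh run [/path/to/libgost.so]

# Emit the openssl.cnf from the thread. If $1 (assumed: path of a dynamically
# loaded GOST engine) is given, engine_id/dynamic_path are added; the thread
# leaves them commented out and relies on OpenSSL's default engine directory.
gost_cnf() {
    printf '%s\n' \
        'openssl_conf = openssl_def' \
        '[ openssl_def ]' \
        'engines = engine_section' \
        '[ engine_section ]' \
        'gost = gost_section' \
        '[ gost_section ]'
    if [ -n "${1:-}" ]; then
        printf 'engine_id = gost\ndynamic_path = %s\n' "$1"
    fi
    printf '%s\n' \
        'default_algorithms = ALL' \
        'CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet'
}

# Return 0 only if OpenSSL reports the gost engine as available under the
# given config file; this is what the test harness means by "CAN FAIL".
gost_engine_ok() {
    OPENSSL_CONF="$1" openssl engine -t gost 2>/dev/null | grep -q '\[ available \]'
}

# The verification from the thread; xmlsec1 exits 0 on a valid signature.
verify_gost_sample() {
    OPENSSL_CONF="$1" xmlsec1 --verify \
        --trusted-pem tests/keys/gost2001ca.pem \
        --verification-time "2006-04-01 00:00:00" \
        tests/aleksey-xmldsig-01/enveloped-gost.xml
}

main() {
    cnf="${TMPDIR:-/tmp}/gost-openssl.cnf"   # assumed temp location
    gost_cnf "${1:-}" > "$cnf"
    if ! gost_engine_ok "$cnf"; then
        echo "gost engine not loadable with $cnf (check engine dir/dynamic_path)" >&2
        exit 2
    fi
    verify_gost_sample "$cnf" && echo "GOST signature verified OK"
}

case "${1:-}" in run) shift; main "$@" ;; esac
```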