[xmlsec] The support of new GOST algorithms in xmlsec

Aleksey Sanin aleksey at aleksey.com
Mon Sep 9 10:25:36 PDT 2013


Copy/paste/replace is probably a bad idea. If you set up a new URI
mapping to a new key data/transform then at any point in the code
you will have access to the relevant object "id" (e.g. see
xmlSecOpenSSLEvpSignatureCheckId). Then you can have common functions
implementing both old and new GOST algorithms and just tweak them
as necessary based on the object "id".

Does it make sense? Or did I misunderstand your question?


Aleksey

On 9/9/13 5:48 AM, Dmitry Belyavsky wrote:
> Greetings!
> 
> There are new digest and signature algorithms in Russia, the standards
> were published in 2012.
> I'm thinking about implementing their support at least for the openssl
> backend in the xmlsec.
> 
> It seems to me that the difference from the current implementation will
> be very small and include only some points:
> - The URIs identifying algorithms
> - The string names of algorithms
> - The lengths of keys, signature and digests.
> 
> It makes no sense to provide a custom format for public key
> representation, and either the tag containing the X.509 cert itself or the
> tags containing issuer and serial are enough. So I think it will be
> better to implement a common solution for such cases. Of course, I can
> just clone the current GOST algorithms' Klass structures and call a
> search-and-replace, but it seems to be not a very good idea at all.
> 
> Can you give me a piece of advice on what would be the best way to provide
> support for such cases?
> 
> Thank you!
> 
> -- 
> SY, Dmitry Belyavsky
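
Added example (not part of either message and not xmlsec code): a self-contained C sketch of the approach suggested in the reply, where each algorithm gets its own klass object and URI, and shared GOST functions branch on the object "id". All `demo_*` names, algorithm names and URIs are hypothetical placeholders; only the digest sizes (32 bytes for GOST R 34.11-94, 32 or 64 bytes for GOST R 34.11-2012) are taken from the standards.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for an xmlsec transform klass. One static object per
 * algorithm; its address is the object "id". Names and URIs are placeholders. */
typedef struct { const char *name; const char *href; } demo_klass;
typedef const demo_klass *demo_id;

static const demo_klass demo_gost94       = { "demo-gost94",       "urn:example:gost94" };
static const demo_klass demo_gost2012_256 = { "demo-gost2012-256", "urn:example:gost2012-256" };
static const demo_klass demo_gost2012_512 = { "demo-gost2012-512", "urn:example:gost2012-512" };
static const demo_klass demo_other        = { "demo-other",        "urn:example:other" };

static const demo_klass *const demo_all[] = {
    &demo_gost94, &demo_gost2012_256, &demo_gost2012_512, &demo_other
};

/* URI mapping: resolve an Algorithm attribute value to an id, NULL if unknown. */
demo_id demo_id_by_href(const char *href) {
    size_t i;
    if (href == NULL) return NULL;
    for (i = 0; i < sizeof(demo_all) / sizeof(demo_all[0]); i++)
        if (strcmp(demo_all[i]->href, href) == 0) return demo_all[i];
    return NULL;
}

/* The only per-algorithm tweak in the shared code: digest size in bytes
 * (GOST R 34.11-94: 32; GOST R 34.11-2012: 32 or 64). 0 = not a GOST id. */
size_t demo_gost_digest_len(demo_id id) {
    if (id == &demo_gost94 || id == &demo_gost2012_256) return 32;
    if (id == &demo_gost2012_512) return 64;
    return 0;
}

/* Analogue of a CheckId helper: does the shared GOST code handle this id? */
int demo_gost_check_id(demo_id id) { return demo_gost_digest_len(id) != 0; }

/* Shared final step for all three algorithms. The length comes from the id,
 * so a caller buffer sized for the old 32-byte digest is rejected for the
 * 64-byte variant instead of being overrun. Returns bytes written or -1. */
int demo_gost_store_digest(demo_id id, const unsigned char *md, size_t md_len,
                           unsigned char *out, size_t out_size) {
    size_t need = demo_gost_digest_len(id);
    if (need == 0 || md == NULL || out == NULL) return -1;
    if (md_len != need || out_size < need) return -1;
    memcpy(out, md, need);
    return (int)need;
}
```

Deriving every length from the id in one place is what keeps a shared implementation safe when a longer digest is added: a search-and-replace clone would carry any hard-coded 32-byte assumption into the 64-byte algorithm.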