[ruby-core:70742] [Ruby trunk - Feature #9830] Support for GOST private/public keys

From: zzak@...
Date: 2015-09-13 03:10:07 UTC
List: ruby-core #70742
Issue #9830 has been updated by Zachary Scott.

Assignee changed from Martin Bosslet to openssl

----------------------------------------
Feature #9830: Support for GOST private/public keys
https://bugs.ruby-lang.org/issues/9830#change-54121

* Author: Andrey Novikov
* Status: Assigned
* Priority: Normal
* Assignee: openssl
----------------------------------------
Hello everyone.

We're required to use GOST encryption algorithms for signing requests, interacting with HTTPS services with client certificate authentication and so on.

OpenSSL 1.0.0 is bundled with GOST engine, and, if correctly configured, can handle all of these tasks from command line. Also see #9822.

**Issue**

Ruby can't read GOST private and public keys:

~~~
ruby> privkey = OpenSSL::PKey.read(File.read('gost_r_34_10_2001_private_key.pem'))
OpenSSL::PKey::PKeyError: unsupported key type
ruby> # Same for public keys
ruby> crt = OpenSSL::X509::Certificate.new(File.read('gost_r_34_10_2001_certificate.pem'))
ruby> crt.public_key
OpenSSL::PKey::PKeyError: unsupported key type
~~~

The problem is there is no "Generic PKey" class in Ruby's OpenSSL.

In the source, in `ext/openssl/openssl_pkey.c` at line 76 in method `ossl_pkey_new`, the key type is examined and the appropriate Ruby class is created. But GOST R 34.10-2001 keys have type `NID_id_GostR3410_2001` (811), and Ruby fails.

**Possible solution**

GOST keys are EC keys in fact (at least for GOST R 34.10-2001). And, if I add `case NID_id_GostR3410_2001:` right before `case EVP_PKEY_EC:` and remove checks about key type in `ext/openssl/openssl_pkey_ec.c` – everything will work.

To illustrate this, I've attached required patches (one from issue #9822), self-signed GOST R 34.10-2001 certificate with private key and two test scripts.

**NOTE**: You will need OpenSSL version 1.0.0 or newer with correct configuration, see links below!

**Question**

How should GOST key support be implemented in Ruby? Should it even use `OpenSSL::PKey::EC`, or maybe subclass from it?

I'm experienced in neither C programming nor cryptography, but I would be glad to help with the implementation of this.

**Further information**

* **README.gost**: Instructions for setting up OpenSSL and usage: https://github.com/openssl/openssl/blob/master/engines/ccgost/README.gost
* **OpenSSL GOST engine source**: https://github.com/openssl/openssl/tree/master/engines/ccgost
* **RFC 5830**: GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms:
  http://tools.ietf.org/html/rfc5830
* **RFC 5831**: GOST R 34.11-94: Hash Function Algorithm:
  http://tools.ietf.org/html/rfc5831
* **RFC 5832**: GOST R 34.10-2001: Digital Signature Algorithm:
  http://tools.ietf.org/html/rfc5832
* **RFC 4491**: Using the GOST Algorithms with the Internet X.509 Public Key Infrastructure:
  http://tools.ietf.org/html/rfc4491
* **RFC 4490**: Using the GOST Algorithms with Cryptographic Message Syntax (CMS):
  http://tools.ietf.org/html/rfc4490
* **RFC 4357**: Additional Cryptographic Algorithms for Use with GOST Algorithms
* Some stackoverflow.com related questions: http://stackoverflow.com/questions/12868384/openssl-gost-parameter-set and http://stackoverflow.com/questions/14580340/generate-gost-34-10-2001-keypair-and-save-it-to-some-keystore


---Files--------------------------------
gost_keys_support_draft.patch (1.92 KB)
gost_r_34_10_2001_certificate.pem (826 Bytes)
gost_r_34_10_2001_private_key.pem (152 Bytes)
gost_sigining.rb (541 Bytes)
gost_ssl_example_with_certs.rb (742 Bytes)
respect_system_openssl_settings.patch (430 Bytes)


-- 
https://bugs.ruby-lang.org/
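
When `OpenSSL::PKey.read` reports `unsupported key type` as in the message above, the key's AlgorithmIdentifier can still be read with `OpenSSL::ASN1` to confirm which algorithm the file carries. The following is an added example, not code from the original post or from Ruby's OpenSSL extension; the helper names are hypothetical, the sample key is constructed (zero-filled, not a usable key), and the GOST OIDs are the ones defined in RFC 4357.

```ruby
require "openssl"

# Algorithm OIDs: the GOST value is from RFC 4357, the others from RFC 3279.
KEY_ALGORITHMS = {
  "1.2.643.2.2.19"       => "GOST R 34.10-2001",
  "1.2.840.10045.2.1"    => "EC",
  "1.2.840.113549.1.1.1" => "RSA",
}.freeze

# Accept PEM text or raw DER and return DER bytes.
def to_der(data)
  return data unless data.include?("-----BEGIN")
  data.lines.reject { |l| l.start_with?("-----") }.join.unpack1("m")
end

# Return the key algorithm OID from a PKCS#8 PrivateKeyInfo or an X.509
# SubjectPublicKeyInfo without asking OpenSSL::PKey to load the key.
def key_algorithm_oid(data)
  seq = OpenSSL::ASN1.decode(to_der(data))
  raise ArgumentError, "not a SEQUENCE" unless seq.is_a?(OpenSSL::ASN1::Sequence)
  # PrivateKeyInfo starts with an INTEGER version; SubjectPublicKeyInfo does not.
  alg = seq.value[0].is_a?(OpenSSL::ASN1::Integer) ? seq.value[1] : seq.value[0]
  oid = alg.is_a?(OpenSSL::ASN1::Sequence) ? alg.value[0] : nil
  raise ArgumentError, "no AlgorithmIdentifier" unless oid.is_a?(OpenSSL::ASN1::ObjectId)
  oid.oid # dotted form, independent of the names the linked OpenSSL knows
end

def key_algorithm_name(data)
  oid = key_algorithm_oid(data)
  KEY_ALGORITHMS.fetch(oid, "unknown (#{oid})")
end

# Constructed sample: a SubjectPublicKeyInfo shaped as in RFC 4491, with an
# all-zero 64-byte value where a real public key would be.
def sample_gost_spki_pem
  params = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new("1.2.643.2.2.35.1"), # CryptoPro-A curve parameters
    OpenSSL::ASN1::ObjectId.new("1.2.643.2.2.30.1"), # GOST R 34.11-94 parameters
  ])
  alg = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new("1.2.643.2.2.19"), params])
  key = OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::OctetString.new("\x00".b * 64).to_der)
  der = OpenSSL::ASN1::Sequence.new([alg, key]).to_der
  "-----BEGIN PUBLIC KEY-----\n#{[der].pack('m')}-----END PUBLIC KEY-----\n"
end

puts key_algorithm_name(sample_gost_spki_pem) if $PROGRAM_NAME == __FILE__
```
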
