Support for GOST private/public keys
We're required to use GOST encryption algorithms for signing requests, interacting with HTTPS services with client certificate authentication and so on.
OpenSSL 1.0.0 is bundled with GOST engine, and, if correctly configured, can handle all of these tasks from command line. Also see #9822.
Ruby can't read GOST private and public keys:
ruby> privkey = OpenSSL::PKey.read(File.read('gost_r_34_10_2001_private_key.pem')) OpenSSL::PKey::PKeyError: unsupported key type ruby> # Same for public keys ruby> crt = OpenSSL::X509::Certificate.new(File.read('gost_r_34_10_2001_certificate.pem')) ruby> crt.public_key OpenSSL::PKey::PKeyError: unsupported key type
The problem is there is no "Generic PKey" class in Ruby's OpenSSL.
In source in
ext/openssl/openssl_pkey.c at line 76 in method
ossl_pkey_new there is examination of key type and creating appropriate Ruby classes. But GOST R 34.10-2001 key type have type
NID_id_GostR3410_2001 (811), and Ruby fails.
GOST keys are EC keys in fact (at least for GOST R 34.10-2001). And, if I add
case NID_id_GostR3410_2001: right before
case EVP_PKEY_EC: and remove checks about key type in
ext/openssl/openssl_pkey_ec.c – everything will work.
To illustrate this, I've attached required patches (one from issue #9822), self-signed GOST R 34.10-2001 certificate with private key and two test scripts.
NOTE: You will need OpenSSL version 1.0.0 or newer with correct configuration, see links below!
How should GOST keys support implemented in Ruby? Should it even use
OpenSSL::PKey::EC, or, may be, subclass from it?
I'm not experienced neither in C programming nor in cryptography, but I would be glad to help with the implementation of this.
- README.gost: Instructions for setting up OpenSSL and usage: https://github.com/openssl/openssl/blob/master/engines/ccgost/README.gost
- OpenSSL GOST engine source: https://github.com/openssl/openssl/tree/master/engines/ccgost
- RFC 5830: GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms: http://tools.ietf.org/html/rfc5830
- RFC 5831: GOST R 34.11-94: Hash Function Algorithm: http://tools.ietf.org/html/rfc5831
- RFC 5832: GOST R 34.10-2001: Digital Signature Algorithm: http://tools.ietf.org/html/rfc5832
- RFC 4491: Using the GOST Algorithms with the Internet X.509 Public Key Infrastructure: http://tools.ietf.org/html/rfc4491
- RFC 4490: Using the GOST Algorithms with Cryptographic Message Syntax (CMS): http://tools.ietf.org/html/rfc4490
- RFC 4357: Additional Cryptographic Algorithms for Use with GOST Algorithms
- Some stackoverflow.com related questions: http://stackoverflow.com/questions/12868384/openssl-gost-parameter-set and http://stackoverflow.com/questions/14580340/generate-gost-34-10-2001-keypair-and-save-it-to-some-keystore
#3 Updated by Andrey Novikov about 1 year ago
I've tried to subclass OpenSSL::PKey::EC, it compiles, but new class is not available: https://github.com/Envek/ruby/commit/ecd27db1578ecc2722442a262b7078f92066d5f6