Feature #9830
open
Support for GOST private/public keys
Description
Hello everyone.
We're required to use GOST encryption algorithms for signing requests, interacting with HTTPS services with client certificate authentication and so on.
OpenSSL 1.0.0 is bundled with GOST engine, and, if correctly configured, can handle all of these tasks from command line. Also see #9822.
Issue
Ruby can't read GOST private and public keys:
ruby> privkey = OpenSSL::PKey.read(File.read('gost_r_34_10_2001_private_key.pem'))
OpenSSL::PKey::PKeyError: unsupported key type
ruby> # Same for public keys
ruby> crt = OpenSSL::X509::Certificate.new(File.read('gost_r_34_10_2001_certificate.pem'))
ruby> crt.public_key
OpenSSL::PKey::PKeyError: unsupported key type
The problem is there is no "Generic PKey" class in Ruby's OpenSSL.
In source in ext/openssl/openssl_pkey.c at line 76 in method ossl_pkey_new there is examination of key type and creating appropriate Ruby classes. But GOST R 34.10-2001 key type have type NID_id_GostR3410_2001 (811), and Ruby fails.
Possible solution
GOST keys are EC keys in fact (at least for GOST R 34.10-2001). And, if I add case NID_id_GostR3410_2001: right before case EVP_PKEY_EC: and remove checks about key type in ext/openssl/openssl_pkey_ec.c – everything will work.
To illustrate this, I've attached required patches (one from issue #9822), self-signed GOST R 34.10-2001 certificate with private key and two test scripts.
NOTE: You will need OpenSSL version 1.0.0 or newer with correct configuration, see links below!
Question
How should GOST keys support implemented in Ruby? Should it even use OpenSSL::PKey::EC, or, may be, subclass from it?
I'm not experienced neither in C programming nor in cryptography, but I would be glad to help with the implementation of this.
Further information
- README.gost: Instructions for setting up OpenSSL and usage: https://github.com/openssl/openssl/blob/master/engines/ccgost/README.gost
- OpenSSL GOST engine source: https://github.com/openssl/openssl/tree/master/engines/ccgost
-
RFC 5830: GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms:
http://tools.ietf.org/html/rfc5830 -
RFC 5831: GOST R 34.11-94: Hash Function Algorithm:
http://tools.ietf.org/html/rfc5831 -
RFC 5832: GOST R 34.10-2001: Digital Signature Algorithm:
http://tools.ietf.org/html/rfc5832 -
RFC 4491: Using the GOST Algorithms with the Internet X.509 Public Key Infrastructure:
http://tools.ietf.org/html/rfc4491 -
RFC 4490: Using the GOST Algorithms with Cryptographic Message Syntax (CMS):
http://tools.ietf.org/html/rfc4490 - RFC 4357: Additional Cryptographic Algorithms for Use with GOST Algorithms
- Some stackoverflow.com related questions: http://stackoverflow.com/questions/12868384/openssl-gost-parameter-set and http://stackoverflow.com/questions/14580340/generate-gost-34-10-2001-keypair-and-save-it-to-some-keystore
Files
Updated by zzak (zzak _) over 10 years ago
- Status changed from Open to Assigned
- Target version set to 2.2.0
Updated by zzak (zzak _) over 10 years ago
- Tracker changed from Bug to Feature
I would consider this a feature, and requires Martin's approval && review.
Updated by Envek (Andrey Novikov) about 10 years ago
I've tried to subclass OpenSSL::PKey::EC, it compiles, but new class is not available: https://github.com/Envek/ruby/commit/ecd27db1578ecc2722442a262b7078f92066d5f6
Updated by zzak (zzak _) about 9 years ago
- Assignee changed from MartinBosslet (Martin Bosslet) to 7150
Updated by hsbt (Hiroshi SHIBATA) almost 2 years ago
- Assignee set to rhenium (Kazuki Yamaguchi)