Project

General

Profile

Actions

Feature #9830

open

Support for GOST private/public keys

Added by Envek (Andrey Novikov) over 10 years ago. Updated almost 2 years ago.

Status:
Assigned
Target version:
-
[ruby-core:62534]

Description

Hello everyone.

We're required to use GOST encryption algorithms for signing requests, interacting with HTTPS services with client certificate authentication and so on.

OpenSSL 1.0.0 is bundled with GOST engine, and, if correctly configured, can handle all of these tasks from command line. Also see #9822.

Issue

Ruby can't read GOST private and public keys:

ruby> privkey = OpenSSL::PKey.read(File.read('gost_r_34_10_2001_private_key.pem'))
OpenSSL::PKey::PKeyError: unsupported key type
ruby> # Same for public keys
ruby> crt = OpenSSL::X509::Certificate.new(File.read('gost_r_34_10_2001_certificate.pem'))
ruby> crt.public_key
OpenSSL::PKey::PKeyError: unsupported key type

The problem is there is no "Generic PKey" class in Ruby's OpenSSL.

In source in ext/openssl/openssl_pkey.c at line 76 in method ossl_pkey_new there is examination of key type and creating appropriate Ruby classes. But GOST R 34.10-2001 key type have type NID_id_GostR3410_2001 (811), and Ruby fails.

Possible solution

GOST keys are EC keys in fact (at least for GOST R 34.10-2001). And, if I add case NID_id_GostR3410_2001: right before case EVP_PKEY_EC: and remove checks about key type in ext/openssl/openssl_pkey_ec.c – everything will work.

To illustrate this, I've attached required patches (one from issue #9822), self-signed GOST R 34.10-2001 certificate with private key and two test scripts.

NOTE: You will need OpenSSL version 1.0.0 or newer with correct configuration, see links below!

Question

How should GOST keys support implemented in Ruby? Should it even use OpenSSL::PKey::EC, or, may be, subclass from it?

I'm not experienced neither in C programming nor in cryptography, but I would be glad to help with the implementation of this.

Further information


Files

gost_keys_support_draft.patch (1.92 KB) gost_keys_support_draft.patch Patch illustrating this issue Envek (Andrey Novikov), 05/11/2014 08:27 PM
gost_r_34_10_2001_certificate.pem (826 Bytes) gost_r_34_10_2001_certificate.pem GOST R 34.10-2001 self-signed certificate Envek (Andrey Novikov), 05/11/2014 08:27 PM
gost_r_34_10_2001_private_key.pem (152 Bytes) gost_r_34_10_2001_private_key.pem GOST R 34.10-2001 private key Envek (Andrey Novikov), 05/11/2014 08:27 PM
gost_sigining.rb (541 Bytes) gost_sigining.rb Test script: digital signature creating and verifying Envek (Andrey Novikov), 05/11/2014 08:27 PM
gost_ssl_example_with_certs.rb (742 Bytes) gost_ssl_example_with_certs.rb Test script: connecting to GOST HTTPS with certificate auth Envek (Andrey Novikov), 05/11/2014 08:27 PM
respect_system_openssl_settings.patch (430 Bytes) respect_system_openssl_settings.patch Patch from #9822 (required!) Envek (Andrey Novikov), 05/11/2014 08:27 PM

Updated by zzak (zzak _) over 10 years ago

  • Status changed from Open to Assigned
  • Target version set to 2.2.0

Updated by zzak (zzak _) over 10 years ago

  • Tracker changed from Bug to Feature

I would consider this a feature, and requires Martin's approval && review.

Updated by Envek (Andrey Novikov) about 10 years ago

I've tried to subclass OpenSSL::PKey::EC, it compiles, but new class is not available: https://github.com/Envek/ruby/commit/ecd27db1578ecc2722442a262b7078f92066d5f6

Actions #4

Updated by zzak (zzak _) about 9 years ago

  • Assignee changed from MartinBosslet (Martin Bosslet) to 7150

Updated by hsbt (Hiroshi SHIBATA) almost 2 years ago

  • Assignee set to rhenium (Kazuki Yamaguchi)
Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0