Feature #9830

Support for GOST private/public keys

Added by Andrey Novikov about 1 year ago. Updated 10 months ago.

[ruby-core:62534]
Status:Assigned
Priority:Normal
Assignee:Martin Bosslet

Description

Hello everyone.

We're required to use GOST encryption algorithms for signing requests, interacting with HTTPS services with client certificate authentication and so on.

OpenSSL 1.0.0 is bundled with GOST engine, and, if correctly configured, can handle all of these tasks from command line. Also see #9822.

Issue

Ruby can't read GOST private and public keys:

ruby> privkey = OpenSSL::PKey.read(File.read('gost_r_34_10_2001_private_key.pem'))
OpenSSL::PKey::PKeyError: unsupported key type
ruby> # Same for public keys
ruby> crt = OpenSSL::X509::Certificate.new(File.read('gost_r_34_10_2001_certificate.pem'))
ruby> crt.public_key
OpenSSL::PKey::PKeyError: unsupported key type

The problem is there is no "Generic PKey" class in Ruby's OpenSSL.

In source in ext/openssl/openssl_pkey.c at line 76 in method ossl_pkey_new there is examination of key type and creating appropriate Ruby classes. But GOST R 34.10-2001 key type have type NID_id_GostR3410_2001 (811), and Ruby fails.

Possible solution

GOST keys are EC keys in fact (at least for GOST R 34.10-2001). And, if I add case NID_id_GostR3410_2001: right before case EVP_PKEY_EC: and remove checks about key type in ext/openssl/openssl_pkey_ec.c – everything will work.

To illustrate this, I've attached required patches (one from issue #9822), self-signed GOST R 34.10-2001 certificate with private key and two test scripts.

NOTE: You will need OpenSSL version 1.0.0 or newer with correct configuration, see links below!

Question

How should GOST keys support implemented in Ruby? Should it even use OpenSSL::PKey::EC, or, may be, subclass from it?

I'm not experienced neither in C programming nor in cryptography, but I would be glad to help with the implementation of this.

Further information

gost_keys_support_draft.patch Magnifier - Patch illustrating this issue (1.92 KB) Andrey Novikov, 05/11/2014 08:27 PM

gost_r_34_10_2001_certificate.pem - GOST R 34.10-2001 self-signed certificate (826 Bytes) Andrey Novikov, 05/11/2014 08:27 PM

gost_r_34_10_2001_private_key.pem - GOST R 34.10-2001 private key (152 Bytes) Andrey Novikov, 05/11/2014 08:27 PM

gost_sigining.rb Magnifier - Test script: digital signature creating and verifying (541 Bytes) Andrey Novikov, 05/11/2014 08:27 PM

gost_ssl_example_with_certs.rb Magnifier - Test script: connecting to GOST HTTPS with certificate auth (742 Bytes) Andrey Novikov, 05/11/2014 08:27 PM

respect_system_openssl_settings.patch Magnifier - Patch from #9822 (required!) (430 Bytes) Andrey Novikov, 05/11/2014 08:27 PM

History

#1 Updated by Zachary Scott 11 months ago

  • Status changed from Open to Assigned
  • Target version set to current: 2.2.0

#2 Updated by Zachary Scott 11 months ago

  • Tracker changed from Bug to Feature

I would consider this a feature, and requires Martin's approval && review.

#3 Updated by Andrey Novikov 10 months ago

I've tried to subclass OpenSSL::PKey::EC, it compiles, but new class is not available: https://github.com/Envek/ruby/commit/ecd27db1578ecc2722442a262b7078f92066d5f6

Also available in: Atom PDF