<div dir="ltr">Hello Arseniy,<div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 7, 2015 at 9:37 AM, Arseniy Ankudinov <span dir="ltr"><<a href="mailto:a.ankudinov@drweb.com" target="_blank">a.ankudinov@drweb.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">We strictly need use our custom paramsets for GOST algorithms (all of cipher, hash and signature,<br>
including X509 and TLS). If most of the functionality may be implemented by "dirty" overriding<br>
initialization methods, X509 requires ccgost engine sources patching.<br>
<br>
Seems 2 ways:<br>
1. Put our paramsets into ccgost sources and simple support for several paramsets in ASN1 hash<br>
params serializing.<br>
2. Allow set any paramset from outside.<br>
<br>
First way seems the simplest, but second - more universal and useful.<br></blockquote><div><br></div><div>The 2nd way is not universal until the GOST algorithms become the 1st-class citizens. And becoming the 1st-class citizens is hardly possible.</div><div>So the patch you suggest is engine-specific, and it means that it will be unsuitable for any other implementation.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Our current implementation for second way (see attached patch) requires ccgost engine directly<br>
using, not only through high-level APIs.<br>
<br>
Example of usage for X509 (GOST 28147-89, GOST R 34.10-2001 and GOST R 34.11-94, with one paramset<br>
for cipher and hash):<br>
<br>
1. Add custom paramsets to chains:<br>
<br>
gost2001_paramset_append( gost2001_custom_paramset );<br>
gost_cipher_list_append( gost89_custom_paramset );<br>
<br>
2. Make private key for certificate:<br>
<br>
EC_KEY *ec( EC_KEY_new() );<br>
BN_CTX *ctx( BN_CTX_new() );<br>
BN_CTX_start( ctx );<br>
EC_GROUP *grp( EC_GROUP_new_curve_GFp( gost2001_custom_paramset->p, gost2001_custom_paramset->a,<br>
gost2001_custom_paramset->b, ctx ) );<br>
EC_GROUP_set_curve_name( grp, NID_id_GostR3410_2001_DrWebParamSet );<br>
EC_POINT *P( EC_POINT_new( grp ) );<br>
EC_POINT_set_affine_coordinates_GFp( grp, P, gost2001_custom_paramset->x,<br>
gost2001_custom_paramset->y, ctx );<br>
EC_GROUP_set_generator( grp, P, gost2001_custom_paramset->q, 0 );<br>
EC_KEY_set_group( ec, grp );<br>
BN_CTX_end( ctx );<br>
<br>
EVP_PKEY *pkey( EVP_PKEY_new() );<br>
EVP_PKEY_assign( pkey, NID_id_GostR3410_2001, ec );<br>
<br>
GOST3410_EX_DATA *ex_data = GOST3410_get_ex_data( pkey );<br>
ex_data->hash_params_nid = NID_id_Gost28147_89_DrWebParamSet;<br>
ex_data->cipher_params_nid = NID_id_Gost28147_89_DrWebParamSet;<br>
<br>
Can this feature be useful for the community? And which way seems be more useful?<br>
<span class="HOEnZb"><font color="#888888">--<br>
With best regards, Arseniy Ankudinov<br>
Software Engineer, Doctor Web Ltd<br>
<br>
</font></span><br>_______________________________________________<br>
openssl-dev mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-dev" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">SY, Dmitry Belyavsky</div>
</div></div>