openssl and pluggable engine digests
Eugene M. Zheganin
eugene at zhegan.in
Wed Feb 15 06:58:48 UTC 2023
Hello,
On 14.02.2023 17:07, Dmitry Belyavsky wrote:
> Which engine do you use?
> I'd strongly recommend using gost-engine
> (https://github.com/gost-engine/engine) loading it via config.
> Also I'm not sure that `streebog256` is supported - it's an alias, the
> name is `md_gost12_256`
>
> On Tue, Feb 14, 2023 at 1:01 PM Eugene M. Zheganin <eugene at zhegan.in> wrote:
>
My bad, this is indeed https://github.com/gost-engine/engine, I've just
checked (phantom memories):
===Cut===
# git remote -v
origin https://github.com/gost-engine/engine (fetch)
origin https://github.com/gost-engine/engine (push)
# git log | head -n 10
commit b2b4d629f100eaee9f5942a106b1ccefe85b8808
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date:   Sat May 21 20:20:20 2022 +0200

    On unpacking key blob output buffer size should be fixed

    Related: CVE-2022-29242

commit 7df766124f87768b43b9e8947c5a01e17545772c
Author: Dmitry Belyavskiy <beldmit at gmail.com>
===Cut===
And I've also checked the md5 sum on gost.so and its copy in the
build directory, so it's the same file:
# md5sum /home/emz/src/engine/build/bin/gost.so
3464035a7a21ba47f2e0120e0ffb4af8 /home/emz/src/engine/build/bin/gost.so
# md5sum /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
3464035a7a21ba47f2e0120e0ffb4af8 /usr/local/openssl-3.0.7/lib64/engines-3/gost.s
===Cut===
# /usr/local/libressl/bin/openssl req -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pkeyopt paramset:A -md_gost12_256 -nodes \
  -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe at foo.bar" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Key parameter error "dgst:md_gost12_256"

# /usr/local/libressl/bin/openssl req -engine gost -engine_impl gost -newkey gost2001 -pkeyopt dgst:md_gost12_256 \
  -pkeyopt paramset:A -md_gost12_256 -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe at foo.bar" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Engine "gost" set.
req: Use -help for summary.

# /usr/local/libressl/bin/openssl req -engine gost -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pkeyopt paramset:A \
  -md_gost12_256 -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe at foo.bar" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Engine "gost" set.
Key parameter error "dgst:md_gost12_256"
===Cut===
So, the problem persists at least on its version from May 2022. Is
there any chance these commands will work on a more recent version of the
engine, or do I completely misunderstand how they should be called?
Engine is plugged in as:
===Cut===
[openssl_init]
engines = engine_section
providers = provider_sect
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
dynamic_path = /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
default_algorithms = ALL
===Cut===
Thanks.
Eugene.
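
An added example, not part of the original message and not code from the OpenSSL or gost-engine projects: a small Python check that follows the section references in an OpenSSL config (init section, `engines`, per-engine section) and reports any reference with no matching section. It runs on the fragment quoted in the message, which may be partial; the function names and the explicitly passed init section name are assumptions of the example.

```python
import re

# Constructed input: the config fragment quoted in the message. The message
# does not show the default-section `openssl_conf = ...` line, so the init
# section name is passed in explicitly (an assumption of this example).
SAMPLE = """\
[openssl_init]
engines = engine_section
providers = provider_sect
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
dynamic_path = /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
default_algorithms = ALL
"""

def parse(text):
    """Return {section: {key: value}}; keys before any header go in 'default'."""
    sections, cur = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            cur = header.group(1)
            sections.setdefault(cur, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[cur][key.strip()] = value.strip()
    return sections

def check_engine_chain(text, init_section=None):
    """Follow init section -> engines list -> engine sections; collect gaps."""
    cfg, engines, problems = parse(text), {}, []
    init = init_section or cfg["default"].get("openssl_conf")
    if init not in cfg:
        return engines, [f"init section {init!r} not found"]
    for key in ("engines", "providers"):
        ref = cfg[init].get(key)
        if ref is not None and ref not in cfg:
            problems.append(f"{key} = {ref}: no [{ref}] section in this text")
    for name, sect in cfg.get(cfg[init].get("engines"), {}).items():
        if sect in cfg:
            engines[name] = cfg[sect].get("dynamic_path")
        else:
            problems.append(f"engine {name}: no [{sect}] section in this text")
    return engines, problems

if __name__ == "__main__":
    print(check_engine_chain(SAMPLE, init_section="openssl_init"))
```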