[openssl-dev] [PATCH] GOST engine and custom paramsets

Arseniy Ankudinov a.ankudinov at drweb.com
Fri Aug 7 06:37:16 UTC 2015 

We strictly need use our custom paramsets for GOST algorithms (all of cipher, hash and signature,
including X509 and TLS). If most of the functionality may be implemented by "dirty" overriding
initialization methods, X509 requires ccgost engine sources patching.

Seems 2 ways:
1. Put our paramsets into ccgost sources and simple support for several paramsets in ASN1 hash
params serializing.
2. Allow set any paramset from outside.

First way seems the simplest, but second - more universal and useful.

Our current implementation for second way (see attached patch) requires ccgost engine directly
using, not only through high-level APIs.

Example of usage for X509 (GOST 28147-89, GOST R 34.10-2001 and GOST R 34.11-94, with one paramset
for cipher and hash):

1. Add custom paramsets to chains:

  gost2001_paramset_append( gost2001_custom_paramset );
  gost_cipher_list_append( gost89_custom_paramset );

2. Make private key for certificate:

  EC_KEY *ec( EC_KEY_new() );
  BN_CTX *ctx( BN_CTX_new() );
  BN_CTX_start( ctx );
  EC_GROUP *grp( EC_GROUP_new_curve_GFp( gost2001_custom_paramset->p, gost2001_custom_paramset->a,
gost2001_custom_paramset->b, ctx ) );
  EC_GROUP_set_curve_name( grp, NID_id_GostR3410_2001_DrWebParamSet );
  EC_POINT *P( EC_POINT_new( grp ) );
  EC_POINT_set_affine_coordinates_GFp( grp, P, gost2001_custom_paramset->x,
gost2001_custom_paramset->y, ctx );
  EC_GROUP_set_generator( grp, P, gost2001_custom_paramset->q, 0 );
  EC_KEY_set_group( ec, grp );
  BN_CTX_end( ctx );

  EVP_PKEY *pkey( EVP_PKEY_new() );
  EVP_PKEY_assign( pkey, NID_id_GostR3410_2001, ec );

  GOST3410_EX_DATA *ex_data = GOST3410_get_ex_data( pkey );
  ex_data->hash_params_nid = NID_id_Gost28147_89_DrWebParamSet;
  ex_data->cipher_params_nid = NID_id_Gost28147_89_DrWebParamSet;

Can this feature be useful for the community? And which way seems be more useful?
-- 
With best regards, Arseniy Ankudinov
Software Engineer, Doctor Web Ltd

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Deleted: tls_gost_custom_paramsets.patch
Type: text/x-moz-deleted
Size: 275 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150807/90a05e1f/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tls_gost_custom_paramsets.patch
Type: text/x-patch
Size: 37423 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150807/90a05e1f/attachment-0003.bin>

More information about the openssl-dev mailing list