[openssl-dev] [PATCH] GOST engine and custom paramsets

Dmitry Belyavsky beldmit at gmail.com
Sat Aug 15 11:52:29 UTC 2015


Hello Arseniy,

On Fri, Aug 7, 2015 at 9:37 AM, Arseniy Ankudinov <a.ankudinov at drweb.com> wrote:

> We strictly need to use our custom paramsets for GOST algorithms (all of
> cipher, hash and signature, including X509 and TLS). If most of the
> functionality may be implemented by "dirty" overriding of initialization
> methods, X509 requires patching the ccgost engine sources.
>
> There seem to be 2 ways:
> 1. Put our paramsets into the ccgost sources and add simple support for
> several paramsets in ASN1 hash params serializing.
> 2. Allow setting any paramset from outside.
>
> The first way seems the simplest, but the second is more universal and useful.
>

The 2nd way is not universal until the GOST algorithms become 1st-class
citizens. And becoming 1st-class citizens is hardly possible.
So the patch you suggest is engine-specific, and it means that it will be
unsuitable for any other implementation.


> Our current implementation for the second way (see attached patch) requires
> using the ccgost engine directly, not only through high-level APIs.
>
> Example of usage for X509 (GOST 28147-89, GOST R 34.10-2001 and GOST R
> 34.11-94, with one paramset for cipher and hash):
>
> 1. Add custom paramsets to chains:
>
>   gost2001_paramset_append( gost2001_custom_paramset );
>   gost_cipher_list_append( gost89_custom_paramset );
>
> 2. Make private key for certificate:
>
>   EC_KEY *ec( EC_KEY_new() );
>   BN_CTX *ctx( BN_CTX_new() );
>   BN_CTX_start( ctx );
>   EC_GROUP *grp( EC_GROUP_new_curve_GFp( gost2001_custom_paramset->p,
>       gost2001_custom_paramset->a, gost2001_custom_paramset->b, ctx ) );
>   EC_GROUP_set_curve_name( grp, NID_id_GostR3410_2001_DrWebParamSet );
>   EC_POINT *P( EC_POINT_new( grp ) );
>   EC_POINT_set_affine_coordinates_GFp( grp, P, gost2001_custom_paramset->x,
>       gost2001_custom_paramset->y, ctx );
>   EC_GROUP_set_generator( grp, P, gost2001_custom_paramset->q, 0 );
>   EC_KEY_set_group( ec, grp );
>   BN_CTX_end( ctx );
>
>   EVP_PKEY *pkey( EVP_PKEY_new() );
>   EVP_PKEY_assign( pkey, NID_id_GostR3410_2001, ec );
>
>   GOST3410_EX_DATA *ex_data = GOST3410_get_ex_data( pkey );
>   ex_data->hash_params_nid = NID_id_Gost28147_89_DrWebParamSet;
>   ex_data->cipher_params_nid = NID_id_Gost28147_89_DrWebParamSet;
>
> Can this feature be useful for the community? And which way seems to be
> more useful?
> --
> With best regards, Arseniy Ankudinov
> Software Engineer, Doctor Web Ltd
>


-- 
SY, Dmitry Belyavsky