openssl and pluggable engine digests

Eugene M. Zheganin eugene at zhegan.in
Tue Feb 14 12:00:39 UTC 2023


Hello,

I need to create a certificate request using a pluggable engine, in my 
case it's GOST, that I built in LibreSSL and attached to OpenSSL 3.0.x.

So, in LibreSSL, say, I have a call like

    openssl req -newkey gost2001 -pkeyopt dgst:streebog256 -pkeyopt paramset:A -streebog256 \
      -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=John Doe/emailaddress=doe at foo.bar" \
      -keyout /tmp/key.pem -out /tmp/csr.pem -utf8

and it pretty much does the job. But OpenSSL 3.0.x doesn't recognize the 
streebog256 as the acceptable digest:

    Key parameter error "dgst:streebog256"

That is because its manual page clearly states:

"The engine is not used for digests unless the -engine_impl option is 
used or it is configured to do so, see "Engine Configuration Module" in 
config(5)."

Funny thing is, the config(5) manual page doesn't say a word about 
configuring digests (I was able to configure gost as an engine for 
default loading as there are plenty of examples).

So, when using |openssl dgst| with both |-engine gost| and |-engine_impl 
gost| I can see the needed /streebog256/ as a valid digest, but how do I do 
this while calling |openssl req| or when using |openssl.cnf|?


Thanks.

Eugene.