Windows openssl gost engine
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
engine / INSTALL.md
Building and Installation
To build and install OpenSSL GOST Engine, you will need
- OpenSSL 3.0 development version
- an ANSI C compiler
- CMake (3.0 or newer)
Here is a quick build guide:
Instead of Release you can use Debug , RelWithDebInfo or MinSizeRel configuration. See cmake docs for details. You will find built binaries in ../bin directory.
If you want to build against a specific OpenSSL instance (you will need it if you have more than one OpenSSL instance for example), you can use the cmake variable OPENSSL_ROOT_DIR to specify absolute path of the desirable OpenSSL instance:
If you use Visual Studio, you can also set CMAKE_INSTALL_PREFIX variable to set install path, like this:
Also instead of cmake —build tool you can just open gost-engine.sln in Visual Studio, select configuration and call Build Solution manually.
Instructions how to build OpenSSL 1.1.0 with Microsoft Visual Studio you can find there.
To install GOST Engine you can call:
or old plain and Unix only:
The engine library gost.so should be installed into OpenSSL engine directory.
To ensure that it is installed propery call:
Then check that gost.so there
Finally, to start using GOST Engine through OpenSSL, you should edit openssl.cnf configuration file as specified below.
The very minimal example of the configuration file is provided in this distribution and named example.conf .
Configuration file should include following statement in the global section, i.e. before first bracketed section header (see config(5) for details)
where openssl_def is name of the section in configuration file which describes global defaults.
This section should contain following statement:
which points to the section which describes list of the engines to be loaded. This section should contain:
And section which describes configuration of the engine should contain
Various cryptoproviders (e.g. BouncyCastle) has some problems with private key parsing from PrivateKeyInfo, so if you want to use old private key representation format, which supported by BC, you will have to add:
Where engine_id parameter specifies name of engine (should be gost ).
dynamic_path is a location of the loadable shared library implementing the engine. If the engine is compiled statically or is located in the OpenSSL engines directory, this line can be omitted.
default_algorithms parameter specifies that all algorithms, provided by engine, should be used.
The CRYPT_PARAMS parameter is engine-specific. It allows the user to choose between different parameter sets of symmetric cipher algorithm. RFC 4357 specifies several parameters for the GOST 28147-89 algorithm, but OpenSSL doesn’t provide user interface to choose one when encrypting. So use engine configuration parameter instead. It SHOULD NOT be used nowadays because all the parameters except the default one are deprecated now.
Value of this parameter can be either short name, defined in OpenSSL obj_dat.h header file or numeric representation of OID, defined in RFC 4357.
Windows openssl gost engine
Для использования SSL сертификатов с ГОСТ алгоритмами необходимо произвести описанные ниже настройки.
каталоги установки (по умолчанию), в которых расположен файл конфигурации сервиса:
|
- Скачать библиотеку из состава OpenSSL, реализующую ГОСТ алгоритмы, в соответствии с используемой разрядностью приложения, которое будет использовать данную библиотеку. Если настраивается серверная сторона Сервиса, то в соответствии с его разрядностью, если настраивается клиентская сторона — приложение для удаленного доступа, то в соответствии с его разрядностью (на текущий момент только Win32). В случае настройки Сервиса, скопировать полученный файл в каталог с файлом конфигурации сервиса (см. каталоги установки по умолчанию):
- Win32: http://techmill.ru/paruspub/current/gost/gost.dll
- Win64: http://techmill.ru/paruspub/current/gost/win64/gost.dll
Указанные по ссылкам файлы взяты из версии OpenSSL1.0.2, которая соответсвует версии остальных библиотек распространяемых в стандартной поставке текущего Сервиса.
Предполагается, что gost.dll должна работать только с соответствующей ей версии OpenSSL из состава которого эта библиотека была взята.
Начиная с версии OpenSLL 1.1.0 библиотека gost.dll исключена из состава стандартной поставки OpenSSL, и оформилась в виде отдельного продукта , который по прежнему требует соответствие версий с OpenSSL.
Поддержка алгоритмов ГОСТ 2001 имеется во всех версиях библиотеки gost.dll. Однако поддержка алгоритмов ГОСТ 2012 реализована только в версиях начиная с OpenSSL 1.1.0.
Рядом со скопированным файлом создать файл конфигурации OpenSSL следующего вида:
В случае использования существующего файла конфигурации, например поставляемого с самим OpenSSL, необходимо 1-ю строчку (openssl_conf = openssl_def) вставить в начало этого файла, а остальные строки в самый конец файла.
Указанный файл конфигурации является примером, и может быть изменен пользователем в зависимости от требуемых настроек.
Подобным образом возможно подключить любые другие расширения (engine) для OpenSSL.
Например, в случае если приватный ключ сертификата хранится на аппаратном носителе (USB токен, смарт карт) который не допускает их экспортирования в файл, но при этом предосталяет возможность их использования через свой интерфейс. Обычно в таких случаях криптопровайдер распространяет расширения для интеграции с OpenSSL.
В таких случаях, в процессе конфигурирования вместо указания пути к файлу (Параметры сетевых настроек, поле Закрытый ключ) необходимо указать через какое расширение можно обращаться к закрытому ключу:
Windows openssl gost engine
Docker image with OpenSSL 1.1.1, GOST engine and cURL
This image was built to have ability to connect to servers with GOST SSL certificates. In addition, it helps to encrypt, decrypt, hash messages with GOST algorithms.
Since version 1.1.1 OpenSSL does not contain GOST-engine anymore, but it can be compiled and used separately. This image does this work.
Output of openssl ciphers supports:
There are some issues with OpenSSL 1.1.1 and GOST-engine (GOST ciphers are not in list), so versions are fixed in default docker’s build args.
You can pull my docker container: docker pull gosha20777/openssl-gost:dev . if you want to build a docker image yourself or build it into your host mashine, see the instructions below.
Build form sh script
The image has been built and pushed into https://hub.docker.com/repository/docker/gosha20777/openssl-gost. In examples below I use image rnix/openssl-gost from Docker Hub, but you can build this image for you own and use your tag.
As usual, you can run commands directly from host or you can use ‘interactive mode’ with -i . Pull the image and run a container with mounted current dir in interactive mode:
Run command with mounted current dir without interactive mode:
If you use Windows, pwd is incorrect. Use absolute path instead, for example:
In the container you run commands.
To show certificate of host with GOST
To send a file to host with POST and save the response into new file
To generate new key and certificate with Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
To sign file with electronic signature by GOST using public certificate (-signer cert.pem), private key (-inkey key.pem), with opaque signing (-nodetach), DER as output format without including certificate and attributes (-nocerts -noattr):
To extract data (verify) from signed file (DER-format) using public certificate (-certfile cert.pem) issued by CA (-CAfile cert.pem) (the same because cert.pem is self-signed):
Certification authority (CA)
In Russia, it is common to issue GOST-certificates signed by CA which are not worldwide trusted. In this case you get error. For example, curl: (60) SSL certificate problem: unable to get local issuer certificate . To solve this problem you have two options: 1) do not verify CA (not recommended), 2) find and use CA.
To ignore security error use -k with curl and -noverify with openssl. For example curl https://gost.examples.com -k or openssl cms -verify -noverify .
Find and download CA-certificate file. For example, CryptoPRO CA. It is PKCS7, but you need PEM. Run command to extract all certificates from p7b and write them as a chain of certificates in one file:
When you have CA-file you can:
- Install it in default CA certificate store
- Specify it in every openssl or curl command
To install it in default CA certificate store use commands:
To specify it in curl:
To specify it in openssl with verifying signature:
Usage in other Dockerfiles
Compiled libraries can be used in other Dockerfiles with multi-stage approach. Basic template is in any-gost directory. Working example with PHP is in php-fpm-gost directory.
There some notices:
- OpenSSL and cURL are build in custom directory /usr/local/ssl and usr/local/curl which contain bin , include , lib .
- Before compiling the main Dockerfile folders /usr/local/ssl and usr/local/curl should be copied into new image.
- During building packages openssl and curl can be installed and overwrite new /usr/bin/openssl and /usr/bin/curl .
- Specify paths of libraries in configuring scripts to new locations.