Is this a full configuration file?
It certainly isn’t – but I figured I’d post only the relevant part of it, rather than “crowding” the mailing list with something unnecessary.
Are there any other parts of the openssl.cnf that could be related to this issue, or help diagnose it’s cause?
пт, 19 июля 2019 г., 21:09 Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx>:
MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed).
Engines defined in the openssl.cnf file:
#############
[engine_section]
pkcs11 = pkcs11_section
gost = gost_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /opt/local/lib/engines-1.1/libpkcs11.so
MODULE_PATH = /Library/OpenSC/lib/opensc-pkcs11.so
init = 0
[gost_section]
engine_id = gost
dynamic_path = /opt/local/lib/engines-1.1/gost.dylib
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
init = 1
#############
Note, whether the above has "init = 1" or not, does not alter the outcome.
Engine in question is "gost".
First, the engine does not load automatically/dynamically. For "openssl dgst" I have to specify it explicitly, otherwise the algorithms it provides, are not available:
$ openssl dgst -md_gost94 ~/LastTest.log
dgst: Unrecognized flag md_gost94
dgst: Use -help for summary.
$ openssl dgst -engine gost -md_gost94 ~/LastTest.log
engine "gost" set.
md_gost94(/Users/ur20980/LastTest.log)= e82e6e515c86851498eac606722b50b724b1f95952d4edb7202029f127751816
$
Second - even when I explicitly specify the engine, "openssl speed" refuses to recognize the ciphers provided by it, though "openssl enc" shows that it can access them:
$ openssl speed -engine gost -evp gost89-cbc
speed: gost89-cbc is an unknown cipher or digest
$ openssl enc -engine gost -ciphers
engine "gost" set.
Supported ciphers:
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ctr -aes-128-ecb
. . . . .
-des3-wrap -desx -desx-cbc
-gost89 -gost89-cbc -gost89-cnt
-gost89-cnt-12 -grasshopper-cbc -grasshopper-cfb
-grasshopper-ctr -grasshopper-ecb -grasshopper-ofb
-id-aes128-wrap -id-aes128-wrap-pad -id-aes192-wrap
Seems like a bug...?
--
Regards,
Uri