Re: openssl and pluggable engine digests

Hello,

Which engine do you use?
I'd strongly recommend using gost-engine
(https://github.com/gost-engine/engine) loading it via config.
Also I'm not sure that `streebog256` is supported - it's an alias, the
name is `md_gost12_256`

On Tue, Feb 14, 2023 at 1:01 PM Eugene M. Zheganin <eugene@xxxxxxxxx> wrote:
>
> Hello,
>
> I need to create a certificate request using a pluggable engine, in my case it's GOST, that I built in LibreSSL and attached to OpenSSL 3.0.x.
>
> So, in LibreSSL, say, I have a call like
>
> openssl req -newkey gost2001 -pkeyopt dgst:streebog256 -pkeyopt paramset:A -streebog256 \
> -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=John Doe/emailaddress=doe@xxxxxxx" \
> -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
>
> and it pretty much does the job. But OpenSSL 3.0.x doesn't recognize the streebog256 as the acceptable digest:
>
> Key parameter error "dgst:streebog256"
>
> That is because its manual page clearly states:
>
> "The engine is not used for digests unless the -engine_impl option is used or it is configured to do so, see "Engine Configuration Module" in config(5)."
>
> Funny thing is, the config(5) manual page doesn't say a word about configuring digests (I was able to configure gost as an engine for default loading as there are plenty of examples).
>
> So, when using openssl dgst with both -engine gost and -engine_impl gost I can see the needed streebog256 as a valid digest, but how do I do this while calling openssl req or when using openssl.cnf?
>
>
> Thanks.
>
> Eugene.



-- 
SY, Dmitry Belyavsky
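
A minimal openssl.cnf fragment for the config-based engine loading recommended in the reply above, added here as an illustration and not taken from either message. The section names are arbitrary, the dynamic_path value is a placeholder, and `default_algorithms = ALL` is the config(5) engine command that registers the engine as the default for the algorithms it provides, digests included.

```ini
# Added example: load gost-engine from openssl.cnf (not from the thread).
# This assignment must sit in the default section, before any [section] header.
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
# Left-hand name is arbitrary; it points at the section below.
gost = gost_section

[gost_section]
engine_id = gost
# Assumption: only needed when the engine library is not installed in
# OpenSSL's default engines directory. Placeholder path, set your own.
# dynamic_path = /path/to/engines/gost.so
# Make the engine the default implementation for all algorithm classes
# it registers (ciphers, digests, public-key methods).
default_algorithms = ALL
```

Select the file with the OPENSSL_CONF environment variable and confirm that the digest name given in the reply resolves, for example with `openssl dgst -md_gost12_256`, before passing it to `openssl req`.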


