Hello, Which engine do you use? I'd strongly recommend using gost-engine (https://github.com/gost-engine/engine) loading it via config. Also I'm not sure that `streebog256` is supported - it's an alias, the name is `md_gost12_256` On Tue, Feb 14, 2023 at 1:01 PM Eugene M. Zheganin <eugene@xxxxxxxxx> wrote: > > Hello, > > I need to create a certificate request using a pluggable engine, in my case it's GOST, that I built in LibreSSL and attached to OpenSSL 3.0.x. > > So, in LibreSSL, say, I have a call like > > openssl req -newkey gost2001 -pkeyopt dgst:streebog256 -pkeyopt paramset:A -streebog256 \ > -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=John Doe/emailaddress=doe@xxxxxxx" \ > -keyout /tmp/key.pem -out /tmp/csr.pem -utf8 > > and it pretty much does the job. But OpenSSL 3.0.x doesn't recognize the streebog256 as the acceptable digest: > > Key parameter error "dgst:streebog256" > > That is because it's manual page clearly states: > > "The engine is not used for digests unless the -engine_impl option is used or it is configured to do so, see "Engine Configuration Module" in config(5)." > > Funny thing is, the config(5) manual page doesnt'y say a word about configuring digests (I was able to configure gost as an engine for default loading as there are plenty of examples). > > So, when using openssl dgst with both -engine gost and -engine_impl gost I can see the needed streebog256 as valid digest but how do I do this while calling openssl req or when using openssl.cnf ? > > > Thanks. > > Eugene. -- SY, Dmitry Belyavsky
