Which engine do you use? I'd strongly recommend using gost-engine (https://github.com/gost-engine/engine) and loading it via config. Also I'm not sure that `streebog256` is supported - it's an alias, the name is `md_gost12_256`.

On Tue, Feb 14, 2023 at 1:01 PM Eugene M. Zheganin <eugene@xxxxxxxxx> wrote:
My bad, this is indeed https://github.com/gost-engine/engine, I've just checked (phantom memories):
===Cut===
# git remote -v
origin https://github.com/gost-engine/engine (fetch)
origin https://github.com/gost-engine/engine (push)
# git log | head -n 10
commit b2b4d629f100eaee9f5942a106b1ccefe85b8808
Author: Dmitry Belyavskiy <beldmit@xxxxxxxxx>
Date: Sat May 21 20:20:20 2022 +0200
On unpacking key blob output buffer size should be fixed
Related: CVE-2022-29242
commit 7df766124f87768b43b9e8947c5a01e17545772c
Author: Dmitry Belyavskiy <beldmit@xxxxxxxxx>
===Cut===
And I've also checked the md5 sum on gost.so, and its copy in the build directory, so it's the same file:
# md5sum /home/emz/src/engine/build/bin/gost.so
3464035a7a21ba47f2e0120e0ffb4af8  /home/emz/src/engine/build/bin/gost.so
# md5sum /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
3464035a7a21ba47f2e0120e0ffb4af8  /usr/local/openssl-3.0.7/lib64/engines-3/gost.s
===Cut===
# /usr/local/libressl/bin/openssl req -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pkeyopt paramset:A -md_gost12_256 -nodes \
-subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe@xxxxxxx" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Key parameter error "dgst:md_gost12_256"
# /usr/local/libressl/bin/openssl req -engine gost -engine_impl gost -newkey gost2001 -pkeyopt dgst:md_gost12_256 \
-pkeyopt paramset:A -md_gost12_256 -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe@xxxxxxx" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Engine "gost" set.
req: Use -help for summary.
# /usr/local/libressl/bin/openssl req -engine gost -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pkeyopt paramset:A \
-md_gost12_256 -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe@xxxxxxx" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Engine "gost" set.
Key parameter error "dgst:md_gost12_256"
===Cut===
So, the problem persists at least on its version from May 2022. Is there any chance these commands will work on a more recent version of the engine, or do I completely misunderstand how they should be called?
Engine is plugged in as:
===Cut===
[openssl_init]
engines = engine_section
providers = provider_sect
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
dynamic_path = /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
default_algorithms = ALL
===Cut===
Thanks.
Eugene.