
OpenSSL with GOST engine


I want to use OpenSSL to generate a private key, a public key and a Certificate Signing Request (CSR), and to sign some data later. But I want to use the OpenSSL GOST engine.

I downloaded OpenSSL 1.0.0 and modified openssl.cfg file:

    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section

    [engine_section]
    gost = gost_section

    [gost_section]
    engine_id = gost
    dynamic_path = ./gost.dll
    default_algorithms = ALL
    CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

I can generate a private key and a CSR (single-line command string):

    openssl req -newkey gost2001 -pkeyopt paramset:A -passout pass:aofvlgzm \
    -subj "/C=RU/ST=Moscow/L=Moscow/O=foo_bar/OU=foo_bar/CN=developer/ \
           [email protected]" \
    -new > certificate_signing_request.csr

I get 2 files:

  • certificate_signing_request.csr
  • privkey.pem

I know that I can do this (it prints an (unencrypted) text representation of the private and public keys):

    openssl genpkey -algorithm gost2001 -pkeyopt paramset:A -text

I use GOST instead of RSA, which is why I cannot just do:

    openssl rsa -in privkey.pem -pubout -out pubkey.pem
    Enter pass phrase for privkey.pem:
    6132:error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:.\crypto\evp\p_lib.c:288:

My question is: how can I generate/get the public key (maybe from the private key or from the CSR) using GOST?

I use:

  • Windows 7 professional x64;
  • OpenSSL 1.0.0;
  • Gost engine.

Thanks for any help.


Solution

I resolved my problem.

Step by step guide for everyone who wants an alternative to КРИПТО-ПРО

Certificate Signing Request (CSR) + private key

    ./openssl req -newkey gost2001 -pkeyopt paramset:A -passout pass:aofvlgzm -subj "/C=RU/ST=Moscow/L=Moscow/O=foo_bar/OU=foo_bar/CN=developer/[email protected]" -keyout private.key.pem -out csr.csr

Sign CSR (csr.csr) with private.key.pem (!!! ADMIN COMMAND PROMPT ONLY !!!)

if not admin: "unable to write 'random state'"

    ./openssl x509 -req -days 365 -in csr.csr -signkey private.key.pem -out crt.crt

Get public key

    ./openssl x509 -inform pem -in crt.crt -pubkey -noout > public.key.pem

Get GOST2001-md_gost94 hex

    ./openssl.exe dgst -hex -sign private.key.pem message.xml

Get MIME application/x-pkcs7-signature

    ./openssl smime -sign -inkey private.key.pem -signer crt.crt -in message.xml
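An added example, written here and not taken from the asker or the answerer: a POSIX shell script that reaches the same result by the algorithm-agnostic route. `openssl pkey -pubout` and `openssl req -pubkey` operate on any EVP key type, the engine's GOST keys included, which is why they succeed where `openssl rsa` stops with "expecting an rsa key"; the CSR route also needs no self-signed certificate first. The script additionally checks that the public key inside the CSR really belongs to the private key that will sign later, and signs and verifies a file with `dgst` (which, with no digest named, uses the key type's default digest, md_gost94 for gost2001 as the answer's heading shows). It assumes `openssl` on PATH and, for gost2001, the engine loaded through openssl.cnf exactly as configured in the question; the `--demo` run uses an EC key so it also works on a stock build, and all function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original question or answer).
# Assumptions: `openssl` is on PATH; when gost2001 is requested, the gost
# engine is loaded through openssl.cnf as in the question. The point is that
# `pkey` and `req -pubkey` work for any key type, unlike the RSA-only `rsa`.
set -eu

# Generate an (unencrypted) private key and a CSR for it inside directory $1.
#   $2 = key algorithm (gost2001, EC, RSA, ...)
#   $3 = key-generation option, e.g. paramset:A or ec_paramgen_curve:prime256v1
make_key_and_csr() {
    dir=$1; alg=$2; opt=$3
    openssl genpkey -algorithm "$alg" -pkeyopt "$opt" -out "$dir/private.key.pem"
    openssl req -new -key "$dir/private.key.pem" \
        -subj "/C=RU/ST=Moscow/L=Moscow/O=foo_bar/OU=foo_bar/CN=developer" \
        -out "$dir/csr.csr"
}

# Public key straight from the private key; `pkey` replaces the RSA-only `rsa`.
# For a passphrase-protected key as in the question add: -passin pass:...
pubkey_from_private() {
    openssl pkey -in "$1" -pubout
}

# Public key from the CSR alone, no self-signed certificate required.
pubkey_from_csr() {
    openssl req -in "$1" -pubkey -noout
}

# Fingerprint of a PEM public key read from stdin (SHA-256 over the DER
# SubjectPublicKeyInfo), so both extraction paths compare independent of PEM layout.
pubkey_fingerprint() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# Check that the CSR carries the public key of the private key in $1.
# Exit status 0 when they agree, 1 otherwise.
verify_csr_matches_key() {
    dir=$1
    fp_key=$(pubkey_from_private "$dir/private.key.pem" | pubkey_fingerprint)
    fp_csr=$(pubkey_from_csr "$dir/csr.csr" | pubkey_fingerprint)
    [ "$fp_key" = "$fp_csr" ]
}

# Detached signature over $2 with private key $1, written to $3. No -md option,
# so dgst picks the key type's default digest (md_gost94 for gost2001).
sign_file() {
    openssl dgst -sign "$1" -out "$3" "$2"
}

# Verify signature $3 over $2 with public key $1; exit status 0 only on success.
verify_file() {
    openssl dgst -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Stand-alone run. With the gost engine configured, replace
# "EC ec_paramgen_curve:prime256v1" by "gost2001 paramset:A".
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_key_and_csr "$work" EC ec_paramgen_curve:prime256v1
    pubkey_from_private "$work/private.key.pem" > "$work/public.key.pem"
    verify_csr_matches_key "$work" && echo "CSR public key matches private key"
    printf '<doc>hello</doc>\n' > "$work/message.xml"     # constructed sample input
    sign_file "$work/private.key.pem" "$work/message.xml" "$work/message.sig"
    verify_file "$work/public.key.pem" "$work/message.xml" "$work/message.sig" \
        && echo "signature over message.xml verified with public.key.pem"
fi
```

Run it as `sh script.sh --demo`; public.key.pem is the PEM SubjectPublicKeyInfo the question asks for. The mismatch check matters in practice because a CSR generated against an old or wrong key file is accepted silently by a CA and only fails later, when the certificate is paired with the signing key.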