ruby-core@ruby-lang.org archive (unofficial mirror)
From: "hsbt (Hiroshi SHIBATA)" <noreply@ruby-lang.org>
To: ruby-core@ml.ruby-lang.org
Subject: [ruby-core:111043] [Ruby master Feature#9830] Support for GOST private/public keys
Date: Tue, 29 Nov 2022 01:48:31 +0000 (UTC)
Message-ID: <redmine.journal-100296.20221129014831.8107@ruby-lang.org>
In-Reply-To: redmine.issue-9830.20140511203405.8107@ruby-lang.org

Issue #9830 has been updated by hsbt (Hiroshi SHIBATA).

Assignee set to rhenium (Kazuki Yamaguchi)

----------------------------------------
Feature #9830: Support for GOST private/public keys
https://bugs.ruby-lang.org/issues/9830#change-100296

* Author: Envek (Andrey Novikov)
* Status: Assigned
* Priority: Normal
* Assignee: rhenium (Kazuki Yamaguchi)
----------------------------------------
Hello everyone.

We're required to use GOST encryption algorithms for signing requests, interacting with HTTPS services with client certificate authentication and so on.

OpenSSL 1.0.0 is bundled with the GOST engine, and, if correctly configured, can handle all of these tasks from the command line. Also see #9822.

**Issue**

Ruby can't read GOST private and public keys:

~~~
ruby> privkey = OpenSSL::PKey.read(File.read('gost_r_34_10_2001_private_key.pem'))
OpenSSL::PKey::PKeyError: unsupported key type
ruby> # Same for public keys
ruby> crt = OpenSSL::X509::Certificate.new(File.read('gost_r_34_10_2001_certificate.pem'))
ruby> crt.public_key
OpenSSL::PKey::PKeyError: unsupported key type
~~~

The problem is there is no "Generic PKey" class in Ruby's OpenSSL.

In the source, in `ext/openssl/openssl_pkey.c` at line 76, the method `ossl_pkey_new` examines the key type and creates the appropriate Ruby class. But the GOST R 34.10-2001 key type has type `NID_id_GostR3410_2001` (811), and Ruby fails.

**Possible solution**

GOST keys are EC keys in fact (at least for GOST R 34.10-2001). And, if I add `case NID_id_GostR3410_2001:` right before `case EVP_PKEY_EC:` and remove checks about key type in `ext/openssl/openssl_pkey_ec.c` – everything will work.

To illustrate this, I've attached required patches (one from issue #9822), self-signed GOST R 34.10-2001 certificate with private key and two test scripts.

**NOTE**: You will need OpenSSL version 1.0.0 or newer with correct configuration, see links below!

**Question**

How should GOST key support be implemented in Ruby? Should it even use `OpenSSL::PKey::EC`, or maybe subclass from it?

I'm experienced neither in C programming nor in cryptography, but I would be glad to help with the implementation of this.

**Further information**

* **README.gost**: Instructions for setting up OpenSSL and usage: https://github.com/openssl/openssl/blob/master/engines/ccgost/README.gost
* **OpenSSL GOST engine source**: https://github.com/openssl/openssl/tree/master/engines/ccgost
* **RFC 5830**: GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms:
  http://tools.ietf.org/html/rfc5830
* **RFC 5831**: GOST R 34.11-94: Hash Function Algorithm:
  http://tools.ietf.org/html/rfc5831
* **RFC 5832**: GOST R 34.10-2001: Digital Signature Algorithm:
  http://tools.ietf.org/html/rfc5832
* **RFC 4491**: Using the GOST Algorithms with the Internet X.509 Public Key Infrastructure:
  http://tools.ietf.org/html/rfc4491
* **RFC 4490**: Using the GOST Algorithms with Cryptographic Message Syntax (CMS):
  http://tools.ietf.org/html/rfc4490
* **RFC 4357**: Additional Cryptographic Algorithms for Use with GOST Algorithms
* Some stackoverflow.com related questions: http://stackoverflow.com/questions/12868384/openssl-gost-parameter-set and http://stackoverflow.com/questions/14580340/generate-gost-34-10-2001-keypair-and-save-it-to-some-keystore


---Files--------------------------------
gost_keys_support_draft.patch (1.92 KB)
gost_r_34_10_2001_certificate.pem (826 Bytes)
gost_r_34_10_2001_private_key.pem (152 Bytes)
gost_sigining.rb (541 Bytes)
gost_ssl_example_with_certs.rb (742 Bytes)
respect_system_openssl_settings.patch (430 Bytes)


-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
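
Added example (not part of the issue above and not code from Ruby's OpenSSL extension): one way to see which algorithm a public key declares without going through the key-type dispatch that raises "unsupported key type". It reads the algorithm OID straight from the SubjectPublicKeyInfo with `OpenSSL::ASN1`. The GOST OIDs are the ones defined in RFC 4491; `spki_algorithm_oid`, `key_type_report` and `sample_spki` are hypothetical helper names, and the sample keys are constructed placeholders rather than real key material.

```ruby
require "openssl"

# Algorithm OIDs of the key types that have dedicated OpenSSL::PKey classes.
KNOWN_KEY_OIDS = {
  "1.2.840.113549.1.1.1" => "OpenSSL::PKey::RSA",
  "1.2.840.10040.4.1"    => "OpenSSL::PKey::DSA",
  "1.2.840.113549.1.3.1" => "OpenSSL::PKey::DH",
  "1.2.840.10045.2.1"    => "OpenSSL::PKey::EC",
}.freeze

# Public key algorithm OIDs from RFC 4491.
GOST_KEY_OIDS = {
  "1.2.643.2.2.19" => "GOST R 34.10-2001",
  "1.2.643.2.2.20" => "GOST R 34.10-94",
}.freeze

# Returns the dotted algorithm OID of a SubjectPublicKeyInfo given as DER
# or as a PEM "PUBLIC KEY" block. No PKey object is ever instantiated.
def spki_algorithm_oid(data)
  if data.include?("-----BEGIN PUBLIC KEY-----")
    body = data[/-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----/m, 1]
    data = body.to_s.unpack1("m") # lenient base64 decode
  end
  spki = OpenSSL::ASN1.decode(data)
  alg  = spki.value.first if spki.is_a?(OpenSSL::ASN1::Sequence)
  oid  = alg.value.first if alg.is_a?(OpenSSL::ASN1::Sequence)
  raise ArgumentError, "not a SubjectPublicKeyInfo" unless oid.is_a?(OpenSSL::ASN1::ObjectId)
  oid.oid
end

# Reports whether a dedicated PKey class exists for the declared algorithm.
def key_type_report(data)
  oid = spki_algorithm_oid(data)
  if (klass = KNOWN_KEY_OIDS[oid])
    { oid: oid, handled_by: klass }
  else
    { oid: oid, handled_by: nil, algorithm: GOST_KEY_OIDS.fetch(oid, "unknown") }
  end
end

# Constructed sample input: a structurally valid SPKI with placeholder key bits.
def sample_spki(oid)
  alg = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new(oid),
                                     OpenSSL::ASN1::Null.new(nil)])
  OpenSSL::ASN1::Sequence.new([alg, OpenSSL::ASN1::BitString.new("\x00" * 8)]).to_der
end
```

A `handled_by` of `nil` together with a GOST algorithm name marks a key that hits the failure described in the issue, which is useful to know before calling `public_key` on a certificate.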
