private keys, should use generic EVP_PKEY API instead of using RSA or
other algorithm-specific API.
-CONFIGURATION FILE
-
-The very minimal example of the configuration file is provided in this
-distribution and named 'example.conf'.
-
-Configuration file should include following statement in the global
-section, i.e. before first bracketed section header (see config(5) for details)
-
- openssl_conf = openssl_def
-
-where openssl_def is name of the section in configuration file which
-describes global defaults.
-
-This section should contain following statement:
-
- [openssl_def]
- engines = engine_section
-
-which points to the section which describes list of the engines to be
-loaded. This section should contain:
-
- [engine_section]
- gost = gost_section
-
-And section which describes configuration of the engine should contain
-
- [gost_section]
- engine_id = gost
- dynamic_path = /usr/lib/ssl/engines/libgost.so
- default_algorithms = ALL
- CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
-
-BouncyCastle cryptoprovider has some problems with private key parsing from PrivateKeyInfo,
-so if you want to use old private key representation format, which supported by BC,
-you must add:
- PK_PARAMS = LEGACY_PK_WRAP
-
-to [gost_section]
-
-Where engine_id parameter specifies name of engine (should be "gost").
-dynamic_path is a location of the loadable shared library implementing the
-engine. If the engine is compiled statically or is located in the OpenSSL
-engines directory, this line can be omitted.
-default_algorithms parameter specifies that all algorithms, provided by
-engine, should be used.
-
-The CRYPT_PARAMS parameter is engine-specific. It allows the user to choose
-between different parameter sets of symmetric cipher algorithm. RFC 4357
-specifies several parameters for the GOST 28147-89 algorithm, but OpenSSL
-doesn't provide user interface to choose one when encrypting. So use engine
-configuration parameter instead.
-
-Value of this parameter can be either short name, defined in OpenSSL
-obj_dat.h header file or numeric representation of OID, defined in RFC
-4357.
-
USAGE WITH COMMAND LINE openssl UTILITY
1. Generation of private key
Use -pkeyopt option to pass paramset to algorithm. The following paramsets
are supported by
gost2001: 0,A,B,C,XA,XB
- gost2012_256: 0,A,B,C,XA,XB
- gost2012_512: A,B
+ gost2012_256: 0,A,B,C,XA,XB,TCA,TCB,TCC,TCD
+ gost2012_512: A,B,C
You can also use numeric representation of OID as to destinate
paramset.
Calculation of HMAC based on GOST R 34.11-94
- openssl dgst -md_gost94 -mac hmac -macopt key:<32 bytes of key> datafile
+ openssl dgst -md_gost94 -hmac <32 bytes of key> datafile
(or use hexkey if key contain NUL bytes)
Calculation of GOST 28147 MAC
projects / openssl-gost / engine.git / blobdiff